A company is using AWS CodeBuild to build a Docker image and push it to Amazon ECR. Which permissions are required for the CodeBuild service role? (Choose THREE.)
Needed to upload the Docker image.
Why this answer
Option A is correct because `ecr:PutImage` is the permission required to push a Docker image to an Amazon ECR repository. When CodeBuild completes a build and runs `docker push`, it calls the ECR API `PutImage` to upload the image manifest. Without this permission, the push operation will fail with an access denied error.
Exam trap
The trap here is that candidates may confuse `ecr:PutImage` with the non-existent `ecr:CreateImage` or mistakenly think `ecr:BatchGetImage` is needed for pushing, when in fact it is only used for pulling images.