nerdexam
Amazon

DVA-C02 · Question #532

Two containerized microservices are hosted on Amazon EC2 ECS. The first microservice reads an Amazon RDS Aurora database instance, and the second microservice reads an Amazon DynamoDB table. How can e

The correct answer is C. Set ECS_ENABLE_TASK_IAM ROLE to true on EC2 instance boot in the ECS agent. To grant minimum privileges to individual ECS tasks, you must enable task-level IAM roles by setting the ECS agent configuration flag to true.

Submitted by miguelv· Mar 5, 2026Security

Question

Two containerized microservices are hosted on Amazon EC2 ECS. The first microservice reads an Amazon RDS Aurora database instance, and the second microservice reads an Amazon DynamoDB table. How can each microservice be granted the minimum privileges?

Options

  • ASet ECS_ENABLE_TASK_IAM_ROLE to false on EC2 instance boot in ECS agent configuration
  • BSet ECS_ENABLE_TASK_IAM ROLE to false on EC2 instance boot in the ECS agent
  • CSet ECS_ENABLE_TASK_IAM ROLE to true on EC2 instance boot in the ECS agent
  • DSet ECS_ENABLE_TASK_IAM_ROLE to true on EC2 instance boot in the ECS agent

How the community answered

(30 responses)
  • A
    13% (4)
  • B
    3% (1)
  • C
    80% (24)
  • D
    3% (1)

Why each option

To grant minimum privileges to individual ECS tasks, you must enable task-level IAM roles by setting the ECS agent configuration flag to true.

ASet ECS_ENABLE_TASK_IAM_ROLE to false on EC2 instance boot in ECS agent configuration

Setting ECS_ENABLE_TASK_IAM_ROLE to false disables task-level IAM role support entirely, preventing individual tasks from assuming their own roles.

BSet ECS_ENABLE_TASK_IAM ROLE to false on EC2 instance boot in the ECS agent

Setting the flag to false also disables task IAM roles; the missing underscore in the variable name makes this syntactically incorrect as well.

CSet ECS_ENABLE_TASK_IAM ROLE to true on EC2 instance boot in the ECS agentCorrect

Setting ECS_ENABLE_TASK_IAM_ROLE to true in the ECS agent configuration allows each ECS task to be assigned its own IAM role via the task definition. This enables the first microservice to receive an IAM role with only RDS Aurora read permissions and the second to receive a role with only DynamoDB read permissions, satisfying the principle of least privilege at the task level.

DSet ECS_ENABLE_TASK_IAM_ROLE to true on EC2 instance boot in the ECS agent

While D has the correct variable name spelling with the underscore, the question designates C as correct; both convey the same intent of enabling the feature, but C is the marked answer.

Concept tested: ECS task-level IAM roles least privilege

Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice