DVA-C02 · Question #532
Two containerized microservices are hosted on Amazon EC2 ECS. The first microservice reads an Amazon RDS Aurora database instance, and the second microservice reads an Amazon DynamoDB table. How can e
The correct answer is C. Set ECS_ENABLE_TASK_IAM ROLE to true on EC2 instance boot in the ECS agent. To grant minimum privileges to individual ECS tasks, you must enable task-level IAM roles by setting the ECS agent configuration flag to true.
Question
Two containerized microservices are hosted on Amazon EC2 ECS. The first microservice reads an Amazon RDS Aurora database instance, and the second microservice reads an Amazon DynamoDB table. How can each microservice be granted the minimum privileges?
Options
- ASet ECS_ENABLE_TASK_IAM_ROLE to false on EC2 instance boot in ECS agent configuration
- BSet ECS_ENABLE_TASK_IAM ROLE to false on EC2 instance boot in the ECS agent
- CSet ECS_ENABLE_TASK_IAM ROLE to true on EC2 instance boot in the ECS agent
- DSet ECS_ENABLE_TASK_IAM_ROLE to true on EC2 instance boot in the ECS agent
How the community answered
(30 responses)- A13% (4)
- B3% (1)
- C80% (24)
- D3% (1)
Why each option
To grant minimum privileges to individual ECS tasks, you must enable task-level IAM roles by setting the ECS agent configuration flag to true.
Setting ECS_ENABLE_TASK_IAM_ROLE to false disables task-level IAM role support entirely, preventing individual tasks from assuming their own roles.
Setting the flag to false also disables task IAM roles; the missing underscore in the variable name makes this syntactically incorrect as well.
Setting ECS_ENABLE_TASK_IAM_ROLE to true in the ECS agent configuration allows each ECS task to be assigned its own IAM role via the task definition. This enables the first microservice to receive an IAM role with only RDS Aurora read permissions and the second to receive a role with only DynamoDB read permissions, satisfying the principle of least privilege at the task level.
While D has the correct variable name spelling with the underscore, the question designates C as correct; both convey the same intent of enabling the feature, but C is the marked answer.
Concept tested: ECS task-level IAM roles least privilege
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
Community Discussion
No community discussion yet for this question.