SAP-C02 Question #664: Real Exam Question with Answer & Explanation
The correct answer is B: Create tasks using the awsvpc network mode. The task is to secure an Amazon ECS cluster for a containerized microservice architecture, ensuring least privilege for network and IAM permissions.
Question
A company wants to migrate its website from an on-premises data center onto AWS. At the same time, it wants to migrate the website to a containerized microservice-based architecture to improve the availability and cost efficiency. The company's security policy states that privileges and network permissions must be configured according to best practice, using least privilege. A solutions architect must create a containerized architecture that meets the security requirements and has deployed the application to an Amazon ECS cluster. What steps are required after the deployment to meet the requirements? (Choose two.)
Options
- A. Create tasks using the bridge network mode.
- B. Create tasks using the awsvpc network mode.
- C. Apply security groups to Amazon EC2 instances, and use IAM roles for EC2 instances to access
- D. Apply security groups to the tasks, and pass IAM credentials into the container at launch time to
- E. Apply security groups to the tasks, and use IAM roles for tasks to access other resources.
Explanation
The task is to secure an Amazon ECS cluster for a containerized microservice architecture, ensuring least privilege for network and IAM permissions.
Common mistakes.
- A. The bridge network mode does not allow security groups to be applied directly to individual tasks, making granular network control at the task level difficult and failing to meet least privilege requirements for containerized applications.
- C. Applying security groups to EC2 instances and using instance IAM roles for containers is less granular and violates least privilege, as all tasks on an instance would share the same network and IAM permissions.
- D. Passing IAM credentials directly into the container is a security anti-pattern, as it complicates credential management, increases the risk of exposure, and bypasses the security benefits of temporary credentials provided by Task IAM Roles.
Concept tested. ECS awsvpc networking and Task IAM Roles for security
Reference. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
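The two correct answers expressed as infrastructure code, as an added example that is not part of the exam page: a CloudFormation fragment in which the task definition uses awsvpc networking, the service attaches a security group to the tasks themselves, and the containers obtain credentials from a task IAM role rather than from values passed in at launch. VpcId, AlbSg, ExecutionRoleArn, ClusterArn and PrivateSubnetIds are assumed to be template parameters declared elsewhere; the bucket name and image URI are placeholders.

```yaml
# Added example, not taken from the exam page. Parameters referenced with !Ref
# (VpcId, AlbSg, ExecutionRoleArn, ClusterArn, PrivateSubnetIds) are assumed.
Resources:
  AppTaskRole:                       # role the task itself assumes (option E)
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ecs-tasks.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: least-privilege-app
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject                   # only what this one service needs
                Resource: arn:aws:s3:::EXAMPLE-BUCKET/*  # placeholder bucket
  AppTaskSg:                         # attached to the task ENI, not the EC2 host
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: web service tasks
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref AlbSg   # only the load balancer may reach the tasks
  AppTaskDef:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: web
      NetworkMode: awsvpc                        # option B: each task gets its own ENI
      TaskRoleArn: !GetAtt AppTaskRole.Arn       # temporary credentials via the task metadata endpoint
      ExecutionRoleArn: !Ref ExecutionRoleArn    # used by the ECS agent only (image pull, logs)
      ContainerDefinitions:
        - Name: web
          Image: EXAMPLE-ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/web:1.0  # placeholder image
          PortMappings: [{ ContainerPort: 8080 }]
  AppService:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref ClusterArn
      TaskDefinition: !Ref AppTaskDef
      DesiredCount: 2
      NetworkConfiguration:
        AwsvpcConfiguration:
          Subnets: !Ref PrivateSubnetIds
          SecurityGroups: [!Ref AppTaskSg]       # option E: security group applied to the tasks
          AssignPublicIp: DISABLED
```

Because the security group and IAM role are bound per task rather than per instance, two services on the same EC2 host can carry different network rules and different permissions, which is the granularity options A and C lack.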