Q66 — AWS DVA-C02 Ch.1

Question 66 of 100

Two containerized microservices are hosted on Amazon EC2 using Amazon ECS. The first microservice reads from an Amazon RDS Aurora database instance; the second microservice reads from an Amazon DynamoDB table. How should least-privilege permissions be granted to each microservice?

Correct Answer: C. Set ECS_ENABLE_TASK_IAM_ROLE to true in the ECS agent configuration file at EC2 instance launch. Run the first microservice as an ECS task with an IAM role granting read-only access to the Aurora database. Run the second microservice as an ECS task with an IAM role granting read-only access to DynamoDB.

Explanation

To grant least-privilege permissions to the two microservices, setting ECS_ENABLE_TASK_IAM_ROLE to true in the ECS agent configuration lets the agent supply credentials per task, so each task definition can carry its own IAM task role instead of sharing the instance's credentials. Assigning a dedicated IAM role with Aurora read-only permissions to the first ECS task and a separate IAM role with DynamoDB read-only permissions to the second ECS task gives each service exactly the access it needs and nothing more. Option A disables task IAM roles, which prevents this per-task delegation. Options B and D attach broad permissions to the EC2 instance profile; because every container running on that instance can obtain the instance profile's credentials, each microservice would inherit the other's access, violating least privilege. Therefore, option C is correct.