Q66 — AWS DVA-C02 Ch.1
Two containerized microservices are hosted on Amazon EC2 using Amazon ECS. The first microservice reads from an Amazon RDS Aurora database instance; the second microservice reads from an Amazon DynamoDB table. How should least-privilege permissions be granted to each microservice?
- A. Set ECS_ENABLE_TASK_IAM_ROLE to false in the ECS agent configuration file at EC2 instance launch. Run the first microservice as an ECS task with an IAM role granting read-only access to the Aurora database. Run the second microservice as an ECS task with an IAM role granting read-only access to DynamoDB.
- B. Set ECS_ENABLE_TASK_IAM_ROLE to false in the ECS agent configuration file at EC2 instance launch. Grant the EC2 instance profile role read-only access to both the Aurora database and DynamoDB.
- C. Set ECS_ENABLE_TASK_IAM_ROLE to true in the ECS agent configuration file at EC2 instance launch. Run the first microservice as an ECS task with an IAM role granting read-only access to the Aurora database. Run the second microservice as an ECS task with an IAM role granting read-only access to DynamoDB. ✓
- D. Set ECS_ENABLE_TASK_IAM_ROLE to true in the ECS agent configuration file at EC2 instance launch. Grant the EC2 instance profile role read-only access to both the Aurora database and DynamoDB.
Correct Answer: C. Set ECS_ENABLE_TASK_IAM_ROLE to true in the ECS agent configuration file at EC2 instance launch. Run the first microservice as an ECS task with an IAM role granting read-only access to the Aurora database. Run the second microservice as an ECS task with an IAM role granting read-only access to DynamoDB.
Explanation
Setting ECS_ENABLE_TASK_IAM_ROLE to true in the ECS agent configuration enables task-level IAM roles, so each ECS task can assume its own role instead of inheriting the permissions of the EC2 instance profile shared by every container on the instance. Assigning a dedicated IAM role with Aurora read-only permissions to the first ECS task and a separate IAM role with DynamoDB read-only permissions to the second ECS task gives each microservice exactly the access it needs and nothing more. Option A disables task IAM roles, so the per-task roles it describes would not be honored by the ECS agent. Options B and D grant access to both data stores through the EC2 instance profile, which every task on the instance shares, violating least privilege. Therefore, option C is correct.