Questions 22 to 24

Explanations for questions 22 to 24


Question 22

An application running on an Amazon ECS container instance using the EC2 launch type needs permissions to write data to Amazon DynamoDB.

How can you assign these permissions only to the specific ECS task that is running the application?

  1. Create an IAM policy with permissions to DynamoDB, and attach it to the container instance.
  2. Create an IAM policy with permissions to DynamoDB, and assign it to a task using the taskRoleArn parameter.
  3. Use a security group to allow outbound connections to DynamoDB, and assign it to the container instance.
  4. Modify the AmazonECSTaskExecutionRolePolicy policy to add permissions for DynamoDB.

Correct Answer: 2

Explanation: To specify permissions for a specific task on Amazon ECS, you should use IAM Roles for Tasks. The permissions policy is attached to an IAM task role, which can be assigned to tasks when creating the task definition or supplied as an IAM task role override when running the task via the AWS CLI or SDKs. The taskRoleArn parameter specifies that task role, and with it the policy the task receives.

INCORRECT: “Create an IAM policy with permissions to DynamoDB, and attach it to the container instance.” is incorrect. You should not apply the permissions to the container instance as they will then apply to all tasks running on the instance as well as to the instance itself.

CORRECT: “Create an IAM policy with permissions to DynamoDB, and assign it to a task using the taskRoleArn parameter.” is the correct answer.

INCORRECT: “Use a security group to allow outbound connections to DynamoDB, and assign it to the container instance.” is incorrect. Although you will need a security group to allow outbound connections to DynamoDB, the question is asking how to assign permissions to write data to DynamoDB, and a security group cannot provide those permissions.

INCORRECT: “Modify the AmazonECSTaskExecutionRolePolicy policy to add permissions for DynamoDB.” is incorrect. The AmazonECSTaskExecutionRolePolicy policy is the managed policy for the Task Execution IAM Role. That role is used by the container agent so it can pull container images, write log files, etc., not by the application code inside the task.
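As an added example (not code from the original page or from AWS), here is what option 2 looks like in practice, assuming constructed account, region, table and role names: the task role's trust policy, a least-privilege DynamoDB write policy, the task definition carrying taskRoleArn, and a check function that flags the mistakes the other options would lead to.

```python
# Added example, not from the original page: the pieces behind option 2 as
# Python dicts plus a check that DynamoDB access is scoped to the task, not the
# container instance. Account ID, region, table and role names are placeholders.

TASK_ROLE_ARN = "arn:aws:iam::123456789012:role/orders-writer-task-role"
EXEC_ROLE_ARN = "arn:aws:iam::123456789012:role/ecsTaskExecutionRole"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"

# Trust policy for the task role: only the ECS tasks service may assume it.
TASK_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "ecs-tasks.amazonaws.com"}}],
}

# Permissions policy attached to the task role: write actions, one table.
DYNAMODB_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": TABLE_ARN,
                   "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem",
                              "dynamodb:BatchWriteItem"]}],
}

# Task definition: taskRoleArn carries the app's permissions, while
# executionRoleArn stays the agent's image-pull / log-write role.
TASK_DEFINITION = {
    "family": "orders-writer",
    "requiresCompatibilities": ["EC2"],
    "taskRoleArn": TASK_ROLE_ARN,
    "executionRoleArn": EXEC_ROLE_ARN,
    "containerDefinitions": [{"name": "app", "image": "example/app:1.0",
                              "memory": 256}],
}

def task_role_findings(task_def, trust_policy, policy):
    """Return reasons the task-scoped setup is unsound (empty list if sound)."""
    findings = []
    if not task_def.get("taskRoleArn"):
        findings.append("no taskRoleArn: app falls back to the instance role")
    elif task_def["taskRoleArn"] == task_def.get("executionRoleArn"):
        findings.append("taskRoleArn reuses the execution role")
    services = {s.get("Principal", {}).get("Service") for s in trust_policy["Statement"]}
    if services != {"ecs-tasks.amazonaws.com"}:
        findings.append("trust policy must name only ecs-tasks.amazonaws.com")
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Resource") == "*" or any(a.endswith("*") for a in actions):
            findings.append("wildcard action or resource in task policy")
    return findings
```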

References:

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
