AWS Certified Developer – Associate (DVA-C02) — Question 512

Two containerized microservices are hosted on Amazon EC2 ECS. The first microservice reads an Amazon RDS Aurora database instance, and the second microservice reads an Amazon DynamoDB table.

How can each microservice be granted the minimum privileges?

Answer options

• A. Set ECS_ENABLE_TASK_IAM_ROLE to false on EC2 instance boot in ECS agent configuration file. Run the first microservice with an IAM role for ECS tasks with read-only access for the Aurora database. Run the second microservice with an IAM role for ECS tasks with read-only access to DynamoDB.
• B. Set ECS_ENABLE_TASK_IAM ROLE to false on EC2 instance boot in the ECS agent configuration file. Grant the instance profile role read-only access to the Aurora database and DynamoDB.
• C. Set ECS_ENABLE_TASK_IAM ROLE to true on EC2 instance boot in the ECS agent configuration file. Run the first microservice with an IAM role for ECS tasks with read-only access for the Aurora database. Run the second microservice with an IAM role for ECS tasks with read-only access to DynamoDB.
• D. Set ECS_ENABLE_TASK_IAM_ROLE to true on EC2 instance boot in the ECS agent configuration file. Grant the instance profile role read-only access to the Aurora database and DynamoDB.

Correct answer: C

Explanation

To implement the principle of least privilege for ECS tasks on EC2, ECS_ENABLE_TASK_IAM_ROLE must be set to true in the ECS agent configuration to allow tasks to assume their own specific IAM roles. Assigning unique IAM roles to each task ensures that the Aurora-reading microservice and the DynamoDB-reading microservice only have access to their respective resources. Using the EC2 instance profile role for both services would violate least privilege by granting both containers access to both data stores.