AWS Certified Developer – Associate — Question 406
A developer is testing a Docker-based application that uses the AWS SDK to interact with Amazon DynamoDB. In the local development environment, the application has been using IAM access keys. The application is now ready for deployment onto an ECS cluster.
How should the application authenticate with AWS services in production?
Answer options
- A. Configure an ECS task IAM role for the application to use.
- B. Refactor the application to call AWS STS AssumeRole based on an instance role.
- C. Configure AWS access key/secret access key environment variables with new credentials.
- D. Configure the credentials file with a new access key/secret access key.
Correct answer: A
Explanation
Using an ECS task IAM role is the AWS-recommended best practice for granting permissions to ECS containers: the role is scoped to the task (not to the underlying instance), its policy can be limited to the DynamoDB actions the application needs, and it supplies short-lived, automatically rotated credentials, so no long-lived secrets have to be created, distributed or rotated by hand. Hardcoding IAM access keys, passing them through environment variables, or placing them in a credentials file (options C and D) bakes long-lived secrets into the container or its configuration, where they can be leaked through images, logs or task definitions, and is not recommended for production. Refactoring the application to call STS AssumeRole against an instance role (option B) is unnecessary and broadens exposure, because an instance role is shared by every task on the host, whereas with a task role attached the AWS SDK's default credential provider chain retrieves the temporary credentials automatically with no code changes.