AWS Certified Solutions Architect – Associate (SAA-C02) — Question 141
A company runs an application using Amazon ECS. The application creates resized versions of an original image and then makes Amazon S3 API calls to store the resized images in Amazon S3. How can a solutions architect ensure that the application has permission to access Amazon S3?
Answer options
- A. Update the S3 role in AWS IAM to allow read/write access from Amazon ECS, and then relaunch the container.
- B. Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition.
- C. Create a security group that allows access from Amazon ECS to Amazon S3, and update the launch configuration used by the ECS cluster.
- D. Create an IAM user with S3 permissions, and then relaunch the Amazon EC2 instances for the ECS cluster while logged in as this account.
Correct answer: B
Explanation
The correct answer is B: when an IAM role with S3 permissions is specified as the taskRoleArn in the task definition, the ECS task automatically assumes that role and obtains the necessary permissions. Option A does not use the task role concept correctly. Option C incorrectly suggests a security group, which does not control access to S3. Option D is unsuitable because IAM users are not meant to be used for ECS tasks, and relaunching EC2 instances does not grant permissions to the ECS application.