AWS Certified Solutions Architect – Associate (SAA-C02) — Question 799
A company manages and runs a critical data management application in containers that are hosted on Amazon Elastic Container Service (Amazon ECS). The application has endpoints that are exposed through Application Load Balancers (ALBs). The application uses an Amazon Elastic File System (Amazon EFS) file system mount for persistent data storage. The company has configured Amazon ECS to use a minimal IAM instance role.
Which combination of actions should a solutions architect take to improve the overall security posture of the application? (Choose two.)
Answer options
- A. Decompose the Amazon ECS IAM instance role. Use only ECS task roles.
- B. Enable EFS encryption in transit to protect data that is being written to Amazon EFS.
- C. Use AWS Config to define patch management policies on the container instances.
- D. Use Amazon Macie integration with Amazon EFS to monitor and protect sensitive information in the file system.
- E. Use Amazon GuardDuty to authenticate data access between the ALBs and the container instances.
Correct answer: B, C
Explanation
Enabling encryption in transit for Amazon EFS ensures that all data moving between the Amazon ECS containers and the storage layer is encrypted, preventing unauthorized interception on the network path. Using AWS Config allows the organization to define and track compliance with patch management policies on the container instances, so the host environments remain protected against known vulnerabilities. The other services do not fit: Amazon Macie does not natively integrate with Amazon EFS for direct file system scanning, and Amazon GuardDuty is a threat detection service rather than a mechanism for authenticating traffic between the ALBs and the container instances.