AWS Certified Solutions Architect – Associate (SAA-C03) — Question 184

A company runs an application using Amazon ECS. The application creates resized versions of an original image and then makes Amazon S3 API calls to store the resized images in Amazon S3.

How can a solutions architect ensure that the application has permission to access Amazon S3?

Answer options

• A. Update the S3 role in AWS IAM to allow read/write access from Amazon ECS, and then relaunch the container.
• B. Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition.
• C. Create a security group that allows access from Amazon ECS to Amazon S3, and update the launch configuration used by the ECS cluster.
• D. Create an IAM user with S3 permissions, and then relaunch the Amazon EC2 instances for the ECS cluster while logged in as this account.

Correct answer: B

Explanation

The correct answer is B because assigning an IAM role with appropriate S3 permissions as taskRoleArn in the task definition allows the ECS tasks to access S3 directly. Option A is incorrect because updating the S3 role alone does not grant permissions to the ECS tasks. Option C is not valid since security groups do not control access to S3, and option D is incorrect as IAM users are not the appropriate method for granting permissions to ECS tasks.