AWS Certified Solutions Architect – Professional (SAP-C02) — Question 371

A company wants to migrate its website from an on-premises data center onto AWS. At the same time, it wants to migrate the website to a containerized microservice-based architecture to improve the availability and cost efficiency. The company’s security policy states that privileges and network permissions must be configured according to best practice, using least privilege.

A solutions architect must create a containerized architecture that meets the security requirements and has deployed the application to an Amazon ECS cluster.

What steps are required after the deployment to meet the requirements? (Choose two.)

Answer options

• A. Create tasks using the bridge network mode.
• B. Create tasks using the awsvpc network mode.
• C. Apply security groups to Amazon EC2 instances, and use IAM roles for EC2 instances to access other resources.
• D. Apply security groups to the tasks, and pass IAM credentials into the container at launch time to access other resources.
• E. Apply security groups to the tasks, and use IAM roles for tasks to access other resources.

Correct answer: B, E

Explanation

Using the awsvpc network mode allows each Amazon ECS task to receive its own elastic network interface (ENI) and dedicated private IP address, enabling granular network access control via security groups at the task level rather than sharing the host's network. To implement the principle of least privilege for IAM permissions, using IAM roles for tasks ensures that each containerized microservice only has the specific permissions it needs, whereas using EC2 instance roles or passing hardcoded credentials violates security best practices.