AWS Certified Solutions Architect – Professional — Question 912

A company wants to migrate its website from an on-premises data center onto AWS. At the same time, it wants to migrate the website to a containerized microservice-based architecture to improve the availability and cost efficiency. The company's security policy states that privileges and network permissions must be configured according to best practice, using least privilege.
A Solutions Architect must create a containerized architecture that meets the security requirements and has deployed the application to an Amazon ECS cluster.
What steps are required after the deployment to meet the requirements? (Choose two.)

Answer options

• A. Create tasks using the bridge network mode.
• B. Create tasks using the awsvpc network mode.
• C. Apply security groups to Amazon EC2 instances, and use IAM roles for EC2 instances to access other resources.
• D. Apply security groups to the tasks, and pass IAM credentials into the container at launch time to access other resources.
• E. Apply security groups to the tasks, and use IAM roles for tasks to access other resources.

Correct answer: B, E

Explanation

To achieve least privilege network control, using the awsvpc network mode is required because it allocates a dedicated ENI to each task, allowing security groups to be applied directly at the task level rather than the instance level. For access control, IAM roles for tasks should be used so that each task is granted only the specific permissions it needs to interact with other AWS services. Applying security groups to the EC2 host instances or passing hardcoded IAM credentials directly into containers violates security best practices and fails to meet the least privilege requirement.