AWS Certified Solutions Architect - Professional

A company is planning to migrate its website from an on-premises data center to AWS and adopt a containerized microservice architecture to enhance availability and cost efficiency. The company's security policy mandates that privileges and network permissions be configured using the principle of least privilege. A solutions architect needs to design a containerized architecture that adheres to these security requirements and has already deployed the application on an Amazon ECS cluster. What post-deployment steps are necessary to fulfill the security requirements? (Select two options.)





Explanation:

The correct answers are B and E. Option B, 'Create tasks using the awsvpc network mode,' is correct because the awsvpc network mode gives each task its own elastic network interface, which provides the network isolation the security policy calls for. Option E, 'Apply security groups to the tasks and employ IAM roles for tasks to access other AWS resources,' is correct because security groups attached to tasks control network traffic at the task level, and IAM roles for tasks assign permissions directly to each task, satisfying the principle of least privilege. Option C is incorrect because applying security groups to the EC2 instances and using IAM roles for the instances does provide security controls, but not the fine-grained control achievable by attaching roles to tasks directly. Option D is also incorrect because passing IAM credentials into the container is not recommended: it can expose sensitive information and does not follow AWS security best practices.
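As an added example (not part of the original question or explanation), the following Python linter checks an ECS task definition and a service network configuration for the settings the explanation describes: awsvpc network mode, a task-level IAM role, task-level security groups, and no static AWS credentials passed into the container. The sample task definitions, ARNs, security group IDs and subnet IDs are constructed placeholders, and the set of checks is an assumption about what a reviewer would look for; it is not an AWS tool or API.

```python
"""Least-privilege lint for ECS task definitions and service network configs.

Checks the points raised in the explanation above:
  - networkMode must be awsvpc so each task gets its own ENI
  - taskRoleArn must be set so permissions are scoped per task, not per host
  - no static AWS credentials may be passed in via container environment
  - the service must attach task-level security groups
All sample inputs below are constructed placeholders, not real resources.
"""
import re

# Access key IDs start with AKIA (long-term) or ASIA (temporary) followed by 16 chars.
ACCESS_KEY_ID_RE = re.compile(r"(AKIA|ASIA)[0-9A-Z]{16}")
CREDENTIAL_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}


def lint_task_definition(task_def: dict) -> list[str]:
    """Return a list of findings for a task definition dict (empty list = clean)."""
    findings = []
    if task_def.get("networkMode") != "awsvpc":
        findings.append(
            "networkMode is not awsvpc: tasks share the host network interface "
            "and cannot be given their own security groups"
        )
    if not task_def.get("taskRoleArn"):
        findings.append(
            "taskRoleArn missing: containers fall back to the instance role, "
            "which every task on that host shares"
        )
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            name = env.get("name", "")
            value = env.get("value", "")
            if name in CREDENTIAL_ENV_NAMES or ACCESS_KEY_ID_RE.fullmatch(value):
                findings.append(
                    f"container {container.get('name')}: static AWS credential "
                    f"passed via environment variable {name}"
                )
    return findings


def lint_service_network(network_config: dict) -> list[str]:
    """Return findings for a service's networkConfiguration dict."""
    awsvpc = network_config.get("awsvpcConfiguration", {})
    findings = []
    if not awsvpc.get("securityGroups"):
        findings.append(
            "no task-level security groups: the task inherits the VPC default "
            "security group instead of a least-privilege rule set"
        )
    return findings


# Constructed "before" configuration: bridge mode, instance-role fallback,
# and long-term credentials injected through the environment (option D).
WEAK_TASK_DEF = {
    "family": "web-weak",
    "networkMode": "bridge",
    "containerDefinitions": [
        {
            "name": "web",
            "image": "placeholder-registry/web:1.0",
            "environment": [
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAPLACEHOLDER00000"},
                {"name": "AWS_SECRET_ACCESS_KEY", "value": "placeholder-secret"},
                {"name": "UPLOADER_KEY", "value": "ASIAPLACEHOLDER00000"},
                {"name": "APP_ENV", "value": "prod"},
            ],
        }
    ],
}

# Constructed "after" configuration: awsvpc mode and a task role (options B and E).
HARDENED_TASK_DEF = {
    "family": "web-hardened",
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/placeholder-web-task-role",
    "executionRoleArn": "arn:aws:iam::123456789012:role/placeholder-ecs-exec-role",
    "containerDefinitions": [
        {
            "name": "web",
            "image": "placeholder-registry/web:1.0",
            "environment": [{"name": "APP_ENV", "value": "prod"}],
        }
    ],
}

WEAK_SERVICE_NETWORK = {
    "awsvpcConfiguration": {"subnets": ["subnet-placeholder"], "securityGroups": []}
}
HARDENED_SERVICE_NETWORK = {
    "awsvpcConfiguration": {
        "subnets": ["subnet-placeholder"],
        "securityGroups": ["sg-placeholder-web-task"],
    }
}

if __name__ == "__main__":
    for label, td, net in (
        ("weak", WEAK_TASK_DEF, WEAK_SERVICE_NETWORK),
        ("hardened", HARDENED_TASK_DEF, HARDENED_SERVICE_NETWORK),
    ):
        print(f"== {label} ==")
        for finding in lint_task_definition(td) + lint_service_network(net):
            print(" -", finding)
```

The weak task definition produces one finding per issue (network mode, missing task role, and one per injected credential, including the one whose name does not look like an AWS variable but whose value matches an access key ID pattern), while the hardened definition and service network produce none.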