
Answer-first summary for fast verification
Answer: Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition.
## Explanation

**Correct Answer: B** - Create an IAM role with S3 permissions, and then specify that role as the `taskRoleArn` in the task definition.

**Why this is correct:**

1. **IAM roles for ECS tasks**: In Amazon ECS, the proper way to grant AWS permissions to code running in a container is an IAM role referenced from the task definition through the `taskRoleArn` parameter. The role's trust policy must allow the `ecs-tasks.amazonaws.com` service principal to assume it.
2. **Task execution role vs. task role**: The task execution role (`executionRoleArn`) is used by the ECS agent to pull images from Amazon ECR and to ship logs; the task role (`taskRoleArn`) is what grants permissions to the application running inside the container. Only the task role matters for the application's own S3 API calls.
3. **Best practice**: Using IAM roles instead of IAM users, and attaching permissions at the task level rather than the instance level, follows AWS security guidance. Each task receives short-lived credentials scoped to its own needs, and tasks sharing an instance do not inherit each other's permissions.

**Why the other options are incorrect:**

**A**: "Update the S3 role in AWS IAM to allow read/write access from Amazon ECS, and then relaunch the container."
- There is no such thing as an "S3 role": S3 does not have roles, IAM does.
- Relaunching the container does nothing to attach permissions to the ECS task.

**C**: "Create a security group that allows access from Amazon ECS to Amazon S3, and update the launch configuration used by the ECS cluster."
- Security groups control network traffic, not API authorization.
- S3 access is authorized by IAM permissions; a reachable HTTPS path to S3 is necessary but grants no permissions by itself.

**D**: "Create an IAM user with S3 permissions, and then relaunch the Amazon EC2 instances for the ECS cluster while logged in as this account."
- Long-lived IAM user credentials for applications are not a best practice.
- The access keys would have to be stored and managed on the instances or in the container, creating leakage and rotation risks.
- Relaunching instances while logged in as that user does not pass the user's permissions to the instances or the tasks; it is both inefficient and insecure.

**Key AWS concepts:**

- **IAM roles**: Provide temporary credentials to AWS services and applications.
- **ECS task roles**: Allow the containers in a task to make AWS API calls with credentials scoped to that task.
- **Least privilege**: Grant only the S3 permissions the application needs (e.g., `s3:GetObject` and `s3:PutObject` on the specific bucket), not `s3:*` on all resources.
- **No S3-specific network rules needed**: S3 calls are ordinary outbound HTTPS requests to public endpoints, so no security group rule for S3 is required (a VPC endpoint can be used for private access). Network reachability and IAM authorization are separate controls; only the latter answers this question.
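To make the distinction between the task role, the execution role and least-privilege S3 access concrete, here is an added example (not from the quiz page) that lints a task definition and the task role's IAM documents for the pattern in answer B. All ARNs, role names and the bucket name are constructed placeholders.

```python
"""Lint an ECS task definition and its task-role IAM documents for the
S3-access pattern of answer B (constructed example; placeholder ARNs)."""
import json

ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"

# Constructed task definition: the task role grants the app its S3 access,
# the execution role only lets the ECS agent pull the image and ship logs.
TASK_DEFINITION = {
    "family": "image-resizer",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "taskRoleArn": "arn:aws:iam::123456789012:role/ImageResizerTaskRole",
    "containerDefinitions": [{"name": "resizer", "image": "resizer:1"}],
}

# Trust policy the task role needs: only ECS tasks may assume it.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": ECS_TASKS_PRINCIPAL},
    "Action": "sts:AssumeRole"}]}

# Least-privilege permissions: read originals, write resized objects, one bucket.
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-images-bucket/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_task_role(taskdef, trust_policy, permissions_policy):
    """Return a list of findings; an empty list means the setup matches answer B."""
    findings = []
    task_role = taskdef.get("taskRoleArn")
    if not task_role:
        findings.append("taskRoleArn missing: containers get no task-scoped credentials")
    elif task_role == taskdef.get("executionRoleArn"):
        findings.append("taskRoleArn equals executionRoleArn: app inherits agent permissions")
    for st in trust_policy.get("Statement", []):
        services = _as_list(st.get("Principal", {}).get("Service", []))
        if st.get("Effect") == "Allow" and services != [ECS_TASKS_PRINCIPAL]:
            findings.append(f"trust policy allows unexpected principal(s): {services}")
    for st in permissions_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"wildcard S3 actions granted: {actions}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append("S3 permissions not scoped to a bucket (Resource '*')")
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_task_role(TASK_DEFINITION, TRUST_POLICY, PERMISSIONS_POLICY)))
```

Run against a real task definition exported with `aws ecs describe-task-definition` and the role's `get-role` / `get-role-policy` output, the same checks flag the misconfigurations that options A, C and D would leave in place.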
Author: LeetQuiz Editorial Team
A company runs an application using Amazon ECS. The application creates resized versions of an original image and then makes Amazon S3 API calls to store the resized images in Amazon S3. How can a solutions architect ensure that the application has permission to access Amazon S3?
A. Update the S3 role in AWS IAM to allow read/write access from Amazon ECS, and then relaunch the container.

B. Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition.

C. Create a security group that allows access from Amazon ECS to Amazon S3, and update the launch configuration used by the ECS cluster.

D. Create an IAM user with S3 permissions, and then relaunch the Amazon EC2 instances for the ECS cluster while logged in as this account.