
Question:
A healthcare analytics startup runs its microservices on Amazon ECS using the EC2 launch type, and it stores all container images in Amazon ECR. The security team wants to ensure that only authorized ECS tasks can pull images from ECR. What is the most appropriate way to secure the interaction between ECS and ECR?

A. Configure VPC interface endpoints for Amazon ECR so ECS can reach ECR without using the internet
B. Enable AWS Shield Advanced to block unauthorized access to the ECR registry
C. Attach an IAM policy that allows required ECR pull actions to the ECS task execution role and set that role in the task definition
D. Turn on Amazon ECR image scanning on push to restrict who can download images

Correct answer: C

Explanation:
Option C (attach an IAM policy that allows the required ECR pull actions to the ECS task execution role and set that role in the task definition) is correct because ECS uses the task execution role to call ecr:GetAuthorizationToken, ecr:BatchGetImage, and related actions: it first obtains an authorization token and then pulls the image from ECR. Granting these permissions to the execution role ensures that only tasks with that role can retrieve images.

Option A (configure VPC interface endpoints for Amazon ECR) is not sufficient. PrivateLink provides private connectivity, but it does not enforce which principals are allowed to pull images from ECR.

Option B (enable AWS Shield Advanced) is incorrect because Shield addresses DDoS protection and does not implement IAM-based authorization for ECR pulls.

Option D (turn on Amazon ECR image scanning on push) is incorrect because image scanning is a vulnerability assessment feature and does not control access permissions to pull images.

When the question is about who can pull images from ECR, think IAM and the ECS task execution role. Private connectivity and scanning features improve security posture but do not enforce authorization.
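The following CloudFormation fragment is an added illustration of the correct answer and is not part of the original question page. It shows a task execution role that grants only the ECR pull actions named in the explanation, scoped to a single repository, and a task definition that references that role through ExecutionRoleArn. The account ID, region, repository name, image tag, and resource names are placeholder values chosen for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not from the original page) - ECS task execution role limited to pulling from one ECR repository

Parameters:
  RepositoryArn:
    Type: String
    Description: ARN of the ECR repository the tasks may pull from (placeholder value)
    Default: arn:aws:ecr:us-east-1:111111111111:repository/analytics-api

Resources:
  TaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # Only the ECS service acting on behalf of a task may assume this role
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: EcrPullOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # GetAuthorizationToken is registry-wide and cannot be restricted to one repository
              - Effect: Allow
                Action: ecr:GetAuthorizationToken
                Resource: "*"
              # The actions that actually fetch layers and manifests are scoped to the one repository
              - Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                Resource: !Ref RepositoryArn

  AnalyticsTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: analytics-api
      RequiresCompatibilities:
        - EC2
      # Setting the execution role in the task definition is what ties the pull permission to this task
      ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn
      ContainerDefinitions:
        - Name: api
          Image: 111111111111.dkr.ecr.us-east-1.amazonaws.com/analytics-api:1.0.0
          Memory: 512
```

Two points worth checking in a real deployment. First, the execution role is distinct from the task role: the execution role is used by the ECS agent to pull the image and ship logs, while the task role holds whatever credentials the application itself needs at runtime, so ECR pull permissions belong on the former only. Second, with the EC2 launch type the container instance role is used for image pulls when a task definition has no execution role, and the managed policy commonly attached to that instance role (AmazonEC2ContainerServiceforEC2Role) already includes ECR pull actions; if the goal is that only tasks carrying the execution role can pull, the instance role should not also carry broad ECR pull permissions.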