
Question:
A healthcare analytics startup runs its microservices on Amazon ECS using the EC2 launch type, and it stores all container images in Amazon ECR. The security team wants to ensure that only authorized ECS tasks can pull images from ECR. What is the most appropriate way to secure the interaction between ECS and ECR?

A. Configure VPC interface endpoints for Amazon ECR so ECS can reach ECR without using the internet
B. Enable AWS Shield Advanced to block unauthorized access to the ECR registry
C. Attach an IAM policy that allows required ECR pull actions to the ECS task execution role and set that role in the task definition
D. Turn on Amazon ECR image scanning on push to restrict who can download images

Explanation:
Attaching an IAM policy that grants the required ECR actions (GetAuthorizationToken, BatchGetImage) to the ECS task execution role, and referencing that role in the task definition, ensures that only authorized tasks can pull images. VPC interface endpoints provide private network connectivity to ECR but do not perform authorization. AWS Shield Advanced protects against DDoS attacks, not unauthorized registry access. Image scanning on push detects vulnerabilities in images; it does not control who can download them.