Question #928
A company is deploying a containerized application on Amazon ECS. They need to follow security best practices, including least privilege for permissions and network access. Which configurations should be implemented? (Choose two.)
A. Use bridge network mode and assign IAM roles to EC2 instances.
B. Use awsvpc network mode and apply security groups to tasks.
C. Assign security groups to EC2 instances and pass IAM credentials to containers.
D. Use IAM roles for tasks and apply security groups to tasks.
E. Use host network mode and assign IAM roles to EC2 instances.
Explanation
Answer B (awsvpc network mode with security groups on tasks) gives each task its own elastic network interface, so security groups can be applied per task rather than per instance, enabling granular network control. Answer D (IAM roles for tasks) scopes permissions to the individual task, so containers receive only the permissions their task needs instead of inheriting an over-privileged EC2 instance role.
Other options are incorrect: A and E rely on EC2-level IAM roles (shared by every task on the instance, not task-specific) and on network modes (bridge/host) where tasks share the instance's network interface, so security groups cannot be scoped per task. Option C suggests passing IAM credentials directly to containers, which is insecure (static credentials that can leak and are hard to rotate) compared with using roles. Key points: always use task-specific IAM roles and awsvpc mode for network isolation to enforce least privilege in ECS.
Answer
The correct answer is: BD