
You have Docker containers that are going to be deployed in the AWS Elastic Container Service. You need to ensure that the underlying EC2 instances hosting the containers cannot access each other (since containers may be used by different customers).

How can you accomplish this?

1 Answer

Answer - D.

Q: How does Amazon ECS isolate containers belonging to different customers?

Amazon ECS schedules containers for execution on customer-controlled Amazon EC2 instances or with AWS Fargate and builds on the same isolation controls and compliance available for EC2 customers.

Your compute instances are located in a Virtual Private Cloud (VPC) with an IP range that you specify.

You decide which instances are exposed to the Internet and which remain private.

Your EC2 instances use an IAM role to access the ECS service.

Your ECS tasks use an IAM role to access services and resources.

Security Groups and network ACLs allow you to control inbound and outbound network access to and from your instances.

You can connect your existing IT infrastructure to resources in your VPC using industry-standard encrypted IPsec VPN connections.

You can provision your EC2 resources as Dedicated Instances.

Dedicated Instances are Amazon EC2 Instances that run on hardware dedicated to a single customer for additional isolation.

Option A is incorrect since the roles need to be assigned on the task level.

Options B and C are incorrect since access keys are not the ideal security practice.

...
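An added example, not part of the original answer: one way to audit the security-group control mentioned above is to flag ingress rules that would let one container host reach another. The group IDs, the VPC range and the sample rules are constructed; the field names follow the JSON shape of `aws ec2 describe-security-groups`, and only IPv4 ranges are checked.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
VPC_CIDR = "10.0.0.0/16"  # assumed VPC range for the container hosts
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [          # external HTTPS only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [          # self-referencing rule
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [          # SSH from a range covering the VPC
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
]


def peer_reachable_rules(groups, host_group_ids, vpc_cidr):
    """Return (group_id, reason) for ingress rules that let container hosts reach each other.

    A rule is flagged when its source is a security group attached to the hosts
    (including the group itself) or an IPv4 range overlapping the VPC range.
    The CIDR test is deliberately coarse: any overlap with the VPC is reported.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    hosts = set(host_group_ids)
    findings = []
    for group in groups:
        gid = group["GroupId"]
        if gid not in hosts:
            continue
        for perm in group.get("IpPermissions", []):
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") in hosts:
                    findings.append((gid, f"allows source group {pair['GroupId']}"))
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if net.overlaps(vpc):
                    findings.append((gid, f"allows CIDR {rng['CidrIp']} overlapping VPC"))
    return findings


if __name__ == "__main__":
    for gid, reason in peer_reachable_rules(
            SAMPLE_GROUPS, ["sg-0aaa", "sg-0bbb", "sg-0ccc"], VPC_CIDR):
        print(gid, reason)
```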