Correct Answer: A.
The statement is false because containers running on your container instances are not prevented from accessing the credentials supplied to the container instance profile.
Incorrect Answers:
Options B, C, and D are incorrect answers because they are true in this context.
References:
https://amzn.to/2Xv7vTg
Sure, I'd be happy to provide a detailed explanation of the answer choices and the context in which they are presented.
The scenario presented in this question involves using IAM roles for Amazon ECS tasks to sign AWS API requests with AWS credentials. IAM roles for Amazon ECS tasks provide an easy way to manage AWS credentials for tasks that run on Amazon Elastic Container Service (Amazon ECS) by using IAM roles to delegate permission to make API requests.
Let's look at each answer choice:
A. Containers that are running on your container instances are prevented accordingly from accessing the credentials that are supplied to the container instance profile.
This statement is true. When you use IAM roles for Amazon ECS tasks, the credentials are available to the task, but not to the container instance itself. This means that containers running on the instance cannot access the credentials directly.
B. It is recommended to limit the permissions in your container instance role to the minimal list of permissions in AmazonEC2ContainerServiceforEC2Role role e.g. ecs:CreateCluster, ecr:GetAuthorizationToken.
This statement is also true. When you create an IAM role for your Amazon ECS tasks, you should follow the principle of least privilege and limit the permissions to the minimum required to perform the necessary tasks. The AmazonEC2ContainerServiceforEC2Role role contains the minimum set of permissions required by Amazon ECS to manage containers on your behalf.
C. Set the ECS_AWSVPC_BLOCK_IMDS agent configuration variable to true in the agent configuration file and restart the agent to protect credential information supplied to the container instance profile.
This statement is true. The ECS_AWSVPC_BLOCK_IMDS agent configuration variable can be set to true to block access to the instance metadata service (IMDS) from within a task. This helps to protect credentials supplied to the container instance profile from being accessed by unauthorized processes within the task.
D. You define the IAM role to use in your task definitions, or you can use a taskRoleArn override when running a task manually with the RunTask API operation.
This statement is also true. When you use IAM roles for Amazon ECS tasks, you can specify the IAM role to use for each task definition. Alternatively, you can use a taskRoleArn override when running a task manually with the RunTask API operation.
Therefore, the statement that is not true in this context is not present among the answer choices. All the statements are true and provide best practices and recommendations for using IAM roles for Amazon ECS tasks to securely manage AWS credentials.
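Added example, not part of the original question or its explanation: an offline audit of the two controls that options C and D describe. It parses an ECS agent configuration file to check whether ECS_AWSVPC_BLOCK_IMDS is set to true, and it works out which IAM role a task would run with (a RunTask overrides.taskRoleArn, else the task definition's taskRoleArn). The config text, task definitions and role ARNs are constructed samples, and the function names are this example's own rather than an AWS API.

```python
"""Audit two ECS credential-hardening controls from constructed inputs:
  1. /etc/ecs/ecs.config should set ECS_AWSVPC_BLOCK_IMDS=true so tasks in
     awsvpc network mode cannot reach the instance metadata service and read
     the container instance profile's credentials.
  2. Each task definition should carry a taskRoleArn; a manual RunTask call
     may supply one via overrides.taskRoleArn instead.
All inputs below are constructed samples; the ARNs are placeholders.
"""
from __future__ import annotations

# Constructed sample of the agent config file: one KEY=VALUE per line.
SAMPLE_ECS_CONFIG = """\
ECS_CLUSTER=prod-cluster
ECS_ENABLE_TASK_IAM_ROLE=true
# IMDS blocking deliberately left off on this constructed host
ECS_AWSVPC_BLOCK_IMDS=false
"""

# Constructed task definitions shaped like RegisterTaskDefinition input:
# the first carries a task role, the second omits it.
SAMPLE_TASK_DEFINITIONS = [
    {"family": "web", "networkMode": "awsvpc",
     "taskRoleArn": "arn:aws:iam::123456789012:role/web-task-role",  # placeholder
     "containerDefinitions": [{"name": "web", "image": "example/web:1"}]},
    {"family": "batch", "networkMode": "awsvpc",
     "containerDefinitions": [{"name": "batch", "image": "example/batch:1"}]},
]


def parse_ecs_config(text: str) -> dict[str, str]:
    """Parse the agent's KEY=VALUE file, ignoring blank lines and # comments."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def imds_blocked(settings: dict[str, str]) -> bool:
    """True only when ECS_AWSVPC_BLOCK_IMDS is explicitly set to true (case-insensitive)."""
    return settings.get("ECS_AWSVPC_BLOCK_IMDS", "false").lower() == "true"


def effective_task_role(task_def: dict, overrides: dict | None = None) -> str | None:
    """Role the task would run with: a RunTask overrides.taskRoleArn wins,
    otherwise the task definition's taskRoleArn, otherwise None."""
    if overrides and overrides.get("taskRoleArn"):
        return overrides["taskRoleArn"]
    return task_def.get("taskRoleArn")


def audit(config_text: str, task_defs: list[dict]) -> list[str]:
    """Return human-readable findings; an empty list means both controls hold."""
    findings: list[str] = []
    if not imds_blocked(parse_ecs_config(config_text)):
        findings.append("agent config: ECS_AWSVPC_BLOCK_IMDS is not true; awsvpc tasks "
                        "can still reach the instance profile credentials through IMDS")
    for td in task_defs:
        if effective_task_role(td) is None:
            findings.append(f"task definition {td['family']!r}: no taskRoleArn, so its "
                            "containers receive no task-scoped credentials")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ECS_CONFIG, SAMPLE_TASK_DEFINITIONS):
        print("FINDING:", finding)
    # A manual RunTask override supplies a role for the batch task (placeholder ARN).
    print(effective_task_role(SAMPLE_TASK_DEFINITIONS[1],
                              {"taskRoleArn": "arn:aws:iam::123456789012:role/batch-task-role"}))
```

Running the block as written reports two findings (IMDS not blocked, and the batch task definition lacking a task role); setting ECS_AWSVPC_BLOCK_IMDS=true in the config and adding a taskRoleArn to every task definition clears both.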