Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 158 discussion

The answer is B.

B taskRoleArn The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants containers in the task permission to call AWS APIs on your behalf.

Correct Answer B. Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition. Explanation The solutions architect can ensure that the application has permission to access Amazon S3 by following these steps: B. Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition. By creating an IAM role with the necessary permissions for accessing Amazon S3 and specifying that role as the taskRoleArn in the task definition, the ECS tasks launched by the application will assume this role and inherit the permissions. This allows the application to make the necessary Amazon S3 API calls to store the resized images. Option B is the correct solution for granting the application permission to access Amazon S3 in the context of Amazon ECS.

BBBBBBBBBB

Answer: B

I go with B. Resource-based policy is not working with ECS. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

It´s B. Perfect case for using IAM Role

B. Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition.

The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants containers in the task permission to call AWS APIs on your behalf. For more information, see Amazon ECS Task Role in the Amazon Elastic Container Service Developer Guide. TaskRoleArn - IAM roles for tasks on Windows require that the -EnableTaskIAMRole option is set when you launch the Amazon ECS-optimized Windows AMI. Your containers must also run some configuration code in order to take advantage of the feature. For more information, see Windows IAM roles for tasks in the Amazon Elastic Container Service Developer Guide. Link - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html

Can someone tell what is wrong with A?

C is wrong as the qn is about permissions D is wrong as it is not recommended to create IAM user A is wrong as the qn is asking about the application not the service B is the answer https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html: "The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants containers in the task permission to call AWS APIs on your behalf."

B for sure

It should be B

Ans = B Focus on IAM role when dealing with resource access permissions.

Roles are recommand in this use case

B for Sure

Answer: B