[04] Task Definitions Flashcards
What are the two options for logging stdout/stderr from containers?
Docker logging driver, e.g. awslogs; sidecar container, e.g. AWS FireLens
What are Docker logging drivers?
Built into the Docker daemon
What Docker logging drivers are supported on Fargate?
awslogs, splunk
What Docker logging drivers are supported on EC2?
awslogs, fluentd, gelf, json-file, journald, logentries, syslog, splunk
What are the components of the logConfiguration object in a task definition?
logDriver, options and secretOptions
What role is used to send logs to CloudWatch when using Docker logging drivers?
The execution role
What is the default mode for awslogs Docker logging driver?
blocking
What mode is recommended for awslogs Docker logging driver?
non-blocking
What is a sidecar container?
A container that runs alongside the main application
What port does the FireLens log router listen on?
24224
What type of container dependency is recommended when using FireLens?
A container dependency to ensure the log router starts before the application container
When is a container dependency required for FireLens?
For bridge networking mode
What role is used by the sidecar container to send logs?
The task role
What is the PROVISIONING state?
The state a task will be in while ECS is performing additional provisioning steps
What options are available for passing secrets to containers in ECS?
Automatically expose the secrets as environment variables by setting the secrets field in the container definition(s) to reference secrets stored in Secrets Manager or AWS Systems Manager Parameter Store; update the application to pull secrets directly from Secrets Manager or SSM using the AWS SDK; for logging, the logConfiguration field in the container definition can reference secrets in Secrets Manager or SSM; for private registry authentication, only Secrets Manager is supported; or, on EC2, configure the ECS agent by setting ECS_ENGINE_AUTH_TYPE and ECS_ENGINE_AUTH_DATA
What role is used when automatically exposing secrets as environment variables?
The execution role
What role is used when the application pulls secrets directly from Secrets Manager or SSM?
The task role
How can you troubleshoot issues with secrets in ECS?
Check CloudTrail, as all operations which access secrets are recorded
What CloudTrail events are recorded when accessing secrets from Secrets Manager?
The API call secretsmanager:GetSecretValue is recorded
What CloudTrail events are recorded when accessing secrets from SSM?
Calls will be made to ssm:GetParameters & secretsmanager:GetSecretValue (note that the actual secret is stored in Secrets Manager because SSM Parameter Store only stores a pointer)
What other CloudTrail events may be recorded when accessing secrets?
There will be calls to KMS (e.g. kms:Decrypt) if the secrets are encrypted with a CMK
Are secrets injected as environment variables updated automatically?
No, secrets injected as environment variables are not updated automatically
What Linux networking mode allocates an ENI to each task?
awsvpc
What networking mode is recommended for both Linux and Windows tasks?
awsvpc
What networking mode allows traffic to be audited using VPC Flow Logs?
awsvpc
What networking mode allows containers in the same task to communicate using localhost without configuring links?
awsvpc
What is the default networking mode for Linux tasks?
bridge
What Linux networking mode binds a host port to a container port if hostPort is set?
bridge
What is the default networking mode for Windows tasks?
default
What Linux networking mode uses the host’s network and requires hostPort?
host