[08] Security Flashcards
What is the definitive source for information on controlling access to ECS actions?
The Service Authorization Reference
What is a method for scoping IAM policies for ECS?
By resource ARN, by tags (aws:ResourceTag / aws:RequestTag condition keys), or with the ECS-specific ecs:cluster and ecs:service condition keys
When is the ECS service linked role created?
Automatically (as AWSServiceRoleForECS) when a cluster is created or a service is created or updated, whether through the console, the CLI or the API directly
What is the purpose of the AmazonEC2ContainerServiceforEC2Role managed IAM policy?
Intended for use by EC2 container instances
What permissions are included in the AmazonEC2ContainerServiceforEC2Role policy?
ec2:DescribeTags, ecs:CreateCluster, ecs:DeregisterContainerInstance, ecs:DiscoverPollEndpoint, ecs:Poll, ecs:RegisterContainerInstance, ecs:StartTelemetrySession, ecs:UpdateContainerInstancesState, ecs:Submit*, ecs:TagResource (limited by an ecs:CreateAction condition to CreateCluster and RegisterContainerInstance), the ECR pull actions (ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer, ecr:BatchGetImage) and the CloudWatch Logs actions logs:CreateLogStream and logs:PutLogEvents
What does the AmazonECSTaskExecutionRolePolicy managed policy allow?
Pulling images from ECR (ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer, ecr:BatchGetImage) and writing to CloudWatch Logs (logs:CreateLogStream, logs:PutLogEvents)
What permission is required to create tags as part of other API calls like CreateCluster?
ecs:TagResource, which can be restricted with the ecs:CreateAction condition key to the specific create calls that are allowed to tag
Where can credentials for the task role be fetched from?
From http://169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}, a link-local endpoint served by the container agent and reachable only from inside the task; the AWS SDKs query it automatically
What is the format of the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable?
/{{credentials_version}}/credentials?id={{task_credential_id}}
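The two cards above describe the endpoint and the variable that an SDK combines to obtain task-role credentials. The following is an added example, not code from the flashcards or from any AWS SDK, that does the same thing by hand: it builds the URL from the environment variable, refuses a relative URI that would point the request off-host, and parses the JSON document the endpoint returns. The sample response, the credential path and the role ARN are constructed values, not real credentials.

```python
"""Fetch and validate ECS task-role credentials by hand (added example, not SDK code)."""
import json
import os
import urllib.request
from datetime import datetime, timezone

# Link-local credential proxy served by the ECS agent; reachable only from inside the task.
CREDENTIALS_HOST = "169.254.170.2"


def is_local_relative_uri(relative_uri):
    """A valid value is an absolute path on the proxy: it starts with a single '/'.

    Anything else (an empty string, 'http://...', or '//host/path', which urllib
    would treat as a different host) is rejected rather than fetched.
    """
    return relative_uri.startswith("/") and not relative_uri.startswith("//")


def credentials_url(relative_uri):
    """Build the full URL the SDK would request, rejecting non-local values."""
    if not is_local_relative_uri(relative_uri):
        raise ValueError(f"refusing non-local credentials URI: {relative_uri!r}")
    return f"http://{CREDENTIALS_HOST}{relative_uri}"


def parse_credentials(body):
    """Parse the JSON body returned by the endpoint and check it has every field."""
    doc = json.loads(body)
    required = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")
    missing = [key for key in required if key not in doc]
    if missing:
        raise ValueError(f"credential response is missing {missing}")
    expiration = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return {
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],
        "expiration": expiration,
        "role_arn": doc.get("RoleArn"),
    }


def seconds_until_expiry(creds, now=None):
    """How long the credentials remain valid; negative once they have expired."""
    now = now or datetime.now(timezone.utc)
    return int((creds["expiration"] - now).total_seconds())


def fetch_task_credentials(timeout=2.0):
    """Live fetch; only works inside an ECS task that has a task role attached."""
    relative_uri = os.environ.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if relative_uri is None:
        raise RuntimeError("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set; not an ECS task")
    with urllib.request.urlopen(credentials_url(relative_uri), timeout=timeout) as resp:
        return parse_credentials(resp.read().decode())


# Constructed sample response in the documented shape; keys are AWS's published
# placeholder values and the role ARN / account ID are made up.
SAMPLE_RESPONSE = json.dumps({
    "RoleArn": "arn:aws:iam::111122223333:role/app-task-role",
    "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "IQoJb3JpZ2luX2VjEXAMPLETOKEN",
    "Expiration": "2030-01-01T00:00:00Z",
})

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; the path is an example value.
    print(credentials_url("/v2/credentials/2f3c6e1a-example"))
    creds = parse_credentials(SAMPLE_RESPONSE)
    print(creds["role_arn"], "expires in", seconds_until_expiry(creds), "seconds")
```

The check in `is_local_relative_uri` matters because the variable is read from the container's environment: a task that lets an attacker set environment variables for a child process could otherwise be steered to a credential endpoint of the attacker's choosing.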
What API action cannot have the aws:SourceVpc or aws:SourceVpce condition keys applied to it?
ecr:GetAuthorizationToken
Why can't the aws:SourceVpc or aws:SourceVpce condition keys be applied to the ecr:GetAuthorizationToken API action?
The GetAuthorizationToken call is made through the Fargate-owned ENI rather than the task ENI, so the request never carries the task's VPC or VPC endpoint as its source and a condition on those keys cannot match
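The cards on scoping ECS policies, on ecs:TagResource for tag-on-create, and on the GetAuthorizationToken restriction above each describe a rule that is easy to get wrong in a policy document. The following added example (not AWS code, and not from the flashcards' source) is a small linter that checks a policy JSON document for both: every Allow of ecs: actions on a wildcard resource must carry an ecs:cluster, ecs:service or tag condition, and no statement that covers ecr:GetAuthorizationToken may key on aws:SourceVpc or aws:SourceVpce. The two sample policies are constructed; the account ID, cluster name, tag and VPC endpoint ID are assumptions.

```python
"""Lint IAM policy JSON for two ECS/ECR scoping pitfalls (added example, not AWS tooling)."""
import json
from fnmatch import fnmatchcase

SCOPING_EXACT = {"ecs:cluster", "ecs:service"}
SCOPING_PREFIXES = ("ecs:resourcetag/", "aws:resourcetag/", "aws:requesttag/")
SOURCE_KEYS = {"aws:sourcevpc", "aws:sourcevpce"}


def _as_list(value):
    """Action/Resource may be a scalar or a list in IAM; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def condition_keys(statement):
    """Lower-cased condition keys used anywhere in the statement's Condition block."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(key.lower() for key in operator_block)
    return keys


def _scoped_by_condition(keys):
    return any(k in SCOPING_EXACT or k.startswith(SCOPING_PREFIXES) for k in keys)


def _covers_get_auth_token(actions):
    # Wildcards such as "ecr:*" or "*" also cover GetAuthorizationToken.
    return any(fnmatchcase("ecr:getauthorizationtoken", a) for a in actions)


def lint_policy(policy):
    """Return a list of finding strings; an empty list means both rules hold."""
    findings = []
    for index, st in enumerate(_as_list(policy.get("Statement"))):
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        keys = condition_keys(st)

        # Rule 1: an Allow of ecs: actions on "*" needs cluster/service/tag scoping.
        if st.get("Effect") == "Allow":
            ecs_actions = [a for a in actions if a == "*" or a.startswith("ecs:")]
            if ecs_actions and "*" in resources and not _scoped_by_condition(keys):
                findings.append(f"statement {index}: {ecs_actions} allowed on '*' with no "
                                "ecs:cluster / ecs:service / tag condition")

        # Rule 2: GetAuthorizationToken never carries a VPC source. In an Allow the
        # condition can never match (pulls fail); in a Deny it always matches.
        if keys & SOURCE_KEYS and _covers_get_auth_token(actions):
            findings.append(f"statement {index}: aws:SourceVpc/aws:SourceVpce applied to "
                            "ecr:GetAuthorizationToken (condition cannot match)")
    return findings


def lint_policy_json(text):
    return lint_policy(json.loads(text))


# Constructed sample: scoped deployer policy with ECR pulls pinned to a VPC endpoint.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {  # ECS actions limited to one cluster via the ecs:cluster key (assumed ARN)
            "Effect": "Allow",
            "Action": ["ecs:UpdateService", "ecs:DescribeServices"],
            "Resource": "*",
            "Condition": {"ArnEquals": {
                "ecs:cluster": "arn:aws:ecs:us-east-1:111122223333:cluster/prod"}},
        },
        {  # Tag-on-create needs ecs:TagResource; scope it to the call and the tag
            "Effect": "Allow",
            "Action": "ecs:TagResource",
            "Resource": "*",
            "Condition": {"StringEquals": {"ecs:CreateAction": "CreateCluster",
                                           "aws:RequestTag/env": "prod"}},
        },
        {  # Layer and manifest pulls pinned to the endpoint (assumed endpoint ID)
            "Effect": "Allow",
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                       "ecr:BatchCheckLayerAvailability"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {  # GetAuthorizationToken deliberately left without a source condition
            "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*",
        },
    ],
}

# Constructed sample that breaks both rules.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ecr:*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy(policy) or "ok")
```

Run it against a policy pulled with `aws iam get-policy-version` before attaching it; the linter is deliberately strict, so a statement that scopes by a non-wildcard Resource ARN passes Rule 1 but one that relies on a condition key outside the list above is reported for review.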
Can tasks running on EC2 instances access IMDS by default?
Yes
How can access to IMDS be prevented for awsvpc tasks on EC2?
By setting ECS_AWSVPC_BLOCK_IMDS=true in the container agent configuration (/etc/ecs/ecs.config) on the instance
How can access to IMDS be prevented for bridge tasks on EC2?
With an iptables rule on the container instance that drops traffic from the Docker bridge interfaces (docker+) to 169.254.169.254; the documented rule is inserted at position 1 of the DOCKER-USER chain so it is evaluated before Docker's own rules
Is it possible to prevent access to IMDS for host tasks on EC2?
No; a host-mode task shares the instance's network namespace, so it reaches IMDS exactly as the instance itself does
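The four cards above give one answer per network mode. The following added example (not AWS tooling, and not from the flashcards' source) turns them into an audit for a container instance: it reads the agent configuration for ECS_AWSVPC_BLOCK_IMDS, parses `iptables -S DOCKER-USER` output to see whether a drop rule for 169.254.169.254 from docker+ is actually in effect, and reports per task whether IMDS is still reachable. All inputs are constructed samples; the task names are made up, and the second iptables sample shows the failure mode where the rule was appended after Docker's unconditional RETURN instead of inserted at position 1.

```python
"""Audit which ECS tasks on an EC2 container instance can still reach IMDS (added example)."""

IMDS = "169.254.169.254"


def agent_blocks_awsvpc_imds(ecs_config_text):
    """True if /etc/ecs/ecs.config content sets ECS_AWSVPC_BLOCK_IMDS=true."""
    for line in ecs_config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "ECS_AWSVPC_BLOCK_IMDS":
            return value.strip().lower() == "true"
    return False


def _rule_fields(tokens):
    """Map each flag of one `iptables -S` rule to (negated, value), e.g. '-d' -> (False, ip)."""
    fields, negated, i = {}, False, 2  # skip "-A CHAIN"
    while i < len(tokens):
        if tokens[i] == "!":
            negated, i = True, i + 1
            continue
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        fields[tokens[i]] = (negated, value)
        negated, i = False, i + 2
    return fields


def iptables_drops_imds_from_bridge(iptables_s_output):
    """True if DOCKER-USER drops/rejects docker+ -> IMDS before any unconditional RETURN."""
    for line in iptables_s_output.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "DOCKER-USER"]:
            continue  # policy lines (-P) and other chains are irrelevant
        fields = _rule_fields(tokens)
        target = fields.get("-j", (False, ""))[1]
        if set(fields) == {"-j"} and target == "RETURN":
            return False  # Docker's default RETURN comes first: later rules never run
        dst_negated, dst = fields.get("-d", (True, ""))
        in_negated, iface = fields.get("-i", (True, ""))
        if (not dst_negated and dst in (IMDS, IMDS + "/32")
                and not in_negated and iface == "docker+"
                and target in ("DROP", "REJECT")):
            return True
    return False


def task_can_reach_imds(network_mode, ecs_config_text, iptables_s_output):
    """Apply the per-network-mode rule from the cards above."""
    mode = network_mode.lower()
    if mode == "host":
        return True  # shares the instance network namespace; nothing can block it
    if mode == "awsvpc":
        return not agent_blocks_awsvpc_imds(ecs_config_text)
    if mode == "bridge":
        return not iptables_drops_imds_from_bridge(iptables_s_output)
    if mode == "none":
        return False
    raise ValueError(f"unknown network mode: {network_mode}")


def audit(tasks, ecs_config_text, iptables_s_output):
    """tasks: list of {"name": ..., "network_mode": ...} taken from the task definitions."""
    return {t["name"]: task_can_reach_imds(t["network_mode"], ecs_config_text, iptables_s_output)
            for t in tasks}


# Constructed samples (not captured from a real instance).
ECS_CONFIG_SAMPLE = "ECS_CLUSTER=prod\nECS_AWSVPC_BLOCK_IMDS=true\n"
IPTABLES_OK = ("-P DOCKER-USER ACCEPT\n"
               "-A DOCKER-USER -d 169.254.169.254/32 -i docker+ -j DROP\n"
               "-A DOCKER-USER -j RETURN\n")
IPTABLES_APPENDED = ("-P DOCKER-USER ACCEPT\n"
                     "-A DOCKER-USER -j RETURN\n"
                     "-A DOCKER-USER -d 169.254.169.254/32 -i docker+ -j DROP\n")
TASKS = [{"name": "web", "network_mode": "awsvpc"},
         {"name": "worker", "network_mode": "bridge"},
         {"name": "node-agent", "network_mode": "host"}]

if __name__ == "__main__":
    print("rule inserted first:", audit(TASKS, ECS_CONFIG_SAMPLE, IPTABLES_OK))
    print("rule appended last: ", audit(TASKS, ECS_CONFIG_SAMPLE, IPTABLES_APPENDED))
```

On a real instance the three inputs come from `cat /etc/ecs/ecs.config`, `sudo iptables -S DOCKER-USER` and the networkMode of each running task definition; any task reported as True can read the instance profile's credentials through IMDS regardless of its own task role.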