Amazon Elastic Container Service | Security and Compliance Flashcards
How should I choose between using AWS Fargate with Amazon ECS or just using ECS?
Security and Compliance
Amazon Elastic Container Service | Compute
Amazon ECS supports Fargate technology and customers will be able to choose AWS Fargate to launch their containers without having to provision or manage EC2 instances. AWS Fargate is the easiest way to launch and run containers on AWS. Customers who require greater control of their EC2 instances to support compliance and governance requirements or broader customization options can choose to use ECS without Fargate to launch EC2 instances.
How does Amazon ECS isolate containers belonging to different customers?
Amazon ECS schedules containers for execution on customer-controlled Amazon EC2 instances or with AWS Fargate and builds on the same isolation controls and compliance that are available for EC2 customers. Your compute instances are located in a Virtual Private Cloud (VPC) with an IP range that you specify. You decide which instances are exposed to the Internet and which remain private.
Your EC2 instances use an IAM role to access the ECS service.
Your ECS tasks use an IAM role to access services and resources.
Security Groups and network ACLs allow you to control inbound and outbound network access to and from your instances.
You can connect your existing IT infrastructure to resources in your VPC using industry-standard encrypted IPsec VPN connections.
You can provision your EC2 resources as Dedicated Instances. Dedicated Instances are Amazon EC2 Instances that run on hardware dedicated to a single customer for additional isolation.
Can I apply additional security configuration and isolation frameworks to my container instances?
Yes. As an Amazon EC2 customer, you have root access to the operating system of your container instances, enabling you to take ownership of the operating system’s security settings as well as load and configure additional software components for security capabilities such as monitoring, patch management, log management and host intrusion detection.
Can I operate container instances with different security settings or segregate different tasks across different environments?
Yes. You can configure your different container instances using the tooling of your choice. Amazon ECS allows you to control the placement of tasks in different container instances through the construct of clusters and targeted launches.
Does Amazon ECS support retrieving Docker images from a private or internal source?
Yes. Customers can configure their container instances to access a private Docker image registry within a VPC or a registry that’s accessible outside a VPC such as Amazon ECR.
How do I configure IAM roles for ECS tasks?
You first need to create an IAM role for your task, using the 'Amazon EC2 Container Service Task Role' service role and attaching a policy with the required permissions. When you create a new task definition or a task definition revision, you can then specify a role by selecting it from the 'Task Role' drop-down or by using the 'taskRoleArn' field in the JSON format.
With which compliance programs does Amazon ECS conform?
Amazon ECS meets the standards for PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and HIPAA eligibility.
For more information, visit our compliance pages.
Can I use Amazon ECS for Protected Health Information (PHI) and other HIPAA regulated workloads?
Yes. Amazon ECS is HIPAA-eligible. If you have an executed Business Associate Addendum (BAA) with AWS, you can use Amazon ECS to process encrypted Protected Health Information (PHI) using Docker containers deployed onto the AWS Fargate launch-type or Amazon EC2 compute instances.
For more information, please visit our page on HIPAA compliance. If you plan to process, store, or transmit PHI and do not have an executed BAA from AWS, please contact us for more information.