A company wants to run containerised applications on ECS without managing or patching any EC2 instances. Which ECS launch type eliminates all server management?
- A. ECS EC2 Launch Type — runs tasks on EC2 instances that you provision and manage in your cluster.
- B. ECS Fargate Launch Type — serverless compute for containers; AWS manages all underlying infrastructure. ✓ Correct
- C. EKS Managed Node Groups — still requires managing EC2 worker nodes.
- D. AWS Lambda — serverless functions, not a container orchestration launch type.
Fargate is a serverless compute engine for ECS and EKS. You specify CPU and memory for each task/pod, and AWS provisions, scales, and manages the underlying infrastructure. There are no EC2 instances to patch or manage. You pay per task based on CPU and memory requested. Ideal for microservices, batch jobs, and when you want to focus on applications, not infrastructure.
In Amazon ECS, what is a Task Definition?
- A. A running instance of a container in a cluster.
- B. A logical group of ECS tasks or services that runs on a cluster.
- C. A blueprint (JSON document) that specifies container image, CPU/memory, port mappings, environment variables, and IAM role for one or more containers. ✓ Correct
- D. An Auto Scaling policy for ECS tasks.
ECS Task Definitions are versioned blueprints for your containers. Each revision is immutable. A Task is a running instance of a Task Definition. An ECS Service maintains a desired number of running tasks and integrates with load balancers. The cluster is the logical boundary that groups tasks and services.
A company has existing Kubernetes workloads on-premises and wants to migrate to AWS while retaining Kubernetes compatibility. AWS should manage the Kubernetes control plane. Which service should they use?
- A. Amazon ECS with EC2 launch type — AWS's proprietary container orchestration, not Kubernetes.
- B. Amazon EKS (Elastic Kubernetes Service) — managed Kubernetes control plane, fully compatible with upstream Kubernetes. ✓ Correct
- C. AWS Fargate alone — a compute engine, not a Kubernetes service.
- D. AWS App Runner — managed service for web applications and APIs, not Kubernetes.
EKS manages the Kubernetes control plane (API server, etcd, scheduler) across multiple AZs. Worker nodes can be EC2 instances (managed or self-managed node groups) or Fargate. EKS is certified Kubernetes conformant — existing Kubernetes manifests, Helm charts, and tools work without modification. This enables lift-and-shift of on-premises Kubernetes workloads.
Which AWS service provides a managed, private Docker container image registry for storing and distributing container images used by ECS and EKS?
- A. Amazon S3 — object storage for files, not a container registry.
- B. AWS CodeArtifact — a managed artifact repository for software packages (npm, Maven, PyPI), not container images.
- C. Amazon ECR (Elastic Container Registry) — managed Docker and OCI container image registry integrated with ECS and EKS. ✓ Correct
- D. AWS CodeCommit — a managed Git repository for source code, not container images.
Amazon ECR is a fully managed container registry. It supports private repositories (access controlled by IAM) and public repositories (ECR Public Gallery). Images are stored in S3 and encrypted at rest. ECR integrates natively with ECS and EKS for seamless image pulls, and with AWS CodePipeline for CI/CD pipelines.
ECS Fargate tasks need to retrieve database credentials from AWS Secrets Manager at runtime. What is the MOST secure way to grant this access?
- A. Hard-code the Secrets Manager secret ARN and IAM credentials in the Task Definition environment variables.
- B. Store the credentials in plaintext inside the container image.
- C. Create an IAM Task Role with GetSecretValue permission and assign it to the ECS Task Definition — the container retrieves the secret at runtime. ✓ Correct
- D. Use the ECS Cluster role to grant all tasks in the cluster access to Secrets Manager.
ECS Task Roles provide IAM permissions to the containers running in the task (via the container credentials endpoint at 169.254.170.2). The ECS Task Execution Role is different — it's used by ECS to pull images and publish logs. The Task Role is what the application code uses. This follows least privilege: each task gets only the permissions it needs.