How can a solutions architect ensure that the application has permission to access Amazon S3?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A company runs an application using Amazon ECS.The application creates resized versions of an original image and then makes Amazon S3 API calls to store the resized images in Amazon S3.

How can a solutions architect ensure that the application has permission to access Amazon S3?

Update the S3 role in AWS IAM to allow read/write access from Amazon ECS, and then relaunch the container.

Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition.

Create a security group that allows access from Amazon ECS to Amazon S3, and update the launch configuration used by the ECS cluster.

Create an IAM user with S3 permissions, and then relaunch the Amazon EC2 instances for the ECS cluster while logged in as this account.

Explanations:

Updating the S3 role in IAM does not directly grant permissions to ECS tasks. The tasks need an IAM role specified in their task definition to access S3.

Creating an IAM role with S3 permissions and specifying it as the taskRoleArn in the ECS task definition allows the application running in ECS to assume the role and access S3 resources.

Security groups control network access, not IAM permissions. S3 access permissions must be managed through IAM roles, not security groups.

Creating an IAM user does not provide the necessary permissions to ECS tasks. IAM roles should be used instead, and launching EC2 instances as an IAM user does not grant permissions to ECS tasks.

2025-10-08

1 Comment

  1. Jeremy
    Author

    I value that the answer is:
    Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition.

Leave a Reply

Your email address will not be published. Required fields are marked *

10 + eighteen =