How can each microservice be granted the minimum privileges?
Set ECS_ENABLE_TASK_IAM_ROLE to false on EC2 instance boot in ECS agent configuration file. Run the first microservice with an IAM role for ECS tasks with read-only access for the Aurora database. Run the second microservice with an IAM role for ECS tasks with read-only access to DynamoDB.
Set ECS_ENABLE_TASK_IAM_ROLE to false on EC2 instance boot in the ECS agent configuration file. Grant the instance profile role read-only access to the Aurora database and DynamoDB.
Set ECS_ENABLE_TASK_IAM_ROLE to true on EC2 instance boot in the ECS agent configuration file. Run the first microservice with an IAM role for ECS tasks with read-only access for the Aurora database. Run the second microservice with an IAM role for ECS tasks with read-only access to DynamoDB.
Set ECS_ENABLE_TASK_IAM_ROLE to true on EC2 instance boot in the ECS agent configuration file. Grant the instance profile role read-only access to the Aurora database and DynamoDB.
Explanations:
SettingECS_ENABLE_TASK_IAM_ROLEto false disables the use of IAM roles for tasks, meaning the microservices won’t be able to assume task-specific IAM roles.
SettingECS_ENABLE_TASK_IAM_ROLEto false disables task-specific IAM roles, meaning the EC2 instance profile role would be the only role granted permissions.
EnablingECS_ENABLE_TASK_IAM_ROLEallows ECS tasks to assume IAM roles. The microservices can then use specific IAM roles for read-only access to Aurora and DynamoDB.
EnablingECS_ENABLE_TASK_IAM_ROLEfor the EC2 instance profile would not grant the individual tasks the necessary IAM roles for accessing Aurora and DynamoDB.
I rank that the answer is:
Set ECS_ENABLE_TASK_IAM_ROLE to true on EC2 instance boot in the ECS agent configuration file. Run the first microservice with an IAM role for ECS tasks with read-only access for the Aurora database. Run the second microservice with an IAM role for ECS tasks with read-only access to DynamoDB.