Exam AWS Certified Security - Specialty topic 1 question 156 discussion

correct answer is B,C

Guys I have done this at work its B and C.. So the break down is B,, resource consumption is a classic sign of possible attack on containers and C,, segmenting of containers by function is a best practices,, On the other hand D,, is Docker specific.

Felt a deja vu on this one

B. Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries: AWS's "Best practices for building containers" guide highlights the importance of limiting resource consumption, networking connections, ports, and removing unnecessary container libraries to minimize the attack surface: https://aws.amazon.com/blogs/containers/best-practices-for-building-containers/ C. Segregate container by host, function, and data classification: - AWS's "Securing Amazon ECS container instances" documentation discusses segregating containers based on their function and data classification: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-container-security.html - The AWS Well-Architected Framework's "Security Pillar" also highlights the importance of segregating containers and applying the principle of least privilege: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf

https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_reduce_surface.html Answer BC

https://www.trendmicro.com/en_us/what-is/container-security.html This links supports C more than D So choosing B and C

Not selecting D since its docker specific and task definition seems vague

You should configure tasks with CPU and memory limits to minimize the following risk. A task's resource limits set an upper bound for the amount of CPU and memory that can be reserved by all the containers within a task. If no limits are set, tasks have access to the host's CPU and memory. This can cause issues where tasks deployed on a shared host can starve other tasks of system resources. Notary is the available community-supported tool that would allow for signing and verifying OCI/Docker

BC，i think is correct answer

B, since, resource consumption is a classic sign of a possible attack on containers. D, since, the notary is used for the security of Docker.

Dup question, Its C and C

Had trouble with selecting C or D. D seems right, but the "host' mentioned in C let me feel uncomfortable. After reading https://www.cncf.io/blog/2021/07/28/enforcing-image-trust-on-docker-containers-using-notary/, and plan to use Notary in my work in the future.

BC - when you reduce the attack surface, you need to limit the accessibility to resources by container.

Answer is B & C. Docker Notary is just a destruction.

Docker Notary is used to sign images not task definitions. So B, C.

AWS Says B and ? https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html and C https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-network.html

According to the Zeal Vora course its BC... I trust him a little more lol