A company wants to use Amazon ECS to provide a Docker container runtime environment. For compliance reasons, all Amazon EBS volumes used in the ECS cluster must be encrypted. Rolling updates will be made to the cluster instances and the company wants the instances drained of all tasks before being terminated. How can these requirements be met? (Select TWO.)
A) Modify the default ECS AMI user data to create a script that executes docker rm -f {id} for all running container instances. Copy the script to the /etc/init.d/rc.d directory and execute chconfig enabling the script to run during operating system shutdown.
B) Use AWS CodePipeline to build a pipeline that discovers the latest Amazon-provided ECS AMI, then copies the image to an encrypted AMI outputting the encrypted AMI ID. Use the encrypted AMI ID when deploying the cluster.
C) Copy the default AWS CloudFormation template that ECS uses to deploy cluster instances. Modify the template resource EBS configuration setting to set 'Encrypted: True' and include the AWS KMS alias: 'aws/ebs' to encrypt the AMI.
D) Create an Auto Scaling lifecycle hook backed by an AWS Lambda function that uses the AWS SDK to mark a terminating instance as DRAINING. Prevent the lifecycle hook from completing until the running tasks on the instance are zero.
E) Create an IAM role that allows the action ECS::EncryptedImage. Configure the AWS CLI and a profile to use this role. Start the cluster using the AWS CLI providing the --use-encrypted-image and --kms-key arguments to the create-cluster ECS command.
Correct Answer:
Verified