Answer: A, C, D
Option A is correct. The Amazon ECS container agent makes calls to the Amazon ECS API on your behalf. Container instances that run the agent require an IAM policy and role for the service to know that the agent belongs to you. Before you can launch container instances and register them into a cluster, you must create an IAM role for those container instances to use when they are launched. This requirement applies to container instances launched with the Amazon ECS-optimized AMI provided by Amazon or with any other instances that you intend to run the agent on.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
Option B is not correct. An Amazon ECS container instance has no password to use for SSH access; you use a key pair to securely log in to your instance. You specify the name of the key pair when you launch your container instance, then provide the private key when you log in using SSH.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html?shortFooter=true#create-a-key-pair
Option C is correct. Security groups act as a firewall to ECS container instances. If outbound rules are not allowing any traffic to ECS service endpoints, the container agent will not be able to report the status back to ECS.
For more information on security groups, refer to the documentation here:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html?shortFooter=true#create-a-base-security-group
Option D is correct. ECS supports interface VPC endpoints.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/vpc-endpoints.html
https://aws.amazon.com/blogs/aws/aws-privatelink-update-vpc-endpoints-for-your-own-applications-services/
Option E is not correct. T2.micro is supported for container instances.