Exactly this. I think this is pretty much the use case most people envision when they think about a container orchestration service (it was for me, anyway). My understanding is that EC2 and friends didn't deliver this on day 0 because efficient container isolation is hard.