Shared Responsibility Model Flashcards

Distinguish between AWS and customer responsibilities in securing cloud-based workloads. (11 cards)

1
Q

Which of the following is a sole responsibility of AWS?

  1. Application deployment
  2. Patch management
  3. Availability Zone management
  4. Customer data access controls
A

3. Availability Zone management

According to the shared responsibility model, AWS is responsible for the management of all AWS global infrastructure components, including Regions, Availability Zones, Edge locations, Regional Edge Caches, and Local Zones.

  • Application deployment is incorrect. Applications are deployed by customers, not AWS.
  • Patch management is incorrect. Patch management is a shared responsibility. Customers must patch the instances and databases they run on EC2, while AWS patches the underlying infrastructure and some managed services.
  • Customer data access controls is incorrect. Customers are responsible for implementing access controls for their data.

Reference:
Shared Responsibility Model

2
Q

According to the AWS shared responsibility model, which task is the customer’s responsibility?

  1. Maintaining the infrastructure needed to run Amazon DynamoDB.
  2. Updating the operating system of AWS Lambda instances.
  3. Maintaining Amazon API Gateway infrastructure.
  4. Updating the guest operating system on Amazon EC2 instances.
A

4. Updating the guest operating system on Amazon EC2 instances.

According to the AWS Shared Responsibility Model, updating Amazon EC2 guest operating systems falls under security in the cloud, which is a customer responsibility. With EC2, AWS manages the underlying platform on which EC2 runs, but you must launch and manage your own operating systems.

  • Updating the guest operating system on Amazon EC2 instances is the correct answer.
  • Maintaining the infrastructure needed to run Amazon DynamoDB is incorrect. This is a responsibility of AWS.
  • Updating the operating system of AWS Lambda instances is incorrect. This is a responsibility of AWS.
  • Maintaining Amazon API Gateway infrastructure is incorrect. This is a responsibility of AWS.

Reference:
Shared Responsibility Model

3
Q

According to the AWS Shared responsibility model, which two tasks are the responsibility of AWS?

(Select TWO.)

  1. Encrypt client-side data and authenticate data integrity.
  2. Manage customer data.
  3. Perform identity and access management.
  4. Provide physical security for Availability Zones.
  5. Patch the operating system of Amazon S3.
A

4. Provide physical security for Availability Zones.
5. Patch the operating system of Amazon S3.

As part of the AWS Shared Responsibility Model, the customer does not have any insight into how physical infrastructure is managed or maintained. The customer is responsible for security in the cloud, whereas AWS are responsible for the security of the cloud.
Also, AWS customers have no insight into how Amazon S3 works behind the scenes, as Amazon S3 is a fully managed object storage service. Users simply use Amazon S3, and AWS manages all of the infrastructure, OS patching, and maintenance for you.

  • Encrypt client-side data and authenticate data integrity is incorrect. Customers are responsible for the security of what is in the cloud, including encryption, and how data integrity is managed.
  • Perform identity and access management is incorrect. Only the AWS customer can use IAM to provision permissions for users, groups, and roles within their AWS account.
  • Manage customer data is incorrect. AWS has no insight into the customer data stored on AWS; managing that data is solely the responsibility of the AWS customer.

Reference:
Shared Responsibility Model

4
Q

Under the AWS shared responsibility model, which of the following is an example of a customer responsibility in the AWS Cloud?

  1. Managing edge locations
  2. Physical security
  3. Firewall configuration
  4. Global infrastructure
A

3. Firewall configuration

Firewall configuration is an example of security in the cloud. This is the customer’s responsibility, not an AWS responsibility.

  • Managing edge locations is incorrect. This is an example of security of the cloud and is an AWS responsibility.
  • Physical security is incorrect. This is an example of security of the cloud and is an AWS responsibility.
  • Global infrastructure is incorrect. This is an example of security of the cloud and is an AWS responsibility.

Reference:
Shared Responsibility Model

5
Q

After an organization has migrated several servers into AWS, they are unsure as to what they must directly manage themselves.

Which cost is the company’s direct responsibility?

  1. Cost of application software licenses.
  2. Cost of the hardware infrastructure on AWS.
  3. Cost of power for the AWS servers.
  4. Cost of physical security for the AWS data center.
A

1. Cost of application software licenses.

Licensing costs for applications are still part of the customer's responsibility, as AWS only looks after the infrastructure on which the applications run. The application layer itself is managed entirely by the customer, not AWS.

  • Cost of the hardware infrastructure on AWS is incorrect as this sits firmly on the AWS side of the shared responsibility model.
  • Cost of power for the AWS servers is incorrect. AWS looks after the physical infrastructure, and customers have no input into how this is managed.
  • Cost of physical security for the AWS data center is incorrect. Security of the cloud is an AWS responsibility and security in the cloud is a customer’s responsibility.

Reference:
Shared Responsibility Model

6
Q

Under the AWS shared responsibility model, which actions are the responsibility of AWS?

(Select TWO.)

  1. Scanning AWS service endpoints for vulnerabilities.
  2. Enabling encryption on an Amazon S3 bucket.
  3. Configuring security group rules.
  4. Enforcing application access restrictions.
  5. Encrypting traffic on the AWS backbone between global and regional AWS facilities.
A

1. Scanning AWS service endpoints for vulnerabilities.
5. Encrypting traffic on the AWS backbone between global and regional AWS facilities.

Scanning endpoints owned by AWS sits firmly under AWS's responsibility, as an AWS user has no access to or insight into how AWS private endpoints work behind the scenes. Because this layer is abstracted away from the end user, it is the sole responsibility of AWS.
As for encrypting traffic on the AWS backbone, the lines and the network are solely owned and operated by AWS, so it is AWS's responsibility to maintain their security. This sits under security of the cloud rather than security in the cloud.

  • Encrypting traffic on the AWS backbone between global and regional AWS facilities is also a correct answer (as explained above.)
  • Enabling encryption on an Amazon S3 bucket is incorrect; this sits firmly under the customer's responsibility under the AWS shared responsibility model.
  • Configuring security group rules is incorrect, as you, the AWS customer, configure security group rules according to how your application is going to function.
  • Enforcing application access restrictions is incorrect, as AWS has no insight into the application you build on AWS, only the infrastructure on which it is hosted.

Reference:
Shared Responsibility Model

7
Q

Which aspects of security on AWS are customer responsibilities?

(Select TWO.)

  1. Setting up account password policies
  2. Physical access controls
  3. Server-side encryption
  4. Patching of storage systems
  5. Availability of AWS regions
A

1. Setting up account password policies
3. Server-side encryption

AWS are responsible for the security of the cloud. This includes protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
The customer is responsible for security in the cloud. Customer responsibility depends on the service consumed, but includes aspects such as Identity and Access Management (which includes password policies), encryption of data, protection of network traffic, and operating system, network, and firewall configuration.

  • Physical access controls is incorrect as explained above.
  • Patching of storage systems is incorrect as explained above.
  • Availability of AWS regions is incorrect as explained above.

Reference:
Shared Responsibility Model

8
Q

Which statement is correct in relation to the AWS Shared Responsibility Model?

  1. AWS are responsible for the security of regions and availability zones
  2. Customers are responsible for patching storage systems
  3. AWS are responsible for encrypting customer data
  4. Customers are responsible for security of the cloud
A

1. AWS are responsible for the security of regions and availability zones

AWS are responsible for Security of the Cloud. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services, and this includes regions, availability zones and edge locations.
Customers are responsible for Security in the Cloud. This includes encrypting customer data and patching operating systems, but not patching or maintaining the underlying infrastructure.

  • Customers are responsible for patching storage systems is incorrect as this is an AWS responsibility.
  • AWS are responsible for encrypting customer data is incorrect as this is a customer responsibility.
  • Customers are responsible for security of the cloud is incorrect as this is an AWS responsibility.

Reference:
Shared Responsibility Model

9
Q

Which actions are the responsibility of AWS, according to the AWS shared responsibility model?

(Select TWO.)

  1. Securing the virtualization layer
  2. Patching the operating system on Amazon EC2 instances
  3. Enforcing a strict password policy for IAM users
  4. Patching the operating system on Amazon RDS instances
  5. Configuring security groups and network ACLs
A

1. Securing the virtualization layer
4. Patching the operating system on Amazon RDS instances

Securing the virtualization layer is the responsibility of AWS, as the AWS customer has no insight into this layer of the physical infrastructure.
Patching the operating system on Amazon RDS instances is AWS's responsibility, as Amazon RDS is a managed service. As part of this, you do not need to manage or patch the operating system underneath the RDS database.

  • Patching the operating system on Amazon EC2 instances is incorrect. Amazon EC2 is an Infrastructure as a Service offering in which you have direct access to the underlying virtual machine; therefore it is your responsibility to patch the operating system on any EC2 instance you use.
  • Enforcing a strict password policy for IAM users is incorrect. It is the responsibility of the AWS customer to set the password policy for IAM users.
  • Configuring security groups and network ACLs is incorrect. It is the responsibility of the AWS customer to configure security groups and network ACLs.

Reference:
Shared Responsibility Model

10
Q

A company wants to push VPC flow logs to Amazon S3. What action is the company responsible for under the Shared Responsibility Model?

  1. Managing the infrastructure that runs the S3 bucket.
  2. Managing the data in transit.
  3. Managing the encryption options on the S3 bucket.
  4. Managing the operating system updates on the S3 bucket.
A

3. Managing the encryption options on the S3 bucket.

The company is responsible for enabling encryption on the bucket because the customer is responsible for the data within the bucket and for the way it is protected, using controls such as bucket policies, permissions, and encryption.

  • Managing the infrastructure that runs the S3 bucket is incorrect. AWS manages the physical infrastructure underlying the cloud and the customer has no insight or input into this.
  • Managing the data in transit is incorrect. When you push VPC flow logs to S3 this will be done over the AWS backbone, meaning that it will be encrypted by default and the customer has no insight into this.
  • Managing the operating system updates on the S3 bucket is incorrect. Amazon S3 exposes no underlying operating system to the end user; the user interacts only with the S3 console, CLI, or API.

Reference:
Shared Responsibility Model

11
Q

Under the AWS Shared Responsibility Model, which of the following is the customer NOT responsible for?

  1. Adding firewall rules to security groups and network ACLs
  2. Applying encryption to data stored on an EBS volume
  3. Applying bucket policies to share Amazon S3 data
  4. Installing firmware updates on host servers
A

4. Installing firmware updates on host servers

AWS customers are not responsible for installing firmware updates on the underlying infrastructure. AWS customers must protect their AWS services through policies, encryption, and firewall rules.

  • Adding firewall rules to security groups and network ACLs is incorrect as this is a customer responsibility.
  • Applying encryption to data stored on an EBS volume is incorrect as this is a customer responsibility.
  • Applying bucket policies to share Amazon S3 data is incorrect as this is a customer responsibility.

Reference:
Shared Responsibility Model
