CLF-C02: AWS Certified Cloud Practitioner

Question 91

What is the customer's obligation while using an AWS managed service under the AWS shared responsibility model?
Physical security of the data centers
Server-side encryption
Customer data
Operating system patching




Answer is Customer data

AWS has increased responsibility for its managed services. Examples of managed services include Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon Elastic MapReduce, and Amazon WorkSpaces. These services provide the scalability and flexibility of cloud-based resources with less operational overhead because AWS handles basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery. For most managed services, you only configure logical access controls and protect account credentials, while maintaining control of and responsibility for any personal data.

Reference:
https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/

Question 92

All AWS users have access to which AWS Trusted Advisor check?
Core checks
All checks
Cost optimization checks
Fault tolerance checks




Answer is Core checks

What does Trusted Advisor check?

Trusted Advisor includes an ever-expanding list of checks in the following four categories:
Cost Optimization – recommendations that can potentially save you money by highlighting unused resources and opportunities to reduce your bill.
Security – identification of security settings that could make your Amazon Web Services solution less secure.
Fault Tolerance – recommendations that help increase the resiliency of your Amazon Web Services solution by highlighting redundancy shortfalls, current service limits, and overutilized resources.
Performance – recommendations that can help to improve the speed and responsiveness of your applications.

Reference:
https://www.amazonaws.cn/en/support/trustedadvisor/faq/#checks

Question 93

Which of the following is an example of security in the AWS Cloud under the AWS shared responsibility model?
Managing edge locations
Physical security
Firewall configuration
Global infrastructure




Answer is Firewall configuration

The AWS Shared Responsibility Model – This specifies that AWS is responsible for security 'of' the Cloud while the customer is responsible for security 'in' the Cloud.
Customer’s Responsibility – Patching the OS running on EC2 instances; creating security groups; configuring the firewall; managing user accounts, access rights, and permissions; securing AMIs; and encrypting data at the client and server side.

Question 94

Permissions for which of the following are managed by service control policies (SCPs)?
Availability Zones
AWS Regions
AWS Organizations
Edge locations




Answer is AWS Organizations

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.

Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

Question 95

According to the AWS shared responsibility model, which job is shared between AWS and the customer?
Physical and environmental controls
Server hardware management and encryption
Application security
Patch management and configuration management




Answer is Patch management and configuration management

Shared Controls: Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:

Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
Awareness & Training – AWS trains AWS employees, but a customer must train their own employees.

Reference:
https://aws.amazon.com/compliance/shared-responsibility-model/

Question 96

Which duty is the customer's responsibility while administering AWS Lambda functions under the AWS shared responsibility model?
Creating versions of Lambda functions
Maintaining server and operating systems
Scaling Lambda resources according to demand
Updating the Lambda runtime environment




Answer is Creating versions of Lambda functions

When customers use AWS Lambda, AWS manages the underlying infrastructure and foundation services, the operating system, and the application platform. Customers themselves are responsible for the security of their code, the storage and accessibility of sensitive data, and identity and access management (IAM) to the Lambda service and within their function.

A. Creating versions of Lambda functions: This falls under the customer's responsibility. The customer is responsible for the management and configuration of the Lambda function, which includes creating versions, deploying code, and setting environment variables.

B. Maintaining server and operating systems: AWS handles this. With Lambda, you don't manage the underlying servers or operating systems.

C. Scaling Lambda resources according to demand: AWS automatically scales the execution of your Lambda function in response to incoming traffic.

D. Updating the Lambda runtime environment: While AWS provides the runtime environments (like Node.js, Python, etc.), the responsibility to choose and, if necessary, update to a newer provided runtime is with the customer, especially if AWS deprecates an old runtime.

Reference:
https://aws.amazon.com/lambda/security-overview-of-aws-lambda/

Question 97

Which of the following is a duty of the client under the AWS shared responsibility model? (Select two.)
Decommissioning of physical storage devices
Security group and ACL configuration
Patch management of an Amazon RDS instance operating system
Controlling physical access to data centers
Patch management of an Amazon EC2 instance operating system




Answers are:
B. Security group and ACL configuration
E. Patch management of an Amazon EC2 instance operating system


Customers that deploy an Amazon EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data.

Reference:
https://aws.amazon.com/compliance/shared-responsibility-model/

Question 98

What attributes of an AWS account can AWS Trusted Advisor monitor and advise on? (Select two.)
Compliance with security best practices
Application performance
Network utilization
Cost optimization
Compliance status




Answers are:
A. Compliance with security best practices
D. Cost optimization


All Trusted Advisor categories:
Cost optimization, Performance, Security, Fault tolerance, Service limits

Reference:
https://aws.amazon.com/blogs/startups/optimizing-latency-and-bandwidth-for-aws-traffic/

Question 99

How should an Amazon EC2 instance be granted access to an Amazon S3 bucket in accordance with security best practices?
Hard code an IAM user's secret key and access key directly in the application, and upload the file.
Store the IAM user's secret key and access key in a text file on the EC2 instance, read the keys, then upload the file.
Have the EC2 instance assume a role to obtain the privileges to upload the file.
Modify the S3 bucket policy so that any service can upload to it at any time.




Answer is Have the EC2 instance assume a role to obtain the privileges to upload the file.

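A role is the best identity to link EC2 and S3: the instance assumes the role to obtain its privileges instead of storing an IAM user's secret key and access key.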

Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/

Question 100

Which of the following is included in the AWS Trusted Advisor checks? (Select two.)
Information on Amazon S3 bucket permissions
AWS service outages
Multi-factor authentication enabled on the AWS account root user
Available software patches
Number of users in the account




Answers are:
A. Information on Amazon S3 bucket permissions
C. Multi-factor authentication enabled on the AWS account root user


If you have a Basic Support or Developer Support plan, you can use the Trusted Advisor console to access all checks in the Service limits category and the following checks in the Security category:

- Amazon EBS Public Snapshots
- Amazon RDS Public Snapshots
- Amazon S3 Bucket Permissions
- IAM Use
- MFA on Root Account
- Security Groups – Specific Ports Unrestricted

Reference:
https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html
