What is the customer's obligation while using an AWS managed service under the AWS shared responsibility model?
Physical security of the data centers
Server-side encryption
Customer data
Operating system patching
Answer is Customer data
AWS has an increased responsibility for our managed services. Examples of managed services include Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon Elastic MapReduce, and Amazon WorkSpaces. These services provide the scalability and flexibility of cloud-based resources with less operational overhead because we handle basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery. For most managed services, you only configure logical access controls and protect account credentials, while maintaining control and responsibility of any personal data.
All AWS users have access to which AWS Trusted Advisor check?
Core checks
All checks
Cost optimization checks
Fault tolerance checks
Answer is Core checks
What does Trusted Advisor check?
Trusted Advisor includes an ever-expanding list of checks in the following four categories:
Cost Optimization – recommendations that can potentially save you money by highlighting unused resources and opportunities to reduce your bill.
Security – identification of security settings that could make your Amazon Web Services solution less secure.
Fault Tolerance – recommendations that help increase the resiliency of your Amazon Web Services solution by highlighting redundancy shortfalls, current service limits, and overutilized resources.
Performance – recommendations that can help to improve the speed and responsiveness of your applications.
Which of the following is an example of security in the AWS Cloud under the AWS shared responsibility model?
Managing edge locations
Physical security
Firewall configuration
Global infrastructure
Answer is Firewall configuration
The AWS Shared Responsibility Model – This specifies that AWS is responsible for security of the Cloud while the customer is responsible for security 'in' the Cloud.
Customer’s Responsibility – Patching the OS running on EC2 instances; creating security groups; configuring the firewall; managing user accounts, access rights, and permissions; securing AMIs; and encrypting data at the client and server side.
Permissions for which of the following are managed by service control policies (SCPs)?
Availability Zones
AWS Regions
AWS Organizations
Edge locations
Answer is AWS Organizations
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
According to the AWS shared responsibility model, which job is shared between AWS and the customer?
Physical and environmental controls
Server hardware management and encryption
Application security
Patch management and configuration management
Answer is Patch management and configuration management
Shared Controls: Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:
Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
Awareness & Training – AWS trains AWS employees, but a customer must train their own employees.
Which duty is the customer's responsibility while administering AWS Lambda functions under the AWS shared responsibility model?
Creating versions of Lambda functions
Maintaining server and operating systems
Scaling Lambda resources according to demand
Updating the Lambda runtime environment
Answer is Creating versions of Lambda functions
When customers use AWS Lambda, AWS manages the underlying infrastructure and foundation services, the operating system, and the application platform. Customers themselves are responsible for the security of their code, the storage and accessibility of sensitive data, and identity and access management (IAM) to the Lambda service and within their function.
A. Creating versions of Lambda functions: This falls under the customer's responsibility. The customer is responsible for the management and configuration of the Lambda function, which includes creating versions, deploying code, and setting environment variables.
B. Maintaining server and operating systems: AWS handles this. With Lambda, you don't manage the underlying servers or operating systems.
C. Scaling Lambda resources according to demand: AWS automatically scales the execution of your Lambda function in response to incoming traffic.
D. Updating the Lambda runtime environment: While AWS provides the runtime environments (like Node.js, Python, etc.), the responsibility to choose and, if necessary, update to a newer provided runtime is with the customer, especially if AWS deprecates an old runtime.
Which of the following is a duty of the client under the AWS shared responsibility model? (Select two.)
Decommissioning of physical storage devices
Security group and ACL configuration
Patch management of an Amazon RDS instance operating system
Controlling physical access to data centers
Patch management of an Amazon EC2 instance operating system
Answers are:
B. Security group and ACL configuration
E. Patch management of an Amazon EC2 instance operating system
Customers that deploy an Amazon EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data.
Which of the following is included in the AWS Trusted Advisor checks? (Select two.)
Information on Amazon S3 bucket permissions
AWS service outages
Multi-factor authentication enabled on the AWS account root user
Available software patches
Number of users in the account
Answers are:
A. Information on Amazon S3 bucket permissions
C. Multi-factor authentication enabled on the AWS account root user
If you have a Basic Support and Developer Support plan, you can use the Trusted Advisor console to access all checks in the Service limits category and the following checks in the security category:
- Amazon EBS Public Snapshots
- Amazon RDS Public Snapshots
- Amazon S3 Bucket Permissions
- IAM Use
- MFA on Root Account
- Security Groups – Specific Ports Unrestricted