Limited Time Offer!

For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!

Enroll Now

AWS Certified Solutions Architect Exam Guide – Chapter-13

Understand the shared responsibility model. The shared responsibility model is not just limited security considerations; it also extends to IT controls. For example, the management, Operation, and verification of IT controls are shared between AWS and the customer. AWS manages these controls where it relates to physical infrastructure.

Remember that IT governance is the customer’s responsibility. It is the customer’s responsibility to maintain adequate governance over the entire IT control environment, regardless of how its IT is deployed (on-premises, cloud, or hybrid).

Understand how AWS provides control information. AWS provides IT control information to customers in two ways: via specific control definition and through a more general control standard compliance.

Remember that AWS is very proactive about risk management. AWS takes risk management very seriously, so it has developed a business plan to identify any risks and to implement controls to mitigate or manage those risks. An AWS management team reevaluates the business risk plan at least twice a year. As a part of this process, management team members are required to identify risks within their specific areas of responsibility and then implement controls designed to address and perhaps even eliminate those risks.

Remember that the control environment is not just about technology. The AWS control environment consists of policies, processes, and control activities. This control environment includes people, processes, and technology.

Remember the key reports, certifications, and third-party attestations. The key reports, certifications, and third-party attestations include, but are not limited to, the following:

  • FedRAMP
  • FIPS 140—2
  • FISMA and DIACAP
  • HIPAA
  • ISO 9001
  • IS0 27001
  • ITAR
  • PCI DSS Level 1
  • SOC 1/ISAE 3402
  • SOC 2
  • SOC 3

    Review Questions
    AWS communicates with customers regarding its security and control environment through a variety of different mechanisms. Which of the following are valid mechanism?(Choose 3 answers)
  • Obtaining industry certifications and independent third-party attestations
  • Publishing information about security and AWS control practices via the website, whitepapers, and blogs
  • Directly providing customers with certificates, reports, and other documentation (under NDA in some cases)
  • Allowing customers’ auditors direct access to AWS data centers, infrastructure, and senior staff

Which of the following statements is true when it comes to the AWS shared responsibility model?

  • The shared responsibility model is limited to security considerations only; it does not extend to IT controls.
  • The shared responsibility model is only applicable for customers who want to be compliant with SOC 1 Type II.
  • The shared responsibility model is not just limited to security considerations; it also extends to IT controls.
  • The shared responsibility model is only applicable for customers who want to be compliant with ISO 27001.

AWS provides IT control information to customers in which of the following ways?

  • By using specific control definitions or through general control standard compliance
  • By using specific control definitions or through SAS 70
  • By using general control standard compliance and by complying with ISO 27001
  • By complying with ISO 27001 and SOC 1 Type II

Which of the following is a valid report, certification, or third-party attestation for AWS? (Choose 3 answers)

  • SOC 1
  • PCI DSS Level 1
  • SOC 4
  • ISO 27001

Which of the following statements is true?

  • IT governance is still the customer‘s responsibility, despite deploying their IT estate onto the AWS platform.
  • The AWS platform is PCl DSS-compliant to Level 1. Customers can deploy their web applications to this platform, and they will be PCU DSS-compliant automatically.
  • The shared responsibility model applies to IT security only; it does not relate to governance.
  • AWS doesn’t take risk management very seriously, and it’s up to the customer to mitigate risks to the AWS infrastructure.

Which of the following statements is true when it comes to the risk and compliance advantages of the AWS environment?

  • Workloads must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations.
  • The critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the non-critical components do not.
  • The non-critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the critical components do not.
  • Few, many, or all components of a workload can be moved to the AWS Cloud, but it is the customer’s responsibility to ensure that their entire workload remains compliant with various certifications and third-party attestations.

Which of the following statements best describes an Availability Zone?

  • Each Availability Zone consists of a single discrete data center with redundant power and networking/connectivity.
  • Each Availability Zone consists of multiple discrete data centers with redundant power and networking connectivity.
  • Each Availability Zone consists of multiple discrete regions, each with a single data center with redundant power and networking/connectivity.
  • Each Availability Zone consists of multiple discrete data centers with shared power and redundant networking/connectivity.

With regard to vulnerability scans and threat assessments of the AWS platform, which of the following statements are true? (Choose 2 answers)

  • AWS regularly performs scans of public-facing endpoint IP addresses for vulnerabilities.
  • Scans performed by AWS include customer instances.
  • AWS security notifies the appropriate parties to remediate any identified vulnerabilities.
  • Customers can perform their own scans at any time without advance notice.

Which of the following best describes the risk and compliance communication responsibilities of customers to AWS?

  • AWS and customers both communicate their security and control environment information to each other at all times.
  • AWS publishes information about the AWS security and control practices online, and directly to customers under NDA. Customers do not need to communicate their use and configurations to AWS.
  • Customers communicate their use and configuration to AWS at all times. AWS does not communicate AWS security and control practices to Customers for security reasons.
  • Both customers and AWS keep their security and control practices entirely confidential and do not share them in order to ensure the greatest security for all parties.

When it comes to risk management, which of the following is true?

  • AWS does not develop a strategic business plan; risk management and mitigation is entirely the responsibility of the customer.
  • AWS has developed a strategic business plan to identify any risks and implemented controls to mitigate or manage those risks. Customers do not need to develop and maintain their own risk management plans.
  • AWS has developed a strategic business plan to identify any risks and has implemented controls to mitigate or manage those risks. Customers should also develop and maintain their own risk management plans to ensure they are compliant with any relevant controls and certifications.
  • Neither AWS nor the customer needs to worry about risk management, so no plan is needed from either party.

The AWS control environment is in place for the secure delivery of AWS Cloud service offerings. Which of the following does the collective control environment NOT explicitly include?

  • People
  • Energy
  • Technology
  • Processes

Who is responsible for the configuration of security groups in an AWS environment?

  • The customer and AWS are both jointly responsible for ensuring that security groups are correctly and securely configured.
  • AWS is responsible for ensuring that all security groups are correctly and securely configured. Customers do not need to worry about security group configuration.
  • Neither AWS nor the customer is responsible for the configuration of security groups; security groups are intelligently and automatically configured using traffic heuristics.
  • AWS provides the security group functionality as a service, but the customer is responsible for correctly and securely configuring their own security groups.

Which of the following is NOT a recommended approach for customers trying to achieve strong compliance and governance over an entire IT control environment?

  • Take a holistic approach: Review information available from AWS together with all other information, and document all compliance requirements.
  • Verify that all control objectives are met and all key controls are designed and operating effectively.
  • Implement generic control objectives that are not specifically designed to meet their organization’s compliance requirements.
  • Identify and document controls owned by all third parties.
Rajesh Kumar
Follow me