AWS Cloud Practitioner Essentials T2.1

Questions and Answers

What is the main responsibility of customers when using Amazon EC2?

• Securing data on volumes (correct)
• Managing global network security
• Managing physical servers and networking
• Handling patches and updates for the underlying infrastructure

What aspect of security is AWS responsible for under the Shared Responsibility Model?

• Data encryption for customer data
• Physical security of data centers (correct)
• Managing user access permissions
• Configuration of applications hosted on AWS

Which of the following best describes the customer’s responsibilities in the Shared Responsibility Model?

• Ensuring global infrastructure availability
• Securing physical data center locations
• Protecting sensitive data stored in AWS (correct)
• Providing managed service updates

Which of the following statements about the Shared Responsibility Model is true concerning AWS Lambda?

Customers are responsible for the function code security. (B)

In the context of Patch Management, what is the responsibility of AWS?

Patching infrastructure and servers (B)

In the context of AWS services, patching responsibilities differ based on the service type. Which service has customers managing most patching responsibilities?

Amazon EC2 (C)

How are disaster recovery plans typically managed in the Shared Responsibility Model?

Customers must create and implement their own disaster recovery plans. (D)

Which responsibility varies based on the service model used (IaaS, PaaS, SaaS)?

Handling operating system updates (C)

What shared responsibility regarding Data Encryption exists between AWS and its customers?

Customers must decide what data to encrypt and manage encryption keys (D)

Regarding role-based access in AWS, what is the primary responsibility of customers?

Defining and assigning roles based on user responsibilities (B)

Which of the following best describes the primary difference in customer responsibilities between IaaS and SaaS models in AWS?

In IaaS, customers handle data security; in SaaS, AWS is responsible for most security. (D)

Which of the following tasks is specifically the customer's responsibility in the context of AWS services?

Configuring Elastic Compute Cloud (EC2) firewall rules (B)

Which statement about the AWS Shared Responsibility Model is false?

AWS provides no security guidance to customers. (A)

Which of the following aspects of customer responsibility is crucial to understand when utilizing AWS services?

Implementing encryption for data without AWS input (A)

In which service model does AWS take on the least amount of responsibility?

Infrastructure as a Service (IaaS) (C)

What characteristic clearly differentiates the shared responsibilities across IaaS, PaaS, and SaaS?

SaaS requires the least customer input compared to IaaS. (A)

Which of the following correctly describes AWS's role in securing data when utilizing Amazon RDS?

AWS manages the database engine but not the customer data security. (D)

Which of the following is not part of AWS's responsibilities?

Maintaining data privacy policies (D)

What defines the 'Security in the cloud' responsibilities of customers?

Applying security measures to customer-specific data and applications (D)

Flashcards

AWS Shared Responsibility Model

A framework that outlines how security responsibilities are divided between AWS and its customers.

AWS Responsibilities (Security of the Cloud)

Physical Security: secures data centres (e.g., guards, cameras, controlled access).

Hardware Management: AWS maintains and updates servers, storage devices, and networking equipment.

Global Infrastructure: AWS ensures the security and availability of regions, availability zones, and edge locations.

Managed Services Security: For managed services like Amazon RDS (Relational Database Service), AWS handles tasks like operating system updates and patching.

Shared Responsibilities

Patch Management: AWS patches the infrastructure, but you must patch your applications if you’re using services like EC2.

Data Encryption: AWS offers encryption tools, but you decide what data to encrypt and manage encryption keys.

How Responsibilities Shift Based on Service

depending on whether you’re using Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS)

Define the security responsibility when using Amazon EC2 (IaaS - Infrastructure as a Service).

AWS: Manages physical infrastructure (data centers, servers, storage).

Customer: operating system upwards, including applications, Configures network firewalls (security groups). Encrypts data stored on volumes.

Define the security responsibility when using Amazon RDS (Relational Database Service) (PaaS -Platform as a Service)

AWS: Handles infrastructure, operating system. Manages the underlying database engine. Handles patches and updates for the database software.

Customer: Manages data (Ensures data is secure (e.g., encrypting sensitive fields).) Manages database access (users, passwords). application-level security. (database queries - database credentials)

Define the security responsibility when using AWS Lambda (SaaS - Software as a Service)

AWS: Manages infrastructure, operating systems, runtime environment.

Customer: Ensures the function code is secure and performs intended tasks securely. Configures triggers securely (e.g., event sources like S3 or API Gateway). data provided to the service.

Customer Responsibilities (Security in the Cloud) with examples

Data: Protecting sensitive data stored in AWS. Example: Encrypting customer data stored in Amazon S3 using AWS Key Management Service (KMS).

Applications: Securing applications running in the cloud. Example: Applying security patches to an application hosted on an Amazon EC2 instance.

User Access Management: Managing who can access your AWS environment. Example: Creating IAM roles to restrict access to an Amazon RDS database.

Configuration: Ensuring services like Amazon EC2 (Elastic Compute Cloud) are configured securely. Example: Configuring Security Groups in Amazon EC2 to allow only HTTPS traffic (port 443).

Responsibilities Encryption Level

AWS provides tools, but you decide what to encrypt.

Responsibilities Firewalls Level

AWS provides security tools like Security Groups, but you must configure these tools to allow or deny specific traffic to your resources.

Responsibilities Backup and Recovery Level

AWS ensures the durability of storage systems like Amazon S3, but you must configure backups and recovery plans to protect your data.

Responsibilities Data Responsibility Level

AWS secures the physical infrastructure, but customers are responsible for securing the data they store, such as enabling encryption and restricting access using IAM.

Responsibilities Configuration Management Level

AWS provides tools like AWS Config to track configuration changes, but you are responsible for defining and enforcing compliance policies.

Responsibilities Disaster Recovery Level

AWS offers services like AWS Elastic Disaster Recovery to replicate workloads, but you must create and implement disaster recovery plans that suit your business needs.

Responsibilities Role-Based Access Level

AWS allows the creation of roles using IAM, but you must define and assign roles to users or applications to restrict access based on their responsibilities.

Study Notes

AWS Shared Responsibility Model

• A framework defining security responsibilities between AWS and customers.
• AWS Responsibility: Securing the cloud infrastructure (physical security, hardware management, global infrastructure, managed service security).
• Customer Responsibility: Securing resources within the cloud (data, applications, user access management, configuration).

Key Concepts

• AWS Responsibility (Cloud Security):
  • Physical security: data centers (guards, cameras, access control).
  • Hardware management: servers, storage, networking maintenance and updates.
  • Global infrastructure: regions, availability zones, edge locations.
  • Managed service security: services like Amazon RDS (operatingsystem updates, patching).
• Customer Responsibility (In-cloud Security):
  • Data protection: sensitive data stored in AWS.
  • Application security: securing applications in the cloud.
  • User access management: controlling AWS environment access (IAM roles, policies).
  • Configuration security: secure service configurations (e.g., firewall rules, encryption for Amazon EC2).

Shared Responsibilities

• Patch Management: AWS patches infrastructure; Customers patch applications (e.g., EC2).
• Data Encryption: AWS offers tools; Customers decide what to encrypt and manage keys.

Responsibilities by Service Type

• Infrastructure as a Service (IaaS) - Example: Amazon EC2:
  • AWS: Manages physical infrastructure (data centers, servers, storage).
  • Customer: Manages everything above the infrastructure (operating system, applications, data, user access).
• Platform as a Service (PaaS) - Example: Amazon RDS:
  • AWS: Manages infrastructure, OS, and database engine.
  • Customer: Manages data, database access, and application-level security.
• Software as a Service (SaaS) - Example: AWS Lambda:
  • AWS: Manages everything (infrastructure, OS, runtime environment).
  • Customer: Focuses on code and data security provided to the service.

Responsibilities by Example

• Amazon EC2 (IaaS):
  • AWS: Secures physical servers, networking, hypervisors.
  • Customer: Installs, secures OS, configures security groups, encrypts data volumes.
• Amazon RDS (PaaS):
  • AWS: Manages database engine, handles patches and updates.
  • Customer: Manages database access, ensures data security (encryption).
• AWS Lambda (SaaS):
  • AWS: Manages infrastructure, scaling, runtime environment.
  • Customer: Secures function code, configures triggers securely (e.g., S3, API Gateway).

Importance of the Model

• Secure Environment: Clear understanding of responsibilities.
• Prevent Security Breaches: Avoid omissions and ensure comprehensive security measures.

Study Tips

• Memorize Responsibilities: Distinguish AWS and customer responsibilities.
• Use Examples: Understand how responsibilities change with EC2, RDS, Lambda.
• Understand Key Terms:
  • Encryption: Customers decide what to encrypt; AWS provides tools.
  • Firewalls (Security Groups): Customers configure for specific traffic.
  • Patching: AWS manages infrastructure; customers manage applications.
  • Backup and Recovery: AWS secures storage; customers configure data backups.
  • Data Responsibility: AWS secures infrastructure; customers secure data stored.
  • Configuration Management: AWS provides tools; customers define compliance.
  • Disaster Recovery (DR): Services provided by AWS; customers implement DR plans.
  • Role-Based Access (IAM): AWS provides tools; customers define user/application access.
• Visualize: AWS as building owner; customer as tenant responsible for its space.

Description

Explore the AWS Shared Responsibility Model and understand the division of security responsibilities between AWS and its customers. This quiz covers key concepts related to cloud security provided by AWS and the responsibilities customers must uphold to secure their resources effectively.