Review - Chapter 13 AWS


1. AWS communicates with customers regarding its security and control environment through a variety of different mechanisms. Which of the following are valid mechanisms? (Choose 3 answers)
A. Obtaining industry certifications and independent third-party attestations
B. Publishing information about security and AWS control practices via the website, whitepapers, and blogs
C. Directly providing customers with certificates, reports, and other documentation (under NDA in some cases)
D. Allowing customers' auditors direct access to AWS data centers, infrastructure, and senior staff

Answer: A, B, C. Answers A through C describe valid mechanisms that AWS uses to communicate with customers regarding its security and control environment. AWS does not allow customers' auditors direct access to AWS data centers, infrastructure, or staff.

2. Which of the following statements is true when it comes to the AWS shared responsibility model?
A. The shared responsibility model is limited to security considerations only; it does not extend to IT controls.
B. The shared responsibility model is only applicable for customers who want to be compliant with SOC 1 Type II.
C. The shared responsibility model is not just limited to security considerations; it also extends to IT controls.
D. The shared responsibility model is only applicable for customers who want to be compliant with ISO 27001.

Answer: C. The shared responsibility model can include IT controls, and it is not just limited to security considerations. Therefore, answer C is correct.

3. AWS provides IT control information to customers in which of the following ways?
A. By using specific control definitions or through general control standard compliance
B. By using specific control definitions or through SAS 70
C. By using general control standard compliance and by complying with ISO 27001
D. By complying with ISO 27001 and SOC 1 Type II

Answer: A. AWS provides IT control information to customers through either specific control definitions or general control standard compliance.

4. Which of the following is a valid report, certification, or third-party attestation for AWS? (Choose 3 answers)
A. SOC 1
B. PCI DSS Level 1
C. SOC 4
D. ISO 27001

Answer: A, B, D. There is no such thing as a SOC 4 report; therefore answer C is incorrect.

5. Which of the following statements is true?
A. IT governance is still the customer's responsibility, despite deploying their IT estate onto the AWS platform.
B. The AWS platform is PCI DSS-compliant to Level 1. Customers can deploy their web applications to this platform, and they will be PCI DSS-compliant automatically.
C. The shared responsibility model applies to IT security only; it does not relate to governance.
D. AWS doesn't take risk management very seriously, and it's up to the customer to mitigate risks to the AWS infrastructure.

Answer: A. IT governance is still the customer's responsibility.

6. Which of the following statements is true when it comes to the risk and compliance advantages of the AWS environment?
A. Workloads must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations.
B. The critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the non-critical components do not.
C. The non-critical components of a workload must be moved entirely into the AWS Cloud in order to be compliant with various certifications and third-party attestations, but the critical components do not.
D. Few, many, or all components of a workload can be moved to the AWS Cloud, but it is the customer's responsibility to ensure that their entire workload remains compliant with various certifications and third-party attestations.

Answer: D. Any number of components of a workload can be moved into AWS, but it is the customer's responsibility to ensure that the entire workload remains compliant with various certifications and third-party attestations.

7. Which of the following statements best describes an Availability Zone?
A. Each Availability Zone consists of a single discrete data center with redundant power and networking/connectivity.
B. Each Availability Zone consists of multiple discrete data centers with redundant power and networking/connectivity.
C. Each Availability Zone consists of multiple discrete regions, each with a single data center with redundant power and networking/connectivity.
D. Each Availability Zone consists of multiple discrete data centers with shared power and redundant networking/connectivity.

Answer: B. An Availability Zone consists of multiple discrete data centers, each with its own redundant power and networking/connectivity; therefore answer B is correct.

8. With regard to vulnerability scans and threat assessments of the AWS platform, which of the following statements are true? (Choose 2 answers)
A. AWS regularly performs scans of public-facing endpoint IP addresses for vulnerabilities.
B. Scans performed by AWS include customer instances.
C. AWS security notifies the appropriate parties to remediate any identified vulnerabilities.
D. Customers can perform their own scans at any time without advance notice.

Answer: A, C. AWS regularly scans public-facing, non-customer endpoint IP addresses and notifies the appropriate parties. AWS does not scan customer instances, and customers must request the ability to perform their own scans in advance; therefore answers A and C are correct.

9. Which of the following best describes the risk and compliance communication responsibilities of customers to AWS?
A. AWS and customers both communicate their security and control environment information to each other at all times.
B. AWS publishes information about the AWS security and control practices online, and directly to customers under NDA. Customers do not need to communicate their use and configurations to AWS.
C. Customers communicate their use and configurations to AWS at all times. AWS does not communicate AWS security and control practices to customers for security reasons.
D. Both customers and AWS keep their security and control practices entirely confidential and do not share them in order to ensure the greatest security for all parties.

Answer: B. AWS publishes information publicly online and directly to customers under NDA, but customers are not required to share their use and configuration information with AWS; therefore answer B is correct.

10. When it comes to risk management, which of the following is true?
A. AWS does not develop a strategic business plan; risk management and mitigation is entirely the responsibility of the customer.
B. AWS has developed a strategic business plan to identify any risks and implemented controls to mitigate or manage those risks. Customers do not need to develop and maintain their own risk management plans.
C. AWS has developed a strategic business plan to identify any risks and has implemented controls to mitigate or manage those risks. Customers should also develop and maintain their own risk management plans to ensure they are compliant with any relevant controls and certifications.
D. Neither AWS nor the customer needs to worry about risk management, so no plan is needed from either party.

Answer: C. AWS has developed a strategic business plan, and customers should also develop and maintain their own risk management plans; therefore answer C is correct.

11. The AWS control environment is in place for the secure delivery of AWS Cloud service offerings. Which of the following does the collective control environment NOT explicitly include?
A. People
B. Energy
C. Technology
D. Processes

Answer: B. The collective control environment includes the people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of the AWS control framework. Energy is not a discretely identified part of the control environment; therefore B is the correct answer.

12. Who is responsible for the configuration of security groups in an AWS environment?
A. The customer and AWS are both jointly responsible for ensuring that security groups are correctly and securely configured.
B. AWS is responsible for ensuring that all security groups are correctly and securely configured. Customers do not need to worry about security group configuration.
C. Neither AWS nor the customer is responsible for the configuration of security groups; security groups are intelligently and automatically configured using traffic heuristics.
D. AWS provides the security group functionality as a service, but the customer is responsible for correctly and securely configuring their own security groups.

Answer: D. Customers are responsible for ensuring all of their security group configurations are appropriate for their own applications; therefore answer D is correct.

13. Which of the following is NOT a recommended approach for customers trying to achieve strong compliance and governance over an entire IT control environment?
A. Take a holistic approach: review information available from AWS together with all other information, and document all compliance requirements.
B. Verify that all control objectives are met and all key controls are designed and operating effectively.
C. Implement generic control objectives that are not specifically designed to meet their organization's compliance requirements.
D. Identify and document controls owned by all third parties.

Answer: C. Customers should ensure that they implement control objectives that are designed to meet their organization's own unique compliance requirements; therefore answer C is correct.

