
Amazon CLF-C02: Which tasks are the responsibility of the customer, according to the AWS shared responsibility model?


Question

Which tasks are the responsibility of the customer, according to the AWS shared responsibility model? (Choose two.)

A. Patch the Amazon RDS operating system.
B. Upgrade the firmware of the network infrastructure.
C. Manage data encryption.
D. Maintain physical access control in an AWS Region.
E. Grant least privilege access to IAM users.

Answer

C. Manage data encryption.
E. Grant least privilege access to IAM users.

Explanation

The correct answers are C. Manage data encryption and E. Grant least privilege access to IAM users. Here is why:

  • The AWS shared responsibility model defines which security and compliance tasks belong to AWS and which belong to the customer. AWS is responsible for security of the cloud: the physical facilities, hardware, hypervisor, managed-service software and the global network that the services run on. The customer is responsible for security in the cloud: everything they configure and put on top of those services, which includes their data, identities and permissions, operating systems on EC2, network configuration (VPCs, security groups, NACLs), and encryption settings. The split moves with the service type: the more managed the service (for example RDS or Lambda versus EC2), the more of the stack AWS takes on, but data, access control and encryption choices always stay with the customer.
  • Data encryption transforms data into a form that can be read only by parties holding the decryption key, and it is the customer's responsibility under the model. AWS supplies the building blocks: AWS Key Management Service (KMS) for key generation, storage and key policies, AWS CloudHSM for dedicated hardware security modules, the AWS Encryption SDK for client-side encryption, and TLS (with certificates from AWS Certificate Manager) for data in transit. The customer must still decide which data to encrypt, whether to use AWS-managed or customer-managed keys, which principals may use each key (the KMS key policy and IAM grants), and how keys are rotated and audited. Even where a service encrypts storage by default, selecting and governing the key remains the customer's job. Therefore, option C is correct.
  • Granting least privilege access to IAM users is the practice of giving each IAM user only the minimum permissions that they need to perform their tasks. IAM users are entities that represent people or applications that interact with AWS resources. Granting least privilege access to IAM users is a key aspect of identity and access management (IAM), as it reduces the risk of unauthorized or malicious actions on AWS resources. Granting least privilege access to IAM users is the responsibility of the customer, not AWS, according to the AWS shared responsibility model. The customer can use AWS services and tools, such as IAM policies, IAM roles, or AWS Organizations, to create and manage IAM users and their permissions, but the customer must decide who can access which resources and under what conditions. Therefore, option E is correct.
  • Patching the Amazon RDS operating system is the responsibility of AWS, not the customer, according to the AWS shared responsibility model. Amazon RDS is a managed service: AWS owns the underlying instance, operating system and database engine binaries, and the customer has no shell or OS-level login to the host. AWS applies OS patches and engine minor-version updates during a maintenance window that the customer chooses, and manages the storage and backup machinery. The customer still selects the engine and version, instance class and storage, sets the backup retention period, controls network access with security groups, and manages the database's own users, roles and table-level permissions; scaling the instance up is normally a customer-initiated change as well. (Amazon RDS Custom is the exception: it gives the customer OS access and, with it, the patching duty, but that is not what this question refers to.) Therefore, option A is incorrect.
  • Upgrading the firmware of the network infrastructure is the responsibility of AWS, not the customer, according to the AWS shared responsibility model. The network infrastructure refers to the physical and logical components that enable network connectivity between AWS resources and between AWS and external networks. These components include routers, switches, firewalls, load balancers, gateways, DNS servers, etc. AWS provides and maintains these components as part of its global network infrastructure that spans multiple regions and availability zones. The customer only needs to use AWS services and tools, such as Amazon VPC, Amazon Route 53, or AWS Direct Connect, to configure and manage their network settings and connections. Therefore, option B is incorrect.
  • Maintaining physical access control in an AWS Region is the responsibility of AWS, not the customer, according to the AWS shared responsibility model. An AWS Region is a geographical area made up of multiple Availability Zones that are isolated from one another but connected by low-latency links. An Availability Zone consists of one or more physically distinct data centers that host AWS resources. AWS secures these data centers with layered physical controls, such as perimeter fencing, guarded entry points, video surveillance, multi-factor and biometric access checks, and media-destruction procedures for decommissioned hardware. The customer has no physical access to the data centers or their hardware; the customer's physical-security obligation is limited to their own premises, devices and credentials. Therefore, option D is incorrect.

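The least-privilege point in option E is easier to see with a concrete policy document beside an over-broad one. The following is an added example, not from the original page or from AWS: it embeds two constructed IAM policy documents (the bucket name, account ID and KMS key ID are hypothetical) and a small linter that flags the patterns a customer is responsible for avoiding, namely wildcard actions, `Resource: "*"` on resource-scoped APIs, and any grant that reaches a privilege-escalation action. The escalation list and the allowlist of actions that genuinely require `Resource: "*"` are illustrative subsets, not complete lists.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies (not from the page). The first is the over-broad
# "administrator" shape that violates least privilege; the second scopes the
# same job (read/write one S3 prefix, encrypt with one KMS key) to exactly that.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOnePrefix",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-reports",  # hypothetical bucket
            "Condition": {"StringLike": {"s3:prefix": ["finance/*"]}},
        },
        {
            "Sid": "ReadWriteOnePrefix",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-reports/finance/*",
        },
        {
            "Sid": "UseOneKey",
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            # hypothetical account ID and key ID
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        },
    ],
})

# Illustrative subset of actions that let a principal grant itself more access.
ESCALATION_ACTIONS = [
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:PutUserPolicy", "sts:AssumeRole", "kms:PutKeyPolicy",
]

# Illustrative subset of read-only actions that must be granted on Resource "*".
RESOURCE_STAR_REQUIRED = {"s3:listallmybuckets", "kms:listkeys", "sts:getcalleridentity"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return (sid, finding) pairs for each least-privilege problem in an IAM policy document."""
    doc = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take access away
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource allows everything not listed"))
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # IAM actions are case-insensitive
        resources = _as_list(stmt.get("Resource"))

        # 1. Wildcards in Action: '*' is full admin, 'svc:*' is full admin for that service.
        for action in actions:
            if action == "*":
                findings.append((sid, "Action '*' grants every API in every service"))
            elif action.endswith(":*"):
                findings.append((sid, f"service-wide wildcard action {action}"))
            elif "*" in action:
                findings.append((sid, f"wildcard action {action}"))

        # 2. Resource '*' combined with actions that can be scoped to specific ARNs.
        if "*" in resources and any(a not in RESOURCE_STAR_REQUIRED for a in actions):
            findings.append((sid, "Resource '*' with resource-level actions; scope to ARNs"))

        # 3. Any granted pattern (wildcards included) that reaches an escalation action.
        reachable = sorted(
            esc for esc in ESCALATION_ACTIONS
            if any(fnmatchcase(esc.lower(), pattern) for pattern in actions)
        )
        if reachable:
            findings.append((sid, "reaches privilege-escalation actions: " + ", ".join(reachable)))
    return findings


if __name__ == "__main__":
    for name, policy in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "->", lint_policy(policy) or "no findings")
```

Run stand-alone, the script reports three findings for the broad policy (the wildcard action, the wildcard resource, and the escalation actions it reaches) and none for the scoped one. The scoped policy shows the three levers the customer controls: specific actions, specific resource ARNs, and a Condition that narrows the grant further; AWS enforces whatever the customer writes, so the customer owns the result.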
