Question 18
Domain 2: Security and Compliance
A company is training staff on the AWS shared responsibility model. They want an example of a security task where AWS and the customer each handle different layers of the same activity (a shared control). Which example best illustrates this?
Correct answer: D
Explanation
AWS says it is responsible for “the hardware, software, networking, and facilities,” while the customer handles “patching guest operating systems of EC2 instances.” That makes patch management a shared control: AWS patches the underlying infrastructure, and the customer patches the OS and applications in the instance.
Why each option is right or wrong
A. The customer encrypts application data before storing it locally on on-premises file servers.
B. The customer defines security groups and network ACL rules for their VPC.
C. AWS designs, builds, and operates the global network, including all routing and switching.
D. AWS patches the physical servers and networking devices, while the customer patches the guest operating systems and applications on Amazon EC2 instances.
AWS’s Shared Responsibility Model assigns AWS the security of the underlying cloud infrastructure—specifically the hardware, software, networking, and facilities—while the customer is responsible for security in the cloud, including patching the guest operating system on EC2 and the applications they deploy. Because patch management is explicitly listed as a shared control, this example correctly splits one activity across both parties: AWS patches the host-side infrastructure, and the customer patches the instance-level OS and application layer.