AWS Shared Responsibility Model: Areas of Shared Controls | Exam CLF-C01

Not an Area of Shared Controls within the AWS Shared Responsibility Model

Question

Which of the following is NOT an area of shared controls (controls shared between AWS and the customer, each in a different context) within the AWS Shared Responsibility Model? (Select TWO.)

Answers

A. Configuration Management
B. Service & Communication Protection
C. Patch Management
D. IAM User Management
E. Training & Awareness

Explanations

Correct Answers: B and D.

Shared controls apply in both the infrastructure layer and the customer layer, but in completely separate contexts.

Under shared controls, AWS provides requirements for infrastructure while customers must provide their own control implementation for the AWS services that they use.

Option A is incorrect since configuration management has shared controls.

AWS is responsible for configuring infrastructure devices while the customer is responsible for configuring their guest OS & applications.

Option B is CORRECT since service communication may be subject to data zoning and protection within specific security environments.

This is primarily the responsibility of the customer; AWS does not play any role in it.

This may take the form of configuring NACLs, security groups, data encryption, etc.

Option C is incorrect since AWS is responsible for detecting and patching flaws within the infrastructure, while the customer is responsible for patching their guest OS and applications.

Option D is CORRECT since IAM and user management refer to security "in" the cloud and are best managed by the customer.

Option E is incorrect since AWS trains its own employees, while customers need to train their own employees.

Reference:

https://aws.amazon.com/compliance/shared-responsibility-model/

The AWS Shared Responsibility Model is a security framework that outlines the division of responsibilities between AWS and its customers. It defines which security controls are the responsibility of AWS and which are the responsibility of the customer.

AWS is responsible for the security "of" the cloud, which includes the underlying infrastructure, network, and hardware. On the other hand, customers are responsible for the security "in" the cloud, which includes the security of their data, applications, and systems.

The areas of shared controls refer to the security controls that are shared between AWS and the customer. These controls require both parties to work together to ensure security in the cloud.

Now let's analyze the options:

A. Configuration Management: This area includes the management of configurations for both AWS and customer-owned resources. It involves the configuration and maintenance of settings and parameters for various resources. This area is a shared control, as both AWS and the customer have responsibilities related to configuration management.

B. Service & communication protection: This area includes the protection of communication channels between different resources in the cloud, as well as the protection of AWS services. Both AWS and the customer have responsibilities related to service and communication protection. This area is a shared control.

C. Patch Management: This area includes the management of patches and updates for operating systems and applications on both AWS and customer-owned resources. Both parties have responsibilities related to patch management, making this area a shared control.

D. IAM User Management: This area includes the management of user identities and permissions for accessing AWS resources. This area is the responsibility of the customer, not AWS. Therefore, IAM User Management is not a shared control.

E. Training & Awareness: This area includes the training and awareness of personnel regarding security practices and policies. While AWS provides security training to its employees, it is the responsibility of the customer to provide training and awareness to their employees. Therefore, this area is not a shared control.

Therefore, the two options that are not areas of shared controls within the AWS Shared Responsibility Model are D. IAM User Management and E. Training & Awareness.