Ch13 Risk and Compliance Flashcards
AWS communicates with customers regarding its security and control environment
through a variety of different mechanisms. Which of the following are valid
mechanisms? (Choose 3 answers)
A. Obtaining industry certifications and independent third-party attestations
B. Publishing information about security and AWS control practices via the website,
whitepapers, and blogs
C. Directly providing customers with certificates, reports, and other documentation
(under NDA in some cases)
D. Allowing customers’ auditors direct access to AWS data centers, infrastructure, and
senior staff
A, B, C. Answers A through C describe valid mechanisms that AWS uses to communicate
with customers regarding its security and control environment. AWS does not allow
customers’ auditors direct access to AWS data centers, infrastructure, or staff.
Which of the following statements is true when it comes to the AWS shared
responsibility model?
A. The shared responsibility model is limited to security considerations only; it does
not extend to IT controls.
B. The shared responsibility model is only applicable for customers who want to be
compliant with SOC 1 Type II.
C. The shared responsibility model is not just limited to security considerations; it also
extends to IT controls.
D. The shared responsibility model is only applicable for customers who want to be
compliant with ISO 27001.
C. The shared responsibility model is not limited to security considerations; it also
extends to IT controls, which customers and AWS share and operate jointly. Therefore, answer C is correct.
AWS provides IT control information to customers in which of the following ways?
A. By using specific control definitions or through general control standard compliance
B. By using specific control definitions or through SAS 70
C. By using general control standard compliance and by complying with ISO 27001
D. By complying with ISO 27001 and SOC 1 Type II
A. AWS provides IT control information to customers through either specific control
definitions or general control standard compliance.
Which of the following is a valid report, certification, or third-party attestation for
AWS? (Choose 3 answers)
A. SOC 1
B. PCI DSS Level 1
C. SOC 4
D. ISO 27001
A, B, D. There is no such thing as a SOC 4 report, therefore answer C is incorrect.
Which of the following statements is true?
A. IT governance is still the customer’s responsibility, despite deploying their IT estate
onto the AWS platform.
B. The AWS platform is PCI DSS-compliant to Level 1. Customers can deploy their web
applications to this platform, and they will be PCI DSS-compliant automatically.
C. The shared responsibility model applies to IT security only; it does not relate to
governance.
D. AWS doesn’t take risk management very seriously, and it’s up to the customer to
mitigate risks to the AWS infrastructure.
A. IT governance is still the customer’s responsibility. AWS’s own PCI DSS Level 1
compliance covers the AWS infrastructure, not the customer’s applications, so
compliance is not inherited automatically (B is wrong); the shared responsibility model
covers governance and IT controls as well as security (C is wrong); and AWS does
manage risk to its own infrastructure (D is wrong).
Which of the following statements is true when it comes to the risk and compliance
advantages of the AWS environment?
A. Workloads must be moved entirely into the AWS Cloud in order to be compliant
with various certifications and third-party attestations.
B. The critical components of a workload must be moved entirely into the AWS Cloud
in order to be compliant with various certifications and third-party attestations, but
the non-critical components do not.
C. The non-critical components of a workload must be moved entirely into the AWS
Cloud in order to be compliant with various certifications and third-party
attestations, but the critical components do not.
D. Few, many, or all components of a workload can be moved to the AWS Cloud, but it
is the customer’s responsibility to ensure that their entire workload remains
compliant with various certifications and third-party attestations.
D. Any number of components of a workload can be moved into AWS, but it is the
customer’s responsibility to ensure that the entire workload remains compliant with
various certifications and third-party attestations.
Which of the following statements best describes an Availability Zone?
A. Each Availability Zone consists of a single discrete data center with redundant power
and networking/connectivity.
B. Each Availability Zone consists of multiple discrete data centers with redundant
power and networking/connectivity.
C. Each Availability Zone consists of multiple discrete regions, each with a single data
center with redundant power and networking/connectivity.
D. Each Availability Zone consists of multiple discrete data centers with shared power
and redundant networking/connectivity.
B. An Availability Zone consists of multiple discrete data centers, each with its own
redundant power and networking/connectivity, therefore answer B is correct.
With regard to vulnerability scans and threat assessments of the AWS platform, which of
the following statements are true? (Choose 2 answers)
A. AWS regularly performs scans of public-facing endpoint IP addresses for
vulnerabilities.
B. Scans performed by AWS include customer instances.
C. AWS security notifies the appropriate parties to remediate any identified
vulnerabilities.
D. Customers can perform their own scans at any time without advance notice.
A, C. AWS regularly scans public-facing, non-customer endpoint IP addresses and
notifies the appropriate parties to remediate any vulnerabilities found. AWS does not
scan customer instances (B is wrong), and customers must request permission to perform
their own scans in advance rather than scanning at will (D is wrong), therefore answers
A and C are correct.
Which of the following best describes the risk and compliance communication
responsibilities of customers to AWS?
A. AWS and customers both communicate their security and control environment information to each other at all times.
B. AWS publishes information about the AWS security and control practices online,
and directly to customers under NDA. Customers do not need to communicate their
use and configurations to AWS.
C. Customers communicate their use and configurations to AWS at all times. AWS
does not communicate AWS security and control practices to customers for security
reasons.
D. Both customers and AWS keep their security and control practices entirely
confidential and do not share them in order to ensure the greatest security for all
parties.
B. AWS publishes information publicly online and directly to customers under NDA, but
customers are not required to share their use and configuration information with AWS,
therefore answer B is correct.
When it comes to risk management, which of the following is true?
A. AWS does not develop a strategic business plan; risk management and mitigation is
entirely the responsibility of the customer.
B. AWS has developed a strategic business plan to identify any risks and implemented
controls to mitigate or manage those risks. Customers do not need to develop and
maintain their own risk management plans.
C. AWS has developed a strategic business plan to identify any risks and has
implemented controls to mitigate or manage those risks. Customers should also
develop and maintain their own risk management plans to ensure they are
compliant with any relevant controls and certifications.
D. Neither AWS nor the customer needs to worry about risk management, so no plan is
needed from either party.
C. AWS has developed a strategic business plan, and customers should also develop and
maintain their own risk management plans, therefore answer C is correct.
The AWS control environment is in place for the secure delivery of AWS Cloud service
offerings. Which of the following does the collective control environment NOT explicitly
include?
A. People
B. Energy
C. Technology
D. Processes
B. The collective control environment includes the people, processes, and technology
necessary to establish and maintain an environment that supports the operating
effectiveness of the AWS control framework. Energy is not a discretely identified part of
the control environment, therefore B is the correct answer.
Who is responsible for the configuration of security groups in an AWS environment?
A. The customer and AWS are both jointly responsible for ensuring that security
groups are correctly and securely configured.
B. AWS is responsible for ensuring that all security groups are correctly and securely
configured. Customers do not need to worry about security group configuration.
C. Neither AWS nor the customer is responsible for the configuration of security
groups; security groups are intelligently and automatically configured using traffic
heuristics.
D. AWS provides the security group functionality as a service, but the customer is
responsible for correctly and securely configuring their own security groups.
D. AWS operates the security group mechanism, but customers are responsible for
ensuring that all of their security group configurations are appropriate for their own
applications, therefore answer D is correct.
Which of the following is NOT a recommended approach for customers trying to achieve
strong compliance and governance over an entire IT control environment?
A. Take a holistic approach: review information available from AWS together with all
other information, and document all compliance requirements.
B. Verify that all control objectives are met and all key controls are designed and
operating effectively.
C. Implement generic control objectives that are not specifically designed to meet their
organization’s compliance requirements.
D. Identify and document controls owned by all third parties.
C. Customers should ensure that they implement control objectives that are designed to
meet their organization’s own unique compliance requirements, therefore answer C is
correct.