Question 11
Domain 2: Security and Compliance
Which of the following is NOT an example of a security responsibility that AWS manages under the AWS shared responsibility model?
Correct answer: C
Explanation
AWS says customers handle “Network Traffic and Firewall Configuration” and “configuring group firewall settings,” so security groups and network ACLs are customer responsibilities in the cloud. AWS is responsible for security “of the cloud,” not for configuring each customer’s VPC security controls.
Why each option is right or wrong
A. Maintaining and patching the virtualization layer (hypervisor) that runs customer instances
B. Controlling physical access to AWS data center facilities
C. Configuring security groups and network ACLs for each customer’s Amazon VPC
Under the AWS Shared Responsibility Model, AWS is responsible for security **of** the cloud (the underlying infrastructure, including hardware, networking, and facilities), while customers are responsible for security **in** the cloud. The AWS documentation specifically places **network traffic and firewall configuration** on the customer side, which includes security groups and network ACLs for a customer’s VPC; therefore, that activity is not an AWS-managed security duty.
D. Protecting the global network infrastructure that connects AWS data centers