Under the shared responsibility model, which TWO items are ALWAYS the customer's responsibility regardless of the type of service used? (Choose TWO.)

Select all that apply
Correct: B, D

Explanation

This question asks for the two areas that are always the customer's responsibility under the shared responsibility model, regardless of service type.

  • 1. "regardless of the type of service used": Asks about areas that remain on the customer side whether using IaaS, managed services, or SaaS
  • 2. "ALWAYS the customer's responsibility": Areas the customer must always decide and manage regardless of what AWS provides (data and permissions)

A: Incorrect

Physical security of the data center

Physical security is the security of facilities owned and operated by AWS (security OF the cloud).

Customers cannot access the data center or implement its physical security, so this is not a customer responsibility and is incorrect.

B: Correct

Data itself (content, classification, and retention management)

This is correct. The content, classification, retention, and encryption choices for data are always the customer's asset and under the customer's control, regardless of what AWS service is used. AWS only provides the infrastructure to store the data and does not interact with its contents.

C: Incorrect

Applying security patches to the hypervisor

The hypervisor is AWS's foundational infrastructure that isolates multiple tenants.

Customers cannot access this layer or apply patches to it, so this is not a customer responsibility and is incorrect.

D: Correct

Managing access permissions with IAM

This is correct. Deciding who is allowed access to which resources (IAM users, roles, and policy configuration) is always determined and managed by the customer, regardless of the service type. AWS provides the IAM mechanism, but designing and granting permissions is the customer's responsibility.

E: Incorrect

Applying patches to the host OS (underlying OS)

The host OS (the underlying OS on which the hypervisor runs) is part of AWS's foundational layer managed by AWS.

Customers can only interact with the guest OS; the host OS is AWS's responsibility, so this is incorrect.

Key Takeaway

No matter which service is used, the two responsibilities that ALWAYS remain with the customer are (1) data and (2) IAM/access management. Guest OS and apps are the customer's responsibility under IaaS but shift to AWS under managed services, so they are NOT 'always' the customer's. Physical security, the hypervisor, and the host OS are always AWS's responsibility.