SHARED RESPONSIBILITY MODEL

Overview: AWS Shared Responsibility Model

• Definition:
  The AWS Shared Responsibility Model defines which security tasks are handled by AWS and which are the customer’s responsibility. It is divided into two broad categories:

  • Security “of” the cloud: AWS manages the infrastructure that runs all of the services offered in the AWS Cloud (hardware, software, networking, and facilities).
  • Security “in” the cloud: Customers manage the security of their data, applications, operating systems, network configurations, and more.

• Why It Matters for Exams:
  AWS exam questions often ask, “Which of the following is a customer responsibility?” or “What does AWS manage in this scenario?” The key is understanding the boundary between AWS-managed services and what you must secure yourself.

• Skeptical Reminder:
  Don’t assume that because a service is “managed” by AWS, every detail is taken care of. Look closely at the service type (IaaS vs. PaaS) and know exactly what AWS handles versus what you must configure.

Detailed Breakdown by Service

1. Amazon EC2 (Elastic Compute Cloud)

• AWS Responsibilities:

  • Physical Infrastructure:
    AWS manages data center facilities, power, cooling, physical security, and hardware replacement.
  • Networking and Hypervisor:
    The hypervisor that abstracts physical resources is maintained and secured by AWS.

• Customer Responsibilities:

  • Guest Operating System:
    You must patch and update the operating system running on your EC2 instance. For example, if you run a Linux distribution, you are responsible for applying security patches and updates.
  • Application Software:
    Installing, configuring, and updating any applications or middleware on your instance.
  • Security Configurations:
    Configuring security groups, firewall rules, and network ACLs that protect the instance.
  • Data Encryption and Backup:
    Managing encryption of data stored on the instance (unless using AWS services that provide managed encryption) and configuring backup strategies.

• Exam Tip:
  Expect questions that ask which tasks (e.g., patching the OS, managing physical servers) fall under the customer’s responsibility. The key point is that AWS secures the physical and hypervisor layers, but you secure everything running on top.

2. Databases

A. Managed Database Services (e.g., Amazon RDS)

• AWS Responsibilities:

  • Infrastructure & OS:
    AWS takes care of the underlying hardware, operating system, and database engine patching for the managed service.
  • Automated Backups and Failover:
    Many RDS features, such as automated backups and Multi-AZ deployments, are managed by AWS.

• Customer Responsibilities:

  • Database Configuration:
    Configuring database parameters, managing users and roles, and setting access controls.
  • Data and Application-Level Security:
    Ensuring that encryption is configured properly (if using customer-managed keys), controlling network access (e.g., through VPC security groups), and managing SQL injection prevention.
  • Performance Tuning & Query Optimization:
    The customer is responsible for optimizing queries and schema design.

• Example:
  In an RDS MySQL deployment, while AWS ensures that the OS and DB engine receive patches, you must define the database’s security groups, manage database user accounts, and ensure that your applications access the database securely.

• Exam Tip:
  Questions may contrast RDS (a managed service) with self-managed databases on EC2. Know that in RDS, you do not patch the underlying OS or database engine software—but you do control configuration, access, and data protection.

B. Self-Managed Databases on EC2

• AWS Responsibilities:

  • Physical and Virtual Infrastructure:
    As with any EC2 instance, AWS manages the data center, hypervisor, and underlying hardware.

• Customer Responsibilities:

  • Complete Software Stack:
    You must install, patch, and maintain the database software, as well as the guest operating system.
  • Database Administration:
    This includes backups, recovery, performance tuning, and security hardening.
  • Access Control:
    Configure firewalls, security groups, and encryption mechanisms for the database.

• Exam Tip:
  Know that when you run your own database on EC2, you assume more responsibility compared to managed services like RDS.

3. AWS Identity and Access Management (IAM)

• AWS Responsibilities:

  • IAM Service Availability:
    AWS ensures that the IAM service is available, reliable, and up-to-date from an infrastructure perspective.
  • Underlying Platform Security:
    AWS secures the physical and underlying network layers that support IAM.

• Customer Responsibilities:

  • Policy Creation and Management:
    You design, create, and manage IAM policies, users, roles, and groups. For example, you must decide who has access to which AWS resources and what level of permissions they receive.
  • Credential Management:
    You are responsible for managing and rotating credentials, such as access keys and passwords.
  • Multi-Factor Authentication (MFA):
    Implementing MFA for critical IAM users is a customer responsibility.
  • Monitoring and Auditing:
    Customers should regularly review IAM policies and use AWS CloudTrail to audit actions.

• Example:
  When creating an IAM role for an EC2 instance to access S3, you must specify the exact permissions in the role’s policy. AWS provides the role service, but the rules and limitations are defined by you.

• Exam Tip:
  Expect detailed questions on IAM where you need to identify what a customer must manage versus what is automated by AWS. Emphasize that all identity and access configurations are customer-managed.

Additional Exam-Focused Points

• Service-Level Differences:
  Understand that AWS’s responsibilities differ by service type. For instance, in IaaS (like EC2), you manage a larger portion of the software stack compared to PaaS (like RDS).

• Shared Responsibility Misconceptions:

  • “Managed” does not mean “set and forget”: Even with managed services like RDS, you must carefully configure access, monitor performance, and handle application-level security.
  • Layered Security: Always think in layers. AWS secures the lower layers (physical, network, and hypervisor), but you must secure everything from the operating system upward.

• Practical Scenarios:

  • EC2 Scenario: If a vulnerability is discovered in the OS of your EC2 instance, AWS won’t patch it for you—you must update your instance.
  • Database Scenario: If your RDS instance’s backup configuration is misconfigured, it’s your responsibility to correct it, even though AWS handles the backup process.
  • IAM Scenario: If an IAM user’s permissions are too broad and lead to a security breach, it’s the result of your policy design, not an AWS failure.

• Study Tip:
  When you see exam questions on the Shared Responsibility Model, look for keywords like “customer responsibility,” “patching,” “configuration,” or “access control.” These clues help you decide which actions fall under your purview.

Conclusion

In summary, the AWS Shared Responsibility Model is a critical concept that defines the security boundaries between AWS and the customer. For EC2, customers are responsible for securing the guest OS, applications, and data. For databases, the division depends on whether you use a managed service (like RDS) or a self-managed database on EC2. With IAM, the customer holds full responsibility for policies, access management, and credential security.

Keep these points in mind when studying for your exam, and always question any assumption that “AWS takes care of it all”—you are expected to secure everything that runs on top of the AWS-managed infrastructure.

Overview: AWS Management & Monitoring Services

AWS offers several services to help you monitor, audit, and secure your environment. Understanding each service’s role is critical when exam questions ask, for example, “Where would you go to check who deleted a security group?” or “Which service tracks configuration changes over time?” Below is a breakdown of the key services:

• CloudTrail
  Purpose: Auditing and recording API calls and actions made in your AWS account.
  Use Cases:

  • Tracking who made changes (e.g., security group modifications, resource deletions, IAM changes).
  • Forensic analysis and compliance audits.
    Exam Tip: If a question involves “who did what” in your account (like a security group change or resource deletion), think CloudTrail.

• CloudWatch
  Purpose: Monitoring operational metrics and logs for performance and health.
  Components:

  • CloudWatch Metrics: For collecting performance data (CPU, memory, etc.).
  • CloudWatch Logs: For application and system logs.
  • CloudWatch Alarms: To alert you when thresholds are breached.
    Use Cases:
  • Setting alarms when an EC2 instance’s CPU usage spikes.
  • Aggregating application logs for troubleshooting.
    Exam Tip: When a question involves performance issues or log analytics (not API-level events), lean toward CloudWatch.

• AWS Config
  Purpose: Recording and tracking the configuration history of your AWS resources.
  Use Cases:

  • Monitoring and recording configuration changes over time.
  • Evaluating compliance by comparing current configurations against desired rules (e.g., “Did someone change the security group settings?”).
    Exam Tip: For questions about configuration drift or changes over time (like a security group alteration or unauthorized resource modification), AWS Config is the answer.

• AWS Inspector
  Purpose: Security assessment of AWS workloads, especially for vulnerability scanning and best practice checks on EC2 instances.
  Use Cases:

  • Running automated security assessments against your EC2 instances.
  • Identifying vulnerabilities and deviations from security best practices.
    Exam Tip: When a question mentions vulnerability scans or security assessments (and it involves EC2 or container-based workloads), consider Inspector.

• AWS Security Hub
  Purpose: Centralizing and correlating security findings from various AWS services and third-party tools.
  Use Cases:

  • Aggregating alerts from GuardDuty, Inspector, and other security services.
  • Providing a comprehensive view of your security posture.
    Exam Tip: Use Security Hub when questions revolve around the overall security status of your environment or when multiple security findings need to be consolidated.

• AWS X-Ray
  Purpose: Tracing and debugging distributed applications.
  Use Cases:

  • Analyzing and visualizing requests as they travel through your application.
  • Identifying performance bottlenecks in microservices architectures.
    Exam Tip: If a question is focused on application performance and tracing the path of a request (rather than security or configuration changes), X-Ray is your service.

When to Use Which Service

Below is a quick-reference guide to help you decide which service is appropriate based on common exam scenarios:

Exam-Focused Examples

1. Security Group Change:

   • Question Scenario: “A security group was modified unexpectedly. Which service would you use to determine who made the change?”
   • Answer: CloudTrail (tracks API calls that modify security groups) and AWS Config (shows configuration changes over time).

2. Resource Deletion:

   • Question Scenario: “An important resource was deleted. Which service would you consult to understand the sequence of events leading up to this deletion?”
   • Answer: CloudTrail (provides detailed API logs showing who deleted the resource).

3. Performance Issue in an Application:

   • Question Scenario: “Your application is experiencing high latency. Which service should you use to monitor performance metrics and view application logs?”
   • Answer: CloudWatch (to monitor metrics and logs) and potentially X-Ray (if the issue is distributed across microservices).

4. Vulnerability Assessment:

   • Question Scenario: “You need to run a security assessment on your EC2 instances to identify potential vulnerabilities. Which service should you use?”
   • Answer: AWS Inspector (designed for vulnerability assessments on EC2 instances).

5. Overall Security Posture:

   • Question Scenario: “You want a consolidated view of all security alerts and best practice recommendations across your AWS environment. Which service provides this functionality?”
   • Answer: AWS Security Hub (aggregates findings from multiple security services).

Exam Tips

• Key Distinctions:

  • CloudTrail vs. AWS Config:
    • CloudTrail is about recording API calls (who did what, when, where).
    • AWS Config is about tracking resource configurations and changes over time.
  • CloudWatch vs. X-Ray:
    • CloudWatch monitors performance metrics and logs.
    • X-Ray is used specifically for tracing the flow of requests in complex applications.
  • Security Hub vs. Inspector:
    • Security Hub aggregates and correlates security findings.
    • Inspector actively assesses workloads for vulnerabilities.

• Be Skeptical:
  Never assume a single service covers all scenarios. Read the question carefully to identify whether the focus is on audit logs, configuration history, performance monitoring, or vulnerability assessment.

• Remember the “Shared” Aspect:
  Some questions may even combine services (for example, using CloudTrail data within AWS Config rules or forwarding CloudWatch logs to Security Hub). Know that these services can be integrated, but each has a primary purpose.

Below are 50 exam‐style MCQs on AWS management and monitoring services—with a focus on differentiating when to use CloudTrail, CloudWatch, AWS Config, Inspector, Security Hub, and X‑Ray. Each question is presented in the format:

1. Question: Which AWS service logs API calls and events to help with forensic analysis of account activity?
   MCQ Options:
   A. CloudTrail
   B. CloudWatch
   C. AWS Config
   D. Inspector

2. Question: When you need to monitor EC2 instance metrics (e.g., CPU utilization, memory usage), which service should you use?
   MCQ Options:
   A. CloudTrail
   B. CloudWatch
   C. AWS Config
   D. Security Hub

3. Question: Which service records the configuration history of your AWS resources for compliance auditing?
   MCQ Options:
   A. CloudTrail
   B. CloudWatch
   C. AWS Config
   D. X‑Ray

4. Question: For automated vulnerability assessments on EC2 instances, which AWS service is designed for this purpose?
   MCQ Options:
   A. Inspector
   B. CloudTrail
   C. AWS Config
   D. Security Hub

5. Question: Which service provides a consolidated view of security alerts aggregated from multiple AWS security tools?
   MCQ Options:
   A. X‑Ray
   B. Security Hub
   C. CloudWatch
   D. CloudTrail

6. Question: To trace the execution path of a request across a microservices architecture, which service should you use?
   MCQ Options:
   A. AWS Config
   B. CloudWatch
   C. X‑Ray
   D. Inspector

7. Question: If you want to create an alarm that triggers when an EC2 instance’s CPU utilization exceeds a threshold, which service is appropriate?
   MCQ Options:
   A. CloudTrail
   B. AWS Config
   C. CloudWatch
   D. Security Hub

8. Question: To determine who deleted a resource in your AWS account, which service’s logs should you review first?
   MCQ Options:
   A. CloudTrail
   B. CloudWatch
   C. Inspector
   D. X‑Ray

9. Question: For tracking the configuration changes of AWS resources over time, which service provides a timeline of those changes?
   MCQ Options:
   A. CloudTrail
   B. AWS Config
   C. CloudWatch
   D. Security Hub

10. Question: Which AWS service is best suited for monitoring real‐time performance metrics and setting up alarms on them?
    MCQ Options:
    A. CloudTrail
    B. CloudWatch
    C. AWS Config
    D. Inspector

11. Question: In a scenario where unauthorized modifications are suspected in security group rules, which two services would help identify both the “who” and the “what” of the change?
    MCQ Options:
    A. CloudTrail and AWS Config
    B. CloudWatch and X‑Ray
    C. Inspector and Security Hub
    D. CloudTrail and CloudWatch

12. Question: Which service gives you a historical record of API calls made in your AWS account?
    MCQ Options:
    A. CloudWatch
    B. AWS Config
    C. CloudTrail
    D. Inspector

13. Question: When troubleshooting application issues by analyzing log files from an EC2 instance, which service is most appropriate?
    MCQ Options:
    A. CloudWatch Logs
    B. AWS Config
    C. CloudTrail
    D. Security Hub

14. Question: For scanning your EC2 instances for vulnerabilities and deviations from security best practices, which service should you use?
    MCQ Options:
    A. CloudTrail
    B. Inspector
    C. X‑Ray
    D. AWS Config

15. Question: Which service allows you to continuously assess whether your resource configurations meet desired compliance policies?
    MCQ Options:
    A. CloudWatch
    B. AWS Config
    C. Inspector
    D. Security Hub

16. Question: To trace and debug the flow of requests in a serverless or microservices architecture, which service would you choose?
    MCQ Options:
    A. CloudTrail
    B. X‑Ray
    C. CloudWatch
    D. AWS Config

17. Question: Which service provides detailed log data regarding user activities—such as resource deletions or modifications?
    MCQ Options:
    A. CloudTrail
    B. CloudWatch
    C. Security Hub
    D. Inspector

18. Question: To set up an alarm that triggers based on changes in DynamoDB table read/write capacity, which service should you use?
    MCQ Options:
    A. CloudWatch
    B. CloudTrail
    C. AWS Config
    D. Inspector

19. Question: To investigate slow response times in a microservices-based application, which service would help you trace the end-to-end request flow?
    MCQ Options:
    A. AWS Config
    B. X‑Ray
    C. CloudTrail
    D. CloudWatch

20. Question: Which service aggregates security findings (from tools like Inspector or GuardDuty) to provide a comprehensive security posture?
    MCQ Options:
    A. Security Hub
    B. CloudTrail
    C. AWS Config
    D. CloudWatch

21. Question: When you need to review historical changes made to an EC2 instance’s security group, which service should you consult?
    MCQ Options:
    A. CloudWatch
    B. AWS Config
    C. X‑Ray
    D. Inspector

22. Question: Which service is best used for collecting and monitoring log files from your applications running on EC2?
    MCQ Options:
    A. CloudTrail
    B. CloudWatch Logs
    C. AWS Config
    D. Inspector

23. Question: To automate the process of vulnerability scanning on your EC2 instances, which service should be used?
    MCQ Options:
    A. Inspector
    B. Security Hub
    C. AWS Config
    D. CloudTrail

24. Question: If you need to correlate security findings from multiple AWS accounts into one centralized view, which service would you use?
    MCQ Options:
    A. AWS Config
    B. CloudWatch
    C. Security Hub
    D. CloudTrail

25. Question: Which AWS service is primarily designed for monitoring the health and performance of AWS resources using real‐time metrics?
    MCQ Options:
    A. CloudWatch
    B. CloudTrail
    C. AWS Config
    D. Inspector

26. Question: Which service provides an event history of configuration changes and relationships among AWS resources?
    MCQ Options:
    A. AWS Config
    B. CloudTrail
    C. CloudWatch
    D. X‑Ray

27. Question: A developer needs to debug a complex distributed application by tracing the path of individual requests. Which service should they use?
    MCQ Options:
    A. CloudTrail
    B. X‑Ray
    C. AWS Config
    D. Security Hub

28. Question: To receive alerts when an EC2 instance’s CPU usage exceeds a defined threshold (e.g., 80%), which service is best suited?
    MCQ Options:
    A. CloudWatch
    B. CloudTrail
    C. AWS Config
    D. Inspector

29. Question: For compliance auditing, which service helps verify that resource configurations adhere to your company’s policies?
    MCQ Options:
    A. CloudWatch
    B. AWS Config
    C. Inspector
    D. X‑Ray

30. Question: To analyze the logs of all API activities within your AWS account over a specific period, which service would you use?
    MCQ Options:
    A. CloudTrail
    B. CloudWatch Logs
    C. AWS Config
    D. Inspector

31. Question: Which service offers a centralized view of security alerts along with remediation recommendations?
    MCQ Options:
    A. Security Hub
    B. CloudWatch
    C. AWS Config
    D. CloudTrail

32. Question: Which AWS service enables you to monitor operational performance and collect logs from your applications simultaneously?
    MCQ Options:
    A. CloudTrail
    B. CloudWatch
    C. AWS Config
    D. X‑Ray

33. Question: To view a historical timeline of configuration changes for an Amazon RDS instance, which service should be used?
    MCQ Options:
    A. AWS Config
    B. CloudWatch
    C. Inspector
    D. CloudTrail

34. Question: In the event of a security incident involving unauthorized API calls, which service’s logs would be the best starting point for investigation?
    MCQ Options:
    A. CloudTrail
    B. CloudWatch
    C. X‑Ray
    D. AWS Config

35. Question: Which service is best for monitoring resource utilization metrics (e.g., invocation counts, error rates) for AWS Lambda functions?
    MCQ Options:
    A. CloudWatch
    B. AWS Config
    C. CloudTrail
    D. Inspector

36. Question: If an exam question asks, “Which service would you use to monitor changes to an S3 bucket policy over time?” what is the most appropriate answer?
    MCQ Options:
    A. AWS Config
    B. CloudTrail
    C. Security Hub
    D. CloudWatch

37. Question: Which service is not typically used for auditing API calls in your AWS account?
    MCQ Options:
    A. CloudTrail
    B. AWS Config
    C. Security Hub
    D. CloudWatch

38. Question: If you suspect an EC2 instance is misconfigured affecting its compliance posture, which service would you use to verify its current configuration?
    MCQ Options:
    A. AWS Config
    B. CloudWatch
    C. CloudTrail
    D. Inspector

39. Question: Which service provides actionable insights into potential security issues detected on your EC2 instances?
    MCQ Options:
    A. Inspector
    B. CloudTrail
    C. CloudWatch
    D. X‑Ray

40. Question: To monitor error rates and latencies of your web application running on AWS Lambda, which service should you consult?
    MCQ Options:
    A. CloudWatch
    B. AWS Config
    C. Security Hub
    D. Inspector

41. Question: Which service integrates with AWS Config to allow you to create rules that evaluate resource compliance?
    MCQ Options:
    A. CloudTrail
    B. AWS Config Rules
    C. Security Hub
    D. CloudWatch

42. Question: A developer wants to build a dashboard to monitor the overall performance and health of their AWS services. Which service should they use?
    MCQ Options:
    A. CloudWatch
    B. CloudTrail
    C. AWS Config
    D. Inspector

43. Question: Where would you find detailed execution traces of requests through a microservices application?
    MCQ Options:
    A. CloudWatch
    B. X‑Ray
    C. Inspector
    D. CloudTrail

44. Question: For continuous monitoring of configuration compliance across your environment, which service is most appropriate?
    MCQ Options:
    A. AWS Config
    B. CloudTrail
    C. CloudWatch
    D. Security Hub

45. Question: Which service is best suited to provide real‑time alerts on anomalous configuration changes using predefined rules?
    MCQ Options:
    A. CloudTrail
    B. AWS Config (with Config rules)
    C. CloudWatch
    D. X‑Ray

46. Question: A security analyst is investigating an incident where an IAM policy was unexpectedly modified. Which service’s logs should they review?
    MCQ Options:
    A. CloudTrail
    B. CloudWatch
    C. AWS Config
    D. Inspector

47. Question: To correlate multiple security findings from different AWS services into one view, which service should be used?
    MCQ Options:
    A. Security Hub
    B. AWS Config
    C. CloudTrail
    D. CloudWatch

48. Question: Which service should you use to set alarms for performance degradation (e.g., increased latency) in your application?
    MCQ Options:
    A. CloudWatch
    B. AWS Config
    C. Inspector
    D. CloudTrail

49. Question: For auditing and tracking configuration changes in VPC settings, which service is most appropriate?
    MCQ Options:
    A. AWS Config
    B. CloudTrail
    C. CloudWatch
    D. X‑Ray

50. Question: Which AWS service provides an end‑to‑end view of application requests to assist in debugging and performance analysis?
    MCQ Options:
    A. CloudTrail
    B. X‑Ray
    C. Inspector
    D. AWS Config

Answer Key

1. A
2. B
3. C
4. A
5. B
6. C
7. C
8. A
9. B
10. B
11. A
12. C
13. A
14. B
15. B
16. B
17. A
18. A
19. B
20. A
21. B
22. B
23. A
24. C
25. A
26. A
27. B
28. A
29. B
30. A
31. A
32. B
33. A
34. A
35. A
36. A
37. D
38. A
39. A
40. A
41. B
42. A
43. B
44. A
45. B
46. A
47. A
48. A
49. A
50. B

MCQS

1. Question: Your company is migrating a multi-tier web application to AWS. To ensure high availability and fault tolerance (core aspects of the Reliability pillar), which design element should you implement?
   MCQ Options:
   A. Deploy all components in a single Availability Zone
   B. Use Auto Scaling groups spanning multiple Availability Zones
   C. Rely solely on scheduled manual backups
   D. Use a single on-premises data center for failover

2. Question: During your cloud migration, the IT team is assessing gaps between current practices and cloud best practices. Which perspective of the AWS Cloud Adoption Framework should be prioritized to align IT strategy with overall business objectives?
   MCQ Options:
   A. Business Perspective
   B. People Perspective
   C. Governance Perspective
   D. Platform Perspective

3. Question: A startup is deploying serverless functions on AWS Lambda. Which responsibility falls under AWS in the Shared Responsibility Model for Lambda?
   MCQ Options:
   A. Patching the underlying compute infrastructure
   B. Securing the function code
   C. Configuring function-level permissions
   D. Managing third-party libraries

4. Question: In designing a cost-efficient architecture, your team must balance performance with budget constraints. Which Well-Architected Framework pillar is primarily focused on optimizing expenses while delivering business value?
   MCQ Options:
   A. Performance Efficiency
   B. Cost Optimization
   C. Operational Excellence
   D. Security

5. Question: Your organization’s leadership wants to ensure that cloud adoption aligns with strategic business outcomes. Which perspective of the Cloud Adoption Framework focuses on defining and measuring business value?
   MCQ Options:
   A. Business Perspective
   B. Operations Perspective
   C. People Perspective
   D. Platform Perspective

6. Question: When launching an application on Amazon EC2, which component is managed by AWS under the Shared Responsibility Model?
   MCQ Options:
   A. Patching the guest operating system
   B. Maintaining the physical infrastructure and hypervisor
   C. Configuring security groups
   D. Installing application updates

7. Question: Your team is reviewing an architecture for a mission-critical application. Which AWS Well-Architected pillar advises regular operational reviews and incident response drills to improve resilience?
   MCQ Options:
   A. Operational Excellence
   B. Reliability
   C. Performance Efficiency
   D. Cost Optimization

8. Question: A financial institution is planning its cloud strategy with strict compliance requirements. Which perspective of the Cloud Adoption Framework should they emphasize to manage policies and risk?
   MCQ Options:
   A. Business Perspective
   B. Governance Perspective
   C. People Perspective
   D. Platform Perspective

9. Question: For a containerized application running on ECS, what is a customer responsibility under the Shared Responsibility Model?
   MCQ Options:
   A. Patching the container runtime environment provided by AWS
   B. Securing container images and application code
   C. Maintaining the underlying physical hosts
   D. Managing the AWS Fargate infrastructure

10. Question: A company needs to scale its application dynamically based on user load. Which Well-Architected Framework pillar should be a primary focus to ensure the architecture adapts under varying demand?
    MCQ Options:
    A. Reliability
    B. Performance Efficiency
    C. Security
    D. Cost Optimization

11. Question: In planning a cloud adoption journey, an organization needs to address workforce skills and cultural change. Which Cloud Adoption Framework perspective is most relevant here?
    MCQ Options:
    A. People Perspective
    B. Business Perspective
    C. Governance Perspective
    D. Operations Perspective

12. Question: Your team is migrating an application that processes sensitive customer data to AWS RDS. Under the Shared Responsibility Model, which task remains the customer’s responsibility?
    MCQ Options:
    A. Patching the underlying database engine software
    B. Configuring database backups and access controls
    C. Maintaining the physical security of the data center
    D. Managing hardware replacement

13. Question: To optimize costs without sacrificing performance, your architect is considering resource rightsizing and automation. This approach aligns with which AWS Well-Architected pillar?
    MCQ Options:
    A. Security
    B. Operational Excellence
    C. Cost Optimization
    D. Performance Efficiency

14. Question: In designing a cloud migration strategy, an enterprise must decide how to modernize its application portfolio. Which Cloud Adoption Framework perspective primarily helps determine the appropriate migration approach?
    MCQ Options:
    A. Platform Perspective
    B. People Perspective
    C. Business Perspective
    D. Governance Perspective

15. Question: A healthcare company deploying applications on AWS is subject to strict regulatory requirements. Under the Shared Responsibility Model, which responsibility is explicitly managed by the customer?
    MCQ Options:
    A. Physical security of AWS data centers
    B. Managing encryption keys for data at rest (if using customer-managed keys)
    C. Hardware maintenance
    D. Hypervisor patching

16. Question: Your operations team is tasked with ensuring that application performance remains optimal during unexpected traffic spikes. Which Well-Architected pillar should they reference to design for this elasticity?
    MCQ Options:
    A. Cost Optimization
    B. Performance Efficiency
    C. Security
    D. Operational Excellence

17. Question: A retail company is evaluating the risk of moving from on-premises to AWS. Which Cloud Adoption Framework perspective would help them assess and mitigate potential business risks?
    MCQ Options:
    A. Business Perspective
    B. Governance Perspective
    C. People Perspective
    D. Platform Perspective

18. Question: When using Amazon S3, which of the following tasks is the customer responsible for under the Shared Responsibility Model?
    MCQ Options:
    A. Ensuring the physical security of the storage infrastructure
    B. Configuring bucket policies and access controls
    C. Operating the data center cooling systems
    D. Maintaining the underlying storage hardware

19. Question: To continuously improve and evolve a cloud architecture, your team needs to establish review cycles. This practice is emphasized by which AWS Well-Architected pillar?
    MCQ Options:
    A. Operational Excellence
    B. Reliability
    C. Cost Optimization
    D. Security

20. Question: An organization plans to migrate its legacy application to AWS and needs to integrate existing IT governance with cloud operations. Which Cloud Adoption Framework perspective addresses this integration?
    MCQ Options:
    A. Governance Perspective
    B. People Perspective
    C. Business Perspective
    D. Platform Perspective

21. Question: For a web application deployed on EC2, which security configuration is a customer responsibility under the AWS Shared Responsibility Model?
    MCQ Options:
    A. Securing the physical hardware
    B. Configuring the guest operating system’s firewall and updates
    C. Maintaining the hypervisor
    D. Ensuring facility security

22. Question: When planning for disaster recovery in AWS, which Well-Architected pillar should be most heavily emphasized?
    MCQ Options:
    A. Reliability
    B. Performance Efficiency
    C. Operational Excellence
    D. Cost Optimization

23. Question: A startup is trying to adopt AWS quickly while ensuring its teams are properly skilled. Which perspective in the Cloud Adoption Framework should they emphasize to build internal capabilities?
    MCQ Options:
    A. People Perspective
    B. Governance Perspective
    C. Platform Perspective
    D. Business Perspective

24. Question: In a multi-tier application deployed on AWS, who is responsible for managing patch updates on the application’s operating system within EC2 instances?
    MCQ Options:
    A. AWS
    B. The customer
    C. A managed service provider
    D. AWS Support

25. Question: A company wants to ensure that its AWS architecture is both secure and cost-efficient. Which two Well-Architected pillars should be jointly considered for a balanced design?
    MCQ Options:
    A. Security and Cost Optimization
    B. Performance Efficiency and Reliability
    C. Operational Excellence and Performance Efficiency
    D. Cost Optimization and Reliability

26. Question: Your team is tasked with designing an architecture that must support both rapid scaling and tight security controls. Which AWS service best exemplifies AWS managing part of the infrastructure, letting the customer focus on secure configuration?
    MCQ Options:
    A. AWS Lambda
    B. EC2 on dedicated hosts
    C. Self-managed databases on EC2
    D. On-premises servers

27. Question: A company is implementing a new workload in AWS and is evaluating security responsibilities. Under the Shared Responsibility Model, which action should the customer take for Amazon RDS?
    MCQ Options:
    A. Monitor the underlying hardware health
    B. Configure and manage database access and encryption settings
    C. Patch the database engine’s underlying infrastructure
    D. Ensure physical security of the data center

28. Question: To meet performance targets under unpredictable loads, your architecture design must incorporate elasticity. Which Well-Architected pillar directly addresses this requirement?
    MCQ Options:
    A. Performance Efficiency
    B. Cost Optimization
    C. Security
    D. Operational Excellence

29. Question: A global enterprise is planning its cloud strategy and needs to ensure regulatory compliance across regions. Which perspective of the Cloud Adoption Framework primarily addresses policy and compliance issues?
    MCQ Options:
    A. Governance Perspective
    B. People Perspective
    C. Business Perspective
    D. Platform Perspective

30. Question: For an application running on AWS Lambda that processes sensitive information, which responsibility does the customer have under the Shared Responsibility Model?
    MCQ Options:
    A. Patching the underlying infrastructure
    B. Managing function code security and permission settings
    C. Operating the physical hardware
    D. Controlling AWS-managed runtime environments

31. Question: When designing an architecture for rapid recovery from failures, which Well-Architected pillar should your team focus on?
    MCQ Options:
    A. Reliability
    B. Cost Optimization
    C. Performance Efficiency
    D. Operational Excellence

32. Question: A financial services firm is migrating workloads to AWS and must ensure that all cloud adoption decisions align with strict internal governance. Which Cloud Adoption Framework perspective is most relevant?
    MCQ Options:
    A. Governance Perspective
    B. Business Perspective
    C. People Perspective
    D. Platform Perspective

33. Question: In a scenario where an application uses Amazon S3 for storing sensitive documents, which of the following is a customer-controlled action?
    MCQ Options:
    A. Managing physical security of the storage hardware
    B. Setting up bucket encryption and access policies
    C. Ensuring the durability of S3 data
    D. Configuring the underlying infrastructure

34. Question: A company is continuously refining its operations through iterative improvements and feedback loops. This practice aligns with which AWS Well-Architected pillar?
    MCQ Options:
    A. Operational Excellence
    B. Reliability
    C. Cost Optimization
    D. Security

35. Question: To effectively manage the change process during cloud adoption, which Cloud Adoption Framework perspective should be emphasized?
    MCQ Options:
    A. People Perspective
    B. Platform Perspective
    C. Governance Perspective
    D. Business Perspective

36. Question: For an EC2-based application, which of the following tasks is the customer responsible for under the AWS Shared Responsibility Model?
    MCQ Options:
    A. Maintaining the physical security of the servers
    B. Installing security patches on the guest operating system
    C. Updating the hypervisor
    D. Managing AWS facility access controls

37. Question: An architect wants to incorporate security best practices into the initial design of a new AWS solution. Which Well-Architected pillar emphasizes the need to “shift left” on security?
    MCQ Options:
    A. Security
    B. Cost Optimization
    C. Operational Excellence
    D. Performance Efficiency

38. Question: A multinational company is defining its cloud strategy and must reconcile its existing financial models with cloud cost structures. Which Cloud Adoption Framework perspective addresses these concerns?
    MCQ Options:
    A. Business Perspective
    B. Operations Perspective
    C. People Perspective
    D. Governance Perspective

39. Question: In the context of AWS EC2, which component’s security is managed by AWS rather than the customer?
    MCQ Options:
    A. Patching the guest OS
    B. Maintenance of the hypervisor and physical host
    C. Configuring instance security groups
    D. Installing anti-virus on instances

40. Question: A company’s architecture needs to ensure that service disruptions are minimized during peak usage. Which Well-Architected pillar directly supports designing for high availability?
    MCQ Options:
    A. Reliability
    B. Cost Optimization
    C. Performance Efficiency
    D. Operational Excellence

41. Question: During daily operations, your IT team is focused on monitoring and incident response. This operational focus is highlighted in which Cloud Adoption Framework perspective?
    MCQ Options:
    A. Operations Perspective
    B. People Perspective
    C. Governance Perspective
    D. Business Perspective

42. Question: For an application utilizing AWS IAM for access control, which of the following is the customer's responsibility?
    MCQ Options:
    A. Managing physical security of IAM hardware
    B. Defining and managing IAM policies and roles
    C. Patching the IAM service
    D. Maintaining the underlying network infrastructure

43. Question: To optimize performance and reduce latency in a distributed application, which AWS Well-Architected practice should be implemented?
    MCQ Options:
    A. Relying solely on vertical scaling
    B. Implementing caching strategies and content delivery networks
    C. Using on-premises hardware exclusively
    D. Disabling auto scaling to maintain consistency

44. Question: A technology company is undergoing a digital transformation and must realign its workforce capabilities with cloud technology. Which Cloud Adoption Framework perspective addresses this need?
    MCQ Options:
    A. People Perspective
    B. Platform Perspective
    C. Governance Perspective
    D. Business Perspective

45. Question: For an Amazon RDS deployment, which of the following tasks is a customer responsibility under the Shared Responsibility Model?
    MCQ Options:
    A. Configuring database access controls and backup schedules
    B. Patching the underlying host OS of the physical server
    C. Maintaining data center facilities
    D. Operating RDS physical hardware

46. Question: In designing an AWS solution to handle varying load conditions efficiently, which Well-Architected pillar emphasizes the use of elasticity and scalability?
    MCQ Options:
    A. Performance Efficiency
    B. Cost Optimization
    C. Operational Excellence
    D. Security

47. Question: An enterprise needs guidance on how to approach the migration of legacy applications and decide between rehosting, replatforming, or refactoring. Which Cloud Adoption Framework perspective offers this strategic advice?
    MCQ Options:
    A. Platform Perspective
    B. People Perspective
    C. Governance Perspective
    D. Business Perspective

48. Question: For an AWS service that provides server-side encryption by default, who is responsible for managing the encryption keys if using AWS-managed keys?
    MCQ Options:
    A. The customer
    B. AWS
    C. A third-party vendor
    D. The customer and AWS equally

49. Question: To reduce unnecessary spending while maintaining required performance levels, which Well-Architected pillar should guide your cost-reduction strategy?
    MCQ Options:
    A. Cost Optimization
    B. Operational Excellence
    C. Reliability
    D. Security

50. Question: In the context of cloud security, which Cloud Adoption Framework perspective specifically includes establishing identity and access management as a key objective?
    MCQ Options:
    A. Security Perspective
    B. People Perspective
    C. Governance Perspective
    D. Platform Perspective

51. Question: For an AWS Lambda-based solution processing financial transactions, which of the following remains a customer responsibility?
    MCQ Options:
    A. Securing the function’s code and managing vulnerabilities
    B. Patching the underlying AWS infrastructure
    C. Maintaining the physical data center
    D. Managing AWS’s runtime environment

52. Question: Your team is planning periodic reviews of the cloud environment to incorporate new AWS best practices and operational lessons. Which Well-Architected pillar emphasizes this continuous improvement?
    MCQ Options:
    A. Operational Excellence
    B. Cost Optimization
    C. Security
    D. Performance Efficiency

53. Question: An organization needs to establish policies that enforce cloud resource usage and manage risk. Which Cloud Adoption Framework perspective is primarily responsible for setting these policies?
    MCQ Options:
    A. Governance Perspective
    B. People Perspective
    C. Business Perspective
    D. Platform Perspective

54. Question: For an Amazon S3 deployment used to store confidential data, which task is under the customer's control?
    MCQ Options:
    A. Configuring bucket-level access policies and encryption options
    B. Operating the physical storage devices
    C. Ensuring facility security for data centers
    D. Managing the durability settings of S3

55. Question: A design team is focused on ensuring that an application can maintain high throughput and low latency under load. Which AWS Well-Architected pillar is most relevant for this requirement?
    MCQ Options:
    A. Performance Efficiency
    B. Operational Excellence
    C. Cost Optimization
    D. Reliability

56. Question: In aligning cloud initiatives with corporate strategy, which Cloud Adoption Framework perspective ensures that IT investments translate into measurable business outcomes?
    MCQ Options:
    A. Business Perspective
    B. People Perspective
    C. Governance Perspective
    D. Platform Perspective

57. Question: For an EC2 instance running a critical application, who is responsible for patching and updating the guest operating system?
    MCQ Options:
    A. AWS
    B. The customer
    C. A third-party service
    D. Managed Service Provider

58. Question: A development team is designing a new application with security built into every stage of the development lifecycle. Which Well-Architected pillar best captures this “shift-left” approach?
    MCQ Options:
    A. Security
    B. Operational Excellence
    C. Performance Efficiency
    D. Cost Optimization

59. Question: In day-to-day cloud operations, your team focuses on monitoring system performance and responding to incidents. Which Cloud Adoption Framework perspective emphasizes these activities?
    MCQ Options:
    A. Operations Perspective
    B. Business Perspective
    C. Governance Perspective
    D. People Perspective

60. Question: For a SaaS application deployed on AWS, which AWS service responsibility is clearly handled by AWS under the Shared Responsibility Model?
    MCQ Options:
    A. Managing the underlying compute infrastructure for AWS-managed services
    B. Securing application code
    C. Configuring custom network ACLs
    D. Managing encryption of customer data stored in the application

61. Question: When implementing data security measures in your AWS solution, which Well-Architected pillar emphasizes the importance of using encryption and access controls?
    MCQ Options:
    A. Security
    B. Cost Optimization
    C. Operational Excellence
    D. Performance Efficiency

62. Question: As part of cloud transformation, your organization is investing in upskilling employees on AWS technologies. This initiative best aligns with which Cloud Adoption Framework perspective?
    MCQ Options:
    A. People Perspective
    B. Governance Perspective
    C. Platform Perspective
    D. Business Perspective

63. Question: In a scenario where an enterprise leverages AWS global infrastructure, which element is managed solely by AWS as part of the Shared Responsibility Model?
    MCQ Options:
    A. Physical security of data centers
    B. Customer data classification
    C. Configuring security settings in customer applications
    D. Managing data retention policies

64. Question: To improve operational workflows through automation and process standardization, which AWS Well-Architected pillar should your team reference?
    MCQ Options:
    A. Operational Excellence
    B. Reliability
    C. Cost Optimization
    D. Performance Efficiency

65. Question: An enterprise planning a migration strategy must decide on the best approach for each workload (e.g., rehosting, refactoring). Which Cloud Adoption Framework perspective provides guidance on this?
    MCQ Options:
    A. Platform Perspective
    B. People Perspective
    C. Governance Perspective
    D. Business Perspective

66. Question: For an Amazon DynamoDB deployment, which task remains under the customer’s control in the Shared Responsibility Model?
    MCQ Options:
    A. Designing the data model and configuring access policies
    B. Patching the underlying hardware
    C. Managing physical data center operations
    D. Maintaining the hypervisor

67. Question: A startup is looking to minimize costs while ensuring their solution scales with demand. Which Well-Architected pillar is most relevant for balancing these needs?
    MCQ Options:
    A. Cost Optimization
    B. Operational Excellence
    C. Security
    D. Performance Efficiency

68. Question: To ensure robust identity and access management in its AWS environment, which Cloud Adoption Framework perspective should an organization emphasize?
    MCQ Options:
    A. Governance Perspective
    B. Business Perspective
    C. People Perspective
    D. Platform Perspective

69. Question: When designing a secure AWS environment, which activity is the customer responsible for under the Shared Responsibility Model?
    MCQ Options:
    A. Implementing proper data classification and access control
    B. Managing the physical security of AWS facilities
    C. Maintaining the hypervisor’s security patches
    D. Operating the underlying AWS network infrastructure

70. Question: To continuously validate that the architecture remains aligned with AWS best practices and evolving business needs, your team schedules periodic assessments. This approach is recommended by which Well-Architected pillar?
    MCQ Options:
    A. Operational Excellence
    B. Reliability
    C. Cost Optimization
    D. Performance Efficiency

Answer Key

1. B
2. A
3. A
4. B
5. A
6. B
7. A
8. B
9. B
10. B
11. A
12. B
13. C
14. A
15. B
16. A
17. A
18. B
19. A
20. A
21. B
22. A
23. A
24. B
25. A
26. A
27. B
28. A
29. A
30. B
31. A
32. A
33. B
34. A
35. A
36. B
37. A
38. A
39. B
40. A
41. A
42. B
43. B
44. A
45. A
46. A
47. A
48. B
49. A
50. A
51. A
52. A
53. A
54. A
55. A
56. A
57. B
58. A
59. A
60. A
61. A
62. A
63. A
64. A
65. A
66. A
67. A
68. A
69. A
70. A

References

• AWS Well-Architected Framework:
  AWS Well-Architected Framework Whitepaper

• AWS Cloud Adoption Framework:
  AWS Cloud Adoption Framework

• AWS Shared Responsibility Model:
  AWS Shared Responsibility Model Overview

These scenario-based questions are for practice purposes only. Use them as a tool to deepen your understanding and prepare for the exam, but always refer to official AWS resources and current documentation for the most accurate guidance.