Chapter 13: AWS Risk and Compliance

1. A, B, C. Answers A through C describe valid mechanisms that AWS uses to communicate with customers regarding its security and control environment. AWS does not allow customers’ auditors direct access to AWS data centers, infrastructure, or staff.

• AWS是不允许客户直接审计aws的数据中心、架构和职员；

2. C. The shared responsibility model can include IT controls, and it is not just limited to security considerations. Therefore, answer C is correct.

• 共享责任模型包括IT control，不仅仅限于安全考虑；

3. A. AWS provides IT control information to customers through either specific control definitions or general control standard compliance.

• AWS提供IT控制信息给客户，通过特定的安全定义或者通过的标准规范；

4. A, B, D. There is no such thing as a SOC 4 report, therefore answer C is incorrect.

• AWS的遵循的三方规范有：SOC1,PCI DSS Level 1，ISO27001

5. A. IT governance is still the customer’s responsibility.

• IT 控制仍旧是客户的责任，尽管他们已经将其设备部署到AWS

6. D. Any number of components of a workload can be moved into AWS, but it is the customer’s responsibility to ensure that the entire workload remains compliant with various certifications and third-party attestations.

• 任意数量的组件都可以迁移到AWS，但是保证整个负载保持遵循各种认证及三方评估是客户的责任；

7. B. An Availability Zone consists of multiple discrete data centers, each with their own redundant power and networking/connectivity, therefore answer B is correct.

• A region is a physical location in the world where we have multiple Availability Zones；
• 一个Region就是世界上的一个物理位置，里边有多个AZ；
• Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
• AZ由一个或者多个分离的数据中心组成，每个都是有冗余的动力，网络和连接，在风火水电隔离的不同基础设施中；

8. A, C. AWS regularly scans public-facing, non-customer endpoint IP addresses and notifies appropriate parties. AWS does not scan customer instances, and customers must request the ability to perform their own scans in advance, therefore answers A and C are correct.

• AWS一般检查公网出口，非客户访问的API地址等
• AWS会在发现风险时适时的通知合作伙伴；

9. B. AWS publishes information publicly online and directly to customers under NDA, but customers are not required to share their use and configuration information with AWS, therefore answer B is correct.

• AWS会在网站面向客户直接发布安全信息。但是客户可以不需要必须遵循这些指导；

10. C. AWS has developed a strategic business plan, and customers should also develop and maintain their own risk management plans, therefore answer C is correct.

• AWS有自己的风险管理计划，客户也要有自己的风险管理计划；

11. B. The collective control environment includes people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of AWS control framework. Energy is not a discretely identified part of the control environment, therefore B is the correct answer.

• 环境控制的收集包括人员、流程和技术

12. D. Customers are responsible for ensuring all of their security group configurations are appropriate for their own applications, therefore answer D is correct.

• 安全组的控制，是AWS提供服务，客户自己进行配置；

13. C. Customers should ensure that they implement control objectives that are designed to meet their organization’s own unique compliance requirements, therefore answer C is correct.

• 客户应该保证所有的控制目标是为了满足所在组织的需求；

知识点总结

• Understand the shared responsibility model. The shared responsibility model is not just limited to security considerations; it also extends to IT controls. For example, the management, operation, and verification of IT controls are shared between AWS and the customer. AWS manages these controls where it relates to physical infrastructure.

• 共享安全模型不仅仅咸鱼安全考虑。他延伸到IT controls。例如 管理、运营、IT控制验证是AWS与客户双方的责任。AWS基于物理架构来管理这些控制。

• Remember that IT governance is the customer’s responsibility. It is the customer’s responsibility to maintain adequate governance over the entire IT control environment, regardless of how its IT is deployed (on-premises, cloud, or hybrid).

• IT 管理是客户的责任。客户有责任要对IT控制环境进行足够的管理，不管是离线数据中心、云或者混合云。

• Understand how AWS provides control information. AWS provides IT control information to customers in two ways: via specific control definition and through a more general control standard compliance.

• AWS提供控制信息给客户有两个方法：通过特定的控制定义和通过一个通用的控制准则。

• Remember that AWS is very proactive about risk management. AWS takes risk management very seriously, so it has developed a business plan to identify any risks and to implement controls to mitigate or manage those risks. An AWS management team reevaluates the business risk plan at least twice a year. As a part of this process, management team members are required to identify risks within their specific areas of responsibility and then implement controls designed to address and perhaps even eliminate those risks.

• AWS在风险管理领域非常积极而且非常严肃。所以他开发一个商业计划去识别任何风险，同时去转移或者控制这些风险。一个AWS的管理团队每隔两年去审视这些商业风险计划。作为流程的一部分，管理团队的成员被要求去识别这些风险在他们的专业责任领域内，同时去实现风险控制，设计定位并终结这些风险；

• Remember that the control environment is not just about technology. The AWS control environment consists of policies, processes, and control activities. This control environment includes people, processes, and technology.

• 环境控制不是简单的技术策略。AWS的环境控制由策略、流程、控制活动组成。参与者包括人员、流程和技术；

• Remember the key reports, certifications, and third-party attestations. The key reports, certifications, and third-party attestations include, but are not limited to, the following:
  FedRAMP
  FIPS 140–2
  FISMA and DIACAP
  HIPAA
  ISO 9001
  ISO 27001
  ITAR
  PCI DSS Level 1
  SOC 1/ISAE 3402
  SOC 2
  SOC 3

• 记录主要的报告、认证和第三方关注，包括不限于 FedRAMP、FIPS 140-2、 FISMA and DIACAP、HIPAA 、ISO 9001、ISO 27001、ITAR、PCI DSS Level1 SOC1/ISAE3402、SOC2、SOC3