A startup is migrating a web application to AWS. The application runs on Amazon EC2 instances that use a custom Amazon Machine Image (AMI) with the company's proprietary software. The security team needs to understand which security tasks the company must perform. Under the AWS Shared Responsibility Model, which of the following is the customer's responsibility?
Configuring security groups is the customer's responsibility. Security groups act as virtual firewalls for EC2 instances, and customers define the rules for allowed traffic, making this a task the customer must perform.
Why this answer
Configuring security groups is a customer responsibility because security groups act as a virtual firewall for EC2 instances, controlling inbound and outbound traffic at the instance level. Under the AWS Shared Responsibility Model, the customer is responsible for configuring network access controls, while AWS manages the underlying infrastructure. The customer's configuration work includes defining rules based on IP protocols, ports, and source/destination CIDR ranges.
Exam trap
The trap here is that candidates often confuse 'patching the hypervisor' (AWS responsibility) with 'patching the guest OS' (customer responsibility), leading them to incorrectly select Option A as a customer task.
How to eliminate wrong answers
Option A is wrong because patching the hypervisor is an AWS responsibility, as the hypervisor is part of the virtualization layer that AWS manages to isolate customer instances. Option C is wrong because physical security of the data center is entirely AWS's responsibility under the model, covering guards, access controls, and environmental systems. Option D is wrong because maintaining the underlying network infrastructure, including routers, switches, and cabling, is AWS's responsibility as part of the 'Security of the Cloud'.