TASK 1 2026 | DGN2 Complete Solution | MSCSIA/BSCC |
Pass Guaranteed - A+ Graded
Section 1: Cloud Shared Responsibility Model & Compliance
Frameworks (Questions 1-12)
Q1. A healthcare organization migrating its electronic health records (EHR) system to
AWS EC2 instances must determine which party is responsible for operating system
patching under the shared responsibility model. Which statement accurately
describes this responsibility?
A. AWS is responsible for patching the guest operating system on all EC2 instances
B. The customer is responsible for patching the guest operating system on EC2
instances [CORRECT]
C. AWS and the customer share equal responsibility for OS patching regardless of
service model
D. The customer is only responsible for application-level patching, not the OS
Rationale: Under AWS IaaS (EC2), the customer manages the guest OS, applications,
and data security, while AWS secures the underlying infrastructure (hardware,
hypervisor, physical data centers). Option A confuses provider/customer roles;
Option C ignores service model differentiation; Option D incorrectly narrows
customer responsibility.
Correct Answer: B
Q2. A financial services firm using Microsoft Azure App Service (PaaS) to host its
trading application needs to implement TLS 1.3 for data in transit. According to the
Azure shared responsibility model, who is primarily responsible for configuring and
managing this encryption protocol?
A. Microsoft Azure manages TLS configuration entirely; the customer has no
configuration role
B. The customer is responsible for configuring TLS 1.3 at the application layer and
managing certificate rotation
C. Microsoft manages the platform runtime TLS, while the customer manages
application-level TLS settings and certificate binding [CORRECT]
D. TLS configuration is a shared responsibility with Microsoft handling inbound traffic
and the customer handling outbound traffic
Rationale: In Azure PaaS, Microsoft manages the underlying platform, including the
runtime and its TLS termination, but the customer must set the application's minimum
TLS version, bind certificates to custom domains, and rotate any certificates it
uploads itself. Option A is incorrect because customers retain application-layer
control; Option B overstates customer responsibility by ignoring that Microsoft
manages the platform runtime; Option D describes an inbound/outbound split that does
not exist in the actual model.
Correct Answer: C
Q3. Under NIST CSF 2.0, a cloud security architect is developing a governance
framework for a multi-cloud environment spanning AWS, Azure, and GCP. Which
function should be the FIRST priority when establishing organizational context and
cybersecurity risk management strategy?
A. Identify (ID)
B. Protect (PR)
C. Govern (GV) [CORRECT]
D. Detect (DE)
Rationale: NIST CSF 2.0 added Govern as the sixth core function, establishing it as
the foundational element for organizational context, risk management strategy, and
policy oversight before implementing other functions. Options A, B, and D represent
operational functions that should be informed by governance decisions, not precede
them.
Correct Answer: C
Q4. A SaaS-based customer relationship management (CRM) vendor claims SOC 2
Type II compliance. A prospective client must evaluate whether this certification
satisfies their PCI DSS requirements for storing customer payment card data within
the CRM. Which assessment is MOST accurate?
A. SOC 2 Type II automatically satisfies all PCI DSS requirements for cardholder data
environments
B. SOC 2 and PCI DSS are equivalent standards with identical control requirements
C. SOC 2 Type II demonstrates operational security controls but does NOT
automatically satisfy PCI DSS; additional PCI DSS-specific controls must be validated
[CORRECT]
D. Since the vendor is SaaS, PCI DSS responsibility shifts entirely to the vendor,
eliminating the need for client assessment
Rationale: SOC 2 reports against the Trust Services Criteria (security, availability,
processing integrity, confidentiality, privacy), while PCI DSS has specific, mandatory
requirements for protecting cardholder data. Options A and B conflate distinct
frameworks; Option D incorrectly assumes SaaS transfers all PCI DSS responsibility to
the vendor. The client remains responsible for its own PCI DSS compliance, must
verify the vendor's PCI DSS compliance status (for example, its Attestation of
Compliance and responsibility matrix), and must validate the PCI DSS controls that
remain on its side, with the validation method depending on its merchant level.
Correct Answer: C
Q5. A federal agency is migrating workloads to AWS GovCloud (US) and must
achieve FedRAMP High authorization. Which NIST CSF 2.0 function category BEST
aligns with the FedRAMP requirement for continuous monitoring and ongoing
authorization?
A. GV.OC (Organizational Context)
B. ID.AM (Asset Management)
C. DE.CM (Continuous Monitoring) [CORRECT]
D. RS.AN (Analysis)