AWS Certified Cloud Practitioner — Question 830
An auditor is preparing for an annual security audit. The auditor requests certification details for a company’s AWS-hosted resources across multiple Availability Zones in the us-east-1 Region.
How should the company respond to the auditor’s request?
Answer options
- A. Open an AWS Support ticket to request that the AWS technical account manager (TAM) respond and help the auditor.
- B. Open an AWS Support ticket to request that the auditor receive approval to conduct an onsite assessment of the AWS data centers in which the company operates.
- C. Explain to the auditor that AWS does not need to be audited because the company’s application is hosted in multiple Availability Zones.
- D. Use AWS Artifact to download the applicable report for AWS security controls. Provide the report to the auditor.
Correct answer: D
Explanation
AWS Artifact is the dedicated, self-service portal where customers can download AWS compliance reports and security certifications, making it the correct tool for gathering audit evidence. AWS does not allow physical data center tours for customer audits, and technical account managers do not directly address external auditor requests. Additionally, hosting workloads across multiple Availability Zones provides high availability but does not bypass the need for compliance documentation.