AWS Shared Responsibility Model
Security and compliance are a shared responsibility between AWS and the customer. This shared responsibility model can help reduce the customer's share of the operational burden on the AWS Cloud: AWS operates, manages, and controls the components from the host operating system and the virtualization layer down to the physical security of the data centers.
The customer assumes management responsibility of the guest operating system, including updates, security patches, and other associated application software; however, AWS provides a security group firewall.
It is essential for AWS customers to carefully consider the services they choose, as their responsibilities vary depending on the services used and applicable laws and regulations. This differentiation of responsibility between AWS and AWS Customers is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud.
Security of the Cloud
AWS is responsible for “Security of the cloud.” This means that AWS is responsible for the infrastructure that runs the Cloud. The infrastructure includes the physical hardware, software, networking, and physical facilities that host the infrastructure and run Cloud services.
Based on the AWS Responsibility Model, AWS is responsible for AWS's global infrastructure, which means the hardware and software of AWS Regions, AWS Availability Zones, and Edge Locations. AWS is responsible for computing, storage, databases, and networking infrastructure along with physical facilities hosting data centers for the AWS global infrastructure.
Security in the Cloud
“Security in the Cloud” is the responsibility of the customer. AWS Customer responsibilities depend on the AWS services. For example, the customer has more responsibility and control when the customer is using EC2. In the case of EC2, the customer is responsible for securing the instance by configuring Security Groups and Network ACLs, along with applying updates and security patches.
For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. This includes the disposal and replacement of disk drives as well as data center security.
Inherited Controls
Physical and Environmental controls
Physical and Environmental controls are part of the inherited controls, and hence these are the responsibility of AWS. AWS is responsible for protecting its infrastructure, which is composed of the hardware, software, networking, and facilities that run AWS Cloud services. For example, replacing faulty hardware of Amazon EC2 instances comes under the infrastructure maintenance “of” the cloud. This is the responsibility of AWS.
Shared Control
As discussed above, AWS operations in an IT environment are shared between AWS and its customers. Likewise, the management and verification of IT controls on AWS are split between AWS and AWS customers. I have added a screenshot that shows examples of controls that are managed by AWS, by AWS customers, or by both.
Patch Management
The customers must provide their own control implementation within their use of AWS services. The customers are responsible for patching their guest OS as well as for configuring their applications. AWS is responsible for fixing flaws within the infrastructure.
Configuration Management
Configuration Management forms a part of shared controls – AWS maintains the configuration of its infrastructure devices.
However, the AWS customer is responsible for configuring their own guest operating systems, databases, and applications. Customers are responsible for the management of the guest operating system, which includes updates and security patches, any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a Security Group) on each instance.
For example, AWS services such as Amazon EC2 are categorized as IaaS, and as such they require the customer to perform all of the necessary security configuration and management tasks.
Training AWS And Customer Employees
Awareness & Training is also a shared responsibility. For example, AWS trains AWS employees, but a customer must train their employees.
OS Configuration
OS configuration as a whole is a shared responsibility but be careful: the host OS configuration is the responsibility of AWS, and the guest OS configuration is the customer's responsibility.
Data Security and Encryption
Under the shared model, customers are responsible for managing their data, including data encryption. AWS is responsible for keeping data on AWS Cloud Secure, Durable, Available, and Reliable. AWS is responsible for keeping the data safe from hardware and software failure.
Enabling Multi-Factor Authentication for the AWS accounts in your organization is the AWS customer's responsibility. On the other hand, AWS is responsible for making sure that the users created, their relationships, and their policies are stored on fail-proof infrastructure.
Creating bucket policies for Amazon S3 data access is the responsibility of the customer. The customer decides who gets access to the data they store on S3 and uses AWS tools to implement these requirements. Creating user roles and policies is also the responsibility of the customer.
Customers decide “which” resources get “what” access. In the Shared Responsibility Model, customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.
Customer Specific Responsibility
Customers are responsible for Service and Communications Protection or Zone Security which may require the customers to route or zone data within specific security environments.
• The customer is responsible for maintaining versions of a Lambda function.
• Under the AWS Shared Responsibility Model, customers are responsible for enabling MFA on all accounts, analyzing access patterns, and reviewing permissions.
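As an added example (not from the original article or from AWS), the following Python audits API-shaped data for three of the customer-side controls the article lists: Security Group ingress, S3 bucket policies, and MFA on IAM users. The security groups, bucket policy, group ids, bucket name and user names are constructed samples shaped like the corresponding boto3 responses; nothing here calls AWS.

```python
"""Audit constructed AWS API responses for three controls the shared
responsibility model assigns to the customer: Security Group ingress,
S3 bucket policies and IAM MFA. The samples are constructed to mirror the
shapes boto3 returns from describe_security_groups, get_bucket_policy and
get_credential_report; nothing here calls AWS."""
import csv
import io
import json

# Constructed: sg-0example1 exposes SSH to the world, sg-0example2 does not.
SECURITY_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
# Constructed: a bucket policy that lets any principal read objects.
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed credential report (subset of the real columns); bob lacks MFA.
CREDENTIAL_REPORT = ("user,password_enabled,mfa_active\n"
                     "alice,true,true\n"
                     "bob,true,false\n"
                     "deploy-svc,false,false\n")

def open_admin_ports(groups, ports=(22, 3389)):
    """(group id, port) pairs where SSH/RDP is reachable from 0.0.0.0/0."""
    found = []
    for g in groups:
        for perm in g["IpPermissions"]:
            if not any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" = all
            found += [(g["GroupId"], p) for p in ports if lo <= p <= hi]
    return found

def public_statements(policy_json):
    """Allow statements granted to every principal without a Condition."""
    wildcard = lambda p: p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
    return [s for s in json.loads(policy_json)["Statement"]
            if s.get("Effect") == "Allow" and wildcard(s.get("Principal"))
            and "Condition" not in s]

def console_users_without_mfa(report_csv):
    """Users who can sign in with a password but have no MFA device."""
    return [r["user"] for r in csv.DictReader(io.StringIO(report_csv))
            if r["password_enabled"] == "true" and r["mfa_active"] == "false"]
```

Users with only access keys (no console password) are not flagged as MFA gaps, which keeps the report focused on the sign-in control the article describes.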
Reference
https://aws.amazon.com/compliance/shared-responsibility-model/
SK Singh is the founder and a software, cloud, and data engineer. He has been involved in the software industry for around 25 years. He has a bachelor's degree in computer science and engineering from India and a master's degree in software engineering from the Pennsylvania State University. SK has been involved in a wide range of software projects for many government, private, start-up, and large public companies in various software engineering roles. He holds many professional certifications, including AWS, Hadoop, Kafka, Oracle, Unix, Java, and Java-related frameworks, among others.