
The AWS shared responsibility model

The model explains how security and compliance responsibilities are shared between AWS and the customer in the AWS ecosystem.

The AWS shared responsibility model is part of the Security Pillar of the AWS Well-Architected Framework (see the references at the end).

The primary distinction is that AWS is responsible for the security of the cloud, whereas the customer is accountable for security in the cloud. The table below breaks down the specific responsibilities of each party.

Customer: responsible for security IN the Cloud

  • Customer data
  • Platform, Applications, Identity & Access Management
  • Operating system, Networking, Firewall configuration
  • Client-side data encryption & data integrity, authentication
  • Server-side encryption (file system and/or data)
  • Networking traffic protection (encryption, integrity, identity)

AWS: responsible for security OF the Cloud

  • Software: Compute, Storage, Database, Networking
  • Hardware / AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Security of the Cloud

AWS is tasked with safeguarding the global infrastructure that runs AWS services, including the hardware, software, networking and physical facilities (such as data centers and edge locations).

For EC2, AWS is responsible for the host operating system, the virtualization layer and the physical components, but not for the guest operating system or the software installed on instances, because EC2 is not a managed service.

Security in the Cloud

The customer bears responsibility for their data, including how it is stored and transmitted, with a focus on encryption both in transit and at rest.

They are also accountable for their applications and for the configuration of the services AWS provides. For instance, the customer is responsible for encrypting their data, for updating and patching their EC2 instances and any software installed on them (such as databases), and for creating the user accounts and permissions that grant access to their assets in the AWS cloud.

The customer's share of responsibility varies depending on the specific AWS service.
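The customer-side items above (encryption at rest, guest OS patching, IAM accounts and permissions, firewall configuration) are the ones a customer can audit in their own account. The Python script below is an added example, not code from this page or from AWS: it runs those checks over a constructed account snapshot whose dictionaries mirror the shape of the boto3 `describe_volumes`, `get_bucket_encryption`, `list_users`, `describe_instances` and `describe_security_groups` responses. The `LastPatched` and `MFADevices` fields, the thresholds and every resource identifier are constructed for the example, and no AWS API is called.

```python
"""Audit a constructed account snapshot against the customer's side of the
AWS shared responsibility model: encryption at rest, guest OS patching, IAM
hygiene and firewall (security group) configuration.

Added example. The snapshot is constructed to mirror boto3 response shapes;
it is not a real account and no AWS API is called.
"""
from datetime import datetime, timedelta, timezone

# --- constructed snapshot (field names follow the boto3 response shapes) ---
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SNAPSHOT = {
    "Volumes": [  # shape of ec2.describe_volumes()["Volumes"]
        {"VolumeId": "vol-0aaa", "Encrypted": True},
        {"VolumeId": "vol-0bbb", "Encrypted": False},
    ],
    "Buckets": [  # s3.list_buckets() merged with get_bucket_encryption() per bucket
        {"Name": "app-logs", "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        {"Name": "legacy-exports", "ServerSideEncryptionConfiguration": None},
    ],
    "Users": [  # iam.list_users() enriched with a constructed MFADevices list
        {"UserName": "alice", "PasswordLastUsed": "2024-05-30", "MFADevices": ["arn:example"]},
        {"UserName": "bob", "PasswordLastUsed": "2024-05-29", "MFADevices": []},
        {"UserName": "ci-deploy", "PasswordLastUsed": None, "MFADevices": []},  # no console password
    ],
    "Instances": [  # ec2.describe_instances() plus a constructed LastPatched timestamp
        {"InstanceId": "i-0111", "LastPatched": NOW - timedelta(days=5)},
        {"InstanceId": "i-0222", "LastPatched": NOW - timedelta(days=90)},
    ],
    "SecurityGroups": [  # shape of ec2.describe_security_groups()["SecurityGroups"]
        {"GroupId": "sg-0web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0admin", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
}

ADMIN_PORTS = {22, 3389}            # example threshold: remote-administration ports
MAX_PATCH_AGE = timedelta(days=30)  # example threshold: acceptable patch window


def unencrypted_volumes(volumes):
    """Encryption at rest is the customer's job: flag EBS volumes without it."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted")]


def buckets_without_default_encryption(buckets):
    """Server-side encryption (customer column) must be configured per bucket."""
    out = []
    for b in buckets:
        cfg = b.get("ServerSideEncryptionConfiguration") or {}
        if not cfg.get("Rules"):
            out.append(b["Name"])
    return out


def console_users_without_mfa(users):
    """IAM is customer-managed: users with a console password must carry an MFA device."""
    return [u["UserName"] for u in users
            if u.get("PasswordLastUsed") is not None and not u.get("MFADevices")]


def stale_instances(instances, now=NOW, max_age=MAX_PATCH_AGE):
    """AWS does not patch EC2 guest operating systems; flag instances past the window."""
    return [i["InstanceId"] for i in instances if now - i["LastPatched"] > max_age]


def open_admin_ports(groups):
    """Firewall configuration is customer-owned: flag admin ports open to 0.0.0.0/0."""
    findings = []
    for g in groups:
        for p in g.get("IpPermissions", []):
            if p.get("IpProtocol") not in ("tcp", "-1"):  # "-1" means all traffic
                continue
            lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)
            world = any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", []))
            if world and any(lo <= port <= hi for port in ADMIN_PORTS):
                findings.append((g["GroupId"], lo, hi))
    return findings


def run_checks(snapshot, now=NOW):
    """Run every customer-side check and return the findings by check name."""
    return {
        "unencrypted_volumes": unencrypted_volumes(snapshot["Volumes"]),
        "buckets_without_sse": buckets_without_default_encryption(snapshot["Buckets"]),
        "console_users_without_mfa": console_users_without_mfa(snapshot["Users"]),
        "stale_instances": stale_instances(snapshot["Instances"], now),
        "open_admin_ports": open_admin_ports(snapshot["SecurityGroups"]),
    }


if __name__ == "__main__":
    for check, hits in run_checks(SNAPSHOT).items():
        print(f"{check}: {hits or 'OK'}")
```

In a real account the snapshot would be filled from the corresponding boto3 calls; each check maps to one row of the customer column in the table above, which is the point: none of these findings would be raised by AWS on the customer's behalf.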

 

 

IT controls in the AWS shared responsibility model

IT controls are the activities and measures carried out in the field of Information Technology that are essential for achieving business objectives.

The model extends to IT controls, with AWS managing the physical infrastructure controls and customers managing the specific application controls.

Controls are categorized as inherited (fully managed by AWS), shared (both AWS and the customer have responsibilities) and customer-specific (solely managed by the customer). The table below outlines this division with examples.

Inherited controls

  Customer: none
  AWS: physical and environmental controls

  Examples:
  • Physical security of data centers against theft, unauthorized access etc.
  • Protecting assets from fire, water, power disruption etc.

Shared controls

  Customer and AWS: controls that apply to both the infrastructure layer and the customer layer, but from separate contexts and perspectives.

  Examples:
  • Patch Management: AWS handles patching and repairing issues in the infrastructure, while customers must update their own guest operating systems and applications
  • Configuration Management: AWS takes care of configuring its infrastructure devices, whereas customers need to configure their guest operating systems, databases, and applications
  • Awareness and Training: AWS is responsible for training its own employees, while it is up to the customers to train their personnel

Customer-specific controls

  Customer: controls depend on the application deployed in AWS services.
  AWS: none

  Examples:
  • The need to route data within specific security environments, for example under Zone Security or Service and Communication Protection requirements.

References

  • The Security Pillar of the AWS Well-Architected Framework - Shared responsibility
  • Security: Shared Responsibility Model | AWS Partners
  • Shared Security Responsibility Model - GxP Systems on AWS
  • AWS Shared responsibility model - inherited controls