The AWS shared responsibility model is part of Security Pillar of the AWS Well-Architected Framework (refer to references at the end).
The primary distinction is that AWS is responsible for the security of the cloud, whereas the customer is accountable for security in the cloud. A detailed table provided below further clarifies the specific responsibilities of each party.
security in the Cloud
security of the Cloud
Hardware/ AWS Global Infrastructure
Encryption & Data integrity
Networking traffic protection
Security of the Cloud
AWS is tasked with safeguarding its global infrastructure that runs AWS Services including hardware, software, networking and physical facilities (like data centers or edge locations).
Is responsible for host operating systems, virtualization layer and physical components of EC2 but its not responsbile for guest operating systems and installed software on EC2 because its not a managed service.
Security in the Cloud
The customer bears responsibility for their data, including how it is stored and transmitted, with a focus on encryption both in transit and at rest.
They are also accountable for their applications and the configuration of services provided by AWS. For instance, the customer is responsible for encrypting their data, updating and patching their EC2 systems and any software installed on these systems (like databases), creating permissions and user accounts with access to their assets in AWS cloud.
The responsibility for AWS services varies depending on specific AWS service.
IT controls in AWS shared responsibility model
IT controls comprise various activities and measures executed in the field of Information Technology, essential for achieving business objectives.
The model extends to IT controls, with AWS managing physical infrastructure controls and customers managing specific application controls.
Controls are categorized into inherited (fully managed by AWS), shared (both AWS and customers have responsibilities) and customer-specific (solely managed by customers). The accompanying table outlines this clear division with examples.
Controls related to infrastructure and customer layers but applied from separated context and perspecticves.
Controls depends on application deployed in AWS services.