Jan 19 20243 min.

The AWS shared responsibility model

The model explains shared security and compliance between AWS and the Customer in the AWS ecosystem

Full-Stack Cloud Engineer

TABLE OF CONTENTS

Security of the Cloud
Security in the Cloud
IT controls in AWS shared responsibility model
References

The AWS shared responsibility model is part of Security Pillar of the AWS Well-Architected Framework (refer to references at the end).

The primary distinction is that AWS is responsible for the security of the cloud, whereas the customer is accountable for security in the cloud. A detailed table provided below further clarifies the specific responsibilities of each party.

Customer security in the Cloud	AWS security of the Cloud
Customer data	Software
Platform Applications Identity & Access Management	Compute	Storage	Database	Networking
Operating system Networking Firewall configuration	Hardware/ AWS Global Infrastructure
Client-side data Encryption & Data integrity Authentication	Regions		Availability Zones	Edge Locations
Server-side encryption (File system and/or data)
Networking traffic protection (Encryption, Integrity, Identity)

Security of the Cloud

AWS is tasked with safeguarding its global infrastructure that runs AWS Services including hardware, software, networking and physical facilities (like data centers or edge locations).

Is responsible for host operating systems, virtualization layer and physical components of EC2 but its not responsbile for guest operating systems and installed software on EC2 because its not a managed service.

Security in the Cloud

The customer bears responsibility for their data, including how it is stored and transmitted, with a focus on encryption both in transit and at rest.

They are also accountable for their applications and the configuration of services provided by AWS. For instance, the customer is responsible for encrypting their data, updating and patching their EC2 systems and any software installed on these systems (like databases), creating permissions and user accounts with access to their assets in AWS cloud.

The responsibility for AWS services varies depending on specific AWS service.

IT controls in AWS shared responsibility model

IT controls comprise various activities and measures executed in the field of Information Technology, essential for achieving business objectives.

The model extends to IT controls, with AWS managing physical infrastructure controls and customers managing specific application controls.

Controls are categorized into inherited (fully managed by AWS), shared (both AWS and customers have responsibilities) and customer-specific (solely managed by customers). The accompanying table outlines this clear division with examples.

	Customer	AWS
Inherited	None	Physical and Environmental controls Examples: Physical security of data centers against theft, unauthorized access etc. Protecting assets from fire, water, power disruption etc.
Shared	Controls related to infrastructure and customer layers but applied from separated context and perspecticves. Examples: Patch Management: AWS handles patching and repairing issues in the infrastructure, while customers must update their own guest operating systems and applications Configuration Management: AWS takes care of configuring its infrastructure devices, whereas customers need to configure their guest operating systems, databases, and applications Awareness and Training: AWS is responsible for training its own employees, while it is up to the customers to train their personnel
Customer-specific	Controls depends on application deployed in AWS services. Examples: The need to route data due to specific security environments, such as Zone Security or Service and Communication Protection.	None

Customer

AWS

Inherited

None

Physical and Environmental controls

Examples:

Physical security of data centers against theft, unauthorized access etc.

Protecting assets from fire, water, power disruption etc.

Shared

Controls related to infrastructure and customer layers but applied from separated context and perspecticves.

Examples:

Patch Management: AWS handles patching and repairing issues in the infrastructure, while customers must update their own guest operating systems and applications

Configuration Management: AWS takes care of configuring its infrastructure devices, whereas customers need to configure their guest operating systems, databases, and applications
Awareness and Training: AWS is responsible for training its own employees, while it is up to the customers to train their personnel

Customer-specific

Controls depends on application deployed in AWS services.

Examples:

The need to route data due to specific security environments, such as Zone Security or Service and Communication Protection.

None

References

The Security Pillar of the AWS Well-Architected Framework - Shared responsibility

Security: Shared Responsibility Model | AWS Partners

Shared Security Responsibility Model - GxP Systems on AWS

AWS Shared responsibility model - inherited controls

#design-secure-architectures-aws-certified-solutions-architect-associate-saa-c03-domain-1

Is AWS Certification worth it

Date undefined min.

Getting AWS certified is becoming a must have for anyone truly interested in working with AWS Cloud as a professional. There are 3 main reasons for that: requirements of AWS Partner program, learning process and your visibility on the market.

Access controls and management across multiple accounts in AWS

Managing and controlling access across various accounts involves navigating a myriad of services and features. This article aims to organize these elements for simpler understanding.

AWS federated access and identity services

AWS federated access isn't a standalone service but a feature integrated into various AWS Identity Services

AWS global infrastructure

AWS leads the global infrastructure among public cloud providers, with hundreds of data centers and over six hundred points of presence, exceeding all others in terms of scale and reach

AWS security best practices

Simplified overview of ALL AWS security best practices