3 min.

The AWS shared responsibility model

The model explains shared security and compliance between AWS and the Customer in the AWS ecosystem

The AWS shared responsibility model is part of Security Pillar of the AWS Well-Architected Framework (refer to references at the end). 


The primary distinction is that AWS is responsible for the security of the cloud, whereas the customer is accountable for security in the cloud. A detailed table provided below further clarifies the specific responsibilities of each party.



security in the Cloud


security of the Cloud 

Customer data


Identity & Access Management





Operating system
Firewall configuration

Hardware/ AWS Global Infrastructure

Client-side data

Encryption & Data integrity


Availability Zones

Edge Locations

Server-side encryption
(File system and/or data)

Networking traffic protection
 (Encryption, Integrity, Identity)



Security of the Cloud


AWS is tasked with safeguarding its global infrastructure that runs AWS Services including hardware, software, networking and physical facilities (like data centers or edge locations). 


Is responsible for host operating systems, virtualization layer and physical components of EC2 but its not responsbile for guest operating systems and installed software on EC2 because its not a managed service.



Security in the Cloud


The customer bears responsibility for their data, including how it is stored and transmitted, with a focus on encryption both in transit and at rest. 


They are also accountable for their applications and the configuration of services provided by AWS. For instance, the customer is responsible for encrypting their data, updating and patching their EC2 systems and any software installed on these systems (like databases), creating permissions and user accounts with access to their assets in AWS cloud.


The responsibility for AWS services varies depending on specific AWS service.



IT controls in AWS shared responsibility model


IT controls comprise various activities and measures executed in the field of Information Technology, essential for achieving business objectives. 


The model extends to IT controls, with AWS managing physical infrastructure controls and customers managing specific application controls.


Controls are categorized into inherited (fully managed by AWS), shared (both AWS and customers have responsibilities) and customer-specific (solely managed by customers). The accompanying table outlines this clear division with examples.








Physical and Environmental controls




  • Physical security of data centers against theft, unauthorized access etc.


  • Protecting assets from fire, water, power disruption etc.




Controls related to infrastructure and customer layers but applied from separated context and perspecticves.



  • Patch Management: AWS handles patching and repairing issues in the infrastructure, while customers must update their own guest operating systems and applications


  • Configuration Management: AWS takes care of configuring its infrastructure devices, whereas customers need to configure their guest operating systems, databases, and applications
  • Awareness and Training: AWS is responsible for training its own employees, while it is up to the customers to train their personnel




Controls depends on application deployed in AWS services.



  • The need to route data due to specific security environments, such as Zone Security or Service and Communication Protection.







The Security Pillar of the AWS Well-Architected Framework - Shared responsibility

Security: Shared Responsibility Model | AWS Partners

Shared Security Responsibility Model - GxP Systems on AWS

AWS Shared responsibility model - inherited controls