Lesson 13

Shared Responsibility Model

Security 'of' the cloud vs. security 'in' the cloud — and how responsibilities shift by service type

The Shared Responsibility Model

Security and compliance are a shared responsibility between AWS and the customer. This model relieves the customer's operational burden while giving them the flexibility and control to deploy solutions on AWS. The distinction is commonly phrased as:

AWS is responsible for
Security of the Cloud

Customer is responsible for
Security in the Cloud

AWS Responsibility: Security of the Cloud

AWS operates, manages, and controls the components from the hypervisor virtualization layer down to the physical security of facilities where services operate. AWS protects the global infrastructure that runs all Cloud services.

Physical Infrastructure

Nondescript facilities with 24/7 security guards
Two-factor authentication for all physical access
Access logging and review, video surveillance
Disk degaussing and destruction for decommissioned storage

Hardware & Software Infrastructure

Servers, storage devices, networking appliances
Host operating systems, service applications, virtualization software
Routers, switches, load balancers, firewalls, cabling
Network monitoring at external boundaries, redundant infrastructure
Intrusion detection systems

AWS Global Infrastructure

Regions, Availability Zones, and edge locations are all AWS-managed. Third-party auditors verify AWS compliance with computer security standards and regulations — audit reports are available to customers.

Customer Responsibility: Security in the Cloud

Customers are responsible for security of everything they put in the cloud. The specific steps depend on the services used and the complexity of the system.

Customer-Managed Security

Area	Customer Responsibilities
Compute	Guest OS patching and maintenance, application software, security group configuration
Network	VPC configuration, subnet design, NACLs, firewall rules, intrusion detection/prevention systems
Data	What content to store, which AWS services to use with it, which country it resides in, encryption (at rest and in transit), data format and masking
IAM	User/group/role management, permission policies, password policies, MFA, access key rotation
Account	Login settings, root user protection, billing reports

Key principle: Customers maintain complete control over their content. They decide who has access, how access rights are granted/managed/revoked, and what security controls to implement.

Responsibility by Service Type

The level of customer responsibility shifts depending on how much the service abstracts away the underlying infrastructure.

Type	Services	Customer Manages	AWS Manages
IaaS	EC2, EBS, VPC	Guest OS, applications, security groups, firewall configurations	Physical, hypervisor, network up to the compute instance
PaaS	Lambda, RDS, Elastic Beanstalk	Code or data, permissions, data classification	OS, database patching, firewall config, disaster recovery
SaaS	Trusted Advisor, Shield, Chime	Usage configuration, subscription, data input	Entire infrastructure and application stack

Exam rule of thumb: The more "managed" the service, the more AWS handles. EC2 (IaaS) = customer handles OS patching. RDS (PaaS) = AWS handles database patching, customer handles data. Lambda (also PaaS) = AWS handles everything below the code.

Primary Source: AWS Academy Module 4: AWS Cloud Security (module-4.txt) — Section 1: AWS Shared Responsibility Model.