AWS Shared Responsibility Model
Last updated
Last updated
The AWS Shared Responsibility Model defines the distribution of security responsibilities between AWS and the customer, ensuring that both parties understand their respective roles in securing the cloud environment. This model divides responsibilities into two primary areas: Security OF the Cloud and Security IN the Cloud.
AWS is responsible for securing the underlying infrastructure that runs the services offered in the AWS Cloud. This includes the physical, network, and hypervisor layers that support its cloud offerings. Some specific areas covered by AWS include:
Data Centers:
Security of physical locations (e.g., access control, surveillance, climate management).
Protection from disasters (e.g., power redundancy, environmental controls).
Hardware & Software Infrastructure:
Maintenance and security of the networking equipment, storage, and servers.
Securing virtualization layers like Amazon EC2 hypervisors.
Global Infrastructure:
Ensuring secure connectivity and high availability across Availability Zones and Regions.
Protection against DDoS attacks using AWS Shield.
Compliance Controls:
AWS maintains industry-standard compliance certifications such as SOC 1/2/3, ISO 27001, PCI DSS, and HIPAA.
Example AWS Responsibilities:
Patching and updating AWS-managed services (like RDS, DynamoDB).
Availability of compute, storage, and network services.
Securing the infrastructure and the management of physical assets.
Customers are responsible for managing the security of the workloads, data, and applications they deploy in the AWS Cloud. This responsibility varies based on the specific AWS service being used (IaaS, PaaS, or SaaS).
Customers have the flexibility to build their applications, configure their security settings, and store data, but they must ensure these are secured.
Identity and Access Management (IAM):
Creating and managing user accounts, roles, and permissions using IAM policies.
Applying least privilege principles to restrict access to resources.
Data Protection:
Encrypting data at rest (e.g., using AWS KMS) and in transit (e.g., with TLS).
Managing key rotation and lifecycle.
Network Security:
Configuring security groups, network ACLs, and VPC settings.
Setting up firewalls and using AWS WAF to prevent malicious access.
Application Security:
Hardening the application code and securing APIs.
Regularly testing for vulnerabilities using tools like Amazon Inspector.
Monitoring & Logging:
Monitoring the environment using CloudTrail and CloudWatch Logs.
Setting up GuardDuty to detect unusual activities or possible threats.
Patch Management:
Managing the updates and patches of OS and application software on EC2 instances.
Example Customer Responsibilities:
Encrypting sensitive data in an S3 bucket.
Ensuring secure configurations for virtual machines (EC2) or containers (ECS, EKS).
Defining backup policies and disaster recovery strategies.
Some controls require shared responsibility, where both AWS and the customer play a role. Examples include:
Patch Management:
AWS manages patching for managed services like Amazon RDS.
Customers manage patching for operating systems running on EC2 instances.
Configuration Management:
AWS provides tools like AWS Config to monitor and assess configurations.
Customers must configure these services according to their compliance needs.
Incident Response:
AWS ensures availability of tools like CloudTrail for auditing.
Customers are responsible for monitoring these logs and responding to incidents.
Responsibility
AWS
Customer
Infrastructure Security
Data center, hardware, hypervisors
Configuring secure workloads
Identity Management
IAM platform availability
Defining user roles and permissions
Data Encryption
Provides encryption tools
Configuring encryption & key rotation
Patch Management
Patching AWS-managed services
Patching OS and apps on EC2
Network Security
Global infrastructure security
Configuring VPC, security groups, NACLs
Monitoring
Provides CloudTrail, CloudWatch
Setting up alerts and monitoring logs