AWS Responsibilities
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Understanding the AWS Shared Responsibility Model
Introduction: Why Shared Responsibility Matters
When you migrate your infrastructure to the cloud, one of the most common misconceptions is that the cloud provider handles all aspects of security. Many organizations mistakenly believe that because they are paying for a cloud service, the provider is responsible for everything from firewall rules to data encryption and user access control. This misunderstanding often leads to significant security gaps, data breaches, and compliance violations. The Shared Responsibility Model is the framework that clarifies exactly where your responsibility ends and where the cloud provider’s responsibility begins.
Understanding this model is not just a theoretical exercise; it is the foundation of your entire cloud security strategy. If you do not know which parts of the stack you are responsible for, you cannot effectively secure them. By clearly defining the boundaries, AWS allows you to focus on the layers you control while leveraging the security investments AWS has made in the underlying infrastructure. This lesson will break down the components of this model, explore what falls under the "customer" domain versus the "AWS" domain, and provide actionable practices to ensure your cloud environment remains secure.
The Core Concept: "Security OF the Cloud" vs. "Security IN the Cloud"
To simplify the division of labor, AWS categorizes responsibilities into two distinct buckets: security of the cloud and security in the cloud. This simple distinction helps cloud architects and security engineers quickly identify who is responsible for a specific task.
Security OF the Cloud
AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. Essentially, this is the "physical" and "foundational" layer. AWS manages the physical security of data centers, the decommissioning of hardware, the maintenance of the host operating systems, and the underlying virtualization layer that allows multiple customers to share physical hardware securely.
Security IN the Cloud
The customer is responsible for everything they put into the cloud. This includes the data you store, the operating systems you choose, the network configuration of your virtual private clouds (VPCs), and the identity and access management (IAM) policies you define. If you spin up an EC2 instance, you are responsible for patching the OS, configuring the firewall (Security Groups), and encrypting the data stored on the attached volumes. AWS does not have visibility into your data, nor do they manage your application code or user permissions.
Callout: The "Layered" Analogy Think of the Shared Responsibility Model like renting an apartment in a high-rise building. The landlord (AWS) is responsible for the building’s foundation, the structural integrity of the walls, the plumbing inside the walls, and the physical security of the lobby. However, you (the customer) are responsible for what happens inside your specific unit. You must lock your door, decide who to invite inside, keep your own apartment clean, and ensure your personal belongings are safe. If you leave your front door wide open, that is your responsibility, not the landlord’s.
Breakdown of Responsibilities by Service Type
The "split" in the Shared Responsibility Model is not static; it shifts depending on the type of service you are using. As you move from Infrastructure as a Service (IaaS) to Platform as a Service (PaaS) and finally to Software as a Service (SaaS), the amount of work you have to do changes.
Infrastructure as a Service (IaaS)
In an IaaS model, such as Amazon EC2, you have the most control and, consequently, the most responsibility. You must manage the operating system, network configuration, application software, and data. AWS manages the physical host and the virtualization software.
Platform as a Service (PaaS)
When using services like Amazon RDS (Relational Database Service) or AWS Lambda, your responsibilities decrease. For RDS, AWS manages the operating system, database patching, and hardware maintenance. You are still responsible for your data, database user permissions, and network access controls.
Software as a Service (SaaS)
In a SaaS model, such as Amazon Chime or AWS WorkMail, AWS manages almost everything. Your responsibility is primarily focused on user management and data classification. You do not need to worry about patching or server maintenance because those components are entirely abstracted away.
| Component | IaaS (EC2) | PaaS (RDS) | SaaS (WorkMail) |
|---|---|---|---|
| Physical Hardware | AWS | AWS | AWS |
| Network/Virtualization | AWS | AWS | AWS |
| Operating System | Customer | AWS | AWS |
| Database/App Patching | Customer | AWS | AWS |
| Data/Encryption | Customer | Customer | Customer |
| User Access/IAM | Customer | Customer | Customer |
Deep Dive: Customer Responsibilities
Since you are likely an architect or developer, your primary focus should be on the "Security IN the Cloud" side. This is where most security incidents occur. Let’s explore the critical domains you must manage.
1. Identity and Access Management (IAM)
This is the most critical area of responsibility. AWS provides the tools (IAM users, roles, policies), but you must configure them correctly. If you grant "AdministratorAccess" to a user who only needs read access, you have failed in your responsibility.
- Principle of Least Privilege: Always grant the minimum permissions necessary for a task.
- Multi-Factor Authentication (MFA): Enable MFA for all users, especially those with privileged access.
- Rotation: Regularly rotate access keys and passwords.
2. Network Configuration
When you create a Virtual Private Cloud (VPC), you are responsible for defining the boundaries of your network. You must configure Security Groups (which act as firewalls for instances) and Network Access Control Lists (NACLs).
- Example: If you open port 22 (SSH) to the entire internet (0.0.0.0/0) on a public EC2 instance, you have created a massive security risk. AWS provides the "door" (the Security Group), but you chose to leave it unlocked.
3. Data Protection
AWS provides encryption tools like AWS KMS (Key Management Service) and S3 bucket encryption. However, AWS will not automatically encrypt your data for you unless you configure it. You must ensure that data at rest is encrypted and that data in transit uses secure protocols like TLS.
Practical Examples and Code Snippets
Example 1: Securing an S3 Bucket
A common mistake is creating an S3 bucket that is publicly accessible. Even if the data is sensitive, if the bucket policy is public, anyone can access it.
The Wrong Way (Insecure Policy):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-company-data/*"
}
]
}
Explanation: This policy allows any user in the world to download any object from your bucket. This is entirely the customer’s responsibility to configure correctly.
The Right Way (Secure Policy):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/AuthorizedUser"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-company-data/*"
}
]
}
Explanation: By restricting the Principal to a specific IAM user or role, you ensure that only authorized entities can access your data.
Example 2: Patching EC2 Instances
In an IaaS model, AWS manages the hardware, but you manage the OS. If a critical vulnerability is found in the Linux kernel, you must update your instances.
Step-by-Step Patching Workflow:
- Monitor: Use AWS Systems Manager (SSM) Patch Manager to scan your instances for missing updates.
- Test: Create a staging environment and apply the patches to ensure they do not break your application.
- Automate: Use an SSM Maintenance Window to automatically apply patches during off-peak hours.
- Verify: After the window, check the compliance report in the AWS Console to ensure all instances were updated successfully.
Note: Even if you use AWS Systems Manager to automate the process, the responsibility for initiating and verifying the patching remains yours. AWS provides the automation tools, but you must configure them.
Common Pitfalls and How to Avoid Them
Pitfall 1: Over-Reliance on Default Settings
Many users assume that "default" means "secure." For example, default VPCs are helpful for getting started, but they are not designed for complex production workloads. Always review the default configurations and harden them according to your organization’s security policy.
Pitfall 2: Neglecting the "Shared" Aspect of Identity
Many organizations treat the root user as a shared account for their entire team. This is a severe security violation. The root account should be protected with a strong password and hardware MFA, and it should almost never be used for daily tasks. Instead, create individual IAM users or roles for each team member.
Pitfall 3: Ignoring Cloud Logs
AWS provides robust logging through CloudTrail (for API activity) and VPC Flow Logs (for network traffic). A common mistake is enabling these logs but never reviewing them. Security is an active process; if you aren't monitoring your logs, you won't know if your environment has been compromised.
Warning: The "Public" Setting Never set an S3 bucket or an RDS instance to "Public" unless you have a legitimate, documented business requirement for it to be accessible from the open internet. In 99% of cases, these resources should only be accessible within your VPC or through a VPN/Direct Connect.
Best Practices for Maintaining Compliance
Compliance is the result of consistently meeting the requirements of the Shared Responsibility Model. Here are the industry-standard best practices:
- Automate Everything: Use Infrastructure as Code (IaC) tools like Terraform or AWS CloudFormation. This ensures that your security configurations (like encrypted volumes and locked-down security groups) are consistent across every environment.
- Use AWS Config: This service monitors your resources for compliance. If a user tries to create an unencrypted S3 bucket, AWS Config can trigger an automated Lambda function to delete it or encrypt it immediately.
- Perform Regular Audits: Use services like AWS Security Hub to get a centralized view of your security posture. Compare your current setup against industry benchmarks like the CIS AWS Foundations Benchmark.
- Data Classification: Know what data you are storing. PII (Personally Identifiable Information) requires much stricter controls than public marketing assets. Encrypting everything by default is a great way to simplify this.
Comparison: AWS vs. Customer Responsibilities in Networking
| Network Element | AWS Responsibility | Customer Responsibility |
|---|---|---|
| Physical Networking | Cables, Switches, Routers | None |
| VPC Creation | Provided via API | Design, Subnetting, Routing |
| Security Groups | Infrastructure support | Define Inbound/Outbound rules |
| VPN/Direct Connect | Managed Gateways | Configuration of tunnels/on-prem |
| DNS Resolution | Route 53 Infrastructure | Configuring records/zones |
FAQ: Common Questions about Shared Responsibility
Q: If AWS is responsible for the physical security of the data center, does that mean I don't need to worry about audits? A: Not at all. AWS provides "Compliance Reports" (like SOC 1, SOC 2, and ISO 27001) that prove they are doing their job. You can use these reports as evidence during your own audits to prove that the underlying infrastructure is secure. However, you are still responsible for proving that your application and data handling processes are compliant.
Q: Does the Shared Responsibility Model change if I use a Managed Service like Amazon ECS? A: Yes. With Amazon ECS (Elastic Container Service) on Fargate, you don't manage the EC2 instances. AWS handles the container runtime and the underlying OS. However, you are still responsible for the security of the container image itself, the application code inside the container, and the IAM roles assigned to the task.
Q: Why does AWS keep pushing "Zero Trust"? A: Zero Trust is a security model that assumes no entity (inside or outside the network) is trusted by default. In the context of Shared Responsibility, it means you should not trust that your internal network is safe. You must apply security controls at every layer—identity, device, and application—regardless of where the resource is hosted.
Detailed Implementation: A Security-First Workflow
To truly embody the Shared Responsibility Model, your team should adopt a "Security-First" workflow. This means security is not a final check-off before deployment, but a core part of the development lifecycle.
Step 1: Design Phase
During the design phase, identify the security requirements. Ask:
- Does this application handle sensitive data? If yes, it must use KMS for encryption.
- Which services need to talk to each other? Only open the specific ports required for those services in the Security Groups.
- Who needs access to the resources? Create specific IAM roles, not shared users.
Step 2: Implementation Phase (IaC)
Use Terraform or CloudFormation to codify your security. Instead of clicking through the console, define your infrastructure in files. This creates a "Source of Truth" that can be audited.
# Example Terraform: Ensuring an S3 bucket is private and encrypted
resource "aws_s3_bucket" "secure_bucket" {
bucket = "my-secure-data-bucket"
}
resource "aws_s3_bucket_public_access_block" "block_public" {
bucket = aws_s3_bucket.secure_bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
bucket = aws_s3_bucket.secure_bucket.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
Explanation: By using code like this, you ensure that every bucket created by your team is secure by default. You are fulfilling your responsibility as a customer by proactively configuring these settings.
Step 3: Deployment and Monitoring
Use CI/CD pipelines to deploy your infrastructure. Integrate security scanning tools (like tfsec or checkov) into your pipeline to catch misconfigurations before they are deployed to your AWS account. Once deployed, turn on CloudTrail and GuardDuty. If an unauthorized attempt is made to access your resources, you will be notified immediately.
Advanced Considerations: The Evolution of Responsibility
As AWS introduces more "serverless" and "managed" services, the line of responsibility is moving further toward AWS. For instance, with AWS Lambda, you no longer manage the OS, the runtime environment, or the server patching. This allows you to focus almost entirely on your code and your business logic.
However, this does not mean the customer responsibility disappears; it just changes focus. In a serverless world, the risk shifts to Application Logic and Identity. If your Lambda function has an overly permissive IAM role, an attacker could potentially use that function to steal data from other parts of your infrastructure. The model remains constant: AWS secures the platform, you secure your logic and access.
Callout: The "Human" Element No matter how secure the AWS platform is, the human element remains the weakest link. Phishing, social engineering, and accidental misconfigurations are still the primary causes of data breaches. The Shared Responsibility Model includes a hidden third pillar: the human responsibility. Training your developers, following least-privilege principles, and fostering a culture of security is just as important as configuring the correct firewall rules.
Key Takeaways
- Understand the Boundary: AWS is responsible for the "Security OF the Cloud" (hardware, physical facilities, global infrastructure), while you are responsible for the "Security IN the Cloud" (data, identity, network configuration, and OS patching).
- Service Type Matters: Your responsibilities shift depending on the service. IaaS (EC2) requires you to manage the most, while SaaS (WorkMail) requires you to manage the least.
- Identity is Paramount: IAM is your first line of defense. Never share root credentials, always use MFA, and strictly adhere to the principle of least privilege.
- Security is Code: Use Infrastructure as Code to enforce security settings consistently. This prevents "configuration drift" and makes it easier to audit your environment.
- Data Protection is Yours: AWS provides the encryption tools (KMS, S3 encryption), but it is your responsibility to ensure they are actually enabled and that keys are managed securely.
- Monitoring is Not Optional: Enable logging (CloudTrail, VPC Flow Logs) and actively monitor them. Security is a continuous process of observation and response.
- Automation is the Best Practice: Use AWS services like Config, GuardDuty, and Systems Manager to automate your compliance and patching. Manual processes are prone to error and scale poorly.
By embracing these principles, you move from a reactive posture—where you are constantly fixing security holes—to a proactive one, where your cloud environment is secure by design. The Shared Responsibility Model is not a burden; it is a powerful tool that allows you to offload the heavy lifting of physical infrastructure to AWS, freeing you to build secure, high-performance applications for your users. Remember, AWS gives you the tools, but you are the architect of your own security.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons