Chapter 6 of 20
Foundations of AWS Security: The AWS Shared Responsibility Model
Before touching IAM policies or encryption keys, clarify who secures what in the cloud so you never confuse AWS’s duties with the customer’s obligations.
Why the Shared Responsibility Model Comes First
Why This Comes First
Before IAM policies or keys, you must know who secures what in AWS. That is the purpose of the AWS shared responsibility model.
Canonical Definition
AWS shared responsibility model: "Security and compliance are shared responsibilities between AWS and the customer." Memorize this exact wording.
From On-Prem to AWS
On-premises, your org owns everything: building, servers, OS, apps, data. In AWS, you build on top of AWS infrastructure instead of owning it.
A Partnership
Security becomes a partnership: AWS handles security of the cloud; you handle security in the cloud. Both sides must do their part.
Apartment Analogy
AWS is like the apartment building owner; you are the tenant. AWS secures the building; you still lock your door and protect your belongings.
Security OF the Cloud vs Security IN the Cloud
Two Phrases to Memorize
You must distinguish security of the cloud (AWS) from security in the cloud (customer). Many exam questions hinge on this split.
Security OF the Cloud
AWS secures data centers, hardware, global network, hypervisors, and the core infrastructure powering services like S3, RDS, and Lambda.
What You Cannot Control
You cannot manage building access, server racks, or hypervisors. AWS owns and audits these layers; you consume them as a service.
Security IN the Cloud
You secure how you use AWS: IAM, data classification, encryption, VPC and security groups, OS patching on EC2, and app-level security.
Common Exam Trap
If the issue is misconfigured S3, IAM, or security groups, that is a customer responsibility. AWS provided secure tools; the customer misused them.
Where the Line Moves: Service Models (IaaS, PaaS, SaaS-like)
The Line Can Move
The shared responsibility boundary shifts with the service type. The more AWS manages, the less you manage—but you always own your data.
IaaS Example: EC2
With EC2, AWS manages hardware and hypervisor. You manage the OS, installed software, security groups, and the data and apps you run.
Exam Focus: EC2
If a question mentions OS patching, anti-malware, or web server config on EC2, that is squarely a customer responsibility.
PaaS-like Example: RDS
RDS: AWS handles DB software and patching. You handle schemas, DB users, query security, network access, and how data is used.
SaaS-like Example: S3
S3: AWS runs all underlying systems. You configure bucket policies, IAM, encryption, lifecycle, and who can read or write your objects.
Real-World Scenarios: Who Is Responsible?
Scenario Practice
For each scenario, decide: AWS or customer? This mirrors how exam questions test the shared responsibility model.
Scenario 1: Failed Disk
AWS replaces a failed disk and ensures wiped data cannot be recovered. That is AWS: hardware lifecycle and media sanitization.
Scenario 2: Public S3 Bucket
A dev makes an S3 bucket public and leaks data. That is the customer: misconfigured security in the cloud.
Scenarios 3 & 4: Data Center Flood and Unpatched Apache
Making a data center resilient to flooding is AWS's job, but spreading your workload across multiple AZs is your design decision. An unpatched Apache server on EC2 is purely a customer issue.
Scenario 5: Dangerous IAM Role
An overly powerful IAM role deletes production data. Designing and approving IAM permissions is a customer responsibility.
Customer Responsibilities: Identity, Data, and Configuration
Three Customer Buckets
Think of customer security duties as three buckets: identity, data, and configuration. These appear often on the exam.
Identity and Access
You create IAM users, groups, roles, and policies; enforce least privilege; enable MFA; and integrate SSO or federation if needed.
Data Protection
You decide what data goes where, classify its sensitivity, choose encryption options, and manage backups and retention policies.
Secure Configuration
You design VPCs, subnets, and security groups; configure logging and monitoring; harden EC2; and enable service-level security features.
Exam Hint
If the question is about IAM, S3 policies, security groups, or OS patching, the responsible party is almost always the customer.
AWS Responsibilities: Global Infrastructure and Managed Services
Global Infrastructure Basics
AWS owns the global infrastructure: Regions and Availability Zones, with all their power, cooling, and connectivity.
Canonical Region Definition
AWS Region: "An AWS Region is a physical location in the world where we cluster data centers."
Canonical AZ Definition
Availability Zone: "An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region."
What AWS Manages
AWS secures buildings, hardware, hypervisors, and the control planes and base software for managed services like S3, RDS, and Lambda.
Compliance Evidence
AWS is independently audited. AWS proves its side of the model; you must prove correct configuration and data handling on your side.
Drag-the-Responsibility Thought Exercise (Mentally)
Mentally perform a “drag and drop” exercise. For each item, assign it to AWS or Customer in your head (or jot it down). Then check the answers.
Items:
1. Guarding data center entrances.
2. Enabling MFA for the AWS root user.
3. Encrypting data at rest in an S3 bucket.
4. Applying OS security patches on an EC2 instance.
5. Ensuring the hypervisor is secure.
6. Configuring VPC subnets and security groups.
7. Designing a cross-AZ architecture for high availability.
8. Maintaining power and cooling in AWS data centers.
9. Setting IAM policies that follow least privilege.
10. Managing the physical destruction of retired storage media.
Check yourself:
- AWS: 1, 5, 8, 10
- Data center guards, hypervisor security, power/cooling, and secure media destruction are all security of the cloud.
- Customer: 2, 3, 4, 6, 7, 9
- MFA on root, S3 encryption choices, EC2 OS patching, VPC and security groups, cross-AZ design, and IAM policies are all security in the cloud.
If you misplaced any items, reread the explanations from earlier steps and try to explain to yourself why each belongs to AWS or the customer. Being able to justify the boundary is exactly what the exam expects.
Basic AWS Security Best Practices (Cloud Practitioner Level)
From Model to Practice
The model explains who does what. Best practices explain how you, as the customer, should secure your side of the cloud.
Account Security
Protect the root user with MFA, avoid daily root use, create individual IAM users or SSO identities, and use IAM roles instead of access keys.
Least Privilege
Grant only needed permissions; separate prod and test accounts; use security groups to tightly control traffic to EC2 instances.
Data Protection
Enable encryption at rest and in transit, back up critical data, and regularly test that you can restore from backups.
Visibility
Use CloudTrail, CloudWatch, AWS Config, and GuardDuty to gain visibility and detect misconfigurations or suspicious activity.
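CloudTrail is the service that makes the customer's side of the model auditable: every API call and console sign-in lands in a log file you can inspect. As an added example (not from this course), the Python below reads a CloudTrail log file in the {"Records": [...]} shape CloudTrail delivers to S3 and applies two detections that follow directly from the Account Security advice above: any activity performed as the root user, and a successful console login without MFA. The account ID, user name, IP addresses, timestamps and events are constructed.

```python
import json

# Constructed CloudTrail log file. Account ID, names, IPs and timestamps are placeholders.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T08:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"bucketName": "example-profile-pictures"}},
    {"eventTime": "2024-03-01T09:12:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T09:15:55Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-app-role/i-0123456789abcdef0"}},
]})


def identity_label(record):
    """Human-readable label for the caller: root, an IAM user name, or the caller ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "<unknown>")


def review_trail(trail_json):
    """Apply two detections to a CloudTrail file; return (rule, eventName, who) tuples."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        who = identity_label(rec)
        ident_type = rec.get("userIdentity", {}).get("type")
        # Rule 1: any API call or sign-in made as the root user. The chapter's advice is
        # to avoid daily root use, so root activity outside account setup deserves review.
        if ident_type == "Root":
            findings.append(("ROOT_ACTIVITY", rec["eventName"], who))
        # Rule 2: a successful console sign-in where MFA was not used.
        if (rec["eventName"] == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", rec["eventName"], who))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count}."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_trail(SAMPLE_TRAIL_FILE)
    for rule, event, who in results:
        print(f"{rule}: {event} by {who}")
    print(count_by_rule(results))
```

In the sample, the root sign-in trips both rules and the root PutBucketPolicy call trips the first, while the MFA-backed IAM user login and the role-based EC2 call are clean. Running this kind of check on a schedule is the customer doing its part; AWS's part is delivering the complete, tamper-evident log in the first place.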
Key Term Review: Shared Responsibility and Infrastructure
Flip these cards mentally (or cover the back with your hand) and test your recall before checking the answer.
- AWS shared responsibility model
- Security and compliance are shared responsibilities between AWS and the customer.
- AWS Region
- An AWS Region is a physical location in the world where we cluster data centers.
- Availability Zone
- An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
- Security OF the cloud (who and what?)
- AWS is responsible for security of the cloud: physical data centers, hardware, global network, hypervisors, and managed service foundations.
- Security IN the cloud (who and what?)
- The customer is responsible for security in the cloud: IAM, data classification and encryption, OS and application security, and service configuration.
- Example of a customer responsibility on EC2
- Patching the guest operating system and securing installed applications like web servers or databases.
- Example of an AWS responsibility for S3
- Maintaining the underlying storage infrastructure and ensuring durability and availability of the S3 service itself.
- Least privilege
- A security principle where users and workloads receive only the minimum permissions they need to perform their tasks, and no more.
Quiz 1: Who Is Responsible?
Answer this Cloud Practitioner-style question to check your understanding of the shared responsibility model.
A company hosts a web application on Amazon EC2 instances. Which task is the company (customer) responsible for under the AWS shared responsibility model?
- A) Maintaining physical security for the data centers where the EC2 instances run
- B) Patching the operating system running on the EC2 instances
- C) Ensuring redundant network connectivity between AWS Regions
- D) Securing the underlying hypervisor that runs the EC2 instances
Answer: B) Patching the operating system running on the EC2 instances
For EC2, AWS secures the physical data centers, hardware, and hypervisor (security of the cloud). The customer is responsible for security in the cloud, including patching and hardening the guest operating system on the EC2 instances. Therefore, patching the OS is the correct customer responsibility.
Quiz 2: Security OF vs IN the Cloud
Another quick check. Focus on the wording: “of” vs “in” the cloud.
Which of the following is an example of AWS being responsible for security OF the cloud?
- A) Configuring Amazon S3 bucket policies to block public access
- B) Enabling multi-factor authentication (MFA) for the AWS account root user
- C) Managing the physical destruction of decommissioned storage devices
- D) Creating IAM policies that follow the principle of least privilege
Answer: C) Managing the physical destruction of decommissioned storage devices
Managing the physical destruction of decommissioned storage devices is part of securing the underlying infrastructure (security of the cloud), which is AWS’s responsibility. The other options are customer responsibilities related to security in the cloud.
Apply It: Mini Design Exercise for a Simple App
Imagine you are helping a small startup move a simple web app to AWS. The app stores user profiles (names, emails, hashed passwords) and serves them via a web interface.
They choose this design:
- Amazon EC2 for the web server.
- Amazon RDS for the database.
- Amazon S3 for storing profile pictures.
For each decision below, identify what you (the customer) must do and what AWS does.
- Storing profile pictures in S3
- AWS: Runs the S3 service, maintains the storage infrastructure.
- You: Decide bucket names, configure bucket policies, choose encryption, and control who can upload/download.
- Protecting the RDS database
- AWS: Installs and patches the database engine, manages the underlying OS and storage.
- You: Design schemas and DB users, configure network access (VPC, security groups), choose encryption, and secure queries.
- Hardening the EC2 web server
- AWS: Provides the virtualized hardware and hypervisor.
- You: Patch the OS and web server, configure firewalls/security groups, secure application code.
- Account-level security
- AWS: Provides IAM, MFA, CloudTrail, and Organizations features.
- You: Create IAM users/roles, enable MFA, define policies, and review CloudTrail logs.
If you can clearly state the split for each of these, you are thinking like the exam expects. Any time you design an AWS solution in later modules, mentally run this same checklist.
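For the EC2 and RDS rows of this exercise, the customer's share includes the security group rules that decide who can reach the web server and the database. As an added example (not from this course), the Python below reviews security group descriptions in the shape returned by the EC2 DescribeSecurityGroups API and flags ingress rules open to the whole internet on anything other than the ports the startup intends to expose publicly. The group IDs, group names and rules are constructed for the web tier and database tier of this design; the check generalises to any number of groups.

```python
# Constructed security group descriptions (shape of EC2 DescribeSecurityGroups output).
# Group IDs and names are placeholders for the startup's web tier and database tier.
WEB_SG_ID = "sg-0web000000000001"
DB_SG_ID = "sg-0db0000000000002"

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": WEB_SG_ID, "GroupName": "web-tier", "IpPermissions": [
        # HTTPS from anywhere: intended for a public web server
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        # SSH from anywhere: an admin port left open to the internet
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": DB_SG_ID, "GroupName": "db-tier", "IpPermissions": [
        # MySQL only from the web tier's security group: the right shape for RDS access
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG_ID}]},
        # "-1" means all protocols and ports; here it is open to the whole internet
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]

# Ports the startup intends to expose to the internet (web tier only).
PUBLIC_OK_PORTS = {80, 443}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _world_open(rule):
    """True when the rule's source includes every IPv4 or every IPv6 address."""
    v4 = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD_CIDRS)


def _port_label(rule):
    """Short label such as 'tcp/22', 'tcp/8000-8080' or 'all traffic'."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return "all traffic"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def review_security_groups(groups):
    """Return (GroupName, port label, reason) for every ingress rule that is open to
    the world on something other than the intended public ports."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _world_open(rule):
                continue  # sources limited to specific CIDRs or other security groups
            proto = rule.get("IpProtocol")
            if proto == "-1":
                findings.append((sg["GroupName"], _port_label(rule),
                                 "all protocols and ports open to the internet"))
                continue
            if proto not in ("tcp", "udp"):
                findings.append((sg["GroupName"], _port_label(rule),
                                 f"{proto} open to the internet"))
                continue
            ports = set(range(rule["FromPort"], rule["ToPort"] + 1))
            if not ports <= PUBLIC_OK_PORTS:
                findings.append((sg["GroupName"], _port_label(rule),
                                 "internet-exposed port outside the intended public set"))
    return findings


if __name__ == "__main__":
    for group, port, reason in review_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{group}: {port}: {reason}")
```

In the sample, HTTPS on the web tier and MySQL from the web tier's group both pass, while world-open SSH on the web server and the all-traffic rule on the database group are flagged. The snippet takes the API output as plain Python data so it runs offline; fetching it from a real account would be done with the AWS SDK.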
Key Terms
- AWS Region
- An AWS Region is a physical location in the world where we cluster data centers.
- AWS CloudTrail
- An AWS service that records API calls and account activity to help with security analysis, resource tracking, and compliance auditing.
- Least privilege
- A security principle where users and workloads receive only the minimum permissions they need to perform their tasks, and no more.
- Availability Zone
- An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
- Encryption at rest
- Protecting stored data by encrypting it on disk so that it cannot be read without the appropriate keys.
- Encryption in transit
- Protecting data as it moves across networks, typically using protocols like TLS/HTTPS.
- Security in the cloud
- Customer responsibilities for securing how AWS services are used, including IAM, data protection, OS and application security, and configuration of services.
- Security of the cloud
- AWS’s responsibilities for securing the underlying infrastructure, including physical facilities, hardware, global network, hypervisors, and managed service foundations.
- AWS shared responsibility model
- Security and compliance are shared responsibilities between AWS and the customer.
- Identity and Access Management (IAM)
- The AWS service that lets you securely control access to AWS resources via users, groups, roles, and policies.