Chapter 3 of 10
AWS Shared Responsibility, Security, and Compliance Foundations
Enter the security zone of AWS and uncover who is responsible for what, how AWS keeps infrastructure secure, and what you must know about compliance to ace the high‑weight security domain.
Big Picture: Why Security & Shared Responsibility Matter
Security on the CLF-C02
Security and compliance are high‑weight topics on the CLF‑C02 exam. You must know who does what, how AWS secures its cloud, and what you must secure yourself.
From Infrastructure to Security
Regions, Availability Zones, and edge locations are not just about performance. They are also the foundation for how AWS delivers secure, resilient services globally.
Core Idea: Shared Responsibility
AWS handles security of the cloud (data centers, hardware, global network). You handle security in the cloud (your data, configurations, and access).
Your Learning Goals
You will explain the shared responsibility model, apply concepts like least privilege and logging, and recognize key AWS security and compliance resources used in real workloads.
Step 1: The AWS Shared Responsibility Model
Two Buckets of Responsibility
AWS uses a shared responsibility model: AWS handles security of the cloud, while customers handle security in the cloud. Every exam scenario maps back to this split.
Security OF the Cloud (AWS)
AWS secures data centers, hardware, networking, power, cooling, and the core platform that runs services. Physical access and infrastructure uptime are AWS jobs.
Security IN the Cloud (You)
You configure services securely: IAM users and roles, S3 bucket permissions, security groups, encryption settings, backups, and application‑level security.
Service‑Dependent Split
With EC2 you manage OS patches and host firewalls. With S3 or Lambda, AWS manages more, but you still control access, data, and configuration.
Step 2: Comparing EC2 vs S3 Responsibilities
EC2 Responsibilities
With EC2, AWS handles the data center, hardware, and hypervisor. You handle the OS, patches, security groups, keys, and data encryption on your instances and volumes.
Visual: EC2 Stack
Picture a stack: bottom layers (facilities, hardware, hypervisor) are AWS‑blue. Top layers (OS, apps, data, IAM) are customer‑green. The green layers are your job.
S3 Responsibilities
With S3, AWS runs the storage infrastructure and durability. You configure bucket policies, Block Public Access, encryption options, and who can read or write objects.
Visual: S3 Stack
In S3, more layers are AWS‑blue (no OS to manage), but access control and data governance stay customer‑green. You always own how data is shared and protected.
Step 3: Classify Responsibilities (Thought Exercise)
Classify each item as AWS or Customer responsibility. Think first, then check the answers below.
- Replacing a failed hard drive in an AWS data center.
- Enabling MFA (multi‑factor authentication) for the AWS account root user.
- Enforcing S3 Block Public Access on all buckets.
- Maintaining physical security guards at AWS facilities.
- Configuring AWS WAF rules to block SQL injection.
- Ensuring the hypervisor is patched against new CPU vulnerabilities.
Scroll down for suggested answers.
Suggested answers
- AWS – Physical hardware maintenance is AWS responsibility.
- Customer – The account owner must enable MFA.
- Customer – S3 configuration is customer responsibility.
- AWS – Physical security of facilities is AWS responsibility.
- Customer – You design and manage WAF rules for your app.
- AWS – The virtualization layer is AWS responsibility.
Reflection: Notice how all configuration choices (MFA, S3, WAF) land on the customer side, while infrastructure and facilities tasks land on AWS.
Step 4: Core Security Concepts – IAM, Least Privilege, and Network Controls
IAM: Who Can Do What
IAM manages identities and permissions: users, groups, roles, and JSON policies. It controls who can call AWS APIs and what actions they can perform.
Least Privilege
Least privilege means granting only the exact permissions needed. Avoid broad policies like AdministratorAccess when a narrower policy will work.
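To make least privilege concrete, here is an added example (not from this course): a constructed over-broad policy next to a scoped rewrite, and a small linter that flags the grants a reviewer would reject. The bucket name `example-reports-bucket` and the job it serves are assumptions for illustration.

```python
import json

# Constructed sample policies (added example, not from the page): an over-broad
# grant and a least-privilege rewrite for a job that only reads one S3 prefix.
# The bucket name "example-reports-bucket" is a placeholder.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports-bucket/reports/*",
        },
        {
            # ListBucket is a bucket-level action, so it is scoped with a
            # prefix condition instead of an object ARN.
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-reports-bucket",
            "Condition": {"StringLike": {"s3:prefix": ["reports/*"]}},
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy):
    """Return findings for Allow statements that are wider than least privilege.

    Flags: Action '*' or 'service:*', Resource '*', and NotAction (which grants
    everything except the listed actions). Deny statements are never flagged.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {index}: NotAction allows every action not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"statement {index}: Action '*' allows every API in every service")
            elif action.endswith(":*"):
                findings.append(f"statement {index}: Action '{action}' allows every API of that service")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {index}: Resource '*' applies to every resource in the account")
    return findings


def lint_policy_json(text):
    """Convenience wrapper for a policy document stored as a JSON string."""
    return find_broad_grants(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_broad_grants(policy) or "no broad grants")
```

The linter is deliberately simple (it does not evaluate conditions or resolve which APIs a wildcard expands to), but running it over `BROAD_POLICY` produces two findings while `SCOPED_POLICY` produces none, which is the review conversation least privilege is meant to force.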
Security Groups vs NACLs
Security groups are stateful firewalls attached to instances (strictly, to network interfaces); they contain allow rules only, and return traffic for an allowed connection is permitted automatically. Network ACLs are stateless subnet‑level filters with numbered allow and deny rules evaluated in order, so return traffic must be explicitly allowed. Both shape the traffic permitted inside a VPC.
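The stateful/stateless distinction is easiest to see by running packets through both rule types. The following is an added example (not part of this course): a minimal model of security group and NACL evaluation, checking an inbound HTTPS request and its reply. The addresses are documentation examples and the rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    number: int      # NACL rule number (lowest evaluated first); unused for security groups
    proto: str       # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"; security groups only ever have "allow"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving at the instance) or "out" (leaving it)
    proto: str
    local_port: int  # port on the instance
    peer_ip: str     # the remote host
    peer_port: int   # port on the remote host


def _matches(rule: Rule, pkt: Packet) -> bool:
    # Rules match on the packet's destination port: the local port for
    # inbound traffic, the peer's port for outbound traffic.
    dport = pkt.local_port if pkt.direction == "in" else pkt.peer_port
    return (
        rule.direction == pkt.direction
        and rule.proto in ("-1", pkt.proto)
        and rule.port_from <= dport <= rule.port_to
        and ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.cidr)
    )


def nacl_allows(rules, pkt) -> bool:
    """Stateless: evaluate rules in ascending number order, first match wins,
    and the implicit '*' rule at the end denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action == "allow"
    return False


def sg_allows(rules, pkt, conntrack) -> bool:
    """Stateful: a packet belonging to a connection that was already allowed is
    permitted without consulting the rules; otherwise any matching allow rule
    permits it (there are no deny rules) and the connection is remembered."""
    key = (pkt.proto, pkt.peer_ip, pkt.peer_port, pkt.local_port)
    if key in conntrack:
        return True
    if any(_matches(r, pkt) for r in rules):
        conntrack.add(key)
        return True
    return False


def demo():
    """An HTTPS request from a client and the server's reply, checked against
    a security group and two NACLs (constructed rule sets)."""
    client = "203.0.113.10"
    request = Packet("in", "tcp", 443, client, 51515)
    reply = Packet("out", "tcp", 443, client, 51515)   # back to the client's ephemeral port

    # Security group with only an inbound rule: the reply is still allowed.
    sg_rules = [Rule("in", 0, "tcp", 443, 443, "0.0.0.0/0", "allow")]
    conntrack = set()
    sg = (sg_allows(sg_rules, request, conntrack), sg_allows(sg_rules, reply, conntrack))

    # NACL that mirrors the security group: the reply is dropped because the
    # client's ephemeral port is not allowed outbound.
    nacl_strict = [
        Rule("in", 100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
        Rule("out", 100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    ]
    # Fixed NACL: explicitly allow outbound traffic to ephemeral ports.
    nacl_fixed = nacl_strict + [Rule("out", 110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

    # Rule ordering: a deny only takes effect if its number is lower than the allow.
    bad_client = Packet("in", "tcp", 443, "198.51.100.7", 40000)
    deny_first = nacl_fixed + [Rule("in", 90, "tcp", 443, 443, "198.51.100.0/24", "deny")]
    deny_last = nacl_fixed + [Rule("in", 200, "tcp", 443, 443, "198.51.100.0/24", "deny")]

    return {
        "sg": sg,
        "nacl_strict": (nacl_allows(nacl_strict, request), nacl_allows(nacl_strict, reply)),
        "nacl_fixed": (nacl_allows(nacl_fixed, request), nacl_allows(nacl_fixed, reply)),
        "deny_first_blocks": not nacl_allows(deny_first, bad_client),
        "deny_last_blocks": not nacl_allows(deny_last, bad_client),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two lessons fall out of `demo()`: a NACL needs an outbound allow for the ephemeral port range (1024–65535) or replies to inbound connections are silently dropped, and a NACL deny rule numbered after a broader allow never fires. Real security groups also have a default outbound allow‑all rule; the model omits it to show that the reply is permitted by state, not by a rule.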
Where WAF Fits
AWS WAF protects web apps by filtering HTTP/HTTPS requests for patterns like SQL injection or XSS. It sits in front of apps by attaching to a CloudFront distribution, an Application Load Balancer, or an API Gateway API.
Step 5: Data Protection – Encryption and Key Management
Encryption at Rest
Services like S3, EBS, and RDS support server‑side encryption, and S3 now encrypts every new object by default (SSE‑S3). AWS runs the crypto, but you choose whether to rely on AWS managed keys or on customer managed KMS keys whose usage you control.
Encryption in Transit
Use TLS/HTTPS to protect data while it moves between clients, applications, and AWS services. AWS service API endpoints are served over HTTPS; you can also require TLS for your own data, for example with an S3 bucket policy that denies requests where aws:SecureTransport is false.
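Here is an added example (not from this course) of enforcing encryption in transit on your side of the shared responsibility line: a function that generates the deny‑non‑TLS bucket policy, and a check that tells you whether an existing policy already enforces it, which is the same question the AWS Config managed rule `s3-bucket-ssl-requests-only` answers. The bucket name `example-bucket` is a placeholder.

```python
import json

# Added example (not from the page): build a bucket policy that rejects
# plaintext HTTP requests, and check whether an arbitrary policy already does.
# "example-bucket" is a placeholder name.


def tls_only_policy(bucket):
    """Deny every S3 action on the bucket and its objects unless the request
    arrived over TLS. Both ARNs are needed: the bucket ARN covers bucket-level
    calls such as ListBucket, the /* ARN covers object-level calls."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # Both "*" and {"AWS": "*"} mean any principal.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def enforces_tls(policy, bucket):
    """True if some Deny statement blocks all S3 actions, for every principal,
    on both the bucket ARN and its objects, when aws:SecureTransport is false.
    A Deny that covers only objects still lets ListBucket happen over HTTP."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not set(_as_list(stmt.get("Action"))) & {"*", "s3:*"}:
            continue
        if not {bucket_arn, object_arn} <= set(_as_list(stmt.get("Resource"))):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        # The condition value may be written as the string "false" or as JSON false.
        if str(flag).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    policy = tls_only_policy("example-bucket")
    print(json.dumps(policy, indent=2))
    print("enforces TLS:", enforces_tls(policy, "example-bucket"))
```

The check is intentionally strict: a Deny that names only `arn:aws:s3:::example-bucket/*` is reported as not enforcing TLS, because bucket‑level requests such as listing would still be accepted over plain HTTP.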
AWS KMS Basics
AWS KMS lets you create and manage cryptographic keys. You control who can use each key through IAM policies and the key's own key policy, and every use of a key is recorded in CloudTrail, which is what stricter compliance regimes ask for.
Who Does What
AWS secures the KMS infrastructure. You decide what to encrypt, which keys to use, and which identities can encrypt or decrypt data.
Step 6: Logging, Monitoring, and Detective Controls
Why Logging Matters
Prevention is not enough. You need logs to see who did what, when, and from where. This is essential for audits and incident response.
CloudTrail: API Activity
AWS CloudTrail records AWS API calls and account activity. Use it to answer questions like: who changed this security group and at what time?
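To show what answering that question looks like in practice, here is an added example (not from this course) that runs over a handful of constructed CloudTrail records shaped like real EC2 events. It lists every ingress change to a security group with who made it, when, and from where, and then flags the change a responder cares about most: SSH or RDP opened to the whole internet. The account ID, IP addresses, user names, and security group ID are documentation‑style placeholders.

```python
import json

# Constructed CloudTrail records (added example, not real account activity).
# They follow the documented CloudTrail event shape; the account ID, IPs and
# names are placeholders.
SAMPLE_EVENTS = [
    {
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:34:56Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
    {
        "eventVersion": "1.08", "eventTime": "2024-05-01T13:02:11Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/ci-run-42"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
    {
        "eventVersion": "1.08", "eventTime": "2024-05-01T15:45:03Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "RevokeSecurityGroupIngress",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
    {   # unrelated event, ignored by the filters below
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:30:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": None,
    },
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
INGRESS_EVENTS = {"AuthorizeSecurityGroupIngress": "added", "RevokeSecurityGroupIngress": "removed"}


def load_records(text):
    """Accept a CloudTrail delivery file ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def ingress_changes(events, group_id=None):
    """One record per (rule, CIDR) change: who changed the group, when, from where."""
    changes = []
    for event in events:
        if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") not in INGRESS_EVENTS:
            continue
        params = event.get("requestParameters") or {}
        if group_id and params.get("groupId") != group_id:
            continue
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                changes.append({
                    "time": event["eventTime"],
                    "actor": event["userIdentity"].get("arn", event["userIdentity"].get("type")),
                    "source_ip": event.get("sourceIPAddress"),
                    "group": params.get("groupId"),
                    "change": INGRESS_EVENTS[event["eventName"]],
                    "proto": perm.get("ipProtocol"),
                    "from_port": perm.get("fromPort"),
                    "to_port": perm.get("toPort"),
                    "cidr": rng.get("cidrIp"),
                })
    return changes


def world_open_admin_ports(events):
    """Findings for rules that were added exposing SSH or RDP to 0.0.0.0/0."""
    findings = []
    for change in ingress_changes(events):
        if change["change"] != "added" or change["cidr"] != "0.0.0.0/0":
            continue
        for port, service in ADMIN_PORTS.items():
            all_ports = change["proto"] == "-1"   # protocol -1 means every port
            in_range = change["proto"] == "tcp" and change["from_port"] <= port <= change["to_port"]
            if all_ports or in_range:
                findings.append(dict(change, port=port, service=service))
    return findings


if __name__ == "__main__":
    for change in ingress_changes(SAMPLE_EVENTS, "sg-0123456789abcdef0"):
        print(change["time"], change["actor"], change["change"], change["proto"], change["from_port"], change["cidr"])
    for finding in world_open_admin_ports(SAMPLE_EVENTS):
        print("ALERT:", finding["service"], "open to the internet by", finding["actor"], "from", finding["source_ip"])
```

In production the records come from the gzipped files CloudTrail delivers to S3 (each file is a `{"Records": [...]}` document, which `load_records` accepts), from CloudTrail Lake, or from CloudWatch Logs when the trail is forwarded there; the filtering logic is the same.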
CloudWatch: Metrics and Logs
CloudWatch gathers metrics and logs and can trigger alarms. It helps you detect performance and availability issues in near real time.
AWS Config: Configuration History
AWS Config tracks resource configuration changes and can check them against rules, such as 'no public S3 buckets', for continuous compliance.
Step 7: Governance, Compliance, and AWS Resources
AWS Compliance Programs
AWS maintains certifications and attestations (ISO, SOC, PCI, and more). These prove AWS controls, but you must still design compliant workloads.
AWS Artifact
AWS Artifact is a console portal where you can download AWS compliance reports and agreements on demand, such as SOC reports and ISO certificates.
Well‑Architected Security Pillar
The Security Pillar of the AWS Well‑Architected Framework outlines best practices for identity, detection, infrastructure, data protection, and incident response.
Governance with Organizations
AWS Organizations and Control Tower help you manage multiple accounts and apply guardrails using Service Control Policies and prebuilt controls.
Quick Check 1: Shared Responsibility and Services
Test your understanding of the shared responsibility model and core services.
Which task is MOST clearly a customer responsibility when using Amazon S3?
- A) Ensuring the physical security of the storage devices where objects are stored
- B) Configuring S3 bucket policies and Block Public Access settings
- C) Maintaining the durability of objects across multiple Availability Zones
- D) Patching the underlying storage servers that run the S3 service
Answer: B) Configuring S3 bucket policies and Block Public Access settings
For S3, AWS handles physical security, durability, and server patching. Customers must configure access controls such as bucket policies and S3 Block Public Access, which directly affect data exposure.
Quick Check 2: Logging and Compliance
Apply what you know about logging and compliance resources.
An auditor asks your team to provide AWS’s latest SOC report. Which AWS service should you use to obtain it?
- A) AWS CloudTrail
- B) AWS Artifact
- C) AWS Config
- D) Amazon CloudWatch
Answer: B) AWS Artifact
AWS Artifact is the self‑service portal for AWS compliance reports and agreements, including SOC reports. CloudTrail, Config, and CloudWatch are logging and monitoring services for your own account activity.
Step 8: Flashcard Review – Key Terms and Ideas
Use these flashcards to reinforce the most important terms for the CLF‑C02 exam.
- AWS shared responsibility model
- A framework that defines how AWS and the customer divide security and compliance duties. AWS handles security OF the cloud; the customer handles security IN the cloud.
- Security of the cloud
- AWS’s responsibilities: physical data centers, hardware, networking, facilities, and the foundational services infrastructure, including the hypervisor.
- Security in the cloud
- Customer responsibilities: service configuration, IAM, network settings, data protection, application security, and compliance of workloads.
- Least privilege
- The practice of granting identities only the permissions they need to perform required tasks and no more, reducing potential damage from misuse or compromise.
- AWS Identity and Access Management (IAM)
- Core AWS service for managing users, groups, roles, and permissions via policies that control who can access which AWS resources.
- Security group
- A stateful virtual firewall at the instance or resource level in a VPC that controls inbound and outbound traffic based on rules.
- AWS CloudTrail
- Service that records AWS API calls and account activity, providing an audit trail of who did what, when, and from where.
- AWS Key Management Service (AWS KMS)
- Managed service for creating and controlling the cryptographic keys that protect data at rest; KMS keys typically wrap the data keys that services such as S3 and EBS use (envelope encryption).
- AWS Artifact
- On‑demand portal for AWS compliance reports and agreements, such as SOC reports and ISO certifications.
- AWS Config
- Service that tracks configuration changes to AWS resources and can evaluate them against compliance rules for continuous governance.
Key Terms
- AWS WAF
- AWS Web Application Firewall that protects web applications from common web exploits by filtering HTTP/HTTPS traffic.
- AWS Config
- Service that tracks configuration changes of AWS resources and evaluates them against rules for compliance.
- AWS Artifact
- Self‑service portal for accessing AWS compliance documentation and agreements.
- AWS CloudTrail
- Logging service that records AWS API calls and related events for auditing and troubleshooting.
- Security group
- Stateful virtual firewall that controls inbound and outbound traffic for resources like EC2 instances within a VPC.
- Least privilege
- Security principle of granting only the minimum permissions required for a user, role, or service to perform its tasks.
- AWS Organizations
- Service for centrally managing and governing multiple AWS accounts, including policies and consolidated billing.
- Amazon CloudWatch
- Monitoring service for AWS resources and applications, providing metrics, logs, and alarms.
- Network ACL (NACL)
- Stateless, subnet‑level network filter in a VPC that allows or denies traffic based on rules.
- Security in the cloud
- Customer responsibilities such as configuring services securely, managing identities and access, protecting data, and meeting regulatory requirements.
- Security of the cloud
- AWS responsibilities such as physical security of data centers, hardware, networking, and foundational service infrastructure.
- AWS shared responsibility model
- AWS framework that divides security and compliance tasks between AWS and the customer: AWS secures the cloud infrastructure, customers secure their workloads in the cloud.
- AWS Key Management Service (AWS KMS)
- Managed service that enables you to create, manage, and use cryptographic keys for encrypting data.
- AWS Identity and Access Management (IAM)
- AWS service used to create and manage users, groups, roles, and policies that control access to AWS resources.
- AWS Well‑Architected Framework – Security Pillar
- A set of AWS best practices focused on designing and operating secure workloads in the cloud.