
Chapter 4 of 26

Shared Responsibility Model and Foundational Security Concepts

Misunderstanding who secures what in AWS is a fast path to wrong answers; dissect the shared responsibility model and see how it shapes every security decision on the exam.

27 min read

Why Shared Responsibility Matters on AWS

The Core Exam Issue

In AWS, almost every security and architecture exam question hides the same issue: who is responsible for securing what? Mixing this up leads to wrong designs and wrong answers.

Canonical Definition

Memorize this: "The AWS shared responsibility model describes how AWS is responsible for security of the cloud, while customers are responsible for security in the cloud, including the configuration of their services and data."

Link to Well-Architected

This model underpins the Security pillar: "The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture."

Mental Shortcut

Think: AWS secures what you cannot touch (data centers, hardware, managed control planes). You secure what you can configure or misconfigure (IAM, networks, policies, data).

Security OF the Cloud: What AWS Owns

Security OF the Cloud

Security of the cloud is everything AWS does so you can run workloads safely without managing data centers or hardware yourself.

Physical and Infrastructure Security

AWS secures data centers (guards, CCTV, access), manages hardware lifecycle, and designs Regions/AZs with redundant power, networking, and cooling.

Host and Virtualization

AWS patches and hardens physical hosts and hypervisors, ensuring isolation between EC2 instances and protection from hypervisor escape attacks.

Managed Service Foundations

AWS operates service control planes, durability mechanisms, and defaults like at-rest encryption in S3 and EBS. You do not patch or run these layers.

Security IN the Cloud: What Customers Own

Security IN the Cloud

Security in the cloud is everything you configure on top of AWS infrastructure: IAM, networks, data protection, logging, and app security.

Your IAM Responsibilities

You create and manage IAM users, roles, and policies, enforce least privilege, protect access keys, and configure MFA and federated access.

Network and Data Protection

You design VPCs, subnets, security groups, and NACLs, and decide what to encrypt, which keys to use, and how to back up and retain data.

Apps and Monitoring

You secure application code, enforce authz/authn, and enable CloudTrail, CloudWatch, and AWS Config with alarms and automated responses.

Layered Examples: EC2 vs S3 vs Lambda Responsibilities

EC2: You Manage the OS

On EC2, AWS handles data centers, hosts, and hypervisors. You patch and harden the OS, install software, set security groups, and configure EBS encryption.

S3: You Manage Access

For S3, AWS manages storage hardware and durability. You control bucket policies, ACLs, public access, encryption settings, and lifecycle rules.

Lambda: You Manage Code and IAM

With Lambda, AWS runs and patches servers and runtimes. You own the function code, IAM role, event source permissions, and any VPC configuration.

Pattern to Remember

The more managed the service, the more AWS owns under the hood. But configuration and data are always your responsibility.

Managed Services and Under-the-Hood Responsibilities

Managed Services Expand AWS’s Role

With managed services, AWS takes on more: patching engines, running servers, managing backups. But your configuration and data responsibilities remain.

RDS Split

AWS patches the DB engine and manages instances and backups. You design schemas, manage DB users, and configure VPC, security groups, and encryption.

Fargate Split

AWS runs servers and container runtime. You build container images, set IAM task roles, configure networking, and manage secrets and configs.

Exam Trap

Managed does not mean "AWS secures your data decisions". You still choose encryption, access controls, and network boundaries.

Compliance, Governance, and the Shared Responsibility Model

Shared Responsibility and Compliance

In regulated environments, the model clarifies who implements which control: AWS handles infrastructure; you handle workloads and data.

AWS’s Compliance Role

AWS is audited (ISO 27001, SOC, PCI scopes) for security of the cloud. It provides compliant-ready services and infrastructure.

Your Compliance Role

You choose what data to store, where, and how to secure it, using encryption, IAM, and logging to meet regulations like GDPR and HIPAA.

Shared Controls

Logging and encryption are shared: AWS offers features, you enable and configure them. Exam questions often test this split.

Thought Exercise: Who Owns This Control?

Work through these scenarios mentally. For each one, decide: AWS, Customer, or Shared responsibility. Then check your reasoning against the guidance.

  1. Encrypting an S3 bucket that stores medical images for a healthcare app
  • Who decides whether to encrypt and which KMS key to use?
  • Who implements the actual encryption mechanism?
  2. Restricting which IP addresses can SSH into an EC2 instance
  • Who controls the security groups and network ACLs?
  • Is AWS involved in deciding allowed IP ranges?
  3. Maintaining physical access logs for an AWS data center in a given Region
  • Who manages doors, cameras, and visitor logs?
  4. Ensuring CloudTrail is enabled across all Regions for an account
  • Who turns on CloudTrail and chooses log destinations and retention?
  • Who operates the CloudTrail service itself?

Compare with model answers:

  • Scenario 1: Customer decides to encrypt and configures S3/KMS. AWS provides the encryption features (shared capability), but compliance responsibility sits with the customer.
  • Scenario 2: Customer. You configure security groups and NACLs. AWS provides the network fabric but does not choose your IP rules.
  • Scenario 3: AWS. Physical access is part of security of the cloud.
  • Scenario 4: Shared. AWS runs the CloudTrail service; you must enable it, configure it, and use the logs for monitoring and audits.

As you continue, keep labeling each new control you see as AWS, Customer, or Shared. This habit pays off heavily in exam questions.

Quick Check: OF the Cloud vs IN the Cloud

Test your understanding of the shared responsibility split.

A company runs a web application on EC2 instances in a public subnet. A security review finds that the instances are missing critical OS patches. According to the AWS shared responsibility model, who is responsible for applying these patches?

  A) AWS, because EC2 is an AWS service
  B) The customer, because OS-level patching is part of security in the cloud
  C) Shared, because both AWS and the customer must patch the OS
  D) The company’s data center team, because EC2 runs on virtual hardware

Answer: B) The customer, because OS-level patching is part of security in the cloud

On EC2, AWS is responsible for security of the cloud (data centers, hardware, hypervisor). OS-level patching and hardening are the customer’s responsibility as part of security in the cloud.

Quiz: Identify the Misconfiguration Owner

Decide who must fix this issue.

An auditor discovers that an S3 bucket containing customer invoices is publicly readable over the internet. Which action best aligns with the AWS shared responsibility model?

  A) Open a support ticket asking AWS to secure the bucket because S3 is fully managed
  B) Move the data to on-premises storage because AWS cannot be trusted
  C) Update the bucket policy and block public access settings to restrict access
  D) Request AWS to rotate the physical disks storing the S3 data

Answer: C) Update the bucket policy and block public access settings to restrict access

S3 access control (bucket policies, ACLs, Block Public Access) is a customer configuration responsibility. The correct fix is to change the bucket policy and block public access, not to ask AWS to change infrastructure.

Key Terms: Shared Responsibility and Security Basics

Use these flashcards to reinforce core definitions and mappings. Try to recall the answer before flipping each card.

Canonical definition: shared responsibility model
The AWS shared responsibility model describes how AWS is responsible for security of the cloud, while customers are responsible for security in the cloud, including the configuration of their services and data.
Security of the cloud – one concrete example
Physical security of AWS data centers, including guards, access controls, and secure destruction of storage media.
Security in the cloud – one concrete example
Configuring IAM roles and policies so that only authorized users and services can access an S3 bucket.
Who patches the OS on an EC2 instance?
The customer. OS-level patching and hardening are part of security in the cloud.
Who manages database engine patching for Amazon RDS?
AWS. RDS is a managed database service where AWS patches and maintains the database engine.
Who controls public vs private access to an S3 bucket?
The customer, via bucket policies, ACLs, and Block Public Access settings.
Shared control example: logging
AWS provides CloudTrail and CloudWatch; the customer must enable them, choose what to log, and store/analyze the logs.
Compliance mapping: physical access to data centers
AWS responsibility. It is part of security of the cloud and is covered by AWS’s own audits and certifications.
Compliance mapping: encrypting customer PII in S3
Customer responsibility. The customer must configure S3 and KMS to meet regulatory requirements for data protection.

Exam-Style Scenario Walkthrough

Work through this scenario as if you were in the exam. Focus on who owns which responsibility and what the best AWS-aligned action is.

Scenario:

A fintech startup processes credit card payments using an application hosted on AWS. They use:

  • API Gateway and Lambda for the public API
  • RDS for transaction records
  • S3 for log storage

A security assessment finds:

  1. CloudTrail is enabled only in one Region, but the company uses multiple Regions.
  2. RDS storage is encrypted with an AWS-managed key, but S3 logs are not encrypted.
  3. The Lambda execution role allows `:` on all S3 buckets in the account.

Questions to think through:

  1. For each issue, is this AWS’s responsibility or the customer’s?
  2. What is the minimal change that aligns with the shared responsibility model and improves security?

Model reasoning:

  • Issue 1: Customer responsibility. AWS provides CloudTrail, but the customer must enable it in all needed Regions and configure central logging.
  • Issue 2: Customer responsibility. AWS offers encryption features; the customer must enable encryption on S3 logs (for example, with SSE-KMS) to meet compliance requirements.
  • Issue 3: Customer responsibility. IAM role permissions are fully under customer control. The role should be restricted to the specific S3 buckets and actions needed.

Notice that none of these findings require AWS to change its infrastructure. They are all configuration issues inside the customer’s account. This is exactly the pattern exam questions test.
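Both the publicly readable invoice bucket from the quiz above and the over-permissive Lambda role in Issue 3 are customer-side policy documents, so they can be caught before deployment by reading the policy JSON. The following added example (not code from the original chapter) is a simplified policy check over constructed sample policies; the bucket names and the "fixed" role policy are assumptions for illustration.

```python
import json

# Constructed sample policies (illustrative, not from the original page).
# The quiz's publicly readable invoice bucket:
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-invoices/*"}],
})
# The scenario's over-permissive Lambda execution role (Issue 3):
LAMBDA_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})
# The same role scoped to the one log bucket and the action it needs:
LAMBDA_ROLE_POLICY_FIXED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-app-logs/*"}],
})

def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means any caller, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def find_findings(policy_json):
    """Return (statement_index, finding) pairs for Allow statements that grant
    access to everyone or use wildcard actions/resources. Deny, NotAction and
    NotResource statements are not evaluated by this simplified check."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((idx, "public-principal"))
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append((idx, "wildcard-action"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "wildcard-resource"))
    return findings
```

Running `find_findings` over each document flags the bucket policy's anonymous principal and the role's wildcard action and resource, while the scoped role policy produces no findings.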

Connecting Shared Responsibility to Well-Architected Decisions

Well-Architected Recap

The AWS Well-Architected Framework provides best practices and questions to evaluate architectures, organized into six pillars.

Pillars List

Pillars: Operational excellence, Security, Reliability, Performance efficiency, Cost optimization, Sustainability.

Shared Responsibility Across Pillars

Shared responsibility is clearest in Security but affects all pillars: you manage configuration and usage; AWS manages infrastructure and services.

Exam Mindset

On every question, ask: is this about AWS’s infrastructure or my configuration and data? The right answer respects that boundary.

Key Terms

Compliance
Meeting legal, regulatory, and organizational requirements (such as GDPR, HIPAA, PCI DSS) through appropriate controls in both AWS infrastructure and customer configurations.
Managed service
An AWS service where AWS operates and maintains much of the underlying infrastructure and software (for example, RDS, S3, Lambda), while the customer focuses on configuration and data.
Security pillar
The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.
Reliability pillar
The reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle.
Security in the cloud
Customer responsibilities for securing everything they configure in AWS, including IAM, network configuration, data protection, application security, and logging.
Security of the cloud
AWS’s responsibilities for protecting the infrastructure that runs all AWS services, including physical facilities, hardware, software, networking, and managed service foundations.
Sustainability pillar
The sustainability pillar focuses on minimizing the environmental impacts of running cloud workloads by maximizing utilization and minimizing the resources required, and by reducing the energy required to deliver business value.
Cost optimization pillar
The cost optimization pillar includes the continual process of refinement and improvement of a system over its entire lifecycle to build and operate cost-aware systems that achieve business outcomes and minimize costs.
Performance efficiency pillar
The performance efficiency pillar focuses on the efficient use of computing resources to meet requirements and maintain that efficiency as demand changes and technologies evolve.
AWS Well-Architected Framework
The AWS Well-Architected Framework provides a consistent set of best practices for customers and partners to evaluate architectures, and a set of questions you can use to evaluate how well an architecture is aligned to AWS best practices.
AWS shared responsibility model
The AWS shared responsibility model describes how AWS is responsible for security of the cloud, while customers are responsible for security in the cloud, including the configuration of their services and data.
IAM (Identity and Access Management)
AWS service for securely controlling access to AWS resources using users, groups, roles, and policies.
