1. Overview
The AWS Shared Responsibility Model defines who is responsible for what in the cloud. Security and compliance are shared between AWS and the customer.
The Golden Rule
AWS is responsible for security OF the cloud (infrastructure). The customer is responsible for security IN the cloud (data, configuration, access management).
2. AWS Responsibility — Security OF the Cloud
AWS manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities.
- Physical data centers — building security, environmental controls
- Hardware and global infrastructure — servers, networking equipment
- Regions, Availability Zones (AZs), and Edge Locations
- Managed services infrastructure (e.g., the underlying platform of RDS, DynamoDB, Lambda)
- Hypervisor and host OS for managed services
- Network infrastructure — routers, switches, load balancers
3. Customer Responsibility — Security IN the Cloud
The customer is responsible for managing their data, classifying their assets, and using IAM tools to apply the appropriate permissions.
- Customer data — encryption, backup, classification
- Identity and Access Management (IAM) — users, groups, roles, policies
- Operating system on EC2 instances — patching, updates
- Network and firewall configuration — Security Groups, NACLs
- Application-level security
- Client-side and server-side encryption
4. Shared Controls
Some controls are shared between AWS and the customer:
- Patch Management: AWS patches the infrastructure. Customer patches guest OS and applications.
- Configuration Management: AWS configures its infrastructure. Customers configure their own OS, databases, and applications.
- Awareness & Training: AWS trains its employees. Customers train their employees.
5. Responsibility by Service Type
Exam Tip
The Shared Responsibility Model is one of the MOST tested topics. Remember: If you can configure it or see it in the console, it’s likely YOUR responsibility. If it’s invisible infrastructure (hardware, global network, data center), it’s AWS’s responsibility. Data is ALWAYS the customer’s responsibility.
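A small audit that applies only the customer-side checks from sections 3 and 4 to an inventory, added here as an illustration and not code from AWS or the exam material. Resource fields, the 30-day patch window and the sample records are constructed assumptions: on EC2 the guest OS is the customer's to patch, on RDS it is not (AWS patches the host OS), while encryption of data and Security Group rules are the customer's in both cases.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ports that should never be reachable from anywhere (illustrative choice).
ADMIN_PORTS = {22, 3389, 3306, 5432}
PATCH_WINDOW_DAYS = 30  # assumed policy threshold, not an AWS value


@dataclass
class Resource:
    """Constructed inventory record; field names are illustrative, not AWS API output."""
    name: str
    kind: str                        # "ec2" (customer-managed guest OS) or "rds" (AWS-managed host OS)
    encrypted: bool                  # data at rest encrypted: always the customer's call
    ingress: list = field(default_factory=list)   # (port, cidr) pairs from the Security Group
    os_patch_age_days: Optional[int] = None       # days since last guest OS patch; EC2 only


def customer_findings(r: Resource) -> list[str]:
    """Return findings that fall on the customer side of the shared model for one resource."""
    findings = []
    # Customer data: encryption is the customer's responsibility for every service type.
    if not r.encrypted:
        findings.append(f"{r.name}: data at rest is not encrypted")
    # Network and firewall configuration: Security Group rules are customer-configured.
    for port, cidr in r.ingress:
        if port in ADMIN_PORTS and cidr in ("0.0.0.0/0", "::/0"):
            findings.append(f"{r.name}: port {port} open to the world via {cidr}")
    # Patch management (shared control): the guest OS is the customer's job on EC2 only;
    # for RDS, AWS patches the host OS, so no OS patch-age check applies here.
    if r.kind == "ec2" and (r.os_patch_age_days is None or r.os_patch_age_days > PATCH_WINDOW_DAYS):
        findings.append(f"{r.name}: guest OS not patched in the last {PATCH_WINDOW_DAYS} days")
    return findings


def audit(inventory: list[Resource]) -> dict[str, list[str]]:
    """Map each resource name to its customer-side findings."""
    return {r.name: customer_findings(r) for r in inventory}


# Constructed sample inventory for the demonstration.
SAMPLE = [
    Resource("web-1", "ec2", encrypted=True,
             ingress=[(443, "0.0.0.0/0"), (22, "0.0.0.0/0")], os_patch_age_days=45),
    Resource("db-1", "rds", encrypted=False, ingress=[(5432, "10.0.0.0/16")]),
]

if __name__ == "__main__":
    for name, items in audit(SAMPLE).items():
        print(name, items or ["no customer-side findings"])
```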
