Understanding the AWS Shared Responsibility Model

Categories: AWS, AWS Architecture, AWS Principles 101 | Feb 28, 2024

Introduction

Navigating the cloud can sometimes feel like sailing through uncharted waters, especially regarding security. AWS simplifies this journey with its Shared Responsibility Model, which delineates what AWS manages and what we, the customer, need to handle. Let’s break it down into simpler terms and explore real examples to clarify our responsibilities and ensure our voyage in the cloud is smooth and secure.

The AWS Shared Responsibility Model: An Overview

The AWS Shared Responsibility Model is a policy that outlines who is responsible for what in the world of AWS cloud computing. It divides responsibilities into two main categories: "security of the cloud" (AWS’s responsibility) and "security in the cloud" (the customer's responsibility).

Think of AWS as the owner of a high-security apartment building (the cloud). AWS ensures that the building's structure is solid, the locks on the doors work (infrastructure security), and the common areas are safe (managed services). As tenants, we decide who gets keys to our apartment (access management), how we furnish it (configuration), and how we protect our valuables (data encryption).

AWS Responsibilities: Security of the Cloud

AWS takes care of the infrastructure that runs all of the services offered in the AWS Cloud. This includes tasks such as:

  • Maintaining Data Center Security: AWS protects the buildings, servers, and networking equipment that make up the cloud.
  • Hardware and Software Maintenance: AWS ensures that the physical servers and the virtualization layer running the cloud services are up-to-date and secure.

Customer Responsibilities: Security in the Cloud

As a customer, we're responsible for securing the resources we deploy on AWS. For example, Data and Access Control are always the customer's responsibility:

  • Data Encryption: Whether it's at rest in Amazon S3 or in transit, encrypting our data is our responsibility.
  • Identity and Access Management: We must manage who can access our AWS resources (e.g., using IAM policies to control permissions).
  • Network Configuration and Firewalls: As the customer, it’s our job to configure firewalls (e.g., security groups in EC2) and manage network access to our resources.

Special Cases

The responsibilities will also depend on whether the service is IaaS, PaaS or Serverless.

Infrastructure as a Service (IaaS)

  • Operating System (IaaS): For EC2 instances, we're responsible for managing the guest OS, including patching it. 

Platform as a Service (PaaS) / Managed Services

  • For managed services like Amazon RDS or DynamoDB, AWS handles physical infrastructure as well as the basic software (including the OS and the database) and even patches it regularly.
  • We, customers, manage access permissions to these services. 

Serverless / Function as a Service (FaaS)

  • In serverless architectures like AWS Lambda, AWS manages the underlying infrastructure.
  • We are responsible for the security of the code within the functions. This includes ensuring the code is free from vulnerabilities, managing each function's permissions to other AWS resources, and securing the data the functions process and output.

Shared Controls

Shared controls refer to security measures that are relevant to both the foundational infrastructure managed by AWS and the customer's operational layer, but from distinct viewpoints. Here, AWS is tasked with establishing the baseline requirements of the security infrastructure, and it is up to the customers to provide their own control implementations in alignment with their usage of AWS offerings. Examples of Shared Controls include:

  1. Patch Management: AWS ensures the security of the cloud infrastructure by patching and maintaining the components it controls, such as the physical servers and the hypervisor layer on EC2 instances. Conversely, customers are responsible for patching their guest operating systems and applications. 

  2. Configuration Management: AWS configures and secures its infrastructure devices to protect the cloud environment. On the other side, customers must configure their guest operating systems, databases, and any applications they deploy in AWS. 

  3. Awareness and Training: While AWS is responsible for training its employees on security protocols and best practices to maintain the integrity of the cloud infrastructure, customers must similarly educate their personnel. 

Real-World Examples

Let's see some examples of customer responsibilities:

  • Control access to DynamoDB tables.
  • Configure the AWS-provided security group firewall.
  • Classify company assets in the AWS Cloud.
  • Manage the code within a Lambda function.
  • Perform client-side data encryption.
  • Configure IAM credentials.
  • Configure the operating systems of Amazon EC2 instances.
  • Enable client-side encryption for objects that are stored in Amazon S3.
  • Configure IAM security policies to comply with the principle of least privilege.
  • Patch the guest operating system on an Amazon EC2 instance.
  • Manage encryption options for data that is stored on AWS.
  • Rotate IAM user access keys and secret keys.
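As an added example that is not part of the original post, here is a small offline audit in Python of four of the customer-side items above: security groups open to the world on admin ports, IAM policies that ignore least privilege, S3 buckets with no default encryption, and access keys past a rotation window. It assumes constructed inputs shaped like the corresponding AWS API responses (describe-security-groups, IAM policy documents, get-bucket-encryption, list-access-keys) rather than live API calls, and the 90-day rotation window is an assumed policy value.

```python
"""Offline audit of customer-side controls (constructed sample data only;
the dicts below mimic the shape of AWS API responses, not a real account)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 2, 28, tzinfo=timezone.utc)  # constructed "current" time

SECURITY_GROUPS = [  # shape of ec2 describe-security-groups (constructed)
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # all traffic: no port keys
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
IAM_POLICIES = {  # IAM policy documents (constructed)
    "AdminEverything": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ReadOrders": {"Statement": [{"Effect": "Allow", "Action": ["dynamodb:GetItem"],
                                  "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/orders"]}]},
}
# Per-bucket shape of s3 get-bucket-encryption (constructed); missing key = no default encryption.
S3_BUCKETS = {"audit-logs": {"ServerSideEncryptionConfiguration": {"Rules": [{}]}}, "scratch": {}}
ACCESS_KEYS = [  # shape of iam list-access-keys (constructed placeholder key ids)
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE000000001", "CreateDate": NOW - timedelta(days=120)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002", "CreateDate": NOW - timedelta(days=30)},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]  # IAM allows a string or a list here

def open_admin_ports(groups, ports=(22, 3389)):
    """Customer-managed firewall: groups exposing SSH/RDP to 0.0.0.0/0.
    A rule with IpProtocol "-1" carries no port keys, so it counts as all ports."""
    hits = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            world = any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            if world and any(lo <= p <= hi for p in ports):
                hits.append(sg["GroupId"])
                break
    return hits

def wildcard_policies(policies):
    """Least privilege: Allow statements granting Action '*' on Resource '*'."""
    return sorted(name for name, doc in policies.items() for st in doc["Statement"]
                  if st["Effect"] == "Allow" and "*" in _as_list(st["Action"])
                  and "*" in _as_list(st["Resource"]))

def unencrypted_buckets(buckets):
    """Encryption options for stored data: buckets with no default encryption rule."""
    return sorted(b for b, cfg in buckets.items() if not cfg.get("ServerSideEncryptionConfiguration"))

def stale_access_keys(keys, now=NOW, max_age_days=90):
    """Key rotation: access keys older than the assumed 90-day rotation window."""
    return [k["AccessKeyId"] for k in keys if (now - k["CreateDate"]).days > max_age_days]
```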

Let's see some examples of AWS responsibilities:

  • Physical security of data centers.
  • Applying updates to the hypervisor.
  • Maintaining the configuration of infrastructure devices.
  • Maintaining the underlying hardware of Amazon EC2 instances.
  • Maintaining VPC components.
  • Maintaining the software that powers Availability Zones.
  • Patching the operating system on Amazon RDS instances.

Let's see some examples of shared controls:

  • Patch Management

Conclusion

Navigating the AWS Shared Responsibility Model doesn’t have to be complicated. By understanding and adhering to this division of responsibilities, we can effectively secure our assets in the cloud while leveraging AWS’s robust infrastructure and services. Remember, security in the cloud is a shared journey, and knowing our role is the first step towards a secure and compliant cloud environment.
