Which security-related duty is AWS accountable for under the AWS shared responsibility model

AWS’s Shared Responsibility Model is the principle that AWS and the customer share responsibility for the security and compliance of workloads running on Amazon Web Services. AWS takes on the operational controls for the physical infrastructure and the virtualization layer, so the customer can focus on securing what they build and run on top of it.

AWS is responsible for security OF the cloud.
The customer is responsible for security IN the cloud.


AWS’s Responsibility

AWS is responsible for protecting the AWS infrastructure for all services that run on the AWS Cloud.  This infrastructure comprises the hardware, software, networking, and facilities that run the AWS Cloud.

This covers the infrastructure beneath the foundation services (compute, storage, database, and networking) and the global infrastructure itself: Regions, Availability Zones, and Edge Locations.

Customer’s Responsibility

The customer’s responsibility is determined by the services the customer uses, because the type of service determines how much configuration they must perform to help secure the system.

These include customer data, the guest OS, network and firewall configuration, client-side data, encryption and data integrity, and server-side encryption.  Identity and Access Management (IAM) is an important part as well.

As Kate says in the video “Shared Responsibility Model: Lock Your Door!”, there’s nothing AWS can do to protect you if you leave your door unlocked!

A good question to ask is: “Can I log in and adjust the security settings?” If yes, then it’s your responsibility.  If not, then it’s AWS’s responsibility.  This is a rule of thumb; as the shared controls below show, some responsibilities have an AWS side and a customer side at the same time.

Fully Controlled by AWS

  • Physical and Environmental Controls

Shared Controls

AWS provides the requirements for the infrastructure and the customer provides their own control implementation.

  • Patch Management: AWS patches and fixes flaws within the infrastructure; customers patch their guest OS and applications
  • Configuration Management: AWS configures its infrastructure devices; customers configure their own guest OS, databases, and applications
  • Awareness & Training: AWS trains AWS employees; the customer trains its own employees

Fully Controlled by Customer

  • Service & Communications Protection/Zone Security: Customer routes or zones data within specific security environments

Resources

  • Shared Responsibility Model (AWS)
  • AWS Shared Responsibility Model (AWS Blog)


The AWS shared responsibility model defines what you (as an AWS account holder/user) and AWS are responsible for when it comes to security and compliance.

Security and compliance is a shared responsibility between AWS and the customer. This shared model helps relieve the customer’s operational burden, because AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.

AWS is responsible for “Security of the Cloud”.

  • AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud.
  • This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Customers are responsible for “Security in the Cloud”.

  • For EC2 this includes network level security (NACLs, security groups), operating system patches and updates, IAM user access management, and client and server-side data encryption.
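The security-group firewall is the first item in that list, and it is the control most often left “unlocked”. The following audit, an added example that is not part of the original page, walks a set of security groups in the same shape the EC2 DescribeSecurityGroups API returns and reports any management port reachable from the whole internet. The group IDs, names and rules are constructed sample data, and the list of ports considered “management” is an assumption you would tune for your own environment.

```python
"""Audit EC2 security-group ingress rules for world-reachable management ports.

Added example (not from the page). Input is shaped like the EC2
DescribeSecurityGroups response; the sample groups below are constructed.
"""
from typing import List, Tuple

# Assumption: these TCP ports are "management" ports that should never be
# open to 0.0.0.0/0 or ::/0. Extend the set for your own environment.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample: one group opens SSH (and HTTPS) to the world, one opens
# every protocol to all of IPv6, one correctly restricts SSH to a corporate CIDR.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-ssh-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "allow-all",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "bastion-restricted",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
]


def _world_open(rule: dict) -> bool:
    """True if the rule's source includes the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def _ports_covered(rule: dict) -> List[int]:
    """Management ports that fall inside the rule's port range."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # all protocols and ports; FromPort/ToPort are absent
        return list(MANAGEMENT_PORTS)
    if proto != "tcp":           # the listed services are TCP; ignore udp/icmp rules
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in MANAGEMENT_PORTS if lo <= p <= hi]


def find_world_open_management_ports(groups: list) -> List[Tuple[str, int, str]]:
    """Return (GroupId, port, service) for every management port open to anywhere."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _world_open(rule):
                continue
            for port in _ports_covered(rule):
                findings.append((sg["GroupId"], port, MANAGEMENT_PORTS[port]))
    return sorted(findings)


if __name__ == "__main__":
    for gid, port, svc in find_world_open_management_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{gid}: {svc} (tcp/{port}) is open to the world")
```

To run this against a real account, feed it `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` instead of the constructed list; the field names are the same. The `-1` protocol case matters in practice: a single “allow all” rule is flagged on every management port, not silently skipped because it carries no port range.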

[Diagram: the split of responsibilities between AWS and the customer]

Inherited Controls – Controls which a customer fully inherits from AWS.

  • Physical and Environmental controls.

Shared Controls – Controls which apply to both the infrastructure layer and customer layers, but in separate contexts or perspectives.

For a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services.

Examples  of shared controls include:

  • Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
  • Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
  • Awareness & Training – AWS trains AWS employees, but a customer must train their own employees.

Customer Specific – Controls which are solely the responsibility of the customer, based on the application they are deploying within AWS services.

Examples of customer specific controls include:

  • Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments.


In this blog, we will learn about the AWS Shared Responsibility Model.

Almost all the services and applications we see around us are built on cloud technology, and many organizations use the cloud to host their data, applications and services. With that much demand, many learners are preparing themselves for cloud technologies, but without a proper grounding in cloud security that knowledge is incomplete.

Many services run in the cloud at the same time, and the cloud vendor and the customer each carry part of the responsibility for securing them. We will cover this under the following topics:

What is Shared Responsibility Model?


The Shared Responsibility Model is a cloud security framework that defines the security obligations of the cloud service provider and of its users, so that each side is accountable for its part. In simple words: a cloud vendor provides services and the user consumes them, and both share responsibilities. The vendor is responsible for the service it provides, and the user is responsible for how the service is used and configured.

Levels of Abstraction in Cloud Computing

Security responsibilities cannot be the same in every scenario; each service model demands a different split. The levels of abstraction are the areas to which those responsibilities attach, and they are just another name for the cloud computing service models: IaaS, PaaS, and SaaS.


  • Infrastructure as a Service (IaaS) – Infrastructure as a Service is the lowest of the three standard levels of abstraction. Under IaaS, the cloud vendor lets users consume its data centres, including the servers, storage, network, hardware and virtualization. The user has a great degree of control, but with more responsibility for security.
  • Platform as a Service (PaaS) – Platform as a Service is the next level of abstraction and enables users to build and run applications. Under PaaS, in addition to the infrastructure, the cloud vendor also provides a platform to build, run and manage applications.
  • Software as a Service (SaaS) – Software as a Service is the highest level of abstraction. Under SaaS, the cloud vendor hosts applications and makes them available to end-users or customers. SaaS removes the need for organizations to host applications in their own data centres.
  • Bare Metal Service – Bare metal sits below IaaS: the customer runs directly on hardware provided by the cloud vendor, without a hypervisor in between. It gives developers access to the physical resources for applications intended to run directly on hardware. For example, organizations can deploy bare metal EC2 instances on dedicated AWS hardware instead of in the virtualized environment, which also moves the hypervisor-equivalent responsibilities onto the customer.

The biggest challenge organizations face is confusion over who is responsible for what, which leads to security compromises. That confusion gives attackers a blind spot, and misunderstood security responsibilities have been cited as the root cause of many cloud security incidents. Amazon Web Services (AWS) therefore published the AWS Shared Responsibility Model to clarify the split.


According to AWS Shared Responsibility Model, AWS is responsible for the Security of the Cloud and the customer is responsible for the Security in the Cloud.

  • AWS Responsibility: AWS is responsible for protecting the infrastructure that runs all the AWS services. In other words, AWS controls, operates and manages the components from the host operating system and virtualization layer down to the physical layer in which the service operates.
  • Customer Responsibility: The customer’s responsibility depends on the AWS service used and the configuration they need to perform to secure that service. In other words, customers need to manage the guest operating system, including security patches, and their application software. They also need to configure the AWS-provided security controls such as security groups, network access control lists and IAM (Identity and Access Management).
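IAM is the customer-side control that most directly decides what an attacker can do with a stolen credential, so it is worth checking policy documents before they are attached. The function below is an added example, not code from the original page or from AWS: it flags Allow statements that grant every action on every resource, unconditioned service-wide wildcards, or NotAction/NotResource grants, and shows a least-privilege policy beside the over-broad one. Both policy documents and the bucket name are constructed.

```python
"""Flag over-broad IAM policy statements (the customer-side control named above).

Added example, not from the page. The policy documents below are constructed;
the bucket ARN is a placeholder.
"""
import json
from typing import List, Tuple

# Constructed "before": full admin plus an unconditioned s3:* on everything.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    ],
})

# Constructed "after": only the two actions the app needs, scoped to one
# bucket, plus a Deny that blocks unencrypted (non-TLS) access.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy_json: str) -> List[Tuple[int, str]]:
    """Return (statement index, reason) for each Allow statement that is too broad."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                       # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource grants everything not listed"))
            continue
        actions = _as_list(stmt.get("Action"))
        star_resource = "*" in _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" and star_resource:
                findings.append((i, "full admin: Action '*' on Resource '*'"))
            elif action.endswith(":*") and star_resource and "Condition" not in stmt:
                service = action.split(":")[0]
                findings.append((i, f"all of {service} on every resource, unconditioned"))
    return findings


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, overbroad_statements(policy) or "no findings")
```

This is a deliberately small linter for the three patterns that matter most; for full grammar-aware checks, run candidate policies through IAM Access Analyzer’s policy validation before attaching them. Note that the Deny statement in the least-privilege policy is skipped on purpose: a Deny with `Resource: "*"` narrows access rather than widening it.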

The responsibility of both AWS and the customer varies with the service in use. To make this clearer, we will discuss the shared responsibility model for some specific AWS services.

AWS Shared Responsibility Model for EC2

Elastic Compute Cloud (EC2) falls under Infrastructure as a Service (IaaS), and the responsibility model for the cloud service provider and the customer is as follows:

  • AWS Responsibility: AWS is responsible for the infrastructure (Regions and Availability Zones) and the foundation services (compute, storage, database and network) used with EC2.
  • Customer Responsibility: The customer is responsible for the security configuration and firewall (such as security groups), the guest operating system (such as Ubuntu or Windows), the applications and tools installed, client- and server-side encryption, and the customer data.

AWS Shared Responsibility for Containers

EC2 virtualizes hardware, whereas a container virtualizes the operating system. For containers run on an AWS-managed, serverless platform (for example AWS Fargate), the responsibility model for the cloud service provider and the customer is as follows:

  • AWS Responsibility: AWS is responsible for the infrastructure (Regions and Availability Zones), the foundation services (compute, storage, database and network), and the container platform and host operating system.
  • Customer Responsibility: The customer is responsible for the security configuration and firewall (such as security groups), Identity and Access Management (IAM), the container images they build and run, client- and server-side encryption, and the customer data.

Note that this split applies to the managed case. If the containers run on EC2 worker nodes the customer provisions, the customer still owns the host operating system and its patches, exactly as for plain EC2.

Now, apart from AWS services, AWS Shared Responsibility also extends to IT controls.


AWS Shared Responsibility of IT Controls

Just as with the IT environment itself, the management, operation and verification of IT controls are shared between AWS and customers. AWS relieves customers of part of the burden by managing the controls over the physical infrastructure, and AWS’s own compliance reports and attestations let customers evaluate and verify the controls they inherit.


The examples of controls managed by AWS, customers and both are as follows.

Inherited Controls: These Controls are fully inherited by customers from AWS.

  • Physical and Environmental controls

Shared Controls: These controls apply to both the infrastructure and customer layers, but in a completely separate perspective. AWS provides the infrastructure requirements, and the customer must provide their own control implementation within their use of AWS services. For example:

  • Patch Management – Here, AWS is responsible for patching and fixing flaws within the infrastructure, whereas customers are responsible for patching their guest operating system and applications.
  • Configuration Management – Here, AWS maintains the configuration of its infrastructure devices, whereas the customer is responsible for configuring their own guest operating systems, databases, and applications.
  • Awareness & Training – AWS trains AWS employees, whereas a customer must train their own employees.

Customer-Specific: These controls are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include:

  • Zone Security or Service and Communications Protection may require a customer to route or zone data within specific security environments.

Conclusion

Security should not be compromised at any cost, and AWS treats cloud security accordingly. In this blog we covered the AWS Shared Responsibility Model, why it matters, and how it removes the confusion between the service provider and the customer about who secures what.