Cyber Intelligence
Cloud Concepts · 24% of exam

L3. The AWS Shared Responsibility Model


The AWS Shared Responsibility Model defines the security boundary between AWS and the customer. Cloud Practitioner exam questions frequently test who owns which layer of security.

AWS: Security OF the Cloud

AWS is responsible for protecting the infrastructure that runs all AWS services. This includes:

  • Physical security of datacenters (guards, biometric access, surveillance)
  • Hardware: servers, storage, networking equipment
  • Virtualization layer (hypervisor)
  • Managed services infrastructure (AWS manages the OS for RDS, Lambda, etc.)
  • AWS global network

Customer: Security IN the Cloud

Customers are responsible for everything they put IN the cloud:

  • Data: encryption at rest and in transit, data classification
  • Identity and access: IAM users, roles, policies; MFA configuration
  • Operating systems: patching EC2 instance OS (for IaaS)
  • Applications: code running on EC2 or in containers
  • Network and firewall configuration: security groups, NACLs, VPC design
  • Customer-side data encryption and client-side data integrity authentication

How Responsibility Shifts by Service Type

The shared responsibility boundary shifts based on the service:

EC2 (IaaS):

  • AWS: hardware, hypervisor, physical network
  • Customer: OS patching, application security, firewall rules, data encryption

RDS (Managed PaaS):

  • AWS: hardware, OS patching, database software patching, backups
  • Customer: database access control (users/passwords), data encryption settings, network access (security groups)

Lambda (Serverless):

  • AWS: hardware, OS, runtime environment
  • Customer: function code, IAM permissions, environment variables (secrets)

Inherited vs. Shared Controls

Inherited controls (the customer inherits these from AWS):

  • Physical and environmental controls

Shared controls (apply to both AWS and the customer):

  • Patch management: AWS patches the infrastructure; the customer patches the guest OS on EC2
  • Configuration management
  • Awareness and training

Customer-specific controls:

  • Service and communications protection
  • Zone security

Common Exam Traps

Scenario                                    Responsibility
EC2 OS has unpatched vulnerability          Customer
AWS datacenter has a power failure          AWS
S3 bucket left publicly accessible          Customer
AWS hardware fails                          AWS
RDS database password not rotated           Customer

Exam tip: Anything related to data, identity, application code, or OS configuration is the customer's responsibility. Physical hardware, network infrastructure, and managed service runtimes belong to AWS.
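The customer-owned layers in the table can be audited mechanically. The following added example (not from this lesson or from AWS) checks a constructed, offline account snapshot for three of the trap scenarios: a bucket policy that makes an S3 bucket public, a security group open to the whole internet, and an RDS instance without encryption at rest. The snapshot format, bucket names and security group IDs are assumptions, a simplification of what the AWS APIs return.

```python
# Added example: audit an offline account snapshot for misconfigurations that
# fall on the customer side of the shared responsibility model.
# The snapshot format is a constructed simplification, not boto3 output.

PUBLIC_READ = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}
SNAPSHOT = {  # constructed sample data, not a real account
    "s3_buckets": [
        {"name": "finance-exports", "policy": PUBLIC_READ,
         "public_access_block": {"RestrictPublicBuckets": False}},
        {"name": "app-logs", "policy": PUBLIC_READ,  # same policy, but neutralised
         "public_access_block": {"RestrictPublicBuckets": True}},
    ],
    "security_groups": [{"id": "sg-0a1b", "ingress": [
        {"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}]}],
    "rds_instances": [{"id": "orders-db", "storage_encrypted": False}],
}

def bucket_is_public(bucket):
    """True if the bucket policy grants access to everyone ('*') and the
    Block Public Access setting RestrictPublicBuckets does not neutralise it.
    ACL-based exposure is out of scope for this simplified check."""
    if bucket["public_access_block"].get("RestrictPublicBuckets"):
        return False
    for st in (bucket.get("policy") or {}).get("Statement", []):
        if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"}):
            return True
    return False

def world_open_rules(group):
    """Ingress rules reachable from any address: the customer's firewall layer."""
    return [r for r in group["ingress"] if r["cidr"] in ("0.0.0.0/0", "::/0")]

def customer_findings(snapshot):
    """Return (layer, message) pairs; every layer listed is one the customer owns."""
    out = []
    for b in snapshot["s3_buckets"]:
        if bucket_is_public(b):
            out.append(("data", f"s3 bucket {b['name']} is publicly readable"))
    for g in snapshot["security_groups"]:
        for r in world_open_rules(g):
            out.append(("network", f"{g['id']} allows port {r['port']} from {r['cidr']}"))
    for db in snapshot["rds_instances"]:
        if not db["storage_encrypted"]:  # encryption settings are the customer's choice
            out.append(("data", f"rds {db['id']} storage not encrypted at rest"))
    return out

if __name__ == "__main__":
    for layer, msg in customer_findings(SNAPSHOT):
        print(f"[customer/{layer}] {msg}")
```

Note that the hardware, hypervisor and RDS engine patching rows of the table have no counterpart here: they are AWS's side of the boundary and are not visible in customer-side configuration.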

Exam Focus Points

  • AWS secures the cloud: physical datacenters, hardware, hypervisor, managed service infrastructure
  • Customers secure their data, identities, application code, OS (on EC2), and network configurations
  • The boundary shifts by service: more customer responsibility for IaaS (EC2), less for managed services (Lambda)
  • S3 bucket public access misconfiguration is always the customer's responsibility
  • EC2 OS patching is the customer's responsibility; RDS engine patching is AWS's responsibility

Knowledge Check

1. A company runs an application on Amazon EC2. A security audit reveals the operating system has not been patched in 6 months. Who is responsible for patching the EC2 operating system?

2. Which of the following security tasks is AWS ALWAYS responsible for, regardless of which services the customer uses?
