L3. The AWS Shared Responsibility Model
The AWS Shared Responsibility Model defines the security boundary between AWS and the customer. Cloud Practitioner exam questions frequently test who owns which layer of security.
AWS: Security OF the Cloud
AWS is responsible for protecting the infrastructure that runs all AWS services. This includes:
- Physical security of datacenters (guards, biometric access, surveillance)
- Hardware: servers, storage, networking equipment
- Virtualization layer (hypervisor)
- Managed services infrastructure (AWS manages the OS for RDS, Lambda, etc.)
- AWS global network
Customer: Security IN the Cloud
Customers are responsible for everything they put IN the cloud:
- Data: encryption at rest and in transit, data classification
- Identity and access: IAM users, roles, policies; MFA configuration
- Operating systems: patching EC2 instance OS (for IaaS)
- Applications: code running on EC2 or in containers
- Network and firewall configuration: security groups, NACLs, VPC design
- Customer-side data encryption and client-side data integrity authentication
How Responsibility Shifts by Service Type
The shared responsibility boundary shifts based on the service:
EC2 (IaaS):
- AWS: hardware, hypervisor, physical network
- Customer: OS patching, application security, firewall rules, data encryption
Amazon RDS (managed service):
- AWS: hardware, OS patching, database software patching, backups
- Customer: database access control (users/passwords), data encryption settings, network access (security groups)
AWS Lambda (managed service):
- AWS: hardware, OS, runtime environment
- Customer: function code, IAM permissions, environment variables (secrets)
Inherited vs. Shared Controls
Inherited controls (the customer inherits them fully from AWS): physical and environmental controls. Shared controls (both parties apply them, each at their own layer): patch management (AWS patches the infrastructure; the customer patches the guest OS on EC2), configuration management, awareness and training. Customer-specific controls (the customer alone applies them): service and communications protection, zone security.
Common Exam Traps
| Scenario | Responsibility |
|---|---|
| EC2 OS has unpatched vulnerability | Customer |
| AWS datacenter has a power failure | AWS |
| S3 bucket left publicly accessible | Customer |
| AWS hardware fails | AWS |
| RDS database password not rotated | Customer |
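Added example (not part of the lesson): a small offline posture check for the customer's side of the line. It runs over a constructed inventory whose dict shapes mimic boto3's get_public_access_block and describe_security_groups responses; the EC2 patch-date and RDS rotation-date fields are assumptions made for this example, and every finding it emits is a customer-responsibility item from the table above.

```python
from datetime import date

# Constructed sample inventory (not from a real account). The S3 and security
# group dicts mimic boto3 response shapes; the ec2/rds date fields are
# hypothetical inputs that an inventory job would have to supply.
INVENTORY = {
    "s3_public_access_block": {
        "logs-bucket": dict.fromkeys(("BlockPublicAcls", "IgnorePublicAcls",
                                      "BlockPublicPolicy", "RestrictPublicBuckets"), True),
        "marketing-assets": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                             "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    },
    "security_groups": [
        {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
            "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-admin", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
            "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
    "ec2_last_patched": {"i-app1": date(2024, 1, 10), "i-app2": date(2024, 6, 1)},
    "rds_password_rotated": {"db-prod": date(2023, 12, 1)},
}

PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")
ADMIN_PORTS = {22, 3389}  # SSH and RDP: should never be reachable from the whole internet


def audit(inv, today, max_patch_age_days=90, max_secret_age_days=90):
    """Return (resource, finding) pairs. Each finding is 'security IN the cloud':
    AWS will not fix it for you, so it sits on the customer's side of the line."""
    findings = []
    for bucket, cfg in inv["s3_public_access_block"].items():
        if not all(cfg.get(k, False) for k in PUBLIC_ACCESS_KEYS):
            findings.append((bucket, "S3 public access not fully blocked"))
    for sg in inv["security_groups"]:
        for perm in sg["IpPermissions"]:
            world = any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            if world and any(perm["FromPort"] <= p <= perm["ToPort"] for p in ADMIN_PORTS):
                findings.append((sg["GroupId"], f"port {perm['FromPort']} open to 0.0.0.0/0"))
    for inst, patched in inv["ec2_last_patched"].items():
        if (today - patched).days > max_patch_age_days:
            findings.append((inst, "EC2 guest OS not patched within threshold"))
    for db, rotated in inv["rds_password_rotated"].items():
        if (today - rotated).days > max_secret_age_days:
            findings.append((db, "RDS master password not rotated within threshold"))
    return findings


def run_sample():
    # Evaluate the constructed inventory as of a fixed date so results are reproducible.
    return audit(INVENTORY, date(2024, 7, 1))
```

Running `run_sample()` flags the public bucket, the SSH-open security group, the stale EC2 instance and the unrotated RDS password, while the compliant bucket, the HTTPS-only group and the recently patched instance pass.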
- ✓ AWS secures the cloud: physical datacenters, hardware, hypervisor, managed service infrastructure
- ✓ Customers secure their data, identities, application code, OS (on EC2), and network configurations
- ✓ The boundary shifts by service: more customer responsibility for IaaS (EC2), less for managed services (Lambda)
- ✓ S3 bucket public access misconfiguration is always the customer's responsibility
- ✓ EC2 OS patching is the customer's responsibility; RDS engine patching is AWS's responsibility
1. A company runs an application on Amazon EC2. A security audit reveals the operating system has not been patched in 6 months. Who is responsible for patching the EC2 operating system?
2. Which of the following security tasks is AWS ALWAYS responsible for, regardless of which services the customer uses?