Understanding the AWS Shared Responsibility Model
A guide to one of the most fundamental concepts of cloud security: the AWS Shared Responsibility Model. Learn what AWS is responsible for (security OF the cloud) and what you are responsible for (security IN the cloud).
When you move your applications to the AWS cloud, one of the first and most important concepts you must understand is the Shared Responsibility Model. This model is the foundation of cloud security, and it clearly defines who is responsible for what when it comes to securing your environment.
In short, the model can be summarized as: AWS is responsible for the security of the cloud, while you, the customer, are responsible for security in the cloud.
Let's break down what this means in practice.
AWS's Responsibility: Security OF the Cloud
AWS is responsible for protecting the underlying infrastructure that runs all of the services offered in the AWS cloud. This includes the hardware, software, networking, and facilities that run AWS services.
This includes:
- Physical Security: AWS manages the physical security of its data centers, including access control, surveillance, and environmental controls.
- Hardware and Networking: AWS is responsible for the physical servers, storage devices, and the global network that connects them.
- Hypervisor: For services like EC2, AWS is responsible for the security of the virtualization layer (the hypervisor) that separates different customer instances running on the same physical hardware.
- Managed Services: For managed services like S3, DynamoDB, and Lambda, AWS is responsible for securing the underlying infrastructure, the operating system the service runs on, and the service software itself (for Lambda, that means the execution environment and the language runtime are patched by AWS; the function code and its dependencies are still yours).
By using AWS, you inherit all the benefits of their years of experience and massive investment in building and securing a world-class infrastructure.
Your Responsibility: Security IN the Cloud
Your responsibility is determined by the AWS services you choose. The more control you have over the service, the more responsibility you have for securing it.
Whatever service you use, your responsibilities always include:
- Data: You are always responsible for your data. This includes how you classify it, whether and how you encrypt it at rest and in transit (client-side, or server-side with keys you manage in AWS KMS), and who has access to it. AWS provides the encryption features; turning them on and choosing the key policy is your job.
- Identity and Access Management (IAM): You are responsible for defining and managing your users, groups, roles, and policies. Granting the right permissions to the right people (and applications) and following the principle of least privilege is a core customer responsibility, and so is protecting the credentials themselves (MFA, no long-lived access keys where a role will do).
- Network Configuration: You are responsible for configuring your Virtual Private Cloud (VPC), including subnets, route tables, network ACLs, and security groups, and for deciding which resources get public IP addresses or internet gateways at all.
The Model in Practice: IaaS vs. PaaS vs. SaaS
The level of your responsibility changes depending on the type of service you are using. AWS's own documentation groups its services as infrastructure, container, and abstracted services; the IaaS/PaaS/SaaS labels used below are the more common industry shorthand and map onto those groups only loosely.
Infrastructure as a Service (IaaS)
- Example: Amazon EC2
- Your Responsibility: With EC2, you have the most responsibility. AWS stops at the hypervisor; everything inside the instance is yours. In addition to data and access management, you are responsible for:
- The guest operating system, including patches, security updates, hardening, and any agents you install.
- Any applications or software you install on the instance, along with their dependencies.
- The configuration of the instance's firewall (the security group) and any host-based firewall, plus the instance's IAM role, which decides what the workload itself can call.
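As an added example (not code from the original article or from AWS), the following Python audits security-group ingress rules in the shape returned by `aws ec2 describe-security-groups` and flags administrative ports reachable from the whole internet. The group IDs, the bastion CIDR 203.0.113.0/24 and the list of "admin" ports are constructed for the example; the weak group is shown beside its corrected form.

```python
"""Audit EC2 security-group ingress rules for world-reachable admin ports.

Added example, not AWS code. SAMPLE_GROUPS is a constructed dict shaped like
the IpPermissions entries of `aws ec2 describe-security-groups` output.
"""
import ipaddress

# Ports that should never be open to 0.0.0.0/0 or ::/0 (assumption: tune per environment).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}

# Constructed sample: one weak group and its hardened replacement.
SAMPLE_GROUPS = [
    {"GroupId": "sg-weak", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # "-1" means every protocol and every port; paired with ::/0 it is an open door.
        {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-hardened", "IpPermissions": [
        # SSH only from an assumed bastion network; HTTPS can stay public.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def is_world_open(cidr: str) -> bool:
    """True for any /0 prefix (0.0.0.0/0, ::/0), i.e. the whole address family."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def ports_covered(perm: dict) -> set:
    """Admin ports reachable through one IpPermissions entry."""
    if perm["IpProtocol"] == "-1":          # all protocols: every port is reachable
        return set(ADMIN_PORTS)
    if perm["IpProtocol"] not in ("tcp", "udp"):
        return set()
    lo, hi = perm["FromPort"], perm["ToPort"]
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def find_exposed_admin_ports(groups: list) -> list:
    """Return (group_id, port, service, cidr) for each admin port open to the internet."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                for port in sorted(ports_covered(perm)):
                    findings.append((sg["GroupId"], port, ADMIN_PORTS[port], cidr))
    return findings


if __name__ == "__main__":
    for gid, port, svc, cidr in find_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: {svc}/{port} open to {cidr}")
```

Run against the sample, only `sg-weak` produces findings: SSH from `0.0.0.0/0`, and every admin port via the all-protocols rule from `::/0`. Rules that reference another security group (`UserIdGroupPairs`) are not CIDR-based and are deliberately left alone here.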
Platform as a Service (PaaS)
- Example: AWS Lambda, Amazon RDS
- Your Responsibility: With a service like RDS, AWS manages the operating system and the database engine for you: it applies engine patches, but you choose the maintenance window and whether minor version upgrades are automatic. Your responsibility is focused on:
- Managing the database settings, including enabling encryption at rest (which for RDS must be chosen when the instance is created) and requiring TLS for connections.
- Configuring the network access (security groups, and keeping the instance out of public subnets unless there is a reason).
- Controlling user access to the database itself: the master credentials, the database accounts you create, and the IAM permissions that govern who can change the instance.
- With Lambda, AWS patches the execution environment; you are responsible for the function code, its dependencies, the secrets it reads, and the permissions of its execution role.
Software as a Service (SaaS)
- Example: Amazon S3, Amazon DynamoDB
- Your Responsibility: With a service like S3, AWS runs the entire service stack. What is left is small but it is where most real S3 data exposures have come from, through customer misconfiguration rather than any failure of the service:
- The data you put into S3, including how it is classified and which server-side or client-side encryption you choose for it.
- How you configure access to that data using IAM policies, S3 bucket policies, bucket ACLs, and S3 Block Public Access, and whether you turn on the logging and versioning that let you detect and recover from mistakes.
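IAM identity policies (the least-privilege point in "Your Responsibility" above) and S3 bucket policies share the same policy-document grammar, so one added checker can serve both. This is example code written for this article, not AWS tooling (AWS Config rules and IAM Access Analyzer do this in production); the bucket name, account ID and role name are placeholders. Each weak document is shown beside its corrected form.

```python
"""Flag over-broad Allow statements in IAM identity and S3 bucket policies.

Added example, not AWS code. Both policy types use the IAM policy-document
grammar, so one checker serves the IAM least-privilege point and the S3
public-access point. Bucket name, account ID and role name are placeholders.
"""
import json


def as_list(value):
    """The grammar allows a string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: matches any caller, even unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def audit_policy(doc) -> list:
    """Return findings for every Allow statement broader than least privilege
    requires. Accepts a dict or the JSON text of a policy document."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    findings = []
    for i, stmt in enumerate(as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; never a finding
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow + NotAction grants every action except those listed")
        if "*" in actions:
            findings.append(f"{sid}: Action \"*\" allows every API call in every service")
        else:
            service_wide = [a for a in actions if a.endswith(":*")]
            if service_wide:
                findings.append(f"{sid}: service-wide wildcard action {service_wide}")
        if "*" in resources:
            # A few read-only APIs accept only Resource "*"; everything else should name ARNs.
            findings.append(f"{sid}: Resource \"*\" should be narrowed to specific ARNs where supported")
        if principal_is_anyone(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"{sid}: public principal with no Condition, so anyone on the internet matches")
    return findings


# Constructed sample policies: each weak document beside its corrected form.
OVERBROAD_IAM = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminLike", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

LEAST_PRIVILEGE_IAM = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadUploads", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-app-data/uploads/*"}]}

PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-data/*"}]}

SCOPED_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-data/*"},
    # A Deny with Principal "*" is the standard way to require TLS; it is not a finding.
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


if __name__ == "__main__":
    for name, doc in [("OVERBROAD_IAM", OVERBROAD_IAM), ("LEAST_PRIVILEGE_IAM", LEAST_PRIVILEGE_IAM),
                      ("PUBLIC_BUCKET", PUBLIC_BUCKET), ("SCOPED_BUCKET", SCOPED_BUCKET)]:
        print(name, audit_policy(doc) or "no findings")
```

The checker only inspects Allow statements: a Deny with `Principal: "*"` is how you force TLS or block unencrypted uploads, and treating it as a finding would teach the wrong lesson. Note also that a bucket policy is only one of four S3 access controls; even a clean policy does not help if Block Public Access is off and an ACL grants `AllUsers` read.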
A Simple Analogy
Think of it like owning a house versus renting an apartment.
- On-Premises: This is like owning a house. You are responsible for everything—the land, the foundation, the walls, the roof, the locks on the doors, and all your furniture inside.
- IaaS (EC2): This is like renting an unfurnished apartment. The landlord (AWS) is responsible for the building and the structure, but you are responsible for furnishing it and locking your own door.
- PaaS/SaaS (RDS/S3): This is like staying in a hotel. The hotel (AWS) manages almost everything for you. Your primary responsibility is to make sure you don't leave your room key (your IAM credentials) lying around.
Conclusion
The AWS Shared Responsibility Model is a critical concept for anyone working with the cloud. It provides a clear framework for understanding your security obligations. By taking ownership of your responsibilities—properly configuring IAM, securing your networks, and protecting your data—you can build highly secure and robust applications on top of the secure global infrastructure provided by AWS.