2.1 The AWS Shared Responsibility Model
Key Takeaways
- AWS is responsible for security "OF" the cloud (physical infrastructure, hardware, networking, hypervisor, managed service infrastructure).
- The customer is responsible for security "IN" the cloud (data, IAM, OS patching on EC2, application configuration, network/firewall config).
- Responsibility varies by service type: EC2 (IaaS) gives customers more responsibility than RDS (managed) or Lambda (serverless).
- Deciding what data to encrypt, turning encryption on, and managing the keys is ALWAYS the customer's responsibility, regardless of the service used.
- The Shared Responsibility Model is one of the most heavily tested concepts on the CLF-C02 exam.
The AWS Shared Responsibility Model
Quick Answer: AWS manages security OF the cloud (physical data centers, hardware, networking, hypervisor). You manage security IN the cloud (your data, IAM configuration, OS patches on EC2, encryption, network/firewall rules). This is the #1 most tested concept on the CLF-C02 exam.
The Shared Responsibility Model is arguably the single most important concept on the CLF-C02 exam. AWS and the customer share security responsibilities, and understanding exactly what each party is responsible for is critical.
The Core Concept
Think of it like renting an apartment:
- The landlord (AWS) is responsible for the building structure, roof, plumbing, electrical wiring, and common areas
- The tenant (you) is responsible for your furniture, belongings, locking the door, and not leaving the stove on
AWS Responsibilities: Security OF the Cloud
AWS is responsible for protecting the infrastructure that runs all AWS services. This includes:
| Category | What AWS Manages |
|---|---|
| Physical | Data centers, physical access control, environmental controls (fire, flood, power) |
| Hardware | Servers, storage devices, networking equipment |
| Networking | Global network infrastructure, backbone connectivity between Regions |
| Hypervisor | Virtualization layer that separates customer instances |
| Managed Service Infrastructure | The underlying platform for managed services (e.g., RDS engine, Lambda runtime) |
| Edge Locations | Physical infrastructure for CloudFront and other edge services |
Customer Responsibilities: Security IN the Cloud
The customer is responsible for everything they put IN the cloud and how they configure it:
| Category | What You Manage |
|---|---|
| Data | Your data, classification, and encryption |
| Identity & Access | IAM users, groups, roles, policies, MFA |
| Operating System | OS patching and maintenance on EC2 instances |
| Network Configuration | Security Groups, NACLs, routing tables, VPC design |
| Application | Application-level security, code, updates |
| Firewall | Host-based and network firewalls |
| Client-side Encryption | Encrypting data before sending to AWS |
| Server-side Encryption | Configuring encryption on AWS services |
How Responsibility Shifts by Service Type
The amount of customer responsibility varies depending on the type of AWS service:
IaaS (e.g., Amazon EC2)
Customer manages the most. You are responsible for:
- Guest operating system (patches, updates)
- Application software
- Security groups (firewall rules)
- Data encryption
- All configurations above the hypervisor
Managed Services (e.g., Amazon RDS)
Shared responsibility. AWS manages more:
- AWS handles: OS patching, database engine patching (applied during the maintenance window you choose), underlying hardware
- You handle: Database settings and parameter groups, security groups and whether the instance is publicly accessible, IAM and database user permissions, data encryption (storage encryption is chosen when the instance is created), backup retention and backup windows
Serverless (e.g., AWS Lambda)
AWS manages the most. Your responsibilities shrink to:
- Your code and data
- IAM permissions
- Encryption configuration
| Responsibility | EC2 (IaaS) | RDS (Managed) | Lambda (Serverless) | S3 (Fully Managed) |
|---|---|---|---|---|
| Physical infrastructure | AWS | AWS | AWS | AWS |
| Hypervisor | AWS | AWS | AWS | AWS |
| Operating System | Customer | AWS | AWS | AWS |
| Database Engine | Customer | AWS | N/A | N/A |
| Network Config | Customer | Customer | Customer | Customer |
| Data Encryption | Customer | Customer | Customer | Customer |
| IAM Permissions | Customer | Customer | Customer | Customer |
Always Customer Responsibility (Regardless of Service)
No matter which AWS service you use, these are ALWAYS your responsibility:
- Data classification and encryption — Deciding what data to protect, and choosing and configuring encryption at rest and in transit (including who manages the keys)
- IAM management — Creating users and roles, assigning least-privilege permissions, enabling MFA
- Network access controls — Security groups and NACLs where the service exposes them, and resource policies (for example S3 bucket policies and Block Public Access) where it does not
- Compliance — Meeting your regulatory requirements using AWS tools
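The customer responsibilities listed above (and in the "Security IN the Cloud" table earlier) are concrete, checkable settings. The script below is an added example, not part of the original page: it runs those checks over an account snapshot constructed for this example whose dictionaries mirror the shape of the matching boto3 responses, so it runs offline with no AWS call. Every ID, name and value in the snapshot is made up, as are the helper function names. Note what is deliberately absent: there is no OS-patch check for the RDS instances, because that row of the matrix belongs to AWS, while EBS volume encryption, RDS storage encryption and exposure, the S3 default encryption rule and Public Access Block, IAM MFA and Lambda secrets handling are all on the customer's side.

```python
"""Audit a constructed account snapshot for customer-side ("IN the cloud") settings.
Dict shapes mirror the matching boto3 responses (describe_security_groups, describe_volumes,
describe_db_instances, get_bucket_encryption / get_public_access_block, list_users +
list_mfa_devices, get_function_configuration). No AWS API call is made."""
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 27017}  # SSH, RDP, common DB ports
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")

SNAPSHOT = {  # constructed for this example; every ID, name and value is made up
    "security_groups": [
        {"GroupId": "sg-0a1", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
            "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0b2", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
            "ToPort": 443, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0c3", "IpPermissions": [{"IpProtocol": "-1",  # "all traffic" rule
            "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}],
    "volumes": [{"VolumeId": "vol-1", "Encrypted": True}, {"VolumeId": "vol-2", "Encrypted": False}],
    "db_instances": [
        {"DBInstanceIdentifier": "orders", "StorageEncrypted": True, "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "legacy", "StorageEncrypted": False, "PubliclyAccessible": True}],
    "buckets": [  # "sse": SSEAlgorithm of the bucket's default encryption rule, or None
        {"Name": "logs", "sse": "aws:kms", "public_access_block": dict.fromkeys(PAB_KEYS, True)},
        {"Name": "uploads", "sse": None, "public_access_block": {"BlockPublicAcls": True,
            "IgnorePublicAcls": False, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}],
    "iam_users": [  # console_login: user has a login profile; mfa_devices: device count
        {"UserName": "alice", "console_login": True, "mfa_devices": 1},
        {"UserName": "deploy-bot", "console_login": False, "mfa_devices": 0},
        {"UserName": "bob", "console_login": True, "mfa_devices": 0}],
    "functions": [
        {"FunctionName": "api", "Environment": {"Variables": {"DB_PASSWORD": "hunter2"}}},
        {"FunctionName": "thumbnailer", "Environment": {"Variables": {
            "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db"}}}],
}

def open_admin_ports(groups):
    """Security groups exposing admin/DB ports to 0.0.0.0/0 or ::/0 (EC2 and RDS)."""
    out = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") == "-1":  # all-traffic rules carry no port keys
                lo, hi = 0, 65535
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            if any(ip_network(r.get("CidrIp") or r["CidrIpv6"]).prefixlen == 0 for r in ranges):
                exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
                if exposed:
                    out.append((sg["GroupId"], exposed))
    return out

def unencrypted_volumes(volumes):
    """EBS volumes without encryption at rest: on EC2 that choice is yours."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted")]

def risky_db_instances(dbs):
    """RDS: AWS patches OS and engine, but encryption and exposure stay with you."""
    return [(d["DBInstanceIdentifier"], issue) for d in dbs for flag, issue in
            ((not d.get("StorageEncrypted"), "storage not encrypted"),
             (d.get("PubliclyAccessible"), "publicly accessible")) if flag]

def risky_buckets(buckets):
    """S3: expect a default encryption rule and a complete Public Access Block."""
    out = []
    for b in buckets:
        if not b.get("sse"):
            out.append((b["Name"], "no default encryption rule"))
        missing = [k for k in PAB_KEYS if not b.get("public_access_block", {}).get(k)]
        if missing:
            out.append((b["Name"], "public access block missing " + ", ".join(missing)))
    return out

def console_users_without_mfa(users):
    """IAM users who can sign in to the console without an MFA device."""
    return [u["UserName"] for u in users if u.get("console_login") and not u.get("mfa_devices")]

def plaintext_secrets_in_lambda(functions):
    """Lambda: secret-looking env vars holding a value rather than an ARN reference."""
    out = []
    for f in functions:
        for name, value in f.get("Environment", {}).get("Variables", {}).items():
            if any(h in name.upper() for h in SECRET_HINTS) and not str(value).startswith("arn:"):
                out.append((f["FunctionName"], name))
    return out

def audit(snapshot):
    """Run every check; a clean account returns only empty lists."""
    return {fn.__name__: fn(snapshot[key]) for fn, key in (
        (open_admin_ports, "security_groups"), (unencrypted_volumes, "volumes"),
        (risky_db_instances, "db_instances"), (risky_buckets, "buckets"),
        (console_users_without_mfa, "iam_users"), (plaintext_secrets_in_lambda, "functions"))}

if __name__ == "__main__":
    for check, findings in audit(SNAPSHOT).items():
        print(f"{check}: {findings or 'OK'}")
```

Running it prints one line per check; a clean account prints OK everywhere. Against a real account you would fill SNAPSHOT from the boto3 calls named in the docstring and the checks themselves would not change, which is the point: none of them asks about the hypervisor, the hardware or the RDS engine version, because those are AWS's side of the line.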
Always AWS Responsibility (Regardless of Service)
These are ALWAYS AWS's responsibility:
- Physical data center security — Guards, cameras, biometric access
- Hardware maintenance — Replacing failed drives, servers, network equipment
- Network infrastructure — Global backbone, and infrastructure-level DDoS protection (AWS Shield Standard is applied automatically)
- Hypervisor and host OS — Securing the virtualization platform
- Environmental controls — Power, cooling, fire suppression
On the Exam: When you see a Shared Responsibility Model question, ask: "Is this about the physical infrastructure or the software configuration?" Physical = AWS. Configuration = Customer. Data = Always Customer. If you are unsure, data and encryption are ALWAYS the customer's job.
Practice Questions
- Under the AWS Shared Responsibility Model, who is responsible for patching the operating system on an Amazon EC2 instance?
- Under the Shared Responsibility Model, who is responsible for patching the database engine on Amazon RDS?
- Which of the following is ALWAYS the customer's responsibility, regardless of the AWS service being used?
- A company is using AWS Lambda to run its application code. Under the Shared Responsibility Model, what is the customer responsible for?