1.7 The Shared Responsibility Model for Solutions Architects
Key Takeaways
- AWS is responsible for security OF the cloud (infrastructure, hardware, networking, hypervisor, managed service platforms).
- The customer is responsible for security IN the cloud (data, IAM, OS patching on EC2, encryption, network configuration).
- Responsibility varies by service: EC2 (IaaS) gives more customer responsibility than Lambda (serverless) or S3 (managed).
- Encryption of data is ALWAYS the customer's responsibility, regardless of service type.
- Solutions Architects must design architectures that clearly address both AWS and customer security responsibilities.
Last updated: March 2026
Quick Answer: AWS manages security OF the cloud (physical infrastructure, hypervisor, managed platforms). You manage security IN the cloud (data, IAM, encryption, OS patches on EC2, application code). The more managed the service, the less you manage — but encryption and data classification are ALWAYS yours.
The Core Model
| Responsibility | AWS | Customer |
|---|---|---|
| Physical security | Data centers, guards, environmental controls | N/A |
| Hardware | Servers, storage, networking equipment | N/A |
| Hypervisor | Virtualization layer | N/A |
| Network infrastructure | Global backbone, edge locations | VPC config, SGs, NACLs |
| Operating system | For managed services (RDS, Lambda) | For EC2 instances |
| Application | Managed service features | Your code, configuration |
| Data | N/A | Classification, encryption, backup |
| Identity | IAM service itself | IAM policies, MFA, credentials |
Responsibility by Service Type
IaaS (EC2) — Maximum Customer Responsibility
| Customer Manages | AWS Manages |
|---|---|
| Guest OS patches and updates | Physical hardware |
| Application installation and patches | Hypervisor |
| Security group and NACL configuration | Network infrastructure |
| IAM and access management | Data center security |
| Data encryption | Host OS and firmware |
| Firewall configuration | |
Managed Services (RDS, ElastiCache) — Shared Responsibility
| Customer Manages | AWS Manages |
|---|---|
| IAM and database user management | OS patching |
| Security group configuration | Database software patches |
| Encryption settings (KMS keys) | Automated backups (if enabled) |
| Network configuration (VPC, subnets) | Multi-AZ failover |
| Data classification | Hardware and infrastructure |
Serverless (Lambda, S3, DynamoDB) — Minimal Customer Responsibility
| Customer Manages | AWS Manages |
|---|---|
| Function code and dependencies | Everything else |
| IAM execution roles | Scaling |
| Data encryption settings | Patching |
| VPC configuration (if applicable) | Infrastructure |
| Application-level security | Runtime environment |
On the Exam: "Who is responsible for patching the operating system on an EC2 instance?" → Customer. "Who is responsible for patching the operating system on an RDS instance?" → AWS. The key differentiator is the service type (IaaS vs. managed vs. serverless).
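The three tables above describe which controls stay with the customer for each service type, but they are easier to internalise as something you can run. The following is an added example, not part of this study guide and not AWS tooling: a small offline audit that walks a constructed inventory shaped like the output of the EC2, RDS and S3 describe APIs, checks only the customer-owned controls for each service type (guest OS patching and EBS encryption on EC2, storage encryption and public exposure on RDS, default encryption and public-access blocking on S3), and refuses to report a finding against a control that AWS owns for that service. All resource identifiers and thresholds (the 30-day patch window, `i-0example`, `example-bucket`) are made up for the demonstration.

```python
"""Audit customer-side controls by service type (added example, not AWS code).

The inventory records below are constructed to mimic the shape of AWS
describe_* responses; nothing here calls AWS, and every id/name is invented.
"""
from __future__ import annotations
from dataclasses import dataclass

# Controls that remain the customer's responsibility per service type,
# condensed from the responsibility tables. Anything not listed here is
# AWS's side of the line for that service (e.g. "os_patching" for RDS).
CUSTOMER_CONTROLS = {
    "ec2": {"os_patching", "security_groups", "iam", "encryption", "network"},
    "rds": {"security_groups", "iam", "encryption", "network"},
    "s3": {"iam", "encryption"},
}

PATCH_WINDOW_DAYS = 30  # hypothetical patch SLA used for the demo


@dataclass(frozen=True)
class Finding:
    service: str
    resource: str
    control: str
    message: str


def check_ec2(inst: dict) -> list[Finding]:
    """IaaS: guest OS, security groups and volume encryption are ours."""
    out = []
    if inst["days_since_patch"] > PATCH_WINDOW_DAYS:
        out.append(Finding("ec2", inst["id"], "os_patching",
                           f"last patched {inst['days_since_patch']} days ago"))
    for rule in inst["ingress"]:
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389):
            out.append(Finding("ec2", inst["id"], "security_groups",
                               f"admin port {rule['port']} open to 0.0.0.0/0"))
    for vol in inst["volumes"]:
        if not vol["encrypted"]:
            out.append(Finding("ec2", inst["id"], "encryption",
                               f"volume {vol['id']} is not encrypted"))
    return out


def check_rds(db: dict) -> list[Finding]:
    """Managed: AWS patches the OS and engine; we own encryption and exposure."""
    out = []
    if not db["storage_encrypted"]:
        out.append(Finding("rds", db["id"], "encryption", "storage not encrypted"))
    if db["publicly_accessible"]:
        out.append(Finding("rds", db["id"], "network", "PubliclyAccessible is true"))
    return out


def check_s3(bucket: dict) -> list[Finding]:
    """Serverless/managed: only data protection and access policy remain ours."""
    out = []
    if bucket["default_encryption"] is None:
        out.append(Finding("s3", bucket["name"], "encryption",
                           "no default encryption configured"))
    if not bucket["block_public_access"]:
        out.append(Finding("s3", bucket["name"], "iam",
                           "Block Public Access is not enabled"))
    return out


CHECKS = {"ec2": check_ec2, "rds": check_rds, "s3": check_s3}


def audit(inventory: list[dict]) -> list[Finding]:
    """Run the per-service checks and enforce the responsibility boundary."""
    findings: list[Finding] = []
    for resource in inventory:
        for f in CHECKS[resource["service"]](resource):
            # A finding on a control AWS owns would be a bug in the checker.
            if f.control not in CUSTOMER_CONTROLS[f.service]:
                raise ValueError(f"{f.control} is not a customer control on {f.service}")
            findings.append(f)
    return findings


# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    {"service": "ec2", "id": "i-0example", "days_since_patch": 45,
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}],
     "volumes": [{"id": "vol-0example", "encrypted": False}]},
    {"service": "rds", "id": "db-example", "storage_encrypted": True,
     "publicly_accessible": True},
    {"service": "s3", "name": "example-bucket", "default_encryption": None,
     "block_public_access": True},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.service}] {f.resource}: {f.control}: {f.message}")
```

Running it against the sample inventory yields five findings: three on the EC2 instance (stale guest OS, SSH open to the world, unencrypted volume), one on the RDS instance (public exposure; its missing OS patches are not reported because that is AWS's job on a managed service), and one on the bucket (no default encryption). The `CUSTOMER_CONTROLS` guard in `audit` is the point of the exercise: the set of things you are allowed to find on a resource is exactly the set of things the model says you own.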
Test Your Knowledge
Who is responsible for patching the guest operating system on an Amazon EC2 instance?
Test Your Knowledge
Who is responsible for encrypting data stored in Amazon S3?