In the Shared Responsibility Model, AWS differentiates between the security ‘of’ the cloud and the security ‘in’ the cloud.
Security ‘of’ the Cloud
Security ‘of’ the cloud encompasses the infrastructure and foundational services that AWS is responsible for. AWS is tasked with protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
The services fitting into this category include computing, storage, database and networking.
Security of the following layers is managed by AWS:
- Facilities: The physical security of data centres.
- Physical Infrastructure: Rack and servers, etc.
- Host Operating System: The operating system on which the guest operating systems (virtual machines) run.
- Network Infrastructure: Including access to and from data centres.
- Virtualization Infrastructure: The hypervisor layer responsible for the isolation of different EC2 instances from each other.
Security ‘in’ the Cloud
Security ‘in’ the cloud comprises the security measures that the user must implement and operate, related to the security of their customer content and applications that make use of AWS services.
This area of responsibility includes managing secure operating systems, platforms, and data; application security; identity and access management; firewall and network configuration; client and end-point protection; and encryption.
The user is also responsible for staying up-to-date regarding the specific privacy and compliance responsibilities applicable to their industry and geography.
A table format helps to clarify the shared responsibilities:
| AWS responsibility – Security ‘of’ the Cloud | Customer responsibility – Security ‘in’ the Cloud |
| --- | --- |
| Protecting infrastructure (hardware, software, networking, facilities) | Protecting customer data |
| Operating, managing and controlling the components from the host operating system and virtualization layer down to the physical security of the facilities | Configuration of AWS-provided security groups and network ACLs |
| Configuration and vulnerability management of the host OS and guest OS | Maintenance of AWS-provided platform applications and utilities |
| Firewall configuration | Management of AWS Identity and Access Management (IAM) and user credentials |
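The security-group row of the table is the one customers most often get wrong in practice: AWS provides the firewall primitive, but every ingress rule is the customer's. The following audit is an added example, not code from the original page or from AWS. It assumes input shaped like the EC2 DescribeSecurityGroups response (the sample groups are constructed) and an allow-list of ports that are legitimately public, and it flags any rule that admits the whole internet (0.0.0.0/0 or ::/0) on anything else.

```python
from typing import Dict, List

# Assumption for this example: only these ports are meant to be internet-facing.
PUBLIC_OK_PORTS = {80, 443}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of EC2 DescribeSecurityGroups output (assumption).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def world_open_rules(group: dict) -> List[dict]:
    """Return the ingress rules of one security group that admit the whole
    internet on ports outside PUBLIC_OK_PORTS."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr not in WORLD_CIDRS:
                continue  # scoped to a private range: not a world-open rule
            proto = perm.get("IpProtocol")
            if proto == "-1":  # "-1" means every protocol and every port
                findings.append({"cidr": cidr, "proto": "all", "ports": "all"})
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]  # ICMP uses -1/-1 here
            if any(p not in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                findings.append({"cidr": cidr, "proto": proto, "ports": f"{lo}-{hi}"})
    return findings


def audit(groups: List[dict]) -> Dict[str, List[dict]]:
    """Map each offending GroupId to its world-open rules; clean groups are omitted."""
    return {g["GroupId"]: f for g in groups if (f := world_open_rules(g))}


if __name__ == "__main__":
    for group_id, rules in audit(SAMPLE_GROUPS).items():
        print(group_id, rules)
```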
This detailed understanding of the Shared Responsibility Model can immensely aid in the exam, particularly for questions around compliance, security, and risk mitigation. It is also actively beneficial in practical cloud management, clearly outlining the role AWS plays in securing your data and what is on your own security checklist. Overlooking customer responsibilities, or assuming AWS covers them, can lead to a security lapse.
In conclusion, AWS’s responsibilities align more with providing a safe, secure, and compliant infrastructure base for the users to build upon, while customer responsibilities revolve around making the best use of these provisioned services and building secure applications within this provided environment. Both Amazon and the user share the goal of the most resilient, sturdy security achievable.
Practice Test
Secure physical hosting of AWS infrastructure is the user’s responsibility.
- True
- False
Answer: False
Explanation: The secure physical hosting of AWS infrastructure is Amazon’s responsibility. They ensure the security of the global infrastructure and facilities that run AWS services and store customer data.
AWS is responsible for the management, updates, and security of the physical servers.
- True
- False
Answer: True
Explanation: AWS is responsible for managing the underlying infrastructure, updating and hardening it to improve security and to deliver the services defined within the AWS Shared Responsibility Model.
The customer is responsible for managing OS patches in AWS.
- True
- False
Answer: True
Explanation: While AWS manages the underlying infrastructure, customers are responsible for anything they put on the infrastructure, including OS patches and updates.
AWS is responsible for managing an on-premises data centre at the customer’s location.
- True
- False
Answer: False
Explanation: AWS is responsible for managing the AWS cloud infrastructure, not customers’ on-premises data centres.
Who is responsible for controlling access to their AWS resources?
- AWS
- Customer
Answer: Customer
Explanation: Customers maintain full control and ownership over their data, including the region in which it is stored, and the ability to implement access control, including which data is moved into AWS services.
Network-level protection on AWS is a shared responsibility.
- True
- False
Answer: True
Explanation: Network-level protection is a shared responsibility. AWS is in charge of protecting the underlying infrastructure and customers are in charge of ensuring suitable firewalls and access controls are in place.
Customers can use AWS Identity and Access Management (IAM) to control access to their AWS services and resources.
- True
- False
Answer: True
Explanation: Yes, customers are free to use AWS IAM to manage and control access to their resources in the AWS cloud.
AWS shares responsibility for managing the guest operating system, including updates and security patches.
- True
- False
Answer: False
Explanation: Customers are responsible for setting up, managing, and securing their guest operating systems, applications, and data.
AWS is solely responsible for the security configuration of managed services like Amazon RDS and Amazon DynamoDB.
- True
- False
Answer: False
Explanation: While AWS is responsible for the security of the cloud and its services, customers share the responsibility by implementing rigorous security configuration practices.
AWS provides a firewall and private network access for customers by default.
- True
- False
Answer: False
Explanation: While AWS does provide tools like security groups and network access control lists for firewalls, customers must configure these themselves.
Customers bear no responsibility in the AWS Shared Responsibility Model.
- True
- False
Answer: False
Explanation: The AWS Shared Responsibility Model splits responsibilities between AWS and customers. AWS is responsible for the security of the cloud, but customers share responsibility for security in the cloud.
Who carries responsibility in managing applications and data within AWS services?
- AWS
- Customer
Answer: Customer
Explanation: The customer is responsible for everything they put or build on the cloud—including their data, operating systems, platforms, and applications.
Is AWS responsible for encrypting customer’s sensitive data stored on AWS?
- Yes
- No
Answer: No
Explanation: Encryption of sensitive data is primarily the customer’s responsibility. AWS provides the services and features to support encryption, but customers must implement and manage it.
In the AWS shared responsibility model, who is responsible for security in the cloud?
- AWS
- Customer
Answer: Customer
Explanation: While AWS does ensure the security of the cloud, it’s the customer who is responsible for security in the cloud—like managing their own data, applications, and services.
AWS provides all credentials, encryption, and lifecycle management for customers’ data.
- True
- False
Answer: False
Explanation: AWS provides the tools and services to fulfill these responsibilities, but customers are required to manage their own credentials, data encryption, and data lifecycle correctly.
Interview Questions
What does AWS’s responsibility for ‘security of the cloud’ mean?
‘Security of the cloud’ means AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This includes hardware, software, networking, and facilities that run AWS Cloud services.
What is the responsibility of a cloud user under the AWS Shared Responsibility model?
Under the AWS Shared Responsibility Model, the customer is responsible for security ‘in’ the cloud. This means they manage and configure their resources deployed in AWS, manage user access controls, and protect their data.
What is AWS’s responsibility when it comes to software patching?
AWS is responsible for patching and fixing flaws within the infrastructure, but it is the customer’s responsibility to patch their guest OS and applications.
How does AWS ensure physical security of its data centers?
Physical security is part of AWS’s responsibility. AWS employs a robust physical security model including access control, surveillance, and various security certifications. Only a small number of essential staff can access data centers.
Does AWS take responsibility for managing customer data stored in its services?
No, managing the data, including encrypting sensitive data, choosing the region where data is stored, and utilizing backup and restore functionalities, is the customer’s responsibility.
What responsibility does AWS have relating to the hardware of the servers and the physical data centers?
AWS is responsible for the physical security of its servers and data centres. This includes designing, building and maintaining the servers, and protecting and managing the physical environment in which these systems operate.
Are AWS customers responsible for securing their own customer data on AWS?
Yes, securing customer data is the customer’s responsibility in AWS’s Shared Responsibility Model. Customers are responsible for managing and securing their data, including implementing access control policies and encryption.
Is AWS responsible for the security configuration of its customers’ guest operating systems, databases, and applications?
No, within AWS’s Shared Responsibility model, the customer is responsible for security ‘in’ the cloud, which includes the security configuration of guest operating systems, databases, and applications.
What does AWS’s role in incident response include?
AWS’s responsibilities in incident response include offering tools and features for identifying, investigating, taking action on, and reporting security issues. AWS also provides guidance and assistance on how to leverage these tools effectively.
Are AWS users responsible for the security of their AWS accounts?
Yes, the security of the AWS account is the user’s responsibility. Users are responsible for managing their AWS credentials, including password strength and rotation policies, and enabling multi-factor authentication.
Who is responsible for firewalls and encryption in AWS?
AWS provides firewall and encryption services, but the configuration and management of these fall under the responsibility of the cloud user.
What is AWS’s responsibility for the device lifecycle?
AWS is responsible for the secure decommissioning, disposition, and destruction of storage devices at the end of their useful life, as part of its duty in ‘Security of the Cloud’.
Who is responsible for protecting applications from DDoS (Distributed Denial of Service) attacks in AWS?
While AWS provides services like AWS Shield for DDoS protection, the configuration and implementation of these services to protect applications falls under the cloud user’s responsibility.
What role does AWS play in maintaining Service Organisation Control (SOC) compliance?
AWS is responsible for maintaining the controls necessary for SOC compliance within its infrastructure. This includes logical security controls, system availability, and system processing integrity.
How does AWS handle data breaches?
AWS promptly notifies customers if their data has been compromised. However, the responsibility of what actions to take in response to a breach lies with the customer. AWS provides tools and services to secure the infrastructure and help customers comply with their own data breach policies.