Understanding the shared responsibility model is pivotal for any AWS Certified Cloud Practitioner (CLF-C02) candidate. This model divides security and compliance into two parts: those that AWS is responsible for and those that you, as the customer, must manage. Following this model provides better security and compliance, scaling benefits, and innovative opportunities.
I. AWS Responsibilities
Amazon Web Services (AWS) is responsible for the security ‘of’ the cloud. This essentially includes hardware, software, networking, and facilities provided as part of the AWS Cloud services. AWS also manages the infrastructure, the operating software, and the physical security of data centers.
For instance, for AWS services classified as Infrastructure Services, such as Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Virtual Private Cloud (Amazon VPC), AWS operates every component from the physical facilities up to and including the hypervisor.
II. Customer Responsibilities
On the other hand, customers are responsible for security ‘in’ the cloud. This means you must secure the operating systems, platforms, and data you run and store on AWS. Your responsibilities fall into four categories:
- Client-side data encryption and data integrity authentication
- Server-side encryption (file system and/or data)
- Network traffic protection (encryption/integrity checks)
- Managing AWS-provided IAM credentials and policies
Depending on the AWS Cloud services you choose, your responsibility might differ. For example, if you run Amazon EC2 instances, you are accountable for managing the guest operating system (including patches and updates), any application software or utilities installed by you on the instances, and the configuration of the AWS-provided firewall on each instance.
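The firewall configuration mentioned above is a "security in the cloud" task: AWS ships the security-group mechanism, but the rules in it are the customer's. The following added example (not code from the article) audits a constructed set of security groups, in the shape returned by boto3's `ec2.describe_security_groups()`, for management ports reachable from the whole internet; the list of ports and the sample group data are assumptions.

```python
"""Audit security-group ingress for world-open management ports (added example,
not the article's code; input mirrors boto3 ec2.describe_security_groups())."""
from typing import Dict, List

# Ports a defender normally wants closed to the whole internet (assumption).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample: "web-tier" leaks SSH, "db-tier" allows all traffic over IPv6.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-0example1", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "db-tier", "IpPermissions": [
        # IpProtocol "-1" means every protocol and port; no FromPort/ToPort keys.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]

def _world_open(rule: Dict) -> bool:
    """True if any IPv4 or IPv6 range in the rule is the whole internet."""
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)

def _exposed_ports(rule: Dict) -> List[int]:
    """Management ports this rule covers; "-1" or missing ports means all."""
    if rule.get("IpProtocol") == "-1" or "FromPort" not in rule:
        return sorted(MANAGEMENT_PORTS)
    lo, hi = rule["FromPort"], rule["ToPort"]
    return sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)

def find_world_open_management_rules(groups: List[Dict]) -> List[str]:
    """Return 'sg-id:port/service' for every world-open management port."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if _world_open(rule):
                for port in _exposed_ports(rule):
                    findings.append(f"{sg['GroupId']}:{port}/{MANAGEMENT_PORTS[port]}")
    return findings

if __name__ == "__main__":
    for finding in find_world_open_management_rules(SAMPLE_GROUPS):
        print("world-open management port:", finding)
```

A rule with `IpProtocol` of `-1` carries no port keys at all, which is why the check treats it as covering every management port rather than skipping it.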
III. Shared Responsibilities
There are certain areas of responsibility that are shared by AWS and the customer. These shared responsibilities typically arise with AWS managed services. For instance, Amazon RDS is a managed service in which AWS manages the underlying infrastructure, the operating system, and the database software stack, whereas the customer is responsible for managing their data and database instance configurations.
This AWS Shared Responsibility Model allows customers to transfer certain tasks to AWS, thereby helping them to improve their security posture.
| Responsibilities | AWS | Customer |
|---|---|---|
| Security ‘OF’ the Cloud | Yes | No |
| Security ‘IN’ the Cloud | No | Yes |
| Client-side data encryption and data integrity authentication | No | Yes |
| Server-side encryption (file system and/or data) | Partial | Yes |
| Network traffic protection (encryption/integrity checks) | Partial | Yes |
| Managing AWS-provided IAM credentials | No | Yes |
| Managing data and database instance configurations | Partial | Yes |
| Managing operating systems (including patches & updates) | Partial | Yes |
| Managing application software or utilities installed | No | Yes |
In conclusion, understanding the shared responsibility model between AWS and its customers is crucial not only for candidates preparing for the AWS Certified Cloud Practitioner (CLF-C02) exam but also for anyone involved in cloud operations. The model provides guidelines to maximize security and compliance in the AWS Cloud, enabling customers to focus on their core business.
Practice Test
True or False: Under the shared responsibility model, AWS is responsible for the security of the cloud, the customer is responsible for security in the cloud.
- True
- False
Answer: True
Explanation: AWS manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate, while the customer responsibility is determined by the AWS service that is used.
In the AWS shared responsibility model, who is responsible for managing data, including encryption options?
- The customer
- AWS
Answer: The customer
Explanation: The customer manages data including encryption options, and firewall configurations as a part of the shared responsibility with AWS.
True or False: AWS is responsible for patching and fixing flaws within the infrastructure, but not within the customer-created DB instances.
- True
- False
Answer: True
Explanation: AWS is responsible for the underlying infrastructure and services. But the customer is responsible for patching and fixing flaws within the guest operating systems and applications running on, or connected to, their DB instances.
Which of the following responsibilities fall under AWS’s jurisdiction? (Multiple Select)
- a) Physical access to data centers
- b) Decommissioning storage devices
- c) Encryption at rest
- d) Operating system patch management
Answer: a, b
Explanation: AWS is responsible for physical and environmental protection, such as physical access to the data centers and decommissioning storage devices. The customer is responsible for management of the guest operating systems, including updates and security patches, and other associated application software.
In AWS, who is responsible for setting up proper firewall rules on their Amazon EC2 instances?
- The customer
- AWS
Answer: The customer
Explanation: The customer is responsible for setting up proper firewall rules on their Amazon EC2 instances. It falls under the category of “Security in the Cloud”.
In the AWS shared responsibility model, is the customer responsible for controlling who can do what at the AWS Management Console level?
- Yes
- No
Answer: Yes
Explanation: The customer has a responsibility to properly configure their systems and online environment, including setting up access controls and permissions in the AWS Management Console.
True or False: AWS is responsible for properly configuring network segmentation, including Amazon VPCs.
- True
- False
Answer: False
Explanation: The customer is responsible for configuring the resources they control within AWS, including Amazon VPCs.
Who is responsible for end-user access management and identity in AWS?
- The customer
- AWS
Answer: The customer
Explanation: The customer is responsible for managing data, including encryption options, and managing end-user access, including identity and access management.
In AWS, who is solely responsible for maintaining the security of their guest operating systems, databases, and applications?
- The customer
- AWS
Answer: The customer
Explanation: The customer shares the responsibility with AWS but is solely responsible for their customer data and for maintaining the security of their guest operating systems, databases, and applications.
Who is responsible for ensuring encryption and properly managing encryption keys in AWS?
- The customer
- AWS
Answer: The customer
Explanation: The customer is responsible for managing data, including ensuring encryption, properly managing encryption keys (if they choose to implement encryption), and other customer content.
True or False: AWS is responsible for the security of the services they offer.
- True
- False
Answer: True
Explanation: According to the shared responsibility model, AWS is responsible for protecting the infrastructure that runs all of the services offered, including the security of the services they offer.
Who is responsible for the security of application software in AWS?
- The customer
- AWS
Answer: The customer
Explanation: The customer is responsible for maintaining the security of their customer data and for the security of application software.
In the AWS shared responsibility model, does the customer have to comply with specific regulatory standards?
- Yes
- No
Answer: Yes
Explanation: The customer is responsible for evaluating regulations applicable to their industry and geography, then implementing and operating controls to meet their specific regulatory and business requirements.
True or False: AWS takes the responsibility for the life cycle management of AWS IAM credentials.
- True
- False
Answer: False
Explanation: In the shared responsibility model, customers are responsible for managing their IAM credentials. This includes responsibility for creating, rotating, and deleting credentials, consistent with their security best practices.
In the AWS shared responsibility model, who is in charge of handling software updates for applications running on AWS?
- The customer
- AWS
Answer: The customer
Explanation: It is the customer’s responsibility to handle software updates for applications running on AWS. AWS is responsible only for the infrastructure aspects.
Interview Questions
What is the Shared Responsibility Model in AWS?
The Shared Responsibility Model in AWS is a conceptual framework that delineates the responsibilities of the customer and of AWS based on the services in use. It simplifies the security model: customers only need to focus on securing their use of the services, while AWS is responsible for the inherent security of the cloud.
Who is responsible for managing the guest operating system, including updates and security patches, in an Amazon EC2 instance?
The customer is responsible for managing the guest operating system, including updates and security patches, in an Amazon EC2 instance.
For the AWS database services like Amazon RDS, who is responsible for patching and fixing flaws within the database software?
AWS is responsible for patching and fixing flaws within the database software of Amazon RDS.
Who is in charge of the actual firewall rule-sets in the Amazon Virtual Private Cloud (VPC) service?
The customer is in charge of the actual firewall rule sets in the Amazon VPC service.
What responsibilities does AWS have in the Shared Responsibility Model for Amazon S3?
AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, which includes hardware, software, networking, and facilities that run Amazon S3 services.
Who is responsible for maintaining the configuration of the Amazon GuardDuty service?
It is the customer’s responsibility to maintain the configuration of the Amazon GuardDuty service.
When it comes to encryption of data at rest, who is responsible within the AWS Shared Responsibility Model?
Both AWS and the customer share responsibility. AWS provides the capabilities to encrypt data at rest, while customers are responsible for implementing and managing the technology.
In the AWS Shared Responsibility Model, who is accountable for security group management?
The customer is accountable for security group management in the AWS Shared Responsibility Model.
What is the role of the customer regarding data classification and sensitivity in AWS Shared Responsibility Model?
The customer is responsible for classifying their own data based on its sensitivity and selectively encrypting, tokenizing, and anonymizing sensitive data.
Who is responsible for securing the cloud environment in the AWS Shared Responsibility model?
AWS is responsible for securing the cloud environment. This includes the physical security of the data centers, disposing of disks, and ensuring that the machines are comprehensively wiped clean.
Who is responsible for user access management as per AWS Shared Responsibility Model?
The customer is responsible for user access management including enabling Multi-Factor Authentication (MFA), setting up strong password policies, and regularly rotating credentials.
Who is responsible for platform and application management, including updates and security patches, in Amazon Elastic Beanstalk?
The customer is responsible for platform and application management, including updates and security patches, in Amazon Elastic Beanstalk.
Who is responsible for the security of applications that run on AWS?
The customer is responsible for the security of the applications that run on AWS.
Who is responsible for ensuring key management and protection in Amazon S3?
It is the customer’s responsibility to ensure key management and protection in Amazon S3.
What part do customers play in data integrity in AWS?
Customers are responsible for maintaining the data integrity in AWS by adopting appropriate measures, such as regular backups, enabling versioning in Amazon S3, and implementing data checksums.