The Shared Responsibility Model is a critical aspect of the AWS environment. Under this model, AWS is responsible for security “OF” the cloud, while the customer is responsible for security “IN” the cloud.
AWS is responsible for protecting the infrastructure such as hardware, software, networking, and facilities that run AWS cloud services. On the other hand, customers are generally responsible for anything they put on the cloud or connect to the cloud, including customer data, identity and access management, operating system patches and updates, network and firewall configurations, client-side data encryption and data integrity authentication.
II. Customer Responsibilities
Depending on the AWS services you select, your responsibilities vary, but generally include the following:
- Customer Data – AWS customers maintain ownership of their content, which means they’re responsible for the content’s security, including encryption methods and securing access to AWS services and resources.
- Client-side Data Encryption and Data Integrity – AWS customers may choose to add an additional layer of security by implementing client-side data encryption or data integrity mechanisms prior to uploading their data on AWS.
- Identity and Access Management (IAM) – Clients are responsible for setting up appropriate IAM permissions for each of their users. This includes managing the permissions that determine who is authenticated (signed in) and authorized (has permissions) to use resources, and how those resources may be used.
- Operating System, Network and Firewall Configurations – Clients are also responsible for managing their guest operating systems (including updates and patches), other associated applications, and for configuring the AWS-provided firewall appliance.
- Platform Management: Resource and Instance Management – Customers are responsible for their own resource scaling actions, which include launching, stopping, and retiring instances as required.
III. Best Practices
- Setting up IAM Policies – Set up least privilege access – each user should have only those permissions necessary to perform their work.
Example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:Describe*", "s3:ListBucket"],
      "Resource": "*"
    }
  ]
}
```

This policy allows the user to describe EC2 instances and list S3 buckets, and nothing else: IAM denies any action that is not explicitly allowed.
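To make the least-privilege point concrete, here is an added example (not from the original page or from AWS) that evaluates the policy above the way IAM's core rules do: default deny, wildcard matching on Action and Resource, and an explicit Deny overriding any Allow. It also lints for over-broad `*` or `service:*` grants. The `is_allowed` and `overly_broad_statements` helpers are this example's own simplification; conditions, NotAction and resource-based policies are deliberately not modelled.

```python
import fnmatch
import json

# The least-privilege policy from the section above, with straight quotes.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:Describe*", "s3:ListBucket"],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource="*"):
    """Simplified identity-policy evaluation (example helper, not the AWS
    engine): default deny, an explicit Deny beats any Allow, and Action and
    Resource use IAM's '*' wildcard (action names compared case-insensitively).
    Conditions, NotAction and resource policies are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                         for pat in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                           for pat in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed


def overly_broad_statements(policy):
    """Least-privilege lint: flag Allow statements whose action is a bare '*'
    or a service-wide '<service>:*'. Returns (statement index, pattern) pairs."""
    return [(i, pat) for i, stmt in enumerate(policy["Statement"])
            if stmt["Effect"] == "Allow"
            for pat in _as_list(stmt.get("Action", []))
            if pat == "*" or pat.endswith(":*")]
```

Calling `is_allowed(POLICY, "ec2:DescribeInstances")` returns True while `is_allowed(POLICY, "ec2:TerminateInstances")` and `is_allowed(POLICY, "s3:GetObject")` return False, which is exactly the scope the bullet above asks for.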
- Regularly Audit and Rotate Credentials – Regularly rotate and remove old AWS credentials and implement strong password policies.
- Analyze Access Patterns – Look for abnormal or unexpected access patterns or usage behaviors using AWS CloudTrail or Amazon CloudWatch.
- Encrypt Data at rest – Utilize AWS Key Management Service or AWS CloudHSM to protect sensitive data.
Understanding these responsibilities ensures you can make the best use of AWS’s secure cloud platform while also maintaining the security and privacy of your data. Remember, security and compliance are a shared responsibility between AWS and the customer.
Practice Test
True or False: The customer is responsible for the physical security of the AWS data centers.
- True
- False
Answer: False
Explanation: AWS is responsible for the physical security of its data centers. This is part of the “security of the cloud” that AWS is responsible for, as stated in the AWS Shared Responsibility Model.
True or False: Customers are responsible for managing their data, including its classification.
- True
- False
Answer: True
Explanation: Customers keep control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would in an on-site data center.
Which of these are the customer’s responsibility on AWS? (Multiple Select)
- A) Managing the security group settings
- B) Patch management and configuration management
- C) Encryption of customer-created content
- D) Maintaining physical servers
Answer: A, B, C
Explanation: These are part of the customer’s responsibility for managing security ‘in’ the cloud under the AWS Shared Responsibility Model. AWS is responsible for the physical servers (‘security of the cloud’).
On AWS, who is responsible for ensuring that the operating systems are updated and secure?
- A) AWS
- B) Customer
Answer: Customer
Explanation: Customers are responsible for patch management and configuration management of their servers according to the AWS Shared Responsibility Model.
True or False: The customer is responsible for protecting the AWS global infrastructure.
- True
- False
Answer: False
Explanation: The security and maintenance of AWS’s global infrastructure is the responsibility of AWS as part of their “security of the cloud” concept.
True or False: AWS manages system security vulnerabilities for the customer.
- True
- False
Answer: False
Explanation: While AWS is responsible for the infrastructure, customers are responsible for managing system-level vulnerabilities within their own instances.
On AWS, is the customer responsible for securing root user and IAM credentials?
- True
- False
Answer: True
Explanation: In the AWS environment, customers own their data and it’s their responsibility to secure root user and IAM credentials.
Who is responsible for the security of applications running on AWS?
- A) AWS
- B) Customer
Answer: Customer
Explanation: While AWS provides a secure infrastructure and services, the customer is responsible for making sure their applications running on AWS are secure.
Is the customer responsible for maintaining the guest operating system (including updates and security patches) in the AWS cloud?
- True
- False
Answer: True
Explanation: AWS does not have access to the customers’ instances and hence cannot maintain the guest operating systems. It falls under the customers’ responsibility.
Who is responsible for managing user access within an AWS account?
- A) AWS
- B) Customer
Answer: Customer
Explanation: Customers manage user access to AWS services and resources, through methods including AWS Identity and Access Management (IAM).
Interview Questions
What is the customer’s responsibility in the AWS shared responsibility model?
In the shared responsibility model, AWS manages the security of the cloud (hardware, software, networking, and facilities), while customers are responsible for security in the cloud (customer data, applications, operating systems, and other assets).
What role does a customer play in managing Identity and Access Management (IAM) in AWS?
Customers are responsible for managing IAM, which includes creating and managing AWS users or groups, assigning security credentials, and managing permissions to control which operations a user can perform.
Who is responsible for patching and fixing flaws within the customer-controlled software on AWS?
The customer is responsible for patching and fixing flaws within the software they control. AWS is not responsible for these tasks.
What is a customer’s responsibility in terms of data encryption on AWS?
Customers are responsible for managing data encryption. This includes data at rest, in transit, and in use. AWS provides services to assist with encryption, but customers are responsible for using those services correctly.
What’s the customer’s responsibility when it comes to managing AWS instances?
Customers are responsible for managing their AWS instances, which includes choosing an instance type optimized for their workload, scaling instances, and monitoring performance.
Who is responsible for ensuring customers’ AWS services are properly configured?
The customers themselves are responsible for ensuring their AWS services and resources are properly configured to meet their specific security and compliance requirements.
Who is responsible for managing firewall and networking settings on AWS?
Customers are responsible for managing firewall and other networking settings. AWS provides the tools and services to do this (like security groups and VPCs), but it’s up to the customer to use them correctly.
What customer responsibilities are involved when using AWS S3 for storage?
When using AWS S3, customers are responsible for managing the data they store, which involves ensuring proper access controls are in place, classifying data by sensitivity, and encrypting sensitive data.
Who is in charge of monitoring resources in AWS?
The customer bears the responsibility for monitoring resources. AWS provides monitoring tools like CloudWatch, but customers have to set up and manage alerts, metrics and logs.
Are customers responsible for conducting vulnerability scans on their AWS infrastructure?
Yes, customers are responsible for conducting vulnerability scans to ensure compliance with their own security policies and any applicable regulations.
Who is responsible for data integrity in AWS?
The customer is responsible for ensuring data integrity. This includes using services like versioning in S3 and taking regular backups.
Do customers have responsibilities in Disaster Recovery and Business Continuity Planning on AWS?
Yes, customers are responsible for their Disaster Recovery and Business Continuity Planning. They must architect their AWS solutions to be resilient and have backup and recovery processes in place.
Who is responsible for the classification of data stored in AWS?
The customer is responsible for the classification of their data in AWS. This includes ensuring appropriate controls are in place for sensitive data.
Who is responsible for compliance in AWS?
Both AWS and the customer share responsibilities for ensuring compliance. AWS provides a compliant infrastructure and customers are responsible for using that infrastructure in a compliant way.
Who is responsible for cost management in AWS?
The customer is responsible. AWS provides cost management tools like AWS Budgets and Cost Explorer, but it’s up to the customer to use them to monitor and control their costs.