When preparing for the AWS Certified Cloud Practitioner (CLF-C02) exam, understanding the shared responsibility model that AWS operates under is vital. In general terms, this means that AWS is responsible for the security ‘of’ the cloud, while the customer is responsible for security ‘in’ the cloud. However, depending on the specific service used, this model can shift, with AWS taking on more or less responsibility.

AWS’s Responsibility: Security ‘of’ the Cloud

AWS is primarily responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud. This infrastructure includes the hardware, software, networking, and facilities that run AWS services. For example, AWS is in charge of the physical security of its data centers, the maintenance of its server hardware, and the protection of its network backbone.

Customer’s Responsibility: Security ‘in’ the Cloud

Customers using AWS services are responsible for securing their data and applications in the cloud. This can involve several tasks such as managing access controls, ensuring network configurations are secure, and encrypting data.

For example, if you’re using Amazon EC2, you’re responsible for managing the guest operating system (including updates and security patches), any applications or utilities installed by the customer on these instances, and the configuration of the AWS-provided firewall on each instance.

The Shifting Shared Responsibility Based on Service Used

Let’s look at three AWS services – Amazon RDS, AWS Lambda, and Amazon EC2 – to see how responsibility shifts.

Amazon RDS

Amazon RDS is a managed relational database service that offloads much of the administrative burden to AWS. This includes tasks like hardware provisioning, database setup, patching, and backups.

With RDS, AWS retains responsibility for much of the underlying infrastructure and software. However, the customer retains responsibility for the data, and for managing database settings – for example, which IP addresses can access the database.

AWS Responsibility:
  • Hardware and software maintenance
  • Database setup and patching

Customer Responsibility:
  • Data management
  • Database settings configuration

AWS Lambda

AWS Lambda is an event-driven, serverless computing service which runs your code in response to events. The customer is essentially just responsible for writing and uploading their code. AWS takes care of all the infrastructure needed to run and scale the applications.

In this case, AWS assumes even more responsibility.

AWS Responsibility:
  • Hardware and software maintenance
  • Server provisioning and scaling

Customer Responsibility:
  • Application code

Amazon EC2

Amazon EC2 offers scalable computing capacity in the AWS cloud, essentially allowing you to run applications on AWS’s computing environment.

With EC2, AWS is responsible for the foundation services, such as the physical hardware, virtualization layer and network infrastructure. The customer, meanwhile, is responsible for the operating system, firewall configuration, network traffic management, etc.

AWS Responsibility:
  • Hardware maintenance
  • Virtualization layer management

Customer Responsibility:
  • Firewall configuration
  • Applications installed on EC2 instances
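The firewall configuration that EC2 and RDS leave on the customer's side of the line is the security group. The following Python is an added example, not code from the original article: it audits a list of security groups for management ports (SSH, RDP, database listeners) reachable from the whole internet. The input mirrors the shape of the boto3 `describe_security_groups` response (`SecurityGroups` → `IpPermissions`), but the sample groups, their IDs and the port list are constructed for this example, so it runs offline.

```python
"""Audit EC2/RDS security-group ingress rules for management ports open to the world.

Added example, not from the original article. The input mirrors the shape of the
boto3 ``describe_security_groups`` response (``SecurityGroups`` -> ``IpPermissions``);
the sample groups below are constructed for this example, not real resources.
"""

# Ports a practitioner would not normally expose to the whole internet (constructed list).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL/Aurora",
                    5432: "PostgreSQL", 1433: "SQL Server"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_cidrs(permission):
    """Collect the IPv4 and IPv6 CIDRs referenced by one IpPermissions entry."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return cidrs


def _ports_covered(permission):
    """Return the set of management ports one rule covers.

    IpProtocol "-1" means all traffic and carries no FromPort/ToPort keys, so it
    covers every port; a TCP rule is an inclusive [FromPort, ToPort] range.
    """
    if permission.get("IpProtocol") == "-1":
        return set(MANAGEMENT_PORTS)
    if permission.get("IpProtocol") not in ("tcp", "6"):
        return set()
    lo, hi = permission["FromPort"], permission["ToPort"]
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def find_world_open_management_ports(security_groups):
    """Return (group_id, port, service, cidr) for every management port open to the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            open_cidrs = [c for c in _rule_cidrs(perm) if c in WORLD_CIDRS]
            if not open_cidrs:
                continue
            for port in sorted(_ports_covered(perm)):
                for cidr in open_cidrs:
                    findings.append((sg["GroupId"], port, MANAGEMENT_PORTS[port], cidr))
    return findings


# Constructed sample in describe_security_groups shape (not real resources).
SAMPLE_GROUPS = [
    {   # web tier: 443 from anywhere is expected, SSH from anywhere is not
        "GroupId": "sg-0example0web",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # RDS tier: MySQL reachable only from the VPC, the setting the article describes
        "GroupId": "sg-0example0rds",
        "GroupName": "rds-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
    {   # all-traffic rule to the IPv6 world: no FromPort/ToPort keys at all
        "GroupId": "sg-0example0any",
        "GroupName": "legacy-allow-all",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


if __name__ == "__main__":
    for group_id, port, service, cidr in find_world_open_management_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (tcp/{port}) open to {cidr}")
```

Run as-is it reports the SSH rule on the web tier and every management port on the legacy all-traffic group, and nothing for the RDS tier, whose listener is restricted to the VPC range. The `-1` protocol case is handled separately because such rules carry no port keys and would otherwise raise a `KeyError` or be silently skipped.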

In conclusion, the responsibility between AWS and the customer shifts based on the level of abstraction of the service used. The higher the level of abstraction (e.g., AWS Lambda), the more responsibilities AWS takes on, making it easier for the customer to focus on their core application rather than infrastructure management.

Practice Test

True or False: When using Amazon RDS, it is the responsibility of the customer to manage the underlying infrastructure.

  • True
  • False

Answer: False

Explanation: With Amazon RDS, AWS manages the underlying infrastructure, and customers are responsible for managing their data and configuring their instances and instance classes.

Multiple choice: What is the key responsibility of AWS when you are using AWS Lambda?

  • a. Code reusability
  • b. Scaling
  • c. Execution of your code
  • d. All of the above

Answer: c. Execution of your code

Explanation: While code reusability and scaling are benefits to using AWS Lambda, the key responsibility of AWS is to execute your code in response to events.

True or False: With Amazon EC2, AWS is responsible for patching, repairing, and maintaining the EC2 instances.

  • True
  • False

Answer: False

Explanation: For Amazon EC2, AWS manages the underlying infrastructure, but the customer is responsible for patching, repairing and maintaining their own EC2 instances.

Multiple select: What are the shared responsibilities with Amazon S3?

  • a. Encryption and access control
  • b. Data consistency
  • c. Data recovery
  • d. Data durability

Answer: a. Encryption and access control, c. Data recovery

Explanation: With Amazon S3, the consistency, durability, and availability of user data are AWS’s responsibility, but users are responsible for management and security, including encryption, access control and data recovery.

When managing an Amazon RDS database, AWS ensures that the database software remains up to date. True or False?

  • True
  • False

Answer: True

Explanation: AWS manages the underlying infrastructure of Amazon RDS and also takes care of database software patching.

Single select: With AWS Lambda, who is responsible for capacity planning and monitoring?

  • a. AWS
  • b. Customer

Answer: a. AWS

Explanation: AWS is responsible for capacity planning, monitoring, logging and scaling in AWS Lambda.

True or False: With Amazon EC2, customers have to maintain the server, operating system and network controls.

  • True
  • False

Answer: True

Explanation: Although the infrastructure and physical controls are handled by AWS, customers have a great deal of control over the virtual aspects, such as the EC2 instance’s operating system, server and even the network configuration.

Single select: Who is responsible for managing the operating system and application in the EC2 instance?

  • a. AWS
  • b. Customer

Answer: b. Customer

Explanation: With Amazon EC2, customers are responsible for the management of the operating system and the applications they install in the EC2 instance.

True or false: In AWS Lambda, AWS is responsible for performance optimization.

  • True
  • False

Answer: True

Explanation: In AWS Lambda, AWS is responsible for everything from capacity planning and performance optimization to system patching.

Multiple select: When using the Elastic Load Balancing service, which of these is a shared responsibility?

  • a. Building a scalable infrastructure
  • b. Distributing incoming traffic
  • c. Applying security rules
  • d. Generating SSL certificates

Answer: c. Applying security rules, d. Generating SSL certificates

Explanation: While AWS is responsible for maintaining the load balancer and distributing traffic among multiple target instances, customers are responsible for generating SSL certificates and applying appropriate security rules.

Interview Questions

What does the AWS Shared Responsibility Model aim to establish?

The AWS Shared Responsibility Model aims to establish a mutual commitment to the security and compliance of cloud computing. AWS is responsible for the security “of” the cloud, such as hardware, software, networking, and facilities. Customers are responsible for the security “in” the cloud, such as customer data and applications.

Who is responsible for patching and fixing flaws within the system or application being used on a service like Amazon RDS?

AWS is responsible for patching and fixing flaws within the system or application in a service like Amazon RDS. It is a managed service, and much of the infrastructure and database setup and management tasks are taken care of by AWS.

Who is responsible for server host and network-level security in the AWS Lambda service?

In AWS Lambda, AWS is responsible for the underlying server host and network-level security. It includes patch management, firewall configurations, and physical security of the host.

When using Amazon EC2, who is responsible for managing the guest operating system, including updates and security patches?

The customer is responsible for managing the guest operating system, including updates and security patches when using Amazon EC2 instances.

When using Amazon RDS, who would be responsible for setting up and managing the database application?

The customer carries the responsibility of setting up and managing the database application when using Amazon RDS.

In AWS Lambda, who is responsible for the application software, including updates and security patches?

The customer is responsible for all application software and code, including their updates and security patches in AWS Lambda.

Who is responsible for the security of data in-transit in Amazon EC2?

The customer is responsible for security groups, network ACLs, and the security of data in-transit in Amazon EC2.

Who is responsible for the customer data in AWS Lambda?

The security of the customer data in AWS Lambda is the customer’s responsibility.

Who is responsible for ensuring network traffic protection between instances in Amazon EC2?

The customer is responsible for network traffic protection between instances in Amazon EC2, typically by using security groups and network access control lists (ACLs).

When using Amazon RDS, who is responsible for managing network access controls, like database firewall settings?

With Amazon RDS, AWS handles the network access controls like database firewall settings, thereby reducing the operational burden for the customer.

Who is responsible for data encryption at rest in AWS services like Amazon S3?

Data encryption at rest in services like Amazon S3 can be configured by AWS or by the customer. However, customers are commonly encouraged to handle data-level encryption themselves in order to maintain full control.
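Taking that control means two customer-side settings: a default encryption rule on the bucket and a bucket policy that refuses uploads which omit the server-side-encryption header. The Python below is an added example, not from the original article: it evaluates both from the customer's side. The inputs mirror the shapes returned by boto3 `get_bucket_encryption` and `get_bucket_policy` (the policy arrives as a JSON string), but the bucket, key ARN and policy values are constructed for this example and run offline.

```python
"""Check a bucket's encryption-at-rest posture from the customer's side.

Added example, not from the original article. The two inputs mirror the shapes
returned by boto3 ``get_bucket_encryption`` and ``get_bucket_policy`` (the policy
arrives as a JSON string); every sample value below is constructed.
"""
import json


def default_encryption(encryption_config):
    """Return 'SSE-KMS', 'SSE-S3' or 'none' from a get_bucket_encryption response."""
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            return "SSE-KMS"
        if default.get("SSEAlgorithm") == "AES256":
            return "SSE-S3"
    return "none"


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def denies_unencrypted_puts(policy_json):
    """True if the policy has a Deny on s3:PutObject for requests that omit the SSE header."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "s3:PutObject" not in actions and "s3:*" not in actions:
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if str(null_cond.get("s3:x-amz-server-side-encryption", "")).lower() == "true":
            return True
    return False


def encryption_at_rest_findings(encryption_config, policy_json):
    """Combine both checks into a list of readable findings (empty list means no finding)."""
    findings = []
    mode = default_encryption(encryption_config)
    if mode == "none":
        findings.append("no default server-side encryption rule configured")
    elif mode == "SSE-S3":
        findings.append("default encryption is SSE-S3; a customer-managed KMS key gives fuller control")
    if not denies_unencrypted_puts(policy_json):
        findings.append("bucket policy does not deny unencrypted PutObject requests")
    return findings


# Constructed samples (not real buckets, keys or accounts).
KMS_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}
NO_CONFIG = {}  # stands in for a bucket with no default encryption rule

DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
    }],
})
PERMISSIVE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})

if __name__ == "__main__":
    print("hardened bucket:", encryption_at_rest_findings(KMS_CONFIG, DENY_POLICY))
    print("weak bucket:", encryption_at_rest_findings(NO_CONFIG, PERMISSIVE_POLICY))
```

The hardened pair (KMS default rule plus the deny statement) produces no findings; the weak pair produces one finding for each missing control. Against a live account, `get_bucket_encryption` raises an error rather than returning an empty document when no rule exists, so a caller would map that exception to the `NO_CONFIG` shape used here.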

In AWS Lambda, who is responsible for access management at the account and user levels?

The customer is responsible for access management at the account and user levels in AWS Lambda.

Who handles platform and infrastructure patching in Amazon EC2?

AWS handles the platform and infrastructure patching in Amazon EC2, but the customer is responsible for patching the operating systems and applications running on those instances.

Who is responsible for the compliance of customer application software deployed in AWS Lambda?

The customer is responsible for ensuring that their application software deployed in AWS Lambda complies with all applicable laws and regulations.

Who is responsible for configuring the instance-level security in Amazon EC2?

The customer is responsible for setting up the EC2 instance-level security, including firewall rules, network, and security group configurations.
