AWS Responsibilities
Remember that AWS is responsible for security of the cloud. That is, AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud: the hardware and software that power each service, and the networking and facilities they run on.
Specific Amazon responsibilities include the following:
Cloud software, including compute, storage, networking, and database software
Hardware
AWS global infrastructure, including Regions, Availability Zones, and Edge Locations
As we will elaborate on in the next section, it is important to remember that the dividing line between AWS and customer responsibilities shifts based on the AWS service selected. While it might seem difficult to track where that line falls for each service, a simple rule of thumb works well: if a setting is exposed to you in the Management Console, the CLI, or an API, it is yours to configure and therefore yours to secure; anything you cannot see or change is on the AWS side of the line.
Customer Responsibilities
Remember that the customer is responsible for security in the cloud. Specific examples of customer responsibilities include the following:
Customer data
Platform, applications, and identity and access management (IAM)
Guest operating systems
Network and firewall configurations
Client-side data encryption
Server-side encryption (file system and/or data)
Network traffic protection (encryption, integrity, and identity)
Figure 7-2 shows an example of a customer checking the security group settings that apply to an EC2 instance. This is a perfect example of a customer responsibility. AWS is responsible for making sure the security group enforces its rules exactly as written, but it is the customer’s responsibility to write rules that admit only the traffic the instance should actually receive.
Figure 7-2 Checking the Security Group Settings for an EC2 Instance
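The check shown in Figure 7-2 can also be automated. The following is an added example (not from the book or from AWS) that walks the ingress rules of one security group and flags any rule that opens a sensitive port, or every port, to the whole internet. The input has the shape of one entry in the "SecurityGroups" list returned by `aws ec2 describe-security-groups`; the sample group, its group IDs and the list of sensitive ports are constructed for the example, and the CIDR 203.0.113.0/24 is a documentation range standing in for a corporate address block.

```python
"""Audit an EC2 security group for ingress rules open to the whole internet.

`group` is one element of the "SecurityGroups" list returned by
`aws ec2 describe-security-groups` (or boto3 ec2.describe_security_groups()).
The sample group below is constructed for this example; it is not from a real account.
"""
import ipaddress

# Services that should essentially never be reachable from 0.0.0.0/0 or ::/0.
# Assumed list; extend it to match your own environment.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
    5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}


def _is_anywhere(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _exposed_ports(perm):
    """Return (port, label) pairs worth reporting for one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "-1" means all protocols and ports
        return [("all", "all protocols and ports")]
    if proto not in ("tcp", "udp"):
        return []                          # ICMP and others: out of scope here
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    if lo == 0 and hi == 65535:
        return [("all", "all %s ports" % proto)]
    return [(p, name) for p, name in SENSITIVE_PORTS.items() if lo <= p <= hi]


def audit_security_group(group):
    """One finding per (open CIDR, exposed port) pair in the group's ingress rules.

    Rules that reference another security group (UserIdGroupPairs) or a
    specific CIDR are not flagged: they are restricted to a known source.
    """
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_cidrs = [c for c in cidrs if _is_anywhere(c)]
        for cidr in open_cidrs:
            for port, label in _exposed_ports(perm):
                findings.append({"group": group["GroupId"], "cidr": cidr,
                                 "port": port, "service": label})
    return findings


# Constructed sample shaped like a DescribeSecurityGroups response entry.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        # HTTPS from anywhere: expected for a public web tier, not flagged.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # SSH from the whole internet: the classic misconfiguration.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # SSH from a known corporate range (documentation prefix): fine.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        # MySQL reachable only from another security group: not an IP rule, not flagged.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}

if __name__ == "__main__":
    for f in audit_security_group(SAMPLE_GROUP):
        print("%(group)s: %(service)s (port %(port)s) open to %(cidr)s" % f)
```

Run against the sample, the audit reports exactly one finding, the SSH rule open to 0.0.0.0/0; the HTTPS rule is deliberately left alone because a public web tier is expected to listen on 443. The remediation is the customer's to make: restrict the source to a known CIDR or to another security group, or remove the inbound SSH rule entirely and reach instances through AWS Systems Manager Session Manager instead.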
Also remember that your customer responsibilities vary based on the specific services selected. Here are some examples you should consider:
If you are relying heavily on Simple Storage Service (S3) for storage, you are responsible for understanding and correctly configuring who can reach your buckets and objects: bucket policies, IAM policies, ACLs, and the Block Public Access settings, as well as the encryption applied to the data at rest.
If you choose to use EC2, you are required to keep the guest operating system updated and patched, and you are also responsible for the application software installed on it. You are responsible for the security group configuration of the instance as well, as shown earlier in the chapter.
If you choose to use the managed Relational Database Service (RDS), AWS secures and patches the underlying operating system and database engine, but you remain responsible for your data, the database users and their credentials, the security groups that control network access to the instance, and whether storage and client connections are encrypted.
If you choose to use the serverless compute service Lambda, AWS is responsible for securing the compute resources and execution environments that run your functions and for patching the supported runtimes, but you remain responsible for your function code and its dependencies, the IAM execution role and permissions the function is granted, and the data the function reads and writes.
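The S3 responsibility above is the one most often mishandled, so here is an added example (not from the book or from AWS) of the kind of check a customer owns: it parses a bucket policy document and reports every Allow statement whose Principal is the wildcard, the setting that makes a bucket reachable by anonymous callers. The input is the policy JSON as returned in the "Policy" field of `aws s3api get-bucket-policy`; the sample policy, bucket name, account ID, role name and organization ID are all constructed for the example, and the severity labels are an assumed scheme, not an AWS classification.

```python
"""Find S3 bucket-policy statements that grant access to everyone.

`policy_json` is the policy document as JSON text, e.g. the "Policy" field
returned by `aws s3api get-bucket-policy --bucket <name>`. The sample policy
below is constructed for this example and does not describe a real bucket.
"""
import json

# Action prefixes treated as write access for severity purposes (assumed scheme).
WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:*", "*")


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_values(stmt):
    """Flatten the Principal element to a list of strings."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        values = []
        for v in principal.values():
            values.extend(_as_list(v))
        return values
    return _as_list(principal) if principal is not None else []


def _grants_everyone(stmt):
    # "*" and {"AWS": "*"} both mean any principal, including anonymous callers.
    return "*" in _principal_values(stmt)


def classify(stmt):
    """Severity for a wildcard-principal Allow statement (assumed scheme)."""
    if "Condition" in stmt:
        return "review"      # scoped by a condition; verify the condition is sufficient
    actions = _as_list(stmt.get("Action", []))
    writes = any(a.startswith(WRITE_PREFIXES) for a in actions)
    return "critical" if writes else "high"


def find_public_statements(policy_json):
    """Return one finding per Allow statement whose Principal is the wildcard."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        # Deny statements never grant access, so only Allow can make data public.
        if stmt.get("Effect") != "Allow" or not _grants_everyone(stmt):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "severity": classify(stmt),
        })
    return findings


# Constructed sample policy covering the cases the check distinguishes.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Public read of a static-site prefix: possibly intended, still public.
            "Sid": "PublicSiteRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/site/*"},
        {   # Anyone can list, write and delete: a misconfiguration.
            "Sid": "Oops", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": ["s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"]},
        {   # Wildcard principal limited to one organization: needs review, not open.
            "Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/shared/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {   # A specific role in the account: not flagged.
            "Sid": "AppRole", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*"},
        {   # A Deny with a wildcard principal is a guardrail, not a grant.
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for f in find_public_statements(SAMPLE_POLICY):
        print("%(severity)s: %(sid)s grants %(actions)s on %(resources)s to everyone" % f)
```

On the sample the check reports three statements: PublicSiteRead (public read), Oops (public write and delete) and OrgRead (wildcard principal narrowed by a condition, which a reviewer still has to confirm is tight enough). A policy audit like this complements, but does not replace, the account- and bucket-level Block Public Access settings, which stop such statements from taking effect in the first place.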
Exam Preparation Tasks
As mentioned in the section “How to Use This Book” in the Introduction, you have a few choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.
Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 7-2 lists these key topics and the page number on which each is found.