Understanding the Shared Responsibility Model
The AWS shared responsibility model divides security responsibilities between two parties: the AWS customer (you) and Amazon (AWS). No longer being responsible for a large portion of the security work that scalable data centers require is a significant advantage: you can leverage Amazon's budget and its deep operational expertise.
The next two sections of this chapter give examples of responsibilities in each part of the model. For now, it is important to realize that Amazon's responsibilities run from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. It is your responsibility as the customer to secure the guest operating system (including updates and security patches), your application software, and the configuration of the AWS-provided firewall (security groups).
Be aware that customer responsibilities vary depending on which services the customer chooses to use. They further vary with how deeply those AWS services are integrated into the customer's own IT infrastructure, and with the laws and regulations the customer must follow. Examples of the different responsibility levels for different services are given later in the chapter.
As shown in Figure 7-1, AWS is responsible for security "of" the cloud, and the customer is responsible for security "in" the cloud.
Figure 7-1 The AWS Shared Responsibility Model
In addition to partitioning operational security concerns between the customer and AWS, the shared responsibility model also applies to the IT controls that are in use. Amazon groups these controls into three categories:
Inherited controls: These are security controls the customer fully inherits from AWS. The physical and environmental security controls used by Amazon are the clearest examples.
Shared controls: These are controls that apply both to Amazon's infrastructure layer and to the customer's responsibilities, but each party applies them in a completely separate context. AWS provides the control for the infrastructure, and the customer must provide their own implementation of the control within their use of the services. A good example is Identity and Access Management (IAM). AWS must secure the IAM service itself, keep it compliant with the relevant regulations, and ensure it functions as intended; the customer must write well-crafted, least-privilege policies and attach them correctly.
Customer-specific controls: These are security controls for which the customer is solely responsible, and they vary based on the services the customer selects. A good example is applying security patches to the guest operating system of an EC2 instance.
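The customer's half of the IAM shared control described above, the "well-crafted policies", is something you can check mechanically. The following is an added example (not code from the book or from AWS) of a small heuristic policy linter: it parses an IAM policy document and flags Allow statements that use wildcard actions, a bare "*" resource without a Condition, or NotAction/NotResource. The two policy documents are constructed for this example; the bucket name and policy structure are assumptions, and the check is a first pass rather than a substitute for AWS's own policy validation tooling.

```python
import json

# Constructed sample policy documents for illustration (not taken from the book).
BROAD_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}"""

SCOPED_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-app-uploads/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "*"
    }
  ]
}"""


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_statement(stmt, index):
    """Return (sid, reason) findings for one statement; Deny statements are never flagged."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid", f"Statement[{index}]")

    # NotAction / NotResource allow everything *except* the listed items: almost always too broad.
    if "NotAction" in stmt:
        findings.append((sid, "uses NotAction, which allows every action not listed"))
    if "NotResource" in stmt:
        findings.append((sid, "uses NotResource, which allows every resource not listed"))

    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    full_wildcard = [a for a in actions if a == "*"]
    service_wildcard = [a for a in actions if a != "*" and a.endswith(":*")]

    if full_wildcard:
        findings.append((sid, "Action '*' grants every API call"))
    elif service_wildcard:
        findings.append((sid, "service-wide wildcard action(s): " + ", ".join(service_wildcard)))

    # Some actions genuinely require Resource '*', so only flag it when no Condition narrows it.
    if "*" in resources and not stmt.get("Condition"):
        findings.append((sid, "Resource '*' with no Condition"))
    return findings


def check_policy(policy_json):
    """Parse a policy document (JSON string) and return every finding as a (sid, reason) tuple."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        findings.extend(check_statement(stmt, index))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY_JSON), ("scoped", SCOPED_POLICY_JSON)):
        results = check_policy(doc)
        print(f"{name}: {len(results)} finding(s)")
        for sid, reason in results:
            print(f"  {sid}: {reason}")
```

Run against the two constructed documents, the broad policy produces four findings (a full wildcard action, a service-wide s3:* wildcard, and an unconditioned "*" resource on each statement) while the scoped policy produces none: the Allow statement names specific actions on a specific bucket ARN, and the Deny statement is not a grant. The point is the division of labour: AWS guarantees that the policy engine evaluates these documents correctly, but only the customer can decide whether what they say is appropriate.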