This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.
Cloud Security Basics: Shared Responsibility Model Explained
The shared responsibility model is the foundational concept in cloud security. It defines what the cloud provider secures versus what the customer must secure. Misunderstanding this boundary is the root cause of most cloud data breaches.
The Shared Responsibility Model
Every major cloud provider — AWS, Google Cloud, and Azure — operates under a shared responsibility model. The provider secures the infrastructure that runs the services. The customer secures everything they deploy on top of that infrastructure.
AWS shared responsibility: AWS secures the hardware, software, networking, and facilities that run AWS services. The customer secures their data, platform applications, identity and access management, operating system patches, network firewall configurations, and client-side encryption.
GCP shared responsibility: Google secures the physical infrastructure, storage, networking, and encryption-at-rest infrastructure. The customer secures their data classifications, access policies, application configurations, and identity management.
Azure shared responsibility: Microsoft secures physical hosts, networks, and datacenters. The customer secures their data, identities, applications, and account management. For platform-as-a-service (PaaS) services, Microsoft takes on more responsibility for the runtime.
Identity and Access Management (IAM)
IAM is the gatekeeper of your cloud environment. Every API call to a cloud provider passes through IAM authorization.
AWS IAM
AWS IAM uses policies written in JSON to grant or deny permissions. Policies attach to users, groups, or roles.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}
Best practices for IAM:
Apply the principle of least privilege. Grant only the permissions a role or user needs.
Use IAM roles rather than long-lived access keys. EC2 instances and Lambda functions should assume roles.
Enable AWS IAM Access Analyzer to identify unused permissions.
Require multi-factor authentication for the root account and all privileged users.
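As an added example (not code from the original article), the following Python checks an IAM policy document against the least-privilege practice described above: it flags Allow statements that use wildcard actions, service-wide wildcards, wildcard resources, or NotAction. The scoped S3 policy is the one shown earlier on this page; the over-permissive policy is a constructed contrast case.

```python
import json

# The page's own example policy, reproduced here as the "scoped" test input.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

# Constructed over-permissive policy (not from the page), used as the contrast case.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a single string/object or a list in these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_least_privilege_violations(policy):
    """Return findings for Allow statements broader than least privilege:
    wildcard actions, service-wide wildcards, wildcard resources, or NotAction."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot over-grant
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"statement {i}: action '*' allows every API call")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: action '{action}' allows a whole service")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: resource '*' applies to every resource")
    return findings


if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(name, find_least_privilege_violations(pol) or ["no findings"])
```

Run against a policy exported from your account, this is the kind of check that catches the wildcards least privilege is meant to rule out before the policy is attached.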
GCP IAM