🌅 Exam Guide: Cloud Practitioner
Domain 2: Security & Compliance
📘Task Statement 2.1
A New Dawn, A New Domain
New year, new you… and new domain on the exam. While you’re setting goals like drink more water, AWS is setting goals like keep the cloud from catching fire. The catch: some security tasks are yours.
Welcome to the AWS Shared Responsibility Model.
🎯 What Is This Task Testing?
You must understand:
- The AWS shared responsibility model
- The major components of the model
- What AWS is responsible for
- What the customer is responsible for
- What is shared
- How responsibilities shift depending on the service (e.g., Amazon EC2 vs Amazon RDS vs AWS Lambda)
🧠 The AWS Shared Responsibility Model
The simplest way to remember it:
- AWS is responsible for security OF the cloud
- Customers are responsible for security IN the cloud
This model helps define who handles which security controls, reducing confusion and improving risk management.
1) ☁️ AWS Responsibilities (Security OF the Cloud)
AWS is responsible for protecting the underlying infrastructure that runs AWS services.
AWS typically handles:
- Physical security: data centers, buildings, access controls, surveillance
- Hardware and infrastructure: servers, storage, networking equipment
- Virtualization layer: host OS/hypervisor for many services
- Core networking and foundational services that support the platform
If it’s about data centers, hardware, or the base cloud infrastructure, it’s almost always AWS.
2) 🧑‍💻 Customer Responsibilities (Security IN the Cloud)
Customers are responsible for what they deploy and configure on AWS, including controlling access and protecting their data.
Customers typically handle:
- Identity and access management (IAM): users, roles, policies, MFA
- Data protection: encryption choices, key management decisions, data classification
- Network configuration: security groups, NACLs, VPC configuration
- OS and application management: patching, hardening when applicable
- Customer data: what you store, how you store it, who can access it
- Logging and monitoring configuration: which activity you track and which alerts you enable
If it’s about permissions, misconfiguration, data exposure, or application security, it’s usually the customer.
3) 🤝 Shared Responsibilities (Depends on Context)
Some areas are shared because both AWS and the customer play a role.
Common shared areas:
- Configuration management: AWS provides secure tools, customers must configure them correctly.
- Patch management: AWS patches infrastructure, customers patch OS/apps when they manage them.
- Awareness and training: AWS provides documentation, customers ensure staff follow best practices.
- Incident response: AWS secures the platform, customers respond to events in their accounts/workloads.
- Compliance: AWS provides compliant infrastructure, customers must architect and operate compliantly.
If “AWS provides the capability, customer must enable/configure it,” that’s usually shared.
4) 🔄 How Responsibilities Shift by Service Type
Your responsibility changes based on whether you’re using IaaS, PaaS, or serverless/managed services.
A. Amazon EC2
EC2 is closer to “you run a server,” so you manage more.
AWS handles: physical facilities, hardware, underlying infrastructure
Customer handles: guest OS patching, software installs, configuration, application security, data, IAM, network controls
With EC2, you are responsible for the operating system and above.
B. Amazon RDS
RDS is a managed database service, so AWS takes over more operational tasks.
AWS handles: database engine patching/maintenance (service-dependent), backup features, underlying infrastructure
Customer handles: database access controls, network exposure, encryption settings, parameter choices, data, IAM
You don’t manage the database host like you would on EC2, but you still control data security and access.
C. AWS Lambda
Lambda is serverless, so there are no servers to manage.
AWS handles: servers, OS, runtime infrastructure, scaling, availability of the service
Customer handles: function code, IAM permissions, secrets management, event/input validation, data protection
You focus on code + permissions + data, while AWS runs the platform.
Quick Comparison
- EC2: customer manages OS + patching + runtime + app
- RDS: AWS manages database platform, customer manages data + access + configuration
- Lambda: AWS manages servers/OS/scaling, customer manages code + IAM + data
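An added example (not from the original guide) that puts the customer side of section 4 into code: three small checks that flag settings AWS will not fix for you on EC2, RDS and Lambda. The inputs are constructed dicts shaped like the output of boto3's describe_security_groups, describe_db_instances and get_role_policy; the group id, instance name and function name are made-up placeholders.

```python
# Ports a customer rarely wants reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

def _as_list(value):
    """IAM allows a single string where a list is also valid; normalise it."""
    return [value] if isinstance(value, str) else list(value)

def check_security_group(sg: dict) -> list[str]:
    """EC2 / RDS network exposure: flag sensitive TCP ports open to 0.0.0.0/0."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            continue
        # IpProtocol "-1" (all traffic) carries no port range: treat it as every port.
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"{sg['GroupId']}: {name} ({port}) open to 0.0.0.0/0")
    return findings

def check_rds_instance(db: dict) -> list[str]:
    """RDS: AWS patches the engine, but exposure and encryption settings are yours."""
    ident, findings = db["DBInstanceIdentifier"], []
    if db.get("PubliclyAccessible"):
        findings.append(f"{ident}: PubliclyAccessible is true")
    if not db.get("StorageEncrypted"):
        findings.append(f"{ident}: StorageEncrypted is false")
    return findings

def check_role_policy(name: str, policy: dict) -> list[str]:
    """Lambda: AWS runs the platform, but the function's IAM grant is yours."""
    findings = []
    for stmt in policy.get("Statement", []):
        values = _as_list(stmt.get("Action", [])) + _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") == "Allow" and "*" in values:
            findings.append(f"{name}: role policy allows Action/Resource '*'")
    return findings

# Constructed sample data shaped like boto3 describe_security_groups / describe_db_instances / get_role_policy output.
SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SAMPLE_DB = {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True, "StorageEncrypted": False}
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

def run_checks() -> list[str]:
    """Every customer-side finding across the three service types, in order."""
    return (check_security_group(SAMPLE_SG) + check_rds_instance(SAMPLE_DB)
            + check_role_policy("order-handler", SAMPLE_POLICY))
```

Port 443 open to the world is not reported, because a public HTTPS listener is a normal customer choice; SSH to the world, a public unencrypted database and a wildcard IAM grant are the findings.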
✅ Quick Exam-Style Summary
- AWS Shared Responsibility Model:
  - AWS = security OF the cloud
  - Customer = security IN the cloud
- Responsibilities shift by service:
  - more managed/serverless = more AWS responsibility
  - more infrastructure control (like EC2) = more customer responsibility