I’m gonna cover a concept known as the AWS shared responsibility model.
So this is a graphic straight from AWS. This is a very important concept. You need to understand what it is that you are responsible for and what it is that AWS, as the provider of cloud services, is responsible for. And so you can see that delineation here.
Your Data: Your Responsibility
Now on the top there, we’ve got the customer – that’s you as the consumer of the cloud. Of course, at the very, very top, there is data. Data is your problem. That’s your data. It’s your responsibility.
Of course, underlying all this for data, we’ve got storage, we’ve got databases, and we’ve got connectivity services for transmitting data. AWS supplies those services and they supply the options for things like encryption. They make sure that your data is durably stored and copied into different places. So you need to understand how they do that and what the levels of durability and availability are. But ultimately, you’re responsible for your data.
Identity and Access Management
Now, again, for platform applications and identity and access management, AWS provides the Identity and Access Management (IAM) service, but you’re responsible for creating users, groups, roles, and policies, and for assigning the correct permissions. If you grant too many permissions and somebody does something that they shouldn’t, then unfortunately, that is your responsibility. That does become your problem.
Operating Systems and Network Configuration
Underneath that, we’ve got operating systems. Now here, in some cases, AWS will manage things like operating system patches, so there are examples where that’s a shared responsibility. But mainly, for example, if you’re using the Amazon EC2 service, then the Windows or Linux updates are something that you have to manage.
Again, network and firewall configuration is there. AWS will provide features for networking capabilities like security groups, which are firewalls for EC2 instances, and network access control lists, and they give you the ability to encrypt your communications as well. But you ultimately have to utilize those resources and features to make sure that your data is properly protected.
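To make the customer side of this split concrete, here is an added example (not from the original talk or from AWS) that audits two of the settings just described: IAM policy statements that hand out wildcard permissions, and security group rules that leave ports open to the whole internet. The policy document and the ingress rules are constructed sample data in the JSON shapes the IAM and EC2 APIs return; the function names and the set of ports treated as acceptably public are assumptions of this example.

```python
"""Audit customer-side AWS settings: IAM policy breadth and security group ingress."""
import json

# Constructed sample IAM policy document (standard AWS policy JSON shape).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

# Constructed sample ingress rules, shaped like EC2 DescribeSecurityGroups IpPermissions.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return indexes of Allow statements that grant wildcard actions on every resource."""
    hits = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            hits.append(index)
    return hits


def world_open_ports(ingress, allowed=frozenset({80, 443})):
    """Return ports reachable from 0.0.0.0/0 or ::/0, excluding the allowed public ports.
    A rule with IpProtocol "-1" covers every protocol and port and is reported as "all"."""
    exposed = set()
    for rule in ingress:
        cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        if rule.get("IpProtocol") == "-1":
            exposed.add("all")
            continue
        exposed.update(p for p in range(rule["FromPort"], rule["ToPort"] + 1) if p not in allowed)
    return exposed
```

Fed the real output of `get-policy-version` and `describe-security-groups`, the same two functions give a quick list of where the customer side of the model has been left too open.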
Encryption and Protecting Your Data
So the three boxes in the middle here in blue are all about encryption and protecting your data at rest and in transit – all your responsibility.
AWS Global Infrastructure
Underlying all this, of course, we have AWS, and AWS will provide the regions, the availability zones, the edge locations (those are the ones for Amazon CloudFront). They’re gonna manage all that global infrastructure, including the security of it, and then the various services on top of that.
So you’ve got the infrastructure layer – compute, storage, database, networking, and more. And then all the software on top of that. So they are obviously responsible for that. They say that they are responsible for the security of the cloud and you’re responsible for security in the cloud.
Customer Responsibility vs. AWS Responsibility
Just to show you this in a slightly different graphic here, you can see the customer responsibility on the top and the AWS responsibility on the bottom. So things like managing the data in your buckets, that’s up to you, as is creating things like roles, setting up multi-factor authentication, configuring security groups, and network access control lists. This is all a customer responsibility along with things like patch management.
And then underlying that, we’ve got the actual database servers, disk drives, physical network switches and routers, and the software layers, the control planes that sit on top of them. And of course, the data center security, that’s no longer something you have to worry about.
Conclusion
So that’s the AWS shared responsibility model. There’s much more information on this on the AWS website. It is important to understand this split of responsibilities so that you know what you’re responsible for and what AWS will be providing.
For more detailed insights and best practices, you can also refer to AWS’s official documentation on Security Best Practices and Identity and Access Management.