In this post, I will be talking about Understanding the Shared Responsibility Model in AWS. This is otherwise known as "YOUR RESPONSIBILITY" vs "AWS RESPONSIBILITY". If you're just about getting started with the AWS Cloud for your business or you're planning to run a test app on AWS Cloud as a developer, it is very important that you understand the shared responsibility model that forms the bedrock of the security and compliance of operation activities in AWS Cloud so as to have a smooth experience.
If you need to learn about the steps you can take to secure an AWS EC2 Instance in AWS, read this
As a customer, you are responsible for the security in the cloud. So whatever you use, however you configure it, it is completely your responsibility to secure them. These includes your data, operating system, networking environment, and firewall configurations etc. While on the hand, AWS is entirely responsible for the security of the cloud. So all the infrastructure, hardware, software, and their own internal security are purely the responsibility of AWS to secure.
When you use AWS Cloud, you're agreeing to the Acceptable Use Policy which can be found right here. What this means is when you're using the AWS Cloud, it is obvious that you cannot do any illegal, harmful or offensive use of content, security violations, network abuse and e-mail or other informational abuse.
The diagram below gives us some good examples of where the line is of who is responsible for what.
As you can see from the diagram above, at the bottom side of it we have the Regions, Availability Zones and Edge Locations. These are known as the Global Infrastructure in AWS Cloud. Right above the items (Global Infrastructure), we have Compute,Storage,Database and Networking. These are the physical servers and the software layers that runs on them. For instance, the compute server in the AWS Datacenter runs an Operating System. Now, it is not your responsibility to manage these servers but that of AWS. Similarly, the storage system also runs some kind of software and they have physical disk and networking configurations and all that is taking care of by the AWS.
Furthermore, for database, it depends on the kind of database. In this case, for instance, DynamoDB is a database and you are responsible for provisioning a table on it and then you're also responsible for the data you store on the table but the underlying database and the hardware that runs on it are taking care of by the AWS.
Then there is networking in which we have the physical network equipment, and then the routing and switching software that sits on top of them. This is run by AWS. If you move to the top ladder of the diagram as a customer you're responsible for the networking traffic rotation, how you encrypt your data and make sure it is going to the right place for your route tables and so on. You're also responsible for the configuration of network firewalls such as using security groups and Network Access Control List (NACL) are all part of your responsibilities as a customer.
Server-Side-Encryption (SSE) of your data. For instance, encrypting your data on Amazon S3 is your responsibility. So all forms of encryption are your responsibility. And then you got the Client-Side-Data Encryption as well that's encrypting data that can be brought into the AWS Cloud yourself.
For the Operating system, if you're running a Linux, Windows or macOS based EC2 instance you need to manage the security, patching of the guest OS, and update the application that runs on it by yourself. As mentioned before, for the networking and firewall configurations if you're running a firewall on your EC2 instance or you're using security groups and access control list it is your responsibility as a customer to ensure they are well implemented.
Moving up another layer in the diagram, we have Platform, Applications and Identity and Access Management. So here we're looking at things like the applications that you install on your system and also the authentication and authorization system, user groups, roles and policies are the customer's responsibility.
Finally, from the diagram, the actual data itself (known as the Customer data) that you store in the AWS cloud is solely what you're responsible for as the customer.
In conclusion, the AWS Shared Responsivity Model defines what you as an AWS customer or a user are responsible for and what AWS are also responsible for and it is in relation to security and compliance. Remember, that AWS is responsible for the security of the cloud that means protecting the infrastructure that runs the services offered in the cloud and these includes hardware, software, networking and facilities that runs AWS cloud services. On the other hand, customers are responsible for security in the cloud and these includes EC2, network access control lists (NACLs), Security groups, Operating system patches and updates, IAM users access management, and client and server-side data encryption.
For further reading, checkout the following links: