TL;DR
Overview
- Security and compliance in AWS are shared responsibilities between AWS and the customer
- The model distinguishes between security "of" the cloud (AWS) and security "in" the cloud (customer)
AWS Responsibility
- AWS manages the security of the cloud, including infrastructure, hardware, and networking components
- Responsibilities vary based on service category: infrastructure services vs. abstracted services
Customer Responsibility
- Customers are responsible for security in the cloud, including proper configuration and data security
- Customer responsibilities differ between infrastructure services (e.g., EC2) and abstracted services (e.g., S3)
- Customers maintain control of their data, including choosing regions, implementing data protection, and managing access control
Key Considerations
- Customers must review their responsibilities for each AWS service and align with their IT security standards and regulations
I. Overview
Security and compliance are a shared responsibility between AWS and you.
When you work with the AWS Cloud, managing security and compliance is a shared responsibility between AWS and you. To depict this shared responsibility, AWS created the shared responsibility model.
The distinction of responsibility is commonly referred to as security of the cloud as compared to security in the cloud.
II. AWS responsibility
AWS is responsible for security of the cloud. This means that AWS protects and secures the infrastructure that runs the services offered in the AWS Cloud. AWS is responsible for the following:
- Protecting and securing AWS Regions, Availability Zones, and data centers, down to the physical security of the buildings
- Managing the hardware, software, and networking components that run AWS services, such as the physical servers, host operating systems, virtualization layers, and AWS networking components
The level of responsibility that AWS has depends on the service. AWS classifies services into two categories. The following table provides information about each, including the AWS responsibility.
To learn more, expand the following category.
Category | Examples of AWS Services in the Category | AWS Responsibility |
---|---|---|
Infrastructure services | Compute services, such as Amazon Elastic Compute Cloud (Amazon EC2) | AWS manages the underlying infrastructure and foundation services. |
Abstracted services | Services that require very little management from the customer, such as Amazon Simple Storage Service (Amazon S3) | AWS operates the infrastructure layer, operating system, and platforms, in addition to server-side encryption and data protection. |
III. Customer responsibility
Customers are responsible for security in the cloud. When using any AWS service, the customer is responsible for properly configuring the service and their applications, in addition to ensuring that their data is secure.
The customers' level of responsibility depends on the AWS service. Some services require the customer to perform all the necessary security configuration and management tasks. Other more abstracted services require customers to only manage the data and control access to their resources. Using the two categories of AWS services, customers can determine their level of responsibility for each AWS service that they use.
To learn more, expand the following category.
Category | Examples of AWS Services in the Category | Customer Responsibility |
---|---|---|
Infrastructure services | Compute services, such as Amazon Elastic Compute Cloud (Amazon EC2) | Customers control the operating system and application platform, in addition to encrypting, protecting, and managing customer data. |
Abstracted services | Services that require very little management from the customer, such as Amazon Simple Storage Service (Amazon S3) | Customers are responsible for customer data, encrypting the data, and protecting it through network firewalls and backups. |
Due to the varying levels of effort, customers must consider which AWS services they use and review the level of responsibility required to secure each service. They must also review how the AWS shared responsibility model aligns with the security standards in their IT environment in addition to any applicable laws and regulations.
A key concept is that customers maintain complete control of their data and are responsible for managing the security related to their content. For example, you are responsible for the following:
- Choosing a Region for AWS resources in accordance with data sovereignty regulations
- Implementing data-protection mechanisms, such as encryption and scheduled backups
- Using access control to limit who can access your data and AWS resources
Top comments (0)