The AWS Shared Responsibility Model

Security and compliance on AWS are a shared responsibility between AWS and the customer. This model clearly defines what AWS is responsible for (security of the cloud) and what you are responsible for (security in the cloud). Misunderstanding this boundary is one of the most common causes of security incidents.

---

The Core Principle

┌─────────────────────────────────────────────────────────┐
│                   CUSTOMER                               │
│            Security "IN" the Cloud                       │
│                                                         │
│  Customer data                                          │
│  Platform, applications, identity & access management   │
│  Operating system, network & firewall configuration     │
│  Client-side data encryption                            │
│  Server-side encryption (file system and/or data)       │
│  Networking traffic protection (encryption, integrity)  │
├─────────────────────────────────────────────────────────┤
│                     AWS                                  │
│            Security "OF" the Cloud                       │
│                                                         │
│  Hardware / AWS Global Infrastructure                   │
│  Regions, Availability Zones, Edge Locations            │
│  Compute, storage, database, networking (hardware)      │
│  Software: virtualisation layer, host OS, patching      │
│  Physical security of data centres                      │
└─────────────────────────────────────────────────────────┘

---

AWS Responsibilities — Security OF the Cloud

AWS is responsible for the infrastructure that runs all AWS services. This includes:

Physical Security

• Data centres are in undisclosed locations with multiple layers of physical security
• Biometric access controls, 24/7 security guards, CCTV surveillance
• Environmental controls: fire suppression, climate control, flood detection

Hardware and Infrastructure

• Servers, storage devices, networking equipment
• Hardware lifecycle management: procurement, deployment, decommissioning
• Secure destruction of decommissioned storage

Software Infrastructure

• The hypervisor and virtualisation layer
• Host operating system patching
• Network infrastructure (routers, switches, load balancers)
• Managed service software (e.g., the RDS engine, Lambda runtime environment)

Global Infrastructure

• Regions, Availability Zones, Edge Locations
• Redundant power, cooling, and network connectivity
• Inter-AZ and inter-Region networking

Compliance Certifications

AWS maintains a vast portfolio of compliance certifications:

Certification	Scope
SOC 1, 2, 3	Controls over financial reporting and security
ISO 27001	Information security management
ISO 27017	Cloud-specific security controls
ISO 27018	Protection of personal data in the cloud
PCI DSS Level 1	Payment card processing
HIPAA	Healthcare data (via BAA)
FedRAMP	US government workloads
GDPR	EU data protection
C5	German government cloud security

You can access AWS compliance reports through AWS Artifact.

---

Customer Responsibilities — Security IN the Cloud

You are responsible for securing everything you put into or build on top of AWS. The exact scope depends on the service model.

For IaaS Services (e.g., EC2)

When you use EC2, you take on the most responsibility:

• Guest operating system — installing patches and updates
• Application software — deploying, configuring, and securing your apps
• Data encryption — encrypting data at rest and in transit
• Network configuration — security groups, NACLs, routing tables
• Identity and access management — IAM users, roles, policies
• Firewall configuration — what ports are open, from which IP ranges

For PaaS / Managed Services (e.g., RDS, Lambda)

AWS takes on more responsibility:

• AWS patches the underlying OS and runtime (for Lambda, RDS, etc.)
• You are still responsible for:
  • Data classification and encryption
  • IAM policies and access control
  • Network configuration (VPC, security groups)
  • Application-level security
  • Backup and retention policies (where configurable)

For SaaS Services (e.g., Amazon QuickSight)

Minimal customer responsibility: