The AWS cloud offers a multitude of services that vary widely in nature and usage. Security responsibility is therefore shared between the customer and AWS, and the boundary between the two must be clearly defined.

  • Physical security of the computing infrastructure is taken care of by AWS, and covers the resources for
    • compute
    • database
    • storage
    • networking
  • The customer is accountable only for
    • software on top of the infrastructure layer
    • data and access on top of the infrastructure layer

AWS Security Responsibilities

AWS is accountable for the following

  • Computing hardware and global infrastructure, which includes
    • the AWS Regions, Availability Zones, and edge locations
      • all of which have physical security protections and constant IT maintenance
  • Software related to managing the AWS computing hardware, covering
    • computation
    • storage
    • database
    • networking
    • the software platform for all AWS services
    • security services offered by AWS for customers to use, including
      • encryption keys
      • network monitoring tools
      • database protection, and more

Customer Security Responsibilities

Depending on the AWS service the customer selects, the customer is accountable for different levels of security:

  • For IaaS services such as EC2, VPC and S3, all of the security configuration and management tasks are to be done by the customer, and include
    • customer business data before it enters AWS and after it exits AWS
    • security of the platform running on the IaaS, for example protecting shoppers' identities for an online clothing store
    • encryption of data at rest and in transit
    • encryption of the file system
    • safety of the network traffic
    • safety of routing and zoning data

Security Shared Responsibility

AWS provides the cloud computing infrastructure, and the customer is responsible for how it is implemented on top of that infrastructure, such as configuration, patching, etc. This consists of

  • Controls in the cloud’s IT setup – Operating and managing IT operations and controls is a shared task between the customer and AWS. The customer is responsible for deploying IT controls according to AWS’s guidelines and regulations. AWS provides various security-related maintenance facilities, such as network-level encryption and firewall maintenance, to ease the burden on the customer.
  • Configuration Management – AWS takes responsibility for configuration management of the cloud computing infrastructure, and the customer is responsible for configuring the operating systems, databases and software applications on the instances.
  • Patch Management – AWS is responsible for patching and fixing the cloud computing infrastructure, whereas the customer patches the operating systems, databases and software applications on the instances.
  • Customer Software Specific Controls – The customer is responsible for controls that are specific to their software application and have no linkage to AWS’s cloud computing infrastructure.
  • Employee Training and Awareness – Training and awareness of the customer’s employees who use AWS’s cloud computing infrastructure is the customer’s responsibility.

Customers should

  • employ access control policies by using AWS IAM
  • control access to ports by configuring AWS Security Groups
  • enable CloudTrail for logging
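The Security Group and CloudTrail items above can be checked mechanically. The following is an added example, not code from the original article: it evaluates data in the shape that boto3's ec2.describe_security_groups() and cloudtrail.describe_trails() return, so it runs offline against the constructed sample data at the bottom (the group IDs, trail name and port list are assumptions for illustration).

```python
# Added example: offline audit of Security Group exposure and CloudTrail
# configuration. Input dicts mirror boto3 response shapes; all sample data
# is constructed, not taken from a real account.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
WORLD = {"0.0.0.0/0", "::/0"}


def _open_to_world(rule):
    """True if any IPv4/IPv6 range on the rule admits the whole internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def find_exposed_ports(security_groups):
    """Return (group_id, port, service) for sensitive ports reachable from anywhere."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not _open_to_world(rule):
                continue
            if rule.get("IpProtocol") == "-1":   # "all traffic": no port fields present
                lo, hi = 0, 65535
            else:
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            findings += [(sg["GroupId"], p, n) for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
    return findings


def check_cloudtrail(trails):
    """Flag gaps that leave CloudTrail logging incomplete or tamperable."""
    if not trails:
        return ["no trail configured"]
    issues = [] if any(t.get("IsMultiRegionTrail") for t in trails) else ["no multi-region trail"]
    issues += [f"{t['Name']}: log file validation disabled"
               for t in trails if not t.get("LogFileValidationEnabled")]
    return issues


# Constructed sample data in the boto3 response shape.
SAMPLE_SGS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]
SAMPLE_TRAILS = [{"Name": "mgmt-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}]
```

Against the sample data the HTTPS rule on sg-0aaa is not reported, the SSH rule is, and the "all traffic" IPv6 rule on sg-0bbb is expanded to every sensitive port; whether a trail is actually logging comes from a separate get_trail_status() call and is not covered here.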

The customer’s responsibilities also include

  • implementing policies for DLP (data loss prevention) as required by the customer’s internal and external policy compliance
  • preventing, detecting and remedying any hazard due to loss or theft of account credentials resulting in malicious misuse of AWS
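The detection half of that last item is typically done over the CloudTrail records the customer has enabled. The following is an added example, not code from the original article: it scans constructed CloudTrail-style records (field names follow the CloudTrail record format; the user names, IP addresses and event mix are invented) for signs that credentials are being misused.

```python
# Added example: detection pass over CloudTrail records for misuse of lost or
# stolen credentials. Events below are constructed with documentation IP ranges.
from collections import Counter

# IAM actions that mint new credentials or grant access; worth alerting on when unexpected.
SENSITIVE_IAM_EVENTS = {"CreateAccessKey", "CreateLoginProfile", "CreateUser", "AttachUserPolicy"}


def _login(ip, user_type, name, outcome, mfa):
    """Build a constructed ConsoleLogin record (sample-data helper only)."""
    ident = {"type": user_type, **({"userName": name} if name else {})}
    return {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
            "sourceIPAddress": ip, "userIdentity": ident,
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa}}


SAMPLE_EVENTS = [
    _login("203.0.113.9", "IAMUser", "alice", "Failure", "No"),
    _login("203.0.113.9", "IAMUser", "alice", "Failure", "No"),
    _login("203.0.113.9", "IAMUser", "alice", "Failure", "No"),
    _login("203.0.113.9", "Root", None, "Success", "No"),
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]


def detect_credential_misuse(events, failure_threshold=3):
    """Return alert strings for root usage, MFA-less console logins, repeated
    login failures from one source, and IAM changes that create new credentials."""
    alerts, failures = [], Counter()
    for e in events:
        ident = e.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type")
        ip = e.get("sourceIPAddress")
        if ident.get("type") == "Root":
            alerts.append(f"root account used: {e['eventName']} from {ip}")
        if e.get("eventName") == "ConsoleLogin":
            if e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                failures[(who, ip)] += 1        # aggregate; alert once over the threshold
            elif e.get("additionalEventData", {}).get("MFAUsed") == "No":
                alerts.append(f"console login without MFA: {who} from {ip}")
        if e.get("eventName") in SENSITIVE_IAM_EVENTS:
            alerts.append(f"sensitive IAM change: {e['eventName']} by {who} from {ip}")
    alerts += [f"{n} failed console logins for {who} from {ip}"
               for (who, ip), n in failures.items() if n >= failure_threshold]
    return alerts
```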

AWS takes responsibility for securing its cloud computing infrastructure, which includes

  • computing
  • storage
  • networking
  • database services
  • the security configuration of AWS services like
    • DynamoDB
    • RDS
    • Redshift
    • Elastic MapReduce
    • Workspaces, etc.

AWS Shared Responsibility Model Summary

  Customer  AWS   Responsibility
     x            Prevent/detect any compromise of the AWS account
     x            Prevent/detect any insecure behavior of AWS users
     x            Securely configuring AWS services (AWS Managed Services are excluded)
     x            Restricting access to AWS services or the customer’s custom applications to only users who need it
     x            Updating the guest OS and applying security patches
     x      x     Making sure that usage of both AWS and the customer’s custom applications complies with internal and external policies
     x      x     Enabling and provisioning network security against attacks like DoS, MITM and port scanning
            x     Securely managing and operating the configurations of AWS Managed Services
            x     Provisioning physical access control
            x     Securing against environmental risks like natural disasters, mass power outages, etc.
            x     Patching and error fixing of databases
            x     Securing against zero-day exploits and related vulnerabilities
            x     Providing business continuity to customers and addressing availability and incident response
