From the course: AWS Essential Training for Architects
Shared responsibility model - Amazon Web Services (AWS) Tutorial
Shared responsibility model
Understanding the AWS shared responsibility model is key to architecting secure solutions in the cloud. It outlines who is responsible for which element of the cloud. Here are some common questions that come up when adopting the cloud: Who will manage the hardware powering the virtual services? Who is responsible for the software components? Who is responsible for the operating system configuration? Who will configure the network? Who is responsible for encryption and access control? The shared responsibility model helps answer these questions. It outlines how responsibility for security and compliance is shared between AWS and the customer.

First, let's understand at a high level how AWS is architected. At the base, you have physical servers powering all the services. AWS shares the capacity of these physical servers across multiple customers using software called a hypervisor. The hypervisor allocates and manages the resources of the physical servers, such as CPU and memory, to the virtual services provided by AWS. The hypervisor and physical servers are not visible to the customer. AWS is always responsible for operating and managing the physical infrastructure hosting the services, the host operating system, and the virtualization layer, which is the hypervisor. This is always the case regardless of the service or service type.

Customer responsibility is determined by the AWS service type. AWS offers services in different categories, such as infrastructure as a service (IaaS) and platform as a service (PaaS).

Let's look at the shared responsibility model for Amazon EC2, a service that allows you to launch virtual machines. It falls in the IaaS category because the infrastructure is fully configurable according to your preferences. AWS is responsible for the physical hardware and its global infrastructure, consisting of regions, availability zones, and edge locations where it hosts the physical hardware. AWS is also responsible for the software used to manage the hardware, that is, the hypervisor. The hypervisor manages the compute, storage, database, and networking associated with the physical hardware. This is commonly referred to as security of the cloud. The customer is responsible for security in the cloud. Customer responsibilities include server-side and client-side encryption and network traffic protection, which protect data at rest and in transit. The customer is also responsible for managing the guest operating system running on the virtual machines and its network and firewall configuration. Managing the platform and any applications running on the instances, along with identity and access management, is also the customer's responsibility. For example, the customer is responsible for patching the guest operating system and any software applications running on it. Finally, regardless of the service type, managing data is always the customer's responsibility.

Now, let's look at the shared responsibility model for Relational Database Service, also known as RDS. It falls in the PaaS (platform as a service) category because AWS provisions the platform, in this case the database, and you simply host your data in it. For PaaS offerings, in addition to managing the physical hardware and the associated software, AWS also manages the operating system, network, and firewall configuration of the assets on which the database is installed. AWS also manages the platform and the application. The customer is responsible for client-side encryption, identity and access management, and applying the necessary network and firewall configuration. Again, managing the data is always the customer's responsibility.

Now, let's talk about a more abstracted service like S3. Simple Storage Service, or S3, is an object storage service from AWS. It has an interface that customers can use to upload objects and has minimal configuration settings, such as encryption, logging, access control, and a few others. When using Amazon S3, the customer is only responsible for client-side encryption, identity and access management, and the data. AWS manages the rest of the components.

As we've just seen, the split of responsibilities depends on the service or service type, but the following are always true. AWS is always responsible for the physical infrastructure and the hypervisor. The customer is always responsible for managing data. The customer is always responsible for managing identities and access, for example, user accounts and their permissions. As you can see, the shared responsibility model clearly differentiates the responsibilities of AWS and the customer and establishes a framework based on shared commitment. Understanding this will enhance your security posture and allow you to use AWS services confidently.
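The lesson names the controls that sit on the customer's side of the line for EC2 (guest operating system patching, network and firewall configuration, encryption of data at rest) and for S3 (encryption, logging, access control). The Python script below, added here as an illustration and not part of the course, shows what checking those controls looks like in practice. Each function evaluates a configuration snapshot shaped like the response of the boto3 call named in its docstring; the snapshots themselves, the security group ID, volume IDs, instance ID and bucket name are all constructed, so the script runs offline without an AWS account.

```python
"""Customer-side ("security in the cloud") checks for the two services the
lesson walks through, EC2 and S3.

Added example, not course material. Each function evaluates a configuration
snapshot shaped like the boto3 response named in its docstring; all sample
data at the bottom is constructed for illustration, so this runs offline."""

ADMIN_PORTS = {22, 3389}            # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}    # "reachable from the whole internet" CIDRs


def check_security_group(sg):
    """Firewall configuration (EC2). `sg` mirrors one element of
    ec2.describe_security_groups()['SecurityGroups']. Flags ingress rules that
    expose an admin port, or every port, to the whole internet."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        exposed = sorted(c for c in cidrs if c in ANYWHERE)
        if not exposed:
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # IpProtocol "-1" means all traffic and carries no port range
        all_ports = perm.get("IpProtocol") == "-1" or lo is None
        if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(f"{sg['GroupId']}: admin ports reachable from {exposed}")
    return findings


def check_volume_encryption(volumes):
    """Encryption at rest (EC2). `volumes` mirrors ec2.describe_volumes()['Volumes']."""
    return [f"{v['VolumeId']}: EBS volume not encrypted"
            for v in volumes if not v.get("Encrypted", False)]


def check_patch_state(states):
    """Guest OS patching (EC2). `states` mirrors
    ssm.describe_instance_patch_states()['InstancePatchStates']."""
    return [f"{s['InstanceId']}: {s['MissingCount']} patches missing"
            for s in states if s.get("MissingCount", 0) > 0]


def check_bucket(name, encryption, public_access_block, logging):
    """The S3 settings the lesson names: encryption, access control, logging.
    Arguments mirror s3.get_bucket_encryption(), s3.get_public_access_block()
    and s3.get_bucket_logging() responses; pass None where the call returned
    no configuration (for example, no default encryption rule)."""
    findings = []
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append(f"{name}: no default server-side encryption rule")
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    off = [k for k in ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets") if not pab.get(k)]
    if off:
        findings.append(f"{name}: public access block settings off: {off}")
    if not (logging or {}).get("LoggingEnabled"):
        findings.append(f"{name}: server access logging disabled")
    return findings


# Constructed sample snapshots (not real account data).
SAMPLE_SG = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},     # HTTPS: expected
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},     # SSH to the world
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},        # all traffic, IPv6
    ],
}
SAMPLE_VOLUMES = [{"VolumeId": "vol-a", "Encrypted": True},
                  {"VolumeId": "vol-b", "Encrypted": False}]
SAMPLE_PATCH = [{"InstanceId": "i-example", "MissingCount": 3}]
SAMPLE_BUCKET = dict(
    name="example-bucket",
    encryption=None,
    public_access_block={"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    logging={},
)


def run_checks():
    """Collect every customer-side finding from the constructed snapshots."""
    return (check_security_group(SAMPLE_SG)
            + check_volume_encryption(SAMPLE_VOLUMES)
            + check_patch_state(SAMPLE_PATCH)
            + check_bucket(**SAMPLE_BUCKET))


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

Running the script prints one line per finding. Every line it produces is something that, under the model, AWS will never fix for you: the hypervisor and the hardware underneath these resources are AWS's concern, but an SSH port open to the internet, an unencrypted volume, a fleet of missing patches or a bucket without access-block settings are all "security in the cloud" and stay with the customer whether the service is IaaS like EC2 or a more abstracted service like S3.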