AWS Shared Responsibility Model
Understanding the AWS Shared Responsiblity Model
Responsibility “of” the cloud vs Responsibility “in” the cloud
In a typical on-premises IT infrastructure model, the end-user (the customer ) is responsible for securing everything, including their servers, networks, software, and facilities. However, the burden of securing their operational environment is lightened when they move part or all their operations to the cloud.
The AWS Shared Responsibility Model is a cloud security framework that divides the cloud’s security obligations between the customer and the cloud service provider (Amazon Web Services). Most cloud security breaches are due to customer error, rather than the cloud provider. Having a fair, shared system of security responsibilities ensures accountability on both ends.
The AWS Shared Responsibility Model is stated as follows:
The cloud service provider is responsible for the security “of” the cloud, while the customer is responsible for security “in” the cloud.
Now that we have a general idea of AWS’s Shared Responsibility Model, let’s take a closer look at the different security responsibilities between AWS and the customer.
AWS is Responsible for Security “of” the Cloud
Amazon Web Services is responsible for the security and reliability “of” their global infrastructure including their data center buildings, networking infrastructure, physical hardware, virtualization technology, and the software used to provide all the services they offer.
AWS protects their physical data centers by deploying strict physical access measures through video surveillance, intrusion detection systems and enforcing their employees at the data center level to use two-factor authentication. Also, AWS physically destroys old storage devices after they’ve run their lifecycle. In addition, to protect their physical facilities against natural disasters, AWS installs automatic fire detection and suppression systems, redundant power generators, and air conditioners that maintain and prevent their servers from overheating and causing power outages.
Providing high availability and fast incident detection and response during data center incidents is of utmost importance to AWS. This is why they build their data centers as redundantly connected clusters in various geographical regions. If an area is affected, AWS can quickly redistribute traffic to an unaffected area.
AWS also follows strict security standards imposed by various IT security organizations and standards such as Service Organization Controls (SOC 1), the Federal Information Security Management Act (FISMA), and Multi-Tier Cloud Security Standard (MTCS) Level 3, and many other industry-specific security standards like the Health Insurance Portability and Accountability Act (HIPAA), and the Cloud Security Alliance (CSA).
The Customer Is Responsible for Security “in” the Cloud
The customer, on the other hand, is responsible for securing activities that occur “in” the cloud or are connected to the AWS cloud. Besides securing the guest operating system (OS), configuring access management, and securing their own data. The responsibilities of the customer will vary depending on the service’s delivery model category (e.g. IaaS) the customer selects.
Customer Security Responsibilities for EC2 instances
For example, if the customer selects an EC2 (Elastic Compute Cloud) instance. Then, the customer is responsible for securing the following:
- The guest operating system (Security patching and updating)
- Amazon Machine Images (Encrypting the AMI if it’s EBS-backed)
- Encryption of Elastic Block Store volumes
- Configuring security groups
- EC2 key pairs (credentials)
- IAM policies and roles
- Applications installed in the EC2 instance
- Setting SSL/TLS (Secure Sockets Layer/Transport Layer Security) to enable encryption in flight through AWS ACM
Conclusion
The AWS shared responsibility model outlines the responsibilities in the cloud for both the customer and the cloud service provider. AWS is responsible for their global physical infrastructure including regions, availability zones, edge locations, hardware, and software required to provide all their services. While the user is responsible for securing what happens in the cloud.
In order for AWS to keep their side of the bargain, customers must understand that security in cloud computing is a shared task, and must deliver the complementary security activities necessary to achieve an overall security of their cloud operations.
Resources
- AWS Shared Responsibility Model
- Architecting the Cloud (Book)