The Shared Responsibility Model

Who secures what: AWS's responsibilities vs yours — the single most-tested concept on the exam.


Security in AWS is a partnership. AWS secures the cloud itself; you secure what you put in it. AWS summarizes this as: AWS is responsible for security OF the cloud, and the customer is responsible for security IN the cloud. Expect multiple questions on this.

| Responsibility | Who | Examples |
| --- | --- | --- |
| Security OF the cloud | AWS | Physical data centers, hardware, host operating systems, hypervisor, the global network, managed service infrastructure |
| Security IN the cloud | Customer | Your data, IAM users and permissions, guest OS patching on EC2, firewall (security group) rules, encryption choices, application code |
| Shared controls | Both | Patch management (AWS patches hosts, you patch your EC2 guest OS), configuration management, awareness and training |

Think of it like this

AWS is the landlord of a secure apartment building: they maintain the walls, locks on the lobby, cameras, and fire systems. You're the tenant: you decide who gets a key to *your* apartment, whether you lock your door, and what valuables you leave in view.

It shifts with the service model

The more managed the service, the more responsibility AWS takes. On EC2 (IaaS) you patch the guest operating system yourself. On RDS, AWS patches the database host OS and engine (you choose the maintenance window); on Lambda, AWS patches the runtime and the compute underneath it. On fully abstracted services such as S3 or DynamoDB, AWS runs the whole platform. In every case you still own your data, its classification, who can reach it (IAM, resource policies, and security groups where the service has them), and whether it is encrypted. No AWS service ever takes responsibility for your IAM configuration or your data.

Always the customer's job (memorize these)

  • Customer data and its classification
  • IAM: users, roles, permissions, MFA
  • Guest OS patching on EC2 instances
  • Security group and network firewall configuration
  • Client-side and server-side encryption choices
  • Application-level security
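
The items in this list are the ones you can actually audit in your own account. The script below is an added example, not part of the original page: it checks three customer-side controls (security group ingress open to the world on SSH/RDP, console users without MFA, and the S3 default encryption setting). The sample inputs are constructed for this example and only mimic the shape of the `ec2.describe_security_groups()`, decoded `iam.get_credential_report()` and `s3.get_bucket_encryption()` responses, so it runs offline; with boto3 you would pass the real responses to the same functions.

```python
"""Audit three controls that stay on the customer's side of the line:
security group ingress, IAM MFA coverage, and S3 default encryption.

Each check takes the *shape* of a real AWS API response as a plain dict
or string, so the script runs offline. The sample data below is
constructed for this example and does not come from a real account.
"""
from __future__ import annotations

import csv
import io

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = (22, 3389)  # SSH and RDP: never world-reachable

# Constructed sample shaped like ec2.describe_security_groups().
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0deadbee", "GroupName": "bastion-bad", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
            # "-1" means all protocols and all ports; here open to every IPv6 address.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        ]},
    ]
}

# Constructed sample shaped like the decoded iam.get_credential_report() CSV
# (the real call returns it base64-encoded in the "Content" field).
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2021-05-05T00:00:00+00:00,true,2024-01-02T00:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::123456789012:user/bob,2021-06-06T00:00:00+00:00,true,no_information,2023-12-01T00:00:00+00:00,N/A,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-07-07T00:00:00+00:00,false,N/A,N/A,N/A,false
"""

# Constructed sample shaped like s3.get_bucket_encryption().
SAMPLE_BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
     "BucketKeyEnabled": True},
]}}


def _world_open(perm: dict) -> bool:
    """True if the rule's source includes the whole IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in (ANY_V4, ANY_V6) for c in cidrs)


def _covers_tcp_port(perm: dict, port: int) -> bool:
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all traffic, no port range present
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def exposed_admin_ports(sg_response: dict) -> list[tuple[str, int]]:
    """(GroupId, port) pairs where SSH or RDP is reachable from anywhere."""
    hits = set()
    for sg in sg_response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if _world_open(perm):
                hits.update((sg["GroupId"], p) for p in ADMIN_PORTS if _covers_tcp_port(perm, p))
    return sorted(hits)


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Users who can sign in with a password but have no MFA device.
    The root row reports password_enabled as 'not_supported', so anything
    other than an explicit 'false' is treated as console-capable."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] != "false" and r["mfa_active"] == "false"]


def default_sse_algorithm(enc_response: dict) -> str | None:
    """'AES256', 'aws:kms', 'aws:kms:dsse', or None when no default rule is set."""
    rules = enc_response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


if __name__ == "__main__":
    print("world-open admin ports:", exposed_admin_ports(SAMPLE_SECURITY_GROUPS))
    print("console users without MFA:", console_users_without_mfa(SAMPLE_CREDENTIAL_REPORT))
    print("S3 default SSE:", default_sse_algorithm(SAMPLE_BUCKET_ENCRYPTION))
```

Note that every finding this script produces lands on the customer's side of the table: AWS will happily run an instance behind a security group that exposes port 22 to `0.0.0.0/0`, and it will store objects in a bucket with no KMS key; deciding that those are wrong, and fixing them, is security IN the cloud.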

Always AWS's job

  • Physical security of data centers
  • Hardware and infrastructure maintenance
  • Network infrastructure and the hypervisor
  • Managed service underlying infrastructure (e.g., patching the RDS host OS)
  • Global infrastructure: Regions, AZs, edge locations

Exam tip

Trick to spot: "patching" questions. Patching the EC2 guest OS → customer. Patching RDS/Lambda infrastructure → AWS. Physical destruction of decommissioned disks → AWS. Encrypting the data you store → customer (you choose to enable it).

Knowledge check
Question 1 of 4

Under the shared responsibility model, which task is the CUSTOMER's responsibility?