The Shared Responsibility Model
Who secures what: AWS's responsibilities vs yours — the single most-tested concept on the exam.
Security in AWS is a partnership. AWS secures the cloud itself; you secure what you put in it. AWS summarizes this as: AWS is responsible for security OF the cloud, the customer is responsible for security IN the cloud. Expect multiple questions on this.
| Responsibility | Who | Examples |
|---|---|---|
| Security OF the cloud | AWS | Physical data centers, hardware, host operating systems, hypervisor, the global network, managed service infrastructure |
| Security IN the cloud | Customer | Your data, IAM users and permissions, guest OS patching on EC2, firewall (security group) rules, encryption choices, application code |
| Shared controls | Both | Patch management (AWS patches hosts, you patch your EC2 guest OS), configuration management, awareness and training |
AWS is the landlord of a secure apartment building: they maintain the walls, locks on the lobby, cameras, and fire systems. You're the tenant: you decide who gets a key to *your* apartment, whether you lock your door, and what valuables you leave in view.
It shifts with the service model
The more managed the service, the more of the stack AWS takes on. On EC2 (IaaS) you patch the guest operating system yourself. On RDS or Lambda (managed/serverless), AWS patches the OS and runtime, but your share never drops to zero: on RDS you still enable storage encryption, keep the instance off the public internet, and manage database accounts; on Lambda you still own the function code and the libraries it bundles. Whatever the service, you always own your data, its classification, and access control. No AWS service ever takes responsibility for your IAM configuration or your data.
Always the customer's job (memorize these)
- Customer data and its classification
- IAM: users, roles, permissions, MFA
- Guest OS patching on EC2 instances
- Security group and network firewall configuration
- Client-side and server-side encryption choices
- Application-level security
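The customer-side list above is a set of concrete settings, so here it is as something you can actually check. This is an added example, not part of the original page or of any AWS tooling: a small Python audit that runs offline over constructed sample data shaped like the responses from describe-security-groups, describe-db-instances and the IAM credential report (the group IDs, instance names and user names are made up). It flags admin ports open to the whole internet, RDS instances that are unencrypted or publicly accessible, and console users without MFA. All three are knobs only the customer can turn; the host, hypervisor and RDS OS underneath them are AWS's.

```python
"""Audit the customer-owned half of the shared responsibility model.

Added example (not from the original page). Checks settings that are always
the customer's job: security group rules, RDS encryption and exposure, and
IAM MFA. It runs against constructed sample data whose shapes follow the AWS
API responses; swap in live boto3/CLI output to audit a real account.
"""
import csv
import io
import ipaddress

# --- Constructed sample data (field names match the AWS API, IDs are made up) ---
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d",  # hypothetical
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # acceptable: public HTTPS
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # finding: SSH open to the world
        ],
    },
    {
        "GroupId": "sg-0f9e8d7c",  # hypothetical
        "GroupName": "db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},  # fine: SG-to-SG only
        ],
    },
]

DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True, "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "reports-dev", "StorageEncrypted": False, "PubliclyAccessible": True},
]

# Subset of the IAM credential report columns (get-credential-report output).
CREDENTIAL_REPORT = """user,password_enabled,mfa_active
<root_account>,not_supported,true
alice,true,true
bob,true,false
deploy-bot,false,false
"""

# Ports that should never be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}


def open_admin_ports(security_groups):
    """Return (group_id, port, service) for admin ports open to the whole internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            # IpProtocol "-1" means all traffic and carries no port range.
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # A /0 prefix (v4 or v6) is the entire internet; SG-to-SG rules have no CIDR.
            if not any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
                continue
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port, name))
    return findings


def unencrypted_or_public_dbs(db_instances):
    """Patching the RDS host is AWS's job; turning on encryption and keeping the
    instance private are the customer's. Return (identifier, issue) pairs."""
    findings = []
    for db in db_instances:
        if not db.get("StorageEncrypted", False):
            findings.append((db["DBInstanceIdentifier"], "storage not encrypted"))
        if db.get("PubliclyAccessible", False):
            findings.append((db["DBInstanceIdentifier"], "publicly accessible"))
    return findings


def users_without_mfa(report_csv):
    """Console users (password enabled) and the root account with no MFA device.
    Root's password_enabled is reported as 'not_supported', so it is named explicitly."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["mfa_active"] != "true"
            and (r["password_enabled"] == "true" or r["user"] == "<root_account>")]


def audit():
    """Run every customer-side check and return findings keyed by control."""
    return {
        "security_groups": open_admin_ports(SECURITY_GROUPS),
        "rds": unencrypted_or_public_dbs(DB_INSTANCES),
        "iam_mfa": users_without_mfa(CREDENTIAL_REPORT),
    }


if __name__ == "__main__":
    for control, findings in audit().items():
        print(f"{control}: {findings or 'OK'}")
```

Run as a script it reports the SSH rule on sg-0a1b2c3d, both problems on reports-dev, and the user bob. Notice what the checks do not look at: the EC2 host kernel, the hypervisor, or the RDS operating system. Those are outside the customer's API surface entirely, which is the practical meaning of "security OF the cloud".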
Always AWS's job
- Physical security of data centers
- Hardware and infrastructure maintenance
- Network infrastructure and the hypervisor
- Managed service underlying infrastructure (e.g., patching the RDS host OS)
- Global infrastructure: Regions, AZs, edge locations
Trick to spot: "patching" questions. Patching the EC2 guest OS → customer. Patching RDS/Lambda infrastructure → AWS. Physical destruction of decommissioned disks → AWS. Encrypting the data you store → customer (you choose to enable it). Some services now encrypt at rest by default (Amazon S3 has applied server-side encryption to new objects since January 2023), but deciding the encryption mode and managing the keys is still yours, so a question framed around "enabling encryption" still points at the customer.
Under the shared responsibility model, which task is the CUSTOMER's responsibility?