AWS Series — The Shared Responsibility Model
The Shared Responsibility Model of the AWS defines the clear distinction between the ownership of the resources. The customer is accountable for what they are responsible and similarly AWS is accountable for what they are responsible for.
Here is a snippet of certain responsibilities defined by them
Clearly, AWS is responsible for the infrastructure that is under their control which includes Regions, Availability Zones and Edge Locations. Also, the data centers has the hardware and they own them and they are accountable for it. They have to provide physical security of these data centers. They are also responsible for the hardware and physical asset in the data center. The Services that they provide like Computing, Storage, Database and Networking. They will be responsible for their availability and protection of those resources. Also, they own the software that the entire stack runs.
As a consumer, we would be responsible for what we have configured those services for and some of them are Customer Data which we store in the database. We are responsible to protect them according to the policies and guidelines. The applications that we deploy and make them available to the users is our responsibility. We decide on who can access the resources of our applications and who is authorized to change the settings. This can be done using Identity and Access Management.
We define the Firewall access and Network setting like inbound and outbound principles. We decide the operating system that we use. The major responsibility would be to protect the customer data that we use in our application and process them. We have to bind by the rules of Data Integrity by providing the Client-side and server-side encryption. Also, the transfer of the data by ensuring the Networking Traffic Protection.
Summary
To decide what is our responsibility, just think if you can do that task by yourself on the AWS management console. If you can, then you are responsible for it.
For Instance, you can control — Security Groups, IAM Users, patching EC2 operating systems, patching databases running on EC2 etc.,
You can’t control — Management of data centers, security cameras, cabling, patching RDS, operating systems etc.,
Encryption is a shared responsibility— When you go to the console, you can choose to encrypt the volume of data which means you are doing encryption from your side. AWS actually has to follow through and make sure that is encrypted.
