The Shared Responsibility Model

In this post we will discuss the Shared Responsibility Model and how AWS shares security responsibilities with their customers. This is one of the most important concepts for us to understand in working with the cloud. AWS is responsible for securing the underlying infrastructure that supports cloud services. Customers are responsible for securing anything they put into the cloud or connect to the cloud. The customer’s responsibility is often referred to as “Security in the Cloud” and AWS’ as “Security of the Cloud”.

The customer is responsible for securing all customer data. This includes both the organization's own data and external customer data. AWS customers are responsible for securing application platforms, applications, and user identity and access management (IAM). Additional customer responsibilities include operating system patching on Elastic Compute Cloud (EC2) instances, management of any antivirus applications that might be installed, logical network and firewall configuration, and tasks like multi-factor authentication and password and key rotation for IAM users. The final area that customers are responsible for is protection of data in transit and data at rest. Data in transit refers to securing both endpoints of any data being sent over private and public networks. Our responsibility for data at rest includes encryption of any data stored in a file system, database, or other storage service like Amazon Simple Storage Service (S3).
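Two of those IAM duties (MFA for users with console passwords, and access key rotation) are easy to check against the credential report that `aws iam get-credential-report` returns. The following is an added example, not code from the original post: it assumes the report's CSV column names (`password_enabled`, `mfa_active`, `access_key_1_active`, `access_key_1_last_rotated`) and uses a constructed three-user sample in place of a real report.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`.
# The real report has more columns; only the ones this check reads are kept,
# and csv.DictReader looks them up by name, so extra columns are harmless.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-01-15T10:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2023-06-01T08:30:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2024-03-01T12:00:00+00:00
"""

# Fixed "now" so the sample gives a stable result (constructed, not live time).
SAMPLE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return {user: [findings]} for IAM users missing the two customer-side
    controls named above: MFA on console users and rotated access keys."""
    findings = {}
    cutoff = now - timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        # MFA only matters where a console password exists; a key-only
        # service user such as ci-deploy has nothing to put MFA on.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        last_rotated = row["access_key_1_last_rotated"]
        if row["access_key_1_active"] == "true" and last_rotated != "N/A":
            # The report uses ISO 8601 timestamps with a +00:00 offset.
            if datetime.fromisoformat(last_rotated) < cutoff:
                issues.append(f"access key 1 older than {max_key_age_days} days")
        if issues:
            findings[row["user"]] = issues
    return findings


def run_sample():
    """Audit the constructed report with the default 90-day key age."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, issues in run_sample().items():
        print(f"{user}: {'; '.join(issues)}")
```

On a real account, feed the output of `aws iam get-credential-report --query Content --output text | base64 -d` to `audit_credential_report` with the current UTC time.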

AWS is responsible for the Security of the Cloud. This means that they are responsible for the security of the underlying infrastructure that AWS cloud services run on. AWS is responsible for securing all of their regions, availability zones, and edge locations, which are hosted in physical data centers. The virtualization hardware, network gear, and everything else related to managing the AWS platform that customers never see run in these data centers. Fire suppression system management, power management, and climate control management are each transferred to AWS. If a hard drive fails in a traditional IT environment, the organization is responsible for secure disposal that meets its compliance requirements, but this is not the case in the cloud: the responsibility for device decommissioning is transferred from the customer to AWS. AWS is also responsible for securing and managing all network devices that secure the cloud.

It is important for the SysOps exam to be aware of how penetration testing is addressed by the Shared Responsibility Model. Penetration testing involves the customer carrying out simulated attacks against their own infrastructure. AWS provides a reference (https://aws.amazon.com/security/penetration-testing) that outlines which activities are authorized and which are not. AWS has only recently begun to allow some forms of testing without first gaining authorization. There is now a set of services (e.g., EC2 instances, NAT Gateways, Elastic Load Balancers, etc.) that you can scan without permission. Prohibited activities include things like DNS Zone Walking and Port Flooding.

AWS is also responsible for hypervisor isolation, which involves separating EC2 instances at the hypervisor level. This enables AWS to assure customers that even though multiple customers may have EC2 instances deployed on the same physical piece of hardware, each of those instances is separated logically. This is designed to prevent another customer's cloud resources from introducing security risks to our organizations.

If you keep this separation of responsibilities between AWS and the customer then you will do fine on this section of the exam.

Reference: https://aws.amazon.com/compliance/shared-responsibility-model/
