Featured Post

Step Wise Project Planning

Planning is the most difficult process in project management. The framework described is called the Stepwise method to help to distinguis...

  1. Home

Security and the AWS Shared Responsibility Model


 

When you work with the AWS Cloud, managing security and compliance is a shared responsibility between AWS and you. To depict this shared responsibility, AWS created the shared responsibility model. The distinction of responsibility is commonly referred to as security OF the cloud versus security IN the cloud. 

64.png

AWS responsibility

AWS is responsible for security of the cloud. This means AWS protects and secures the infrastructure that runs the services offered in the AWS Cloud. AWS is responsible for:

  • Protecting and securing AWS Regions, Availability Zones, and data centers, down to the physical security of the buildings
  • Managing the hardware, software, and networking components that run AWS services, such as the physical servers, host operating systems, virtualization layers, and AWS networking components

The level of responsibility AWS has depends on the service. AWS classifies services into three categories. The following table provides information about each, including the AWS responsibility.

CategoryExamples of AWS Services in the Category AWS Responsibility 
Infrastructure services Compute services, such as Amazon Elastic Compute Cloud (Amazon EC2) AWS manages the underlying infrastructure and foundation services. 
Container services Services that require less management from the customer, such as Amazon Relational Database Service (Amazon RDS) AWS manages the underlying infrastructure and foundation services, operating system, and application platform. 
Abstracted services
Services that require very little management from the customer, such as Amazon Simple Storage Service (Amazon S3)
AWS operates the infrastructure layer, operating system, and platforms, in addition to server-side encryption and data protection.

Note: Container services refer to AWS abstracting application containers behind the scenes, not Docker container services. This enables AWS to move the responsibility of managing the platform away from customers.

Customer responsibility

Customers are responsible for security in the cloud. When using any AWS service, you’re responsible for properly configuring the service and your applications, in addition to ensuring that your data is secure.

Your level of responsibility depends on the AWS service. Some services require you to perform all the necessary security configuration and management tasks, while other more abstracted services require you to only manage the data and control access to your resources. Using the three categories of AWS services, you can determine your level of responsibility for each AWS service you use.

CategoryAWS Responsibility Customer Responsibility 
Infrastructure services AWS manages the infrastructure and foundation services. You control the operating system and application platform, in addition to encrypting, protecting, and managing customer data. 
Container services AWS manages the infrastructure and foundation services, operating system, and application platform. You are responsible for customer data, encrypting the data, and protecting it through network firewalls and backups. 
Abstracted services
AWS operates the infrastructure layer, operating system, and platforms, in addition to server-side encryption and data protection.
You are responsible for managing customer data and protecting it through client-side encryption.

Due to the varying levels of effort, customers must consider which AWS services they use and review the level of responsibility required to secure each service. They must also review how the shared security model aligns with the security standards in their IT environment, in addition to any applicable laws and regulations.

A key concept is that customers maintain complete control of their data and are responsible for managing the security related to their content. For example, you are responsible for the following:

  • Choosing a Region for AWS resources in accordance with data sovereignty regulations
  • Implementing data-protection mechanisms, such as encryption and scheduled backups
  • Using access control to limit who can access to your data and AWS resources

 

                                                                                                                          Source: AWS

Next
« Prev Post
Previous
Next Post »
Subscribe to: Post Comments (Atom)