Describing the customer’s responsibilities on AWS

The Shared Responsibility Model is a fundamental principle of cloud computing, defining what AWS is responsible for and what responsibilities fall on the customer.

AWS Responsibilities

AWS is responsible for the security and integrity of the cloud infrastructure, including the hardware, software, networking, and facilities that run the AWS Cloud services. For instance, AWS takes care of:

• Protecting the global infrastructure that runs all of the services offered in the AWS Cloud.
• Operating, managing, and controlling the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate.

Customer Responsibilities

Customers are responsible for any data, applications, and resources they run on AWS, as well as specific configuration tasks related to security and access. Their responsibilities typically include:

1. Data Security and Encryption: Customers are responsible for protecting their data, which includes encrypting sensitive data, classifying their assets, and implementing access policies. AWS provides services like AWS Key Management Service (KMS) and AWS Identity and Access Management (IAM) to help customers meet these responsibilities.
2. Identity and Access Management: It is the customer’s responsibility to manage user access to AWS services and resources securely. IAM enables customers to manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.

   Example IAM Policy:

   {
   “Version”: “2012-10-17”,
   “Statement”: [
   {
   “Effect”: “Allow”,
   “Action”: “s3:ListBucket”,
   “Resource”: “arn:aws:s3:::example_bucket”
   }
   ]
   }

3. Resource Management: Customers should architect their AWS environment according to best practices, including the selection of appropriate AWS service types, resource types, and specific use case requirements.
4. Operating System Management: For IaaS offerings like Amazon EC2, it’s the customer’s responsibility to manage the guest operating system, including updates and security patches.
5. Network Configuration: Users must configure their VPC (Virtual Private Cloud) and set up firewall rules (security groups and network access lists) to control traffic to and from their instances.
6. Application Security: This includes the responsibility for securing application-level flaws, such as software vulnerabilities, and implementing application level firewall protections.
7. Compliance: Customers are accountable for understanding the compliance requirements applicable to their industry and geography and ensuring their environment complies with those standards.

Examples of Customer Responsibilities in Different Service Models

• In an IaaS (Infrastructure as a Service) environment like EC2, customers are responsible for everything from the virtual machine (VM) operating system up to the applications they run.
• In a PaaS (Platform as a Service) environment like AWS Elastic Beanstalk, AWS manages the underlying EC2 instances and the customers focus on their deployed applications and data.
• For SaaS (Software as a Service) such as Amazon WorkMail, AWS is responsible for the infrastructure and the application, but customers manage their data, user access, and the configuration of security settings.

The following table provides a high-level comparison of customer responsibilities across different service models:

Understanding the division of responsibilities is crucial when preparing for the AWS Certified Cloud Practitioner exam, as it ensures that cloud practitioners can correctly apply security and compliance controls in their AWS environment. AWS provides documentation and best practice guides that help customers in understanding and designing their workloads in accordance with the Shared Responsibility Model.