AWS Shared Responsibility Model for Security and Compliance

By McAfee on May 09, 2017

What is AWS Shared Responsibility?

As enterprises look to achieve greater operational efficiency and gain a competitive advantage, they are increasingly turning to cloud service providers like Amazon Web Services to offload their IT infrastructure and computing needs. The advantages of divesting their datacenters in favor of AWS are too many and too impactful to ignore, even though the move gives up some control over data and brings its own security risks. At the same time, cloud service providers like AWS continue to make significant investments in the security of their services, leading some IT leaders to argue that the public cloud may actually be more secure than what can be achieved on premises.

Cloud service providers are software and infrastructure specialists, and have their own dedicated teams responsible for the security of their product. They also have sizable budgets dedicated to security and hire leading IT security experts. Microsoft, as an example, spends $1 billion a year on the security of its products. Not even the largest enterprises are able to match this level of cybersecurity investment. However, despite the near limitless resources Amazon has at its disposal to enhance the security of AWS, directly comparing the security risk facing AWS with that of an on-premises IT infrastructure is misleading.

Like most cloud providers, Amazon is responsible for the security “of” its cloud offering: the infrastructure and services it operates. Once a customer starts using AWS, the security of what the customer puts “in” the cloud (data, identities, configurations, and applications) is shared between Amazon and the customer. This division, known as the shared responsibility model of cloud security, exists so that IT security teams can adapt their controls to the adoption and proliferation of cloud services instead of assuming the provider covers everything.

In practice, this means Amazon protects the underlying infrastructure of AWS from vulnerabilities, intrusions, fraud, and abuse, and provides its customers with security capabilities that only protect anything once they are configured. As an example, Amazon has built an advanced identity and access management service (IAM) that gives customers granular control over user permissions and provisioning, and it publishes best practices for IAM configuration and settings. It is incumbent on the AWS customer, however, to actually apply them: a permission set that grants every action on every resource is the customer's exposure, not Amazon's.

Gartner underscored the importance of the shared responsibility when they stated, “Through 2020, 95% of cloud security failures will be the customer’s fault.” Gartner’s prediction implies that the vast majority of enterprises using cloud services will fail to uphold their responsibilities for the security of their data in the cloud.

Division of Responsibility of AWS Security

Since Amazon offers so many different cloud services, it’s imperative for enterprises to understand the division of responsibility between Amazon and its customers. AWS customers are responsible for protecting customer data stored in AWS as well as the custom applications deployed in AWS.

Customers are also responsible for implementing appropriate access control policies using AWS IAM, configuring AWS Security Groups (the instance-level firewall) so that ports are not reachable from networks that have no business reaching them, and enabling AWS CloudTrail so that API activity in the account is logged. They are further responsible for enforcing appropriate data loss prevention policies to ensure compliance with internal and external policies, and for detecting and remediating threats arising from stolen account credentials or malicious or accidental misuse of AWS.
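The two customer-side controls named above, security group rules and IAM policies, are the ones most often left open. The following is an added example, not code from this post or from AWS: an offline audit that flags sensitive ports exposed to the whole internet and IAM Allow statements that grant everything on every resource. The input records are constructed for the example and only mimic the shape of `aws ec2 describe-security-groups` and `aws iam get-policy-version` output; the list of sensitive ports is an assumption a reviewer would tune.

```python
"""Offline audit of two customer-side controls: security group ingress and
IAM policy statements. Sample records are constructed for this example and
mimic AWS CLI JSON; they are not taken from any real account."""

# Assumption for the example: ports that should not be reachable from the
# whole internet (SSH, RDP, MySQL, PostgreSQL, MSSQL, Redis, MongoDB).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _exposed_ports(perm, sensitive_ports):
    """Sensitive ports one IpPermissions entry reaches.

    Protocol -1 means all traffic and is reported as the marker "*".
    ICMP rules reuse FromPort/ToPort for type/code, so only tcp/udp count.
    """
    if perm.get("IpProtocol") == "-1":
        return ["*"]
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return []
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    return [p for p in sorted(sensitive_ports) if lo <= p <= hi]


def find_open_ingress(groups, sensitive_ports=SENSITIVE_PORTS):
    """(group_id, port, cidr) for every sensitive port open to the internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in ANYWHERE:
                    continue  # scoped to a private range: not a finding here
                for port in _exposed_ports(perm, sensitive_ports):
                    findings.append((sg["GroupId"], port, cidr))
    return findings


def find_wildcard_statements(policy):
    """(sid, actions) for Allow statements granting "*" or "service:*" on "*".

    Action, Resource and Statement may each be a single value or a list.
    Deny statements are skipped: a Deny on "*" is a guard rail, not a finding.
    """
    def as_list(value):
        return value if isinstance(value, list) else [value]

    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((stmt.get("Sid", f"Statement[{i}]"), actions))
    return findings


# Constructed sample data: two security groups and one customer-managed policy.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

if __name__ == "__main__":
    for group_id, port, cidr in find_open_ingress(SAMPLE_GROUPS):
        print(f"{group_id}: port {port} open to {cidr}")
    for sid, actions in find_wildcard_statements(SAMPLE_POLICY):
        print(f"policy statement {sid}: allows {actions} on every resource")
```

On the sample data the audit reports SSH and the 3000-4000 range (which swallows MySQL and RDP) on sg-0aaa, the all-traffic IPv6 rule on sg-0bbb, and the two wildcard Allow statements; the 443 rule, the 10.0.0.0/8-scoped rule and the MFA Deny guard rail are correctly left alone. Against a live account the same functions take the `SecurityGroups` and policy `Document` fields straight from boto3.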

Amazon is focused on securing its software, hardware, and the facilities where AWS services are located. Amazon’s responsibilities include securing its computing, storage, networking, and database services, as well as the security configuration of AWS managed services like Amazon DynamoDB, RDS, Redshift, Elastic MapReduce, Workspaces, etc.

AWS Shared Responsibility Model vs. Customer Responsibility Model

Customer   AWS   Responsibility
   x             Preventing or detecting when an AWS account has been compromised
   x             Preventing or detecting a privileged or regular AWS user behaving in an insecure manner
   x             Configuring AWS services (except AWS Managed Services) in a secure manner
   x             Restricting access to AWS services or custom applications to only those users who require it
   x             Updating guest operating systems and applying security patches
   x        x    Ensuring AWS and custom applications are used in a manner compliant with internal and external policies
   x        x    Ensuring network security (DoS, MITM, port scanning)
            x    Configuring AWS Managed Services in a secure manner
            x    Providing physical access control to hardware/software
            x    Providing environmental security assurance against mass power outages, earthquakes, floods, and other natural disasters
            x    Database patching (for AWS-managed database services such as RDS; a database the customer installs on its own instance is the customer's to patch)
            x    Protecting against AWS zero-day exploits and other vulnerabilities
            x    Business continuity management (availability, incident response)
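The first two rows of the table (detecting a compromised account and detecting a user behaving insecurely) only become concrete once CloudTrail is enabled and something reads it. As an added example, not code from this post or from AWS, the following detection logic runs over constructed CloudTrail-shaped records and flags three signals: any call made with the root account, a successful console sign-in recorded with `MFAUsed: "No"`, and a burst of AccessDenied errors from a single access key, which is a common trace of stolen keys being probed. The threshold and window are assumptions to tune; the sample events are constructed and not taken from any real account.

```python
"""Three CloudTrail detections: root use, console login without MFA, and
AccessDenied bursts per access key. Records are constructed for this example
in CloudTrail JSON shape; they are not from a real account."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def root_activity(events):
    """Any API call made with root credentials; root should be idle day to day."""
    return [(e["eventTime"], e["eventName"]) for e in events
            if e["userIdentity"].get("type") == "Root"]


def console_logins_without_mfa(events):
    """Successful console sign-ins where CloudTrail recorded MFAUsed = "No"."""
    hits = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed attempts are a different signal, not counted here
        if e.get("additionalEventData", {}).get("MFAUsed") == "No":
            who = e["userIdentity"].get("userName") or e["userIdentity"].get("type")
            hits.append((e["eventTime"], who, e["sourceIPAddress"]))
    return hits


DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}  # IAM-style and EC2-style codes


def access_denied_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Access keys with at least `threshold` denied calls inside any `window` span.

    A sliding window over each key's sorted timestamps keeps this linear per key.
    Threshold and window are assumed values for the example.
    """
    by_key = defaultdict(list)
    for e in events:
        key = e["userIdentity"].get("accessKeyId")
        if key and e.get("errorCode") in DENIED:
            by_key[key].append(_ts(e))
    bursts = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(key)
                break
    return sorted(bursts)


def _rec(time, name, source, identity, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventVersion": "1.05", "eventTime": time, "eventSource": source,
           "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "userIdentity": identity}
    rec.update(extra)
    return rec


# Constructed identities; the account ID and access key IDs are placeholders.
ROOT = {"type": "Root", "accountId": "123456789012", "arn": "arn:aws:iam::123456789012:root"}
ALICE = {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEKEY000001"}
BOB = {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLEKEY000002"}

SAMPLE_TRAIL = [
    _rec("2017-05-09T09:00:00Z", "CreateUser", "iam.amazonaws.com", ROOT, "203.0.113.5"),
    _rec("2017-05-09T09:05:00Z", "ConsoleLogin", "signin.amazonaws.com", ALICE, "198.51.100.7",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("2017-05-09T09:06:00Z", "ConsoleLogin", "signin.amazonaws.com", BOB, "198.51.100.8",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _rec("2017-05-09T09:07:00Z", "ConsoleLogin", "signin.amazonaws.com", BOB, "203.0.113.9",
         responseElements={"ConsoleLogin": "Failure"}, additionalEventData={"MFAUsed": "No"}),
    _rec("2017-05-09T09:10:00Z", "ListBuckets", "s3.amazonaws.com", ALICE, "203.0.113.44",
         errorCode="AccessDenied"),
    _rec("2017-05-09T09:11:00Z", "ListUsers", "iam.amazonaws.com", ALICE, "203.0.113.44",
         errorCode="AccessDenied"),
    _rec("2017-05-09T09:12:30Z", "DescribeInstances", "ec2.amazonaws.com", ALICE, "203.0.113.44",
         errorCode="Client.UnauthorizedOperation"),
    _rec("2017-05-09T09:20:00Z", "GetCallerIdentity", "sts.amazonaws.com", BOB, "198.51.100.8"),
    _rec("2017-05-09T09:40:00Z", "ListBuckets", "s3.amazonaws.com", BOB, "198.51.100.8",
         errorCode="AccessDenied"),
]

if __name__ == "__main__":
    print("root activity:", root_activity(SAMPLE_TRAIL))
    print("console logins without MFA:", console_logins_without_mfa(SAMPLE_TRAIL))
    print("access keys with AccessDenied bursts:", access_denied_bursts(SAMPLE_TRAIL))
```

On the sample trail the root CreateUser call, alice's non-MFA sign-in, and alice's key (three denials in under three minutes from an address she never signed in from) are reported; bob's MFA sign-in, his failed attempt, and his single denied call are not. The same functions apply unchanged to the `Records` array of a CloudTrail log file pulled from S3.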

AWS Shared Responsibility Best Practices

AWS is responsible for providing a service management layer around its infrastructure and platform services, including storage and networking, and it offers a range of security services and features (IAM, security groups, and CloudTrail among them) that customers can use to secure their data and assets. Enterprises remain responsible for protecting the confidentiality, integrity, and availability of their data in the cloud, and for meeting their own business requirements for information protection. To meet that responsibility in the AWS model, an enterprise should define and follow security policies and processes that let it deploy applications and data quickly without leaving them exposed, which means hardened guest operating systems, securely configured platforms and services, and classified, protected data. Amazon publishes the best practices for IAM and its other services; applying them is the customer's job.

What is the Shared Responsibility Model?

A shared responsibility model defines which cloud security responsibilities belong to the cloud service provider and which to its customer, so that each party can be held accountable for its part. When an enterprise moves its data and applications to a public cloud it transfers some, but not all, of its IT security responsibilities to its cloud service provider (CSP). Within that framework the cloud user and the CSP are accountable for different controls while working together to maintain full coverage. AWS states the division as security “of” the cloud, which is AWS's responsibility, versus security “in” the cloud, which is the customer's: the data, identities, configurations, and applications the customer places there.

About the Author


We're here to make life online safe and enjoyable for everyone.

Categories: Cloud Security
