We can see from the phrase "AWS Shared Responsibility Model" that security implementation on the AWS Cloud is not the responsibility of one entity alone, but is shared between AWS and you, the customer. This blog post dives into the different models available and the roles and responsibilities within each of them.
What is the AWS Shared Responsibility Model?💭
The AWS Shared Responsibility Model specifies which security controls are under AWS's control and which are under yours. You decide how your resources are secured 'in' the cloud (how much access you wish to allow to and from your resources), while AWS ensures the security 'of' the cloud worldwide (i.e., the underlying network and hardware it provides to host and connect your resources). A good grasp of the AWS Shared Responsibility Model, in my experience, makes it easier to develop and maintain a highly secure and dependable environment.
AWS treats security as a major priority...and so should you🤷♀️
AWS Shared Responsibility Models
To provide a clear definition of the boundaries of responsibility, AWS has devised 3 main models, each showing where AWS's and the customer's responsibilities start and end:
- ✔Shared Responsibility Model for Infrastructure Services
- ✔Shared Responsibility Model for Container Services
- ✔Shared Responsibility Model for Abstract Services
Let's look at each one in turn.
Shared Responsibility Model for Infrastructure Services
- AWS is in charge of what is known as security 'of' the cloud. This includes the parts of its worldwide infrastructure, such as Regions, Availability Zones, and Edge Locations, as well as the foundations of its Compute, Storage, Database, and Network services. AWS owns and controls access to its data centers, which house your customer data. This includes physical access to all hardware and networking components, as well as any supporting data center facilities such as generators, uninterruptible power supply (UPS) systems, power distribution units (PDUs), computer room air conditioning (CRAC) units, and fire suppression systems.
- Essentially, AWS is responsible for the components that make up the cloud; any data you put 'into' the cloud then becomes your responsibility.
- Because AWS secures and maintains the underlying cloud infrastructure, responsibility for what goes into the cloud lies with you. This includes client- and server-side encryption and network traffic protection; operating system, network, and firewall configuration; application security; and identity and access management. How much additional security you deploy is entirely up to you, and what you choose may be determined by the nature of your business or by the controls you already have in place.
To reduce exposure to external threats that could compromise your environment, I recommend strengthening security as far as is feasible. The crucial thing to understand is that, while AWS provides many sophisticated security features, it is not AWS's job to decide how and when you use them.
Shared Responsibility Model for Container Services
Examples of AWS container services include:
- AWS Relational Database Service (RDS)
- AWS Elastic MapReduce (EMR)
- AWS Elastic Beanstalk
We can see that platform and application administration, as well as operating system, system, and network configuration, have passed to AWS and are no longer ours as the customer to maintain. This is a significant distinction from infrastructure services. However, not all responsibility has been transferred. Note that firewall configuration remains the customer's responsibility, and it sits alongside the platform and application administration levels. RDS, for example, makes use of security groups, which you are in charge of configuring and deploying.
Shared Responsibility Model for Abstract Services
Examples of abstract services include:
- Simple Storage Service (S3)
- DynamoDB
- Amazon Glacier
- SQS
You'll see that AWS has taken on even more responsibilities, notably network traffic protection, which AWS administers through the platform to safeguard any data in transit over AWS's own network. You remain responsible for using IAM tools to apply the appropriate permissions at both the platform level (such as S3 bucket policies) and the IAM user/group level.
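Two of the customer-side controls named above, the security group in front of an RDS instance and an S3 bucket policy, can be checked offline before anything is deployed. The script below is an added example, not code from the original post; it uses constructed sample data in the shape the AWS API returns, and flags a database port reachable from 0.0.0.0/0 and an unconditional Allow granted to any principal.

```python
"""Offline checks for two customer-side controls this post names: an RDS security group and an S3 bucket policy."""
import ipaddress

# Constructed sample: an RDS security group with one over-broad ingress rule.
RDS_SECURITY_GROUP = {
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},   # application subnet
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},     # the whole internet
    ],
}

# Constructed sample: a bucket policy with an anonymous-read grant and a TLS-only Deny.
S3_BUCKET_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

def overbroad_ingress(group, allowed_sources):
    """Return (port, cidr) for each IPv4 ingress source that is not inside one of allowed_sources."""
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for perm in group["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            # subnet_of() raises on mixed IP versions, so compare versions first.
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append((perm.get("FromPort"), rng["CidrIp"]))
    return findings

def public_allow_statements(policy):
    """Return (resource, actions) for each unconditional Allow open to any principal; conditional ones need manual review."""
    findings = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            findings.append((stmt["Resource"], actions))
    return findings

if __name__ == "__main__":
    print(overbroad_ingress(RDS_SECURITY_GROUP, ["10.0.0.0/16"]))  # [(3306, '0.0.0.0/0')]
    print(public_allow_statements(S3_BUCKET_POLICY))  # [('arn:aws:s3:::example-bucket/*', ['s3:GetObject'])]
```

The allowed-source list (here the constructed VPC range 10.0.0.0/16) is the boundary you, not AWS, define; the TLS-only Deny in the sample is a customer control that the checker deliberately leaves alone.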
Final words
As we go through each of these models, it becomes evident that control and responsibility shift progressively toward AWS and away from the customer.
The AWS Shared Responsibility Model is a robust and extremely helpful framework that helps IT departments and application teams grow their capability. Properly managed, it can be a safe and effective basis for storing data and a foundation for more complex applications. AWS customer support ensures that you get end-to-end solutions, including real technical help in managing organisational change.
Graphics from Cloudacademy