AWS Overview

AWS Shared Responsibility Model

Updated June 21, 2025

AWS Responsibilities: Security OF the Cloud

AWS is responsible for protecting the global infrastructure that runs all of the AWS services. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

This includes:

  • Physical Security of Data Centers: Managing access to the physical data centers, including surveillance, access control, and environmental controls.
  • Hardware Infrastructure: The underlying physical servers, storage devices, and other hardware.
  • Network Infrastructure: The physical networking components like routers, switches, and cabling.
  • Virtualization Infrastructure: The hypervisor layer that separates and manages the virtual machines (e.g., what powers EC2).
  • Managed Services: For managed services like Amazon S3, DynamoDB, or RDS, AWS manages the operating system, the service or database engine patching, and the underlying infrastructure security. The degree varies: S3 and DynamoDB expose no OS or engine at all, while for RDS the customer still chooses the maintenance window and whether minor engine version upgrades are applied automatically.

Analogy: Think of AWS as the landlord of an apartment building. They are responsible for the security of the building itself, the foundation, the external walls, the main plumbing, and securing access to the building's front door.


Customer Responsibilities: Security IN the Cloud

The customer's responsibility is determined by the AWS Cloud services they select. A customer's responsibility increases as services become less managed (e.g., more responsibility for EC2 than for S3).

This includes:

  • Customer Data: The customer is always responsible for their own data, its classification, and its protection.
  • Identity and Access Management (IAM): Creating and managing users, groups, roles, and permissions. Enforcing the principle of least privilege, rotating credentials, and setting up MFA.
  • Platform, Applications, and Operating System:
    • For IaaS services like Amazon EC2, the customer is responsible for patching the guest operating system, installing antivirus, and managing the firewall.
    • For all services, the customer is responsible for the security of their own application code and configurations.
  • Network and Firewall Configuration:
    • Configuring Security Groups (stateful, allow-only firewalls attached to instances and other ENIs): because they track connections, return traffic for an allowed connection is permitted automatically without a matching rule in the opposite direction.
    • Configuring Network Access Control Lists (NACLs) (stateless, ordered allow/deny rules at the subnet boundary): every packet is evaluated on its own, so return traffic needs explicit rules in both directions, typically including the ephemeral port range (1024-65535).
    • Managing VPC routing, subnets, and gateways.
  • Client-Side Data Encryption: Encrypting data before sending it to AWS.
  • Server-Side Encryption (SSE): Configuring encryption for data at rest in AWS services (e.g., encrypting S3 buckets or EBS volumes). New S3 buckets have been encrypted with SSE-S3 by default since January 2023, and EBS encryption by default is an account-level setting that the customer must turn on; in both cases choosing between AWS-managed and customer-managed KMS keys, and writing the key policies, remains the customer's job.
  • Network Traffic Protection: Encrypting data in transit between your applications and AWS services using TLS, and enforcing it where the service lets you (e.g., an S3 bucket policy that denies requests when the aws:SecureTransport condition is false).
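The stateful/stateless distinction between security groups and NACLs is the one that most often bites in practice, so here is an added example (written for this page, not AWS code or the author's) that models both firewalls evaluating the same HTTPS exchange, and a small check for world-open admin ports over output shaped like `aws ec2 describe-security-groups`. The rule sets, addresses (203.0.113.10 is a documentation address) and the `SAMPLE_SGS` JSON are constructed for the example; the model is simplified (no rule-number ties, no security-group-to-security-group references).

```python
"""Added example, not from the original page: a small model of how a stateful
security group and a stateless NACL judge one HTTPS request/reply pair, plus a
check for admin ports reachable from anywhere in describe-security-groups JSON.
All rule sets, addresses and JSON below are constructed for the example."""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"   # NACL entries may be "deny"; security groups only allow
    number: int = 0         # NACL rule number; NACLs evaluate lowest number first

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    peer_ip: str            # the remote host
    peer_port: int
    local_port: int         # port on the instance

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule applies to the packet's direction, protocol, destination port and peer CIDR."""
    # The rule's port range is the destination port: the instance's port for
    # inbound traffic, the peer's port for outbound traffic.
    dst_port = pkt.local_port if pkt.direction == "in" else pkt.peer_port
    return (rule.direction == pkt.direction
            and rule.proto in ("-1", pkt.proto)
            and (rule.proto == "-1" or rule.from_port <= dst_port <= rule.to_port)
            and ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.cidr))

class SecurityGroup:
    """Stateful: a matching allow rule admits the packet, and any reply to an
    admitted packet is admitted automatically, whatever the rules say."""
    def __init__(self, rules):
        self.rules = rules
        self.connections = set()   # tracked flows: (proto, peer_ip, peer_port, local_port)

    def allows(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.peer_ip, pkt.peer_port, pkt.local_port)
        if key in self.connections:
            return True                         # return traffic of a tracked flow
        if any(matches(r, pkt) for r in self.rules):
            self.connections.add(key)
            return True
        return False

class NetworkAcl:
    """Stateless: each packet is judged alone, lowest rule number first, first
    match wins, and the implicit final rule denies. Replies need their own rule."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt: Packet) -> bool:
        for r in self.rules:
            if matches(r, pkt):
                return r.action == "allow"
        return False

def evaluate(firewall) -> tuple:
    """Client 203.0.113.10:51515 connects to port 443; returns (request ok, reply ok)."""
    request = Packet("in", "tcp", "203.0.113.10", 51515, 443)
    reply = Packet("out", "tcp", "203.0.113.10", 51515, 443)
    return firewall.allows(request), firewall.allows(reply)

INBOUND_HTTPS = Rule("in", "tcp", 443, 443, ANY, number=100)      # the only rule many people write
EPHEMERAL_OUT = Rule("out", "tcp", 1024, 65535, ANY, number=100)  # what a NACL also needs for replies

def open_admin_ports(describe_sg_output: dict, risky=(22, 3389)) -> list:
    """Flag ingress rules open to 0.0.0.0/0 or ::/0 that cover a risky port or all traffic."""
    findings = []
    for sg in describe_sg_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if c in ("0.0.0.0/0", "::/0")]
            if not world:
                continue
            if perm["IpProtocol"] == "-1":
                exposed = ["all"]
            else:
                exposed = [p for p in risky if perm["FromPort"] <= p <= perm["ToPort"]]
            findings += [(sg["GroupId"], p, c) for p in exposed for c in world]
    return findings

SAMPLE_SGS = {  # constructed, shaped like `aws ec2 describe-security-groups` output
    "SecurityGroups": [
        {"GroupId": "sg-0aaa", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0bbb", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    ]}

if __name__ == "__main__":
    print("security group, inbound rule only:", evaluate(SecurityGroup([INBOUND_HTTPS])))
    print("NACL, inbound rule only:", evaluate(NetworkAcl([INBOUND_HTTPS])))
    print("NACL with ephemeral outbound rule:", evaluate(NetworkAcl([INBOUND_HTTPS, EPHEMERAL_OUT])))
    print("world-open admin ports:", open_admin_ports(SAMPLE_SGS))
```

With only the inbound 443 rule, the security group passes both the request and the reply, while the NACL passes the request and silently drops the reply; adding the ephemeral-port outbound rule fixes the NACL. The audit function reports `sg-0bbb` for SSH open to both IPv4 and IPv6 and ignores the RDP rule scoped to 10.0.0.0/8. Against a real account you would feed it the parsed output of `aws ec2 describe-security-groups` rather than `SAMPLE_SGS`.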

Analogy: As the tenant of the apartment, you are responsible for everything inside your own apartment. This includes locking your apartment door, managing who gets a key (IAM), the security of your furniture and belongings (customer data), and ensuring you don't leave a window open (misconfigured security group).


How the Model Varies by Service Type

  • Infrastructure as a Service (IaaS - e.g., Amazon EC2, VPC): The customer has the most responsibility. You manage the guest OS, applications, and security configurations on top of the infrastructure provided by AWS.
  • Platform as a Service (PaaS - e.g., Amazon RDS, AWS Lambda): The responsibility is more balanced. AWS manages the underlying infrastructure and the operating system/platform. The customer is responsible for their code/data and for access to the service. For Lambda, you manage the function code, its dependencies, and the execution role it runs with; for RDS, you manage the data and schema, the database users, the network placement and security groups, and the encryption and backup settings.
  • Software as a Service (SaaS - e.g., Amazon S3, Amazon DynamoDB, AWS Trusted Advisor): AWS manages the vast majority of the stack (AWS's own security guidance calls S3 and DynamoDB "abstracted services" rather than SaaS, but the split is the same). The customer's primary responsibility is managing their data and who can reach it: IAM and resource policies, S3 Block Public Access settings, and the choice of encryption keys.