The AWS IAM Shared Responsibility Model divides security and compliance tasks between AWS and the customer:
AWS Responsibility
Protects the infrastructure (hardware, software, facilities) that runs AWS services, and operates and secures the IAM service itself, including the access-control, encryption, and monitoring features that customers configure. In other words, AWS is responsible for the security of the cloud: the infrastructure that supports the cloud services.
- Infrastructure (global security network)
- Physical Security
- Networking
- Virtualization
- Hardware Security
- Compliance Programs, compliance validation
- Software and Services
  - Manage the security of all services (EC2, RDS, Lambda, etc.)
  - Configuration and Vulnerability Analysis
Customer Responsibility
Manages user access (IAM users, groups, roles, permissions), data encryption, application security, and compliance with regulations.
In short, AWS secures the cloud infrastructure, while customers secure their data, applications, and access within it.
- Data Protection
- Application Security
- Identity and Access Management
  - Configure access, permissions, resources
  - Prevent unauthorized access via MFA, groups, policies
- Monitoring and Logging
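Two of the customer-side duties above (enforcing MFA and writing policies) can be checked and expressed in code. The following is an added example, not part of the original notes or any AWS-provided tool: it parses the IAM credential report (the column names are those AWS emits; the rows here are constructed sample data) to find console-capable identities without MFA, and builds the well-known deny policy that blocks every action made without MFA, using the documented aws:MultiFactorAuthPresent condition key.

```python
import csv
import io

# Constructed sample of an IAM credential report (same column layout as
# `aws iam get-credential-report`); account id and users are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-05T10:00:00+00:00,not_supported,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2024-01-04T09:12:00+00:00,2023-12-01T00:00:00+00:00,2024-03-01T00:00:00+00:00,true,true,2023-12-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-15T00:00:00+00:00,true,2024-01-02T11:30:00+00:00,2022-06-15T00:00:00+00:00,2022-09-13T00:00:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-08-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-08-01T00:00:00+00:00,false,N/A
"""


def users_without_mfa(report_csv: str) -> list[str]:
    """Return identities that can sign in to the console but have no MFA.

    The root row reports password_enabled as 'not_supported' because root
    always has a password, so it is judged on mfa_active alone. Users with
    only access keys (password_enabled false) are not console-capable and
    are left for a separate key-rotation check.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console_capable = is_root or row["password_enabled"] == "true"
        if console_capable and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


# Actions a user still needs in order to enrol a device; everything else is
# denied until the session carries MFA. Attach this alongside the group's
# normal Allow grants; a Deny always wins over an Allow.
MFA_ENROLMENT_ACTIONS = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices",
    "iam:ListVirtualMFADevices", "iam:GetUser", "sts:GetSessionToken",
]


def mfa_required_policy() -> dict:
    """Identity policy denying all non-enrolment actions without MFA.

    BoolIfExists treats a missing aws:MultiFactorAuthPresent key (e.g. a
    plain access-key call) as 'false', so such requests are denied too.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptEnrolmentWithoutMfa",
            "Effect": "Deny",
            "NotAction": MFA_ENROLMENT_ACTIONS,
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }
```

Running `users_without_mfa(SAMPLE_REPORT)` on the constructed report flags the root account and bob; alice has MFA and ci-deploy has no console password.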
Key Points
AWS is responsible for securing the cloud infrastructure (hardware, data centers, network), while the customer is responsible for securing what they build and run in the cloud (data, applications, and user access).
Customers must actively configure and manage security and compliance settings to ensure that their use of AWS services meets legal, regulatory, and internal compliance requirements.
In essence, AWS provides a secure foundation and compliance framework, but customers must take responsibility for properly configuring and managing their workloads to ensure compliance with specific requirements.