Amazon shared responsibility model

Who’s responsible for security in AWS?

carson sweet / 01.29.18

One of the biggest questions to be answered as enterprises migrate to AWS is, who’s responsible for security?

The AWS shared responsibility model for security is a must-read for security and compliance practitioners starting their AWS journey. AWS does provide quite a lot of security for their customers, and they do quite a good job of it. More good news is that it’s an accepted, well-defined model addressing a fundamental step when developing a cloud infrastructure security strategy.

Amazon Web Services has made their shared responsibility model crystal clear, and it’s a model that other cloud infrastructure providers have followed. In essence, AWS takes on security for all the underpinnings of your cloud infrastructure environment – the physical security, hardware, network, and virtualization stack. In some cases where AWS is providing higher-level infrastructure services (like their Relational Database Service) they might take on even more responsibility.

But the responsibility is shared… so what do AWS customers need to do themselves?

Basically stated:

AWS customers who host workloads on EC2 are responsible for security and compliance of everything inside their EC2 server/workload instances.

This means that the customer is responsible for the instance operating system “up.” Security and compliance issues related to that workload’s OS configuration, application stack parameters, access rights, network accessibility, etc. are all the responsibility of the customer… in other words, you. The image below, courtesy of Amazon Web Services, helps tell the story:

[Image: Shared Responsibility Model]

This is where CloudPassage Halo comes in. We purpose-built the Halo platform to support workloads in public cloud environments like AWS. This means Halo customers can automate fulfillment of their end of the shared responsibility model. CloudPassage Halo is used in AWS environments by some of the largest companies in the world, and as AWS adoption itself picks up pace in the industry, CloudPassage Halo is ready to support security and compliance needs on-demand.

To make it easier to gain access to Halo’s on-demand security capabilities, our solution has recently been added to the AWS Marketplace.

To sum up key takeaways:

  • Cloud providers like Amazon Web Services do handle quite a lot of security on behalf of their customers, and they do a very good job of it.
  • Cloud customers / consumers still have responsibilities, however, which are clearly defined by the cloud providers themselves. Understanding the boundaries is critical.
  • Where customers have the need to address security and compliance for cloud workloads, automation capabilities that are purpose-built for cloud infrastructure are extremely valuable.

Hopefully this post helps clarify the boundaries between what an IaaS provider brings to the game and the IaaS customer responsibilities. Here are some additional resources to help on your journey to safe, compliant public cloud adoption:

As always, please feel free to contact us to learn more and discuss your specific situation – especially if your AWS adoption is happening at large scale.