AWS Shared Responsibility Model: SAA-C03 Study Guide
The Shared Responsibility Model is a fundamental concept for the AWS Certified Solutions Architect – Associate (SAA-C03) exam. It dictates who is responsible for specific security and operational tasks within the AWS ecosystem. Understanding this prevents architectural gaps and ensures compliance.
The “Renting an Apartment” Analogy
Think of AWS as a landlord and you as the tenant. The landlord (AWS) is responsible for the building’s structural integrity, the roof, the plumbing, and the common areas (Security OF the Cloud). The tenant (You) is responsible for locking your front door, choosing who has a key, and ensuring your furniture (data) is safe (Security IN the Cloud). If you leave your window open and get robbed, it’s not the landlord’s fault!
Core Concepts: Security OF vs. Security IN
AWS Responsibility: Security OF the Cloud
AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud. This includes:
- Physical Security: Protecting data centers (security guards, cameras, biometric access).
- Hardware Infrastructure: Servers, storage devices, and networking equipment.
- Software Infrastructure: The virtualization layer (hypervisor) that abstracts hardware into virtual resources.
- Global Infrastructure: Regions, Availability Zones (AZs), and Edge Locations.
Customer Responsibility: Security IN the Cloud
The customer’s responsibility is determined by the specific AWS service used. Generally, you are responsible for:
- Data Encryption: Protecting data at rest and in transit, whether you use server-side or client-side encryption.
- Identity and Access Management (IAM): Managing users, groups, roles, and permissions.
- Operating System (OS): For IaaS services like EC2, you must patch the OS.
- Network Configuration: Setting up Security Groups, Network ACLs, and VPC routing.
Service-Specific Responsibility Comparison
| Feature | Infrastructure (EC2) | Container (ECS/Fargate) | Abstracted (S3/Lambda) |
|---|---|---|---|
| OS Patching | Customer | AWS (Fargate) / Customer (EC2) | AWS |
| Data Encryption | Customer | Customer | Customer (Configuration) |
| IAM Policies | Customer | Customer | Customer |
| Physical Security | AWS | AWS | AWS |
Exam Tips and Gotchas
- Golden Nugget #1: AWS never manages your data. They provide the tools (KMS, CloudTrail), but you must enable and configure them.
- Golden Nugget #2: For EC2, the customer is responsible for the guest OS. For RDS, AWS manages the OS and DB patching, but the customer manages the DB engine settings and credentials.
- Common Distractor: An exam question might suggest AWS is responsible for “Client-side data encryption.” This is false; the customer always owns the encryption logic.
- The “Patch” Rule: If the service is “Serverless” or “Managed” (Lambda, S3, DynamoDB), AWS patches the underlying software. If it’s EC2, you patch it.
Decision Matrix / If–Then Guide
- If the requirement is total control over the kernel and OS, choose EC2 (and accept responsibility for OS security).
- If the requirement is to minimize operational overhead for database patching, choose RDS.
- If the requirement is to secure data at rest on S3, choose SSE-S3, SSE-KMS, or SSE-C (Customer configures, AWS executes).
- If the requirement is physical isolation of hardware, choose Dedicated Hosts (AWS still manages the physical security).
Topics covered (key subtopics in this guide):
- The distinction between Security “OF” and “IN” the cloud.
- AWS Global Infrastructure physical security.
- Customer responsibilities regarding IAM and Data Protection.
- Comparison of responsibilities across IaaS, PaaS, and SaaS models.
- Exam-specific strategies for identifying responsibility boundaries.
Infographic: The Responsibility Split
Integrations
IAM: The primary tool for customer-side security. Use Roles instead of Users where possible.
KMS: AWS manages the HSM (Hardware Security Module), but you manage the Key Policy.
The Trade-off
In IaaS (EC2), you manage scaling logic and OS performance. In Serverless (Lambda), AWS handles scaling, and you only optimize the code performance.
Shared Savings
AWS handles the cost of physical maintenance. You optimize costs by selecting the right instance sizing and using tools like AWS Trusted Advisor to find security gaps.
Production Use Case: Financial Application
A bank deploys an app on Amazon RDS. AWS ensures the physical data center is secure and the database engine is patched against vulnerabilities. The bank is responsible for encrypting the database using KMS, configuring Security Groups to allow only web-tier traffic, and managing DB user permissions.
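As an added example (not code from this guide or from AWS), the script below audits the three customer-side obligations in the use case above: KMS encryption at rest, no public accessibility, and a database port reachable only from the web tier. It runs offline on constructed data shaped like the boto3 `describe_db_instances` and `describe_security_groups` responses; the security-group IDs are assumed values.

```python
# Added example (not from the study guide or AWS): customer-side checks for the
# RDS use case above. Input is a constructed dict shaped like the boto3 responses
# of rds.describe_db_instances() / ec2.describe_security_groups(), so it runs
# offline; security-group IDs are assumed values.
WEB_TIER_SG = "sg-0web000000000000"   # assumed: the web tier's security group

# Constructed sample: a DB instance with three customer-side gaps.
DB_INSTANCE = {
    "DBInstanceIdentifier": "bank-ledger-db",
    "StorageEncrypted": False, "KmsKeyId": None,   # gap: no KMS encryption at rest
    "PubliclyAccessible": True,                    # gap: reachable from the internet
    "Endpoint": {"Port": 5432},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db0000000000000"}],
}
SECURITY_GROUPS = {
    "sg-0db0000000000000": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],            # gap: world-open CIDR
         "UserIdGroupPairs": [{"GroupId": WEB_TIER_SG}]},  # fine: web tier only
    ]},
}

def rule_covers_port(rule, port):
    """True if an ingress rule applies to `port`; protocol -1 means all ports."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def audit_rds(db, sgs, web_sg=WEB_TIER_SG):
    """Return the customer-responsibility findings for one DB instance."""
    findings = []
    if not (db.get("StorageEncrypted") and db.get("KmsKeyId")):
        findings.append("storage is not encrypted with a KMS key")
    if db.get("PubliclyAccessible"):
        findings.append("instance is publicly accessible")
    port = db["Endpoint"]["Port"]
    for ref in db["VpcSecurityGroups"]:
        for rule in sgs[ref["VpcSecurityGroupId"]]["IpPermissions"]:
            if not rule_covers_port(rule, port):
                continue
            for r in rule.get("IpRanges", []):          # any CIDR source is a gap
                findings.append(f"port {port} open to CIDR {r['CidrIp']}")
            for g in rule.get("UserIdGroupPairs", []):  # only the web tier may connect
                if g["GroupId"] != web_sg:
                    findings.append(f"port {port} open to non-web-tier group {g['GroupId']}")
    return findings

if __name__ == "__main__":
    for finding in audit_rds(DB_INSTANCE, SECURITY_GROUPS):
        print("FINDING:", finding)
```

Everything the function flags sits on the customer side of the line; the hypervisor, host patching and physical security of the RDS host are out of scope because AWS owns them.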