Shared Responsibility Model
The Shared Responsibility Model is the fundamental security framework of AWS. It dictates that security and compliance are a shared effort between AWS and the customer. Understanding the “Line of Demarcation” is critical for the SAA-C03 exam, as many questions test your ability to determine who is responsible for a specific task based on the service being used.
The Apartment Analogy
Think of AWS as a Landlord and the Customer as a Tenant:
- The Landlord (AWS): Responsible for the building’s structural integrity, the perimeter fence, the plumbing, and the electricity. If the roof leaks, it’s the landlord’s job to fix it.
- The Tenant (Customer): Responsible for locking their own front door, choosing who gets a key, and ensuring their furniture (data) isn’t flammable. If the tenant leaves the stove on and starts a fire, it is the tenant’s responsibility.
Core Concepts: The “What” and “Why”
This model aligns with the Security Pillar of the AWS Well-Architected Framework. By offloading the “undifferentiated heavy lifting” of infrastructure management to AWS, customers can focus on innovation and application code.
- AWS Responsibility: Security OF the Cloud. This includes the physical facilities, hardware, software, and networking that run AWS services.
- Customer Responsibility: Security IN the Cloud. This includes what the customer configures, the data they upload, and the access they grant via IAM.
Comparison of Responsibilities by Service Type
| Responsibility | Infrastructure (EC2) | Abstracted/PaaS (S3, Lambda) | Managed (RDS) |
|---|---|---|---|
| Physical Security | AWS | AWS | AWS |
| OS Patching | Customer | AWS | AWS |
| Network Firewall | Customer (Security Groups) | AWS (Underlying) | Customer (Security Groups) |
| Data Encryption | Customer | Customer | Customer |
Scenario-Based Decision Matrix
If the requirement is…
- Full Control over the OS: Use EC2. (Customer patches OS, AWS patches Hypervisor).
- High Availability without management: Use S3 or DynamoDB. (AWS handles replication; Customer handles bucket policies).
- Managed Database with OS access: Use EC2 with self-installed DB. (Customer handles everything above the hardware).
- Managed Database without OS access: Use RDS. (AWS handles OS/DB patching; Customer handles Schema/IAM).
Exam Tips: Golden Nuggets
- The Data Rule: The Customer is ALWAYS responsible for their data, regardless of the service type. This includes encryption and backups.
- IAM is ALWAYS Customer: AWS provides the IAM tools, but the customer is responsible for configuring users, groups, and roles.
- The “Managed” Trap: Even in “Managed” services like RDS, the customer is still responsible for firewall rules (Security Groups) and application-level security.
- Physical Security: If a question mentions “Physical Access Control” or “Disposing of Hard Drives,” the answer is almost always AWS.
Visualizing the Line of Demarcation
Key Service Context
EC2: Customer manages the Guest OS and everything above it.
S3/Lambda: AWS manages the OS and Network layer; Customer manages Data and Access.
Common Pitfalls
Assuming AWS performs backups by default (False: Customer must configure AWS Backup or Snapshots).
Thinking “Managed Service” means no security config needed.
Quick Patterns
Encryption: AWS provides the KMS tool, but Customer must click “Enable”.
Compliance: AWS provides “Artifact” (reports), but Customer must ensure their app meets industry standards.