AWS Shared Responsibility Model
AWS Shared Responsibility Model
- AWS responsibility - Security of the Cloud
- Protecting infrastructure (hardware, software, facilities and networking) that runs all of the AWS services
- Managed services like S3, DynamoDB, RDS etc
- Customer responsibility - Security in the Cloud
- For EC2 instance, customer is responsible for management of the guest OS (including security patches), firewall and network configuration, IAM etc.
Example for RDS:
- AWS responsibility:
- Manage the underlying EC2 instance, disable SSH access
- Automate DB patching
- Automate OS patching
- Audit the underlying instance and disk. Guarantee it function
- Customer responsibility:
- Check the ports/IP/SG inbound rules in DB’s SG
- In-database user creation and permissions
- Creating a database with or without public access
- Ensure parameter groups or DB is configured to only allow SSL connections
- Database encryption settings
Example for S3:
- AWS responsibility:
- Guarantee we get unlimited storage
- Guarantee we get encryption
- Ensure separation of the data between different customers
- Ensure AWS employees can’t access customer’s data
- Customer responsibility:
- Bucket configuration
- Bucket policy / public settings
- IAM user and roles
- Enable encryption