Cloud breaches of high-profile companies grab headlines every year with details of sophisticated scams, lucrative payouts, and blindsided victims. But what these stories often leave out is the most important fact: in most cases it is the customer, not the provider, who is responsible for the breach, because proper controls to protect the data were never put in place. Unfortunately, this is not likely to change anytime soon, as Gartner predicts[1] that through 2025, 99 percent of cloud security failures will be the customer’s fault.
To reduce the risk of cloud breaches and data leaks, it’s imperative that organizations understand their role in ensuring cloud security. This becomes critical as they shift more workloads to the cloud to support a remote workforce focused on agility, flexibility, and work/life balance. Cloud security operates on a shared responsibility model that defines the balance of security responsibilities between the cloud service provider (CSP) and the cloud customer.
Generally, the shared responsibility model stipulates the CSP is responsible for the security of the cloud and the customer is responsible for the security in the cloud. In practice, it’s a little trickier as the specific breakdown of cloud security responsibilities changes depending on the particulars of the cloud service that a customer is using. The cloud customer has more security responsibilities under an Infrastructure as a Service (IaaS) model than they do in a Software as a Service (SaaS) model, for example.
Amazon Web Services (AWS) was a leader in developing and promoting the shared responsibility model, and it is the basis of AWS security. The company has invested heavily in security to win the confidence of organizations still reluctant to move to the cloud. Charged with helping customers meet compliance requirements for every regulatory agency, it offers the broadest set of compliance controls and supports more security standards and compliance certifications than any other provider, including HIPAA/HITECH, PCI-DSS, GDPR, FedRAMP, ISO, FIPS 140-2, and NIST 800-171. Much of the responsibility for putting security controls in place to satisfy these requirements, though, falls on the customer.
AWS services are deployed uniformly throughout its global infrastructure, providing the same security standards to a small business as to the most security-sensitive enterprise. But to get the most value from them, it’s essential to understand the division of responsibilities between AWS and its customers. Let’s look at how these break down for each party.
What is the AWS Shared Responsibility Model?
The AWS Shared Responsibility Model (SRM) prescribes which security controls are AWS’s responsibility and which are the customer’s. Broadly, the model says AWS guarantees the security of its Global Cloud Infrastructure — its physical facilities, network, hardware, etc. — and the customer is responsible for securing whatever they put into the cloud through network controls, application configurations, identity and access management, and other measures.
Here is another way to look at this: AWS is the homeowners association responsible for common areas, infrastructure, construction of public amenities, and street access. The customer is the homeowner responsible for securing the home, its contents, home maintenance, who has access to the home and ensuring only the proper residents enter the home.
Elements of the AWS Shared Responsibility Model
The customer’s responsibilities
AWS considers customers to be responsible for several key areas including:
- Customer Data: Under the AWS shared responsibility model, customers are solely responsible for managing their own data, which includes encryption, storage, and access controls. In this model, AWS covers the underlying infrastructure and security of the environment where the data resides.
- Platforms: Customers are responsible for managing the configuration and security of the platforms they deploy on AWS. This includes ensuring proper patching, access controls, and that authentication measures are in place.
- Applications: Securing applications is the customer’s responsibility. This includes implementing appropriate authentication, authorization, and encryption mechanisms, as well as regular audits. In turn, AWS is responsible for ensuring the availability, performance, and security of the underlying infrastructure.
- Identity and Access Management: Proper enforcement of identity and access management (IAM) practices includes creating and managing IAM users, roles, and permissions, setting up multi-factor authentication (MFA), and monitoring IAM activity for potential risk. The role of AWS includes providing tools and services for IAM and ensuring the security and availability of the IAM service itself.
- Operating Systems: The sole responsibility for managing and securing the operating systems (OS) of VM or EC2 instances falls on the customer. This includes patching, hardening, and monitoring for security vulnerabilities. AWS is responsible for the physical hosts and hypervisors, as well as for AWS-managed services such as Amazon RDS or Amazon Lightsail, which handle OS patching for those specific services.
- Network Configuration: The proper configuration of network settings falls to the customer. This includes virtual private cloud (VPC) configurations, subnet designs, security group rules, and network ACLs to control traffic flow and secure their applications and data. AWS, on the other hand, is responsible for security and availability of the underlying physical network infrastructure that powers the AWS services such as Amazon VPC and AWS security groups.
- Firewall Configuration: Customers are responsible for firewall configurations, such as security group rules and network ACLs, that control incoming and outgoing traffic to AWS resources, as well as for using a web application firewall (WAF) service to protect their web applications. The role of AWS in this area is the availability of the physical network infrastructure that hosts AWS services, including the firewall capabilities that let customers implement effective firewall configurations.
- Client-Side Data Encryption: As part of the shared responsibility model, client-side encryption involves encryption of data before it is uploaded to AWS services using client-side encryption libraries or SDKs, managing encryption keys, and ensuring proper access control. AWS is responsible for providing secure and compliant infrastructure to store and manage encrypted data as well as offering server-side encryption options like Amazon S3 server-side encryption or Amazon RDS encryption for data at rest.
- Data Integrity Authentication: Data integrity requirements that fall to the customer include hashing, signing, and verifying data to ensure integrity and authenticity throughout its lifecycle within AWS services. The role for AWS includes protection against data tampering or unauthorized access and providing features like AWS CloudTrail for monitoring and logging AWS API activities to support customer data integrity and authentication efforts.
- Server-Side Encryption (file system and/or data): The customer’s server-side encryption responsibility includes choosing server-side encryption options, such as Amazon S3 server-side encryption or Amazon RDS encryption at rest, to protect data stored within AWS services. This also includes managing and securing the encryption keys. AWS is responsible for the infrastructure to store and manage the encrypted data and for the proper implementation and maintenance of server-side encryption features within AWS services.
- Networking Traffic Protection (encryption, integrity, identity): The customer is responsible for network traffic protection measures such as SSL/TLS encryption, Virtual Private Networks (VPNs), or AWS Direct Connect to secure data in transit between their client-side environment and AWS services. On the other hand, AWS is responsible for the secure and resilient network infrastructure that powers the AWS services, including physical network components, routing, and traffic isolation to protect against unauthorized access to or interception of network traffic.
As we’ve seen in the AWS shared responsibility model, customers are responsible for many aspects of securing their data and applications in the AWS environment. One of the most challenging aspects for customers may be keeping up with the rapidly evolving security landscape and ensuring proper implementation of security measures based on their requirements and compliance obligations. To address this, customers should stay up to date with AWS security best practices, leverage AWS security features and services, and conduct regular security audits and assessments to verify their security posture in the AWS environment.
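Several of the customer-side controls listed above can be checked mechanically. The following script, added here as an illustration and not code from Alert Logic or AWS, audits three of them (IAM users lacking MFA, security groups that expose SSH or RDP to the whole internet, and S3 buckets with no default server-side encryption) over constructed sample data shaped like the corresponding boto3 responses; replacing the constants with live API calls is left to the reader.

```python
# Offline audit of three customer-side controls from the AWS shared
# responsibility model: IAM MFA, security-group ingress, S3 default SSE.
# All input data is CONSTRUCTED to mirror the shape of boto3 responses
# (list_mfa_devices, describe_security_groups, get_bucket_encryption).

ADMIN_PORTS = {22, 3389}  # SSH and RDP, the ports most often exposed by mistake

# Constructed: IAM users and the MFA devices enrolled for each.
IAM_USERS = [
    {"UserName": "alice", "MFADevices": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}]},
    {"UserName": "bob", "MFADevices": []},
]

# Constructed: sg-0b2 opens SSH to the world and sg-0d4 opens every protocol
# ("-1") to the world over IPv6; the other two groups are acceptable.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b2", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0c3", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0d4", "IpPermissions": [{"IpProtocol": "-1",
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Constructed: bucket -> ServerSideEncryptionConfiguration, or None where the
# GetBucketEncryption call returned no configuration at all.
BUCKET_ENCRYPTION = {
    "app-logs": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "scratch": None,
}

def users_without_mfa(users):
    """IAM users with no enrolled MFA device (the customer's IAM responsibility)."""
    return [u["UserName"] for u in users if not u.get("MFADevices")]

def rule_exposes_admin_port(perm):
    """True if one ingress rule lets 0.0.0.0/0 or ::/0 reach an admin port."""
    world_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    world_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    if not (world_v4 or world_v6):
        return False
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)

def world_open_admin_groups(groups):
    """Security groups containing at least one world-open admin-port rule."""
    return [g["GroupId"] for g in groups
            if any(rule_exposes_admin_port(p) for p in g.get("IpPermissions", []))]

def buckets_without_default_sse(encryption_by_bucket):
    """Buckets with no ApplyServerSideEncryptionByDefault rule configured."""
    return [name for name, cfg in encryption_by_bucket.items()
            if not any("ApplyServerSideEncryptionByDefault" in r
                       for r in (cfg or {}).get("Rules", []))]

def audit(users=IAM_USERS, groups=SECURITY_GROUPS, buckets=BUCKET_ENCRYPTION):
    """Run all three checks; each value lists the offending resources."""
    return {"iam_users_without_mfa": users_without_mfa(users),
            "world_open_admin_security_groups": world_open_admin_groups(groups),
            "s3_buckets_without_default_sse": buckets_without_default_sse(buckets)}
```

Calling `audit()` on the sample data flags bob, sg-0b2, sg-0d4 and the scratch bucket; an empty list for a check means that responsibility is being met for the resources inspected.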
Responsibilities of AWS
AWS assumes certain responsibilities for ensuring the security and compliance of the underlying infrastructure and services provided.
Software
AWS is responsible for securing and maintaining the software that powers the AWS services, including patching, updating, and ensuring the availability and integrity of the software stack.
- Compute: AWS covers the underlying compute infrastructure, including physical servers, hypervisors, and virtualization layers, as well as ensuring availability and performance of compute resources.
- Storage: For storage, AWS is responsible for securing physical storage devices, storage area networks (SANs), and object storage services, and for ensuring data durability and availability.
- Database: AWS’s database responsibility includes database servers, database engines, and database storage, as well as data durability and availability.
- Networking: Responsibilities for AWS within networking include physical network components, routing, and traffic isolation which all protect against unauthorized access or interception of network traffic.
Hardware/AWS Global Infrastructure
AWS’s responsibilities in this area include managing the data centers, servers, networking equipment, and storage devices that make up its global infrastructure, ensuring the availability, security, and reliability of these resources for customer use.
- Regions: Management of physical infrastructure within its global regions falls as an AWS responsibility. This includes all geographically dispersed data center locations around the world.
- Availability Zones: AWS ensures the availability and reliability of all its Availability Zones (AZs) which are isolated data centers within the AWS regions designed to provide fault tolerance.
- Edge Locations: The AWS shared responsibility model requires AWS to manage and maintain its global network of edge locations, which are distributed points of presence (PoPs) used for content caching and acceleration.
In the AWS shared responsibility model, AWS is responsible for managing and maintaining the physical infrastructure, global regions, and edge locations. Customers should understand and fulfill their share: configuration and application security. They should take care not to assume that all aspects of security are handled by AWS. Proactive measures, such as monitoring, patching, and conducting security assessments, should be taken by customers to ensure secure use of AWS services.
AWS Shared Responsibility Model Categorized by Service
Under this primary model, however, the balance of responsibility changes depending on the particular AWS service the customer is using. To make this clearer, AWS provides three additional shared responsibility models that delineate the security boundaries for its categories of service:
- Shared Responsibility Model for Infrastructure Services
- Shared Responsibility Model for Container Services
- Shared Responsibility Model for Abstract Services
As we look more closely at these, we’ll see how more security control shifts to AWS as more of its infrastructure is abstracted away. That removes a lot of infrastructure management — and also control — from the customer. In exchange, the customer gets a more turnkey experience allowing them to focus more on their application development and other core business activities.
Shared responsibility model for infrastructure services
As mentioned, AWS oversees the security of the cloud. That includes the components of its global infrastructure — regions, availability zones, and edge locations — as well as its storage, database, networking, and compute services.
It is responsible for the physical security of the data centers where the customer stores its data. It manages and controls access to everything from the networking and hardware components to the generators, power supplies, and air conditioning units that support its data center facilities. This essentially relieves customers of the responsibility for managing all the physical elements typically included in an on-premises infrastructure.
However, the customer is still accountable for securing anything they put in the cloud. An organization using AWS’s EC2 service, for example, can install and configure their own operating system in the cloud and run whatever applications they wish on top of it. But this OS-level access and control comes with greater security responsibility. It falls on the customer in this situation to secure their operating system and control network access to all their instances, as well as to manage application security and identity and access management. AWS provides a range of security controls to meet these responsibilities, but how and when they’re used is up to the customer.
AWS infrastructure services security responsibilities:
- AWS foundation services: networking, compute, storage, database
- AWS global infrastructure: regions, availability zones, edge locations
Customer infrastructure service security responsibilities:
- Customer data
- Platform, applications, identity and access management
- Client and server-side encryption
- Operating system, network, and firewall configuration
- Network traffic protection
Shared responsibility model for container services
A container service enables multiple applications on the same operating system to share resources. AWS Elastic Map Reduce (EMR), AWS Elastic Beanstalk, and Amazon Relational Database Service (RDS) are examples of AWS container services.
Running containerized services on AWS adds a layer of abstraction. Though these services use EC2, they remove visibility and access to the operating system. That shifts responsibility for the operating system and network configuration as well as platform and application management over to AWS. A great way to think about this using our previous home example would be apartment living. The apartment management controls the property, is responsible for the maintenance and provides smaller living units within the much larger infrastructure. The apartment tenants, however, are still responsible for securing the contents of the apartment and access into the apartment itself.
This reduces — but doesn’t eliminate — the customer’s container security responsibility. They’re still responsible for firewall configuration and securing their data through access management and encryption.
AWS container services responsibilities
- AWS foundation services: networking, compute, storage, database
- AWS global infrastructure: regions, availability zones, edge locations
- Platform and applications management
- Operating system, network configuration
Customer container services responsibilities
- Customer data
- Identity and access management
- Client and server-side encryption
- Firewall configuration
- Network traffic protection
Shared responsibility model for abstract services
For abstract services, including Amazon Glacier, DynamoDB, S3, and SQS, even more security responsibility is shifted to AWS. In addition to the security levels of the infrastructure and container service models, AWS takes responsibility for server-side encryption and network traffic protection. This leaves the customer responsible mainly for properly configuring the security of the given service, such as applying permissions at the platform and IAM user/group level. Taking our housing analogy one last time, in this scenario we can equate this to a hotel room. All responsibility falls on the provider except for personal access to the room which is still defined by the tenant.
AWS abstract services security responsibilities
- AWS foundation services: networking, compute, storage, database
- AWS global infrastructure: regions, availability zones, edge locations
- Platform and applications management
- Operating system, network configuration
- Data protection at rest
- Network traffic protection for data in transit
Customer abstract services security responsibilities
- Customer data
- Identity and access management
- Client-side encryption
- Function code and resource configuration
Potential Challenges with the AWS Shared Responsibility Model
Migrating to the cloud under the AWS shared responsibility model can pose challenges for customers. Misconceptions about full security coverage by AWS, complexity in understanding and fulfilling responsibilities, inadequate configuration, access control mismanagement, and failure to comply with regulations are common pitfalls. Careful planning, a thorough understanding of responsibilities, proactive security measures, and staying updated on regulatory requirements and compliance mandates are essential to addressing these challenges and ensuring a secure and compliant cloud migration with AWS.
In addition, customers should be aware of other key considerations when migrating into the AWS cloud infrastructure. These include understanding the implications of data residency and data sovereignty, as data may be stored in different regions or countries with varying legal requirements such as GDPR. Customers should also be mindful of the potential for increased costs associated with the cloud services, such as data transfer fees, storage costs, and usage-based pricing. These should be carefully planned and monitored to avoid unexpected expenses. Finally, customers should regularly review and update their security measures and configurations to adapt to evolving security threats and best practices, as well as any AWS updates or announcements that may impact their cloud environment.
Meeting Your Shared Responsibilities
Understanding the customer’s area of security responsibility is the first step to protecting your data in the cloud. But fulfilling those responsibilities requires familiarity with the security, permissions, and privacy settings you need to secure that data. Like all cloud providers, AWS has default settings that determine which security controls are enabled in your environment. While they may provide a base level of protection, they are most likely insufficient for your organization’s specific security and compliance requirements. Ultimately, you are accountable for ensuring that the appropriate security controls are active. AWS provides multiple layers of security controls to prevent unauthorized access, for example, but if you don’t enable multi-factor authentication or you configure user credentials inadequately, you will be responsible for any resulting data breach.
Moving to the cloud exposes organizations to an array of new threats, and a proactive security approach is the best defense. To learn how you can get started, download our Shared Responsibility eBook, where we outline how the shared security responsibility model impacts you and recommend a five-step plan for using it to maximize your protection.
It may also make sense to partner with a managed detection and response (MDR) provider, like Fortra’s Alert Logic. We can help you determine and manage the appropriate controls and settings for your organization’s AWS environment so you can meet your security responsibilities and provide your applications and data with the highest level of protection. Contact us today to request your free demo.
Additional Resources on the AWS Shared Responsibility Model
Ebook: Key Steps in Defining a Shared Responsibility Model for AWS Environments
Guide: Secrets to a Stronger Strategy for Container Security
Solution Brief: Alert Logic for Amazon Web Services