The Shared Responsibility Model

The AWS Shared Responsibility Model is very simple. It divides the security responsibilities between two parties—the AWS customer (you) and Amazon (AWS). The fact that you are no longer responsible for a massive portion of the security required for scalable data centers is a huge advantage. You can leverage Amazon's massive budgets and deep expertise. The next two sections of this chapter provide many examples of responsibilities in each part of the model. But for now, realize that Amazon's responsibilities include the host operating system and virtualization layer and everything below them. Amazon is also responsible for the physical security of the facilities in which the service operates. It is your (the customer's) responsibility to secure the guest operating system (including updates and security patches), the application software, and the AWS network security group firewall. Be aware that the client responsibilities vary depending on which services the client chooses to use. They further vary based on how deeply the consumed AWS services are integrated with the client's own IT infrastructure. The laws and regulations that must be followed will also vary. As shown in Figure 5-1, AWS's responsibility is considered "Security of the Cloud," and the customer's responsibility is considered "Security in the Cloud." In addition to partitioning the operational security concerns between the AWS client and AWS itself, the Shared Responsibility Model applies to the IT controls that are in use. Amazon groups these controls into three categories:
Amazon Responsibilities

Remember, Amazon is considered responsible for security of the cloud. This means that AWS is responsible for protecting the infrastructure that runs the services that customers select. This encompasses the hardware and software required to power the AWS service, including the networking and facilities used. Specific Amazon responsibilities would include the following:
Client Responsibilities

Remember, we consider the client responsible for security in the cloud. The specific services selected determine what the client is responsible for. For example, if you rely heavily on S3 for storage, you are responsible for understanding and properly configuring the security permissions on your resources. Another example would be a client who chooses to use EC2 and run an operating system like Windows Server 2016. The client is required to keep the operating system updated and patched. The client is also responsible for the application software installed on this guest operating system. In addition, the client is responsible for the appropriate security group configuration for the EC2 instance. Specific examples of client responsibilities would include the following:
Figure 5-2 shows an example of a customer checking the security group settings that apply to an EC2 instance. This is a perfect example of a client responsibility: AWS is responsible for making sure the security group functions as intended, but it is the client's responsibility to configure it correctly.

FIGURE 5-2 Checking the Security Group Settings for an EC2 Instance

What are two examples of AWS's responsibility in the shared responsibility model?
As a rule of thumb, AWS is responsible for security of the cloud, and the customer is responsible for security in the cloud. Breaking that down, AWS is responsible for the host operating system, the virtualization layer and the physical security of the cloud servers.
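The security group review in Figure 5-2 is the kind of check the customer owns. The following is an added example, not code from the book, that automates that review offline: it walks a security group description in the shape returned by the EC2 DescribeSecurityGroups API (the sample group, its placeholder GroupId and the list of "sensitive" ports are constructed here, not taken from the text) and flags ingress rules that expose an administrative or database port to the whole Internet.

```python
# Added example (not from the book): audit an EC2 security group for
# world-open ingress on sensitive ports. The input mirrors the shape of
# the DescribeSecurityGroups API response but is constructed inline so
# the check runs offline; no AWS API call is made.

# Ports a customer would normally never expose to 0.0.0.0/0 (assumed list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL",
                   1433: "MSSQL", 5432: "PostgreSQL"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_port_range(perm):
    """Return (from, to) for one IpPermission; protocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def find_world_open_ingress(security_group):
    """Return findings for ingress rules that open a sensitive port to the
    entire Internet (IPv4 0.0.0.0/0 or IPv6 ::/0)."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        lo, hi = rule_port_range(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_cidrs = [c for c in cidrs if c in WORLD_CIDRS]
        if not open_cidrs:
            continue  # rule is scoped to specific networks; not a finding
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append({"port": port, "service": name, "cidrs": open_cidrs})
    return findings


# Constructed sample resembling what the customer sees when reviewing an
# instance's security group: SSH world-open (bad), HTTPS world-open (normal
# for a web server), RDP restricted to an internal range (fine).
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for f in find_world_open_ingress(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {f['service']} port {f['port']} open to {f['cidrs']}")
```

On the sample group only the SSH rule is reported; the same function can be fed the `SecurityGroups` entries from a real DescribeSecurityGroups response.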
Which of the following is AWS responsible for in the shared responsibility model?
AWS responsibility "Security of the Cloud" – AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Which actions are the responsibility of AWS under the AWS shared responsibility model (select two)?
AWS Responsibility: AWS is responsible for the Infrastructure (Regions and Availability Domains), services (compute, storage, database and network), platform and operating system.

What are the two recommendations for a shared responsibility model?
This shared responsibility model directly correlates to two recommendations: Cloud providers should clearly document their internal security controls and customer security features so the cloud consumer can make an informed decision. Providers should also properly design and implement those controls.