The AWS Shared Responsibility Model is one of the most tested concepts in the AWS Cloud Practitioner exam — and one of the most important mental models for cloud security in practice. It defines precisely where AWS's responsibility ends and yours begins.
The Core Principle
AWS describes the model as:
- AWS is responsible for security of the cloud.
- You (the customer) are responsible for security in the cloud.
AWS's Responsibilities
AWS secures the underlying infrastructure that runs all AWS services:
- Physical facilities: Data centres, power, cooling, physical access controls
- Hardware: Servers, storage, networking equipment
- Virtualisation layer: The hypervisor that isolates your instances from other customers
- Global network infrastructure: Fibre, edge locations, AWS backbone
- Managed service software: For services like S3, RDS and Lambda, AWS patches and maintains the underlying software
Customer Responsibilities
What you are always responsible for, regardless of service type:
- Data: Classification, encryption, retention, compliance
- Identity and access management: IAM users, roles, policies, MFA
- Application security: Patching your application code, securing APIs
- Network traffic: Security groups, NACLs, firewall rules
- Encryption choices: Whether to enable encryption, which keys to use
For services where you manage the OS (like EC2):
- Operating system patches and security updates
- Installed applications and middleware
- Host-based firewalls
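The customer-side items above (security groups, bucket policies) are settings you can audit yourself. The following is an added example, not part of the original lesson: it checks data shaped like the EC2 `DescribeSecurityGroups` output and an S3 bucket policy document. The function names, the choice of admin ports and the sample values are assumptions made for illustration.

```python
ADMIN_PORTS = {22, 3389}              # SSH and RDP (assumed set of "admin" ports)
ANYWHERE = {"0.0.0.0/0", "::/0"}      # IPv4 and IPv6 "any source"

def open_admin_ingress(group):
    """Return (port, cidr) pairs where an admin port accepts traffic from anywhere."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":             # "-1" means all protocols and all ports
            ports = ADMIN_PORTS
        elif proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            ports = {p for p in ADMIN_PORTS if lo <= p <= hi}
        else:
            continue                  # UDP/ICMP rules are out of scope here
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        findings += [(p, c) for p in sorted(ports) for c in cidrs if c in ANYWHERE]
    return findings

def public_allow_statements(policy):
    """Return Sids of Allow statements with a wildcard principal and no Condition.

    Simplification: any Condition is treated as a restriction; review those by hand.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    sids = []
    for i, st in enumerate(statements):
        principal = st.get("Principal")
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            wildcard = "*" in ([aws] if isinstance(aws, str) else aws)
        else:
            wildcard = principal == "*"
        if st.get("Effect") == "Allow" and wildcard and "Condition" not in st:
            sids.append(st.get("Sid", f"statement[{i}]"))
    return sids

# Constructed sample data (placeholder IDs, documentation address range).
SAMPLE_GROUP = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-EXAMPLE"}}}]}
```

On the sample data, the security group check reports SSH open to `0.0.0.0/0`, and the policy check reports the `PublicRead` statement.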
How Responsibility Shifts by Service Type
| Layer | EC2 (IaaS) | RDS (Managed) | S3 / Lambda (SaaS-like) |
|---|---|---|---|
| Physical hardware | AWS | AWS | AWS |
| Hypervisor | AWS | AWS | AWS |
| Guest OS | Customer | AWS | AWS |
| DB engine patches | Customer | AWS | N/A |
| Application code | Customer | Customer | Customer |
| Data encryption | Customer | Customer | Customer |
| IAM / Access control | Customer | Customer | Customer |
Shared Controls
Some controls are shared — both AWS and you have responsibilities:
- Patch management: AWS patches infrastructure and managed service software; you patch your EC2 guest OS and applications.
- Configuration management: AWS configures its infrastructure; you configure your resources, security groups, and services.
- Awareness and training: AWS trains its employees; you train yours.
Practical Exam Tips
- "Securing the S3 bucket policy" → Customer responsibility
- "Replacing failed hardware in a data centre" → AWS responsibility
- "Patching an EC2 instance's operating system" → Customer responsibility
- "Patching the database engine in an RDS managed instance" → AWS responsibility
- "Enabling encryption on an S3 bucket" → Customer responsibility (AWS provides the feature; you choose whether to use it)
Congratulations — You've Completed AWS Cloud Fundamentals!
You now have a solid foundation in AWS: cloud computing concepts, global infrastructure, core services, IAM, networking, monitoring, billing, and the shared responsibility model. The next step is to reinforce your knowledge with practice questions that mirror real exam scenarios.