Ravi Kumar Gupta
Publications Blog

Shared Responsibility Model in AWS

June 14, 2025 Ravi Kumar Gupta 6 min read
awscloud securityshared responsibilitycertification

When moving to the cloud, many teams breathe a sigh of relief—“Finally, we don’t have to worry about infrastructure security!” But that assumption can be dangerous.

While AWS takes care of the physical data centers and the core cloud platform, you are still responsible for most of the security in the cloud. This is where the AWS Shared Responsibility Model becomes essential.

What is the Shared Responsibility Model?#

The Shared Responsibility Model is AWS's way of clearly stating:

“We’ll secure the cloud; you secure your data in it.”

AWS calls this distinction:

  • Security of the Cloud – AWS’s job
  • Security in the Cloud – Your job

AWS Responsibilities – Security of the Cloud#

AWS manages:

  • Physical infrastructure (data centers, hardware, network)
  • Availability zones and global infrastructure
  • Managed service uptime
  • Hypervisors, networking stack, and platform patching

Examples:

  • AWS ensures that EC2 hypervisors are updated and physical access to data centers is secure.
  • AWS ensures that S3 is always available and scalable.

Your Responsibilities – Security in the Cloud#

You are responsible for:

  • Identity and Access Management (IAM)
  • Data encryption (at rest and in transit)
  • Security group/firewall configuration
  • OS-level patching (for EC2, RDS self-managed)
  • Application-level security and compliance

Examples:

  • S3 Buckets: AWS manages the infra, but you must define who can access the bucket.
  • EC2 Instances: AWS provides the VM; you manage patching, antivirus, and firewall settings.

Example Comparison Table#

Service AWS Responsibility Your Responsibility
EC2 Infra, hypervisor, hardware Patching OS, configuring IAM & security
S3 Storage infra, durability Bucket policies, access control
RDS DB provisioning, infra Schema design, user access, encryption

Common Mistakes#

  • Leaving S3 buckets public unintentionally.
  • Not enabling MFA or enforcing strong IAM policies.
  • Assuming backups are taken care of automatically for all services.
  • Ignoring CloudTrail or Config for auditing.

Best Practices#

  • Use IAM roles instead of long-lived access keys.
  • Enable CloudTrail and GuardDuty for security insights.
  • Encrypt data using KMS where possible.
  • Review Trusted Advisor security checks regularly.

Final Thoughts#

Cloud security is a shared responsibility, not a hand-off. AWS gives you the tools to build a secure environment, but using them correctly is on you.

Before launching anything into the cloud, ask:

“Am I doing my part in the shared responsibility model?”