AWS Shared Responsibility Model — Part 1

4 min read · Sep 10, 2025

(Introduction + Basics + Why it Matters)

1. What is the Shared Responsibility Model?

Let’s imagine you rent an apartment.

  • The landlord makes sure the building is safe, the lifts are working, fire alarms are installed, and water and electricity lines are fine.
  • But you, as the tenant, must lock your door, keep your valuables safe, and make sure you don’t leave the stove on.

That’s exactly how AWS works.

  • AWS (the landlord) is responsible for securing the infrastructure — the physical servers, data centers, networking, and hardware.
  • You (the customer) are responsible for what you do inside — like securing your data, managing access, and configuring services correctly.

This clear line of division is called the AWS Shared Responsibility Model.

👉 AWS secures “Security OF the Cloud”.
👉 Customers secure “Security IN the Cloud”.

2. Why Does It Matter?

A lot of companies think:
“Hey, we are on AWS, so everything is automatically secure!” ❌
That’s wrong.

Here’s a real-world example:

  • In 2019, a major financial company had a data breach.
  • The issue wasn’t with AWS servers. The issue was that the company misconfigured their S3 bucket (they left it open to the internet).
  • Who was at fault? The customer. Because S3 is secure by default, but the customer didn’t configure access properly.

That’s why AWS created the Shared Responsibility Model — so that both AWS and customers know who is responsible for what.
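To make the customer side of that S3 story concrete, here is an added example (not code from the original post or from AWS) that audits the three settings a customer controls on a bucket: Block Public Access, the bucket policy, and the ACL. The inputs follow the shapes boto3 returns from `get_public_access_block`, `get_bucket_policy` and `get_bucket_acl`; the bucket name and sample values are constructed, and treating any `Condition` as a restriction is a simplifying assumption.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _anyone(principal):
    # "*" and {"AWS": "*"} both mean any caller, signed in or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(public_access_block, policy_json, acl_grants):
    """Return findings for one bucket's customer-controlled settings."""
    findings = []
    pab = public_access_block or {}
    off = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if off:
        findings.append("Block Public Access not enforced: " + ", ".join(off))
    # RestrictPublicBuckets neutralizes a public policy; without it, flag
    # unconditional Allow-to-anyone statements. Simplification (assumption):
    # any Condition is treated as a restriction.
    if policy_json and not pab.get("RestrictPublicBuckets"):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if (stmt.get("Effect") == "Allow" and _anyone(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                findings.append("policy allows anyone: %s" % _as_list(stmt.get("Action")))
    # IgnorePublicAcls makes S3 disregard public ACL grants.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl_grants or []:
            if grant.get("Grantee", {}).get("URI") == ALL_USERS:
                findings.append("ACL grants %s to AllUsers" % grant.get("Permission"))
    return findings

# Constructed sample data (hypothetical bucket name), not from a real account.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
LOCKED = dict.fromkeys(PAB_FLAGS, True)

if __name__ == "__main__":
    for label, pab in (("open", None), ("locked", LOCKED)):
        print(label, audit_bucket(pab, SAMPLE_POLICY, SAMPLE_ACL))
```

The same policy and ACL produce three findings with Block Public Access off and none with all four flags on, which is why that setting is the first thing to check on the customer side.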

3. High-Level Division

Here’s the most important line you should remember:

  • AWS Responsibility → Security OF the Cloud
    (infrastructure, hardware, software that runs cloud services)
  • Customer Responsibility → Security IN the Cloud
    (data, applications, identity, access control, configurations)

Think of it like an airport:

  • The airport authority takes care of runways, buildings, and security systems.
  • But you, the passenger, must carry valid ID, not bring dangerous items, and keep your luggage safe.

Both sides need to do their part.

4. Cloud Service Models and Responsibility

Responsibilities also change depending on the cloud service model you use:

1. IaaS (Infrastructure as a Service) → e.g., Amazon EC2

  • AWS secures hardware, networking, and virtualization.
  • You secure the OS, apps, and data.

2. PaaS (Platform as a Service) → e.g., AWS Elastic Beanstalk

  • AWS manages infrastructure + runtime.
  • You just secure your app and data.

3. SaaS (Software as a Service) → e.g., Amazon WorkMail

  • AWS manages almost everything.
  • You only manage your data and users.

AWS Responsibilities: Security “OF” the Cloud

1. Big Idea

AWS says:
👉 “We take care of everything that makes the cloud run. You only focus on what you put inside the cloud.”

So AWS is responsible for Security OF the Cloud.

This includes:

  • Physical data centers
  • Networking infrastructure
  • Hardware & virtualization layer
  • Global AWS services availability

Let’s break this down step by step.

2. Physical Security

Think about it: AWS has data centers all over the world. These are like super secure banks, but instead of gold, they store data.

AWS responsibilities here:

  • Guards at the gate
  • Biometric access (fingerprint, retina scan)
  • 24/7 CCTV monitoring
  • Fire suppression systems
  • Climate control (servers don’t like heat 🔥)

Real-life example:
You never have to worry about someone breaking into the building where your EC2 instance runs. AWS already guards that.

3. Hardware & Infrastructure

AWS owns and manages:

  • Servers
  • Storage devices (disks)
  • Networking equipment (switches, routers)

They make sure:

  • Hardware failures are detected and replaced quickly.
  • Data is replicated across availability zones (so if one disk dies, your data is still safe).

👉 Example: If an AWS hard disk fails in their data center, AWS replaces it. You don’t even know it happened.

4. Networking

AWS provides a global secure network.

They handle:

  • Firewalls at the network level
  • DDoS protection with AWS Shield
  • Secure communication between regions & AZs
  • Encryption in transit (TLS)

👉 Example: When you send data from one AWS region to another, you don’t need to worry about hackers sniffing packets in between. AWS already encrypts and secures the backbone network.

5. Virtualization Layer

Most AWS services run on virtual machines. AWS manages the hypervisor that divides physical servers into multiple VMs.

They make sure:

  • One customer’s VM can’t “peek” into another customer’s VM.
  • Isolation between accounts is always maintained.

👉 Example: If your EC2 runs on the same physical server as another company’s EC2, don’t worry. AWS guarantees they cannot see or touch your instance.

6. Managed Services

For managed services like S3, RDS, DynamoDB, AWS takes care of:

  • Patching the underlying OS
  • Ensuring uptime (99.99% SLA in many cases)
  • Scaling infrastructure on demand

👉 Example: You don’t need to install antivirus or patch the OS inside Amazon S3. AWS already secures it.

7. Compliance & Certifications

AWS spends millions of dollars getting certifications like:

  • ISO 27001
  • SOC 1/2/3
  • PCI DSS
  • HIPAA

This means if your business needs to follow these rules, AWS already has a strong foundation.

👉 Example: If you’re building a healthcare app, AWS already meets HIPAA standards at the infrastructure level. You only need to ensure your app complies.

8. Availability & Redundancy

AWS ensures their cloud is always available:

  • Multiple data centers in each region (called Availability Zones).
  • Backup power, internet, cooling.
  • Disaster recovery plans.

👉 Example: Even if one AZ in Mumbai goes down, AWS automatically shifts load to another AZ in the same region.

9. Summary of AWS Responsibilities

  • Data center security
  • Physical hardware
  • Networking backbone
  • Hypervisor/virtualization layer
  • Managed service patching
  • Global availability
  • Compliance certifications

In short:
AWS provides the secure foundation. Customers build on top.

Written by Aakib

Cloud computing and DevOps engineer. As a fresher, I am learning and gaining experience by doing hands-on projects in DevOps and in AWS or GCP.
