How shared responsibility model in AWS security works?

Are you preparing for AWS Certified SysOps Administrator – Associate certification exam?  Are you ready to pass this exam? In this blog, we are writing a series of articles on topics that are covered in the AWS Certified SysOps associate certification exam. You can subscribe to us for receiving further updates on this topic.

The SysOps Associate certification exam is the hardest exam at the associate certification level. We would recommend you pass both the solution architect associated certification exam and developer associated certification exam first before of taking this exam.

The AWS Certified SysOps Administrator – Associate exam validates technical expertise in deployment, management, and operations on the AWS platform

The AWS Certified SysOps Administrator – Associate Level exam validates the candidate’s ability to:

  • Deliver the stability and scalability needed by a business on AWS
  • Provision systems, services, and deployment automation on AWS
  • Ensure data integrity and data security on AWS technology
  • Provide guidance on AWS best practices
  • Understand and monitor metrics on AWS
Domains covered at the AWS Certified SysOps associate exam
Domains covered by the AWS Certified SysOps associate exam

Figure #0.  Domains covered by the AWS Certified SysOps associate exam

You can download the related AWS Certified SysOps Administrator – Associate Level Exam Blueprint for more detail about it.

In this article, we are going to explain about the topic that addresses the understanding of the shared responsibility model as highlighted in the AWS Blueprint from the above exam guide.


Cloud security at AWS is the highest priority. As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. The access to your AWS resources should be following always the least privilege. It will warrant a better integrity, confidentiality, and availability of your AWS resources and data/information.

Amazon Web Services Cloud Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of AWS cloud infrastructure, compliance responsibilities will be shared.

The Security of a Cloud Solution

When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:


Brief description

Security of the cloud This kind of Security measures that the cloud service provider (AWS) implements and operates. It is managed by Amazon AWS. 
Security in the cloud This kind of Security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services. It is the responsibility of the customer. 

In this scenario, the customers retain control of what security they choose to implement to protect their own information and infrastructure, no differently than they today are doing in their on-premise infrastructure.

When you decide to move yourIT infrastructure to AWS services, it immediately creates a model of shared responsibility between your company as customer and AWS.

Are you an AWS Security professional? AWS Security Specialty certification recognizes and demonstrates your knowledge of AWS security. Plan now to validate your skills with the AWS Certified Security Speciality exam!

The Shared Responsibility Model

While AWS manages the security of the cloud, security in the cloud  is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks.

The Shared Responsibility Model
The Shared Responsibility Model

Figure #1.  The Shared Responsibility Model

As you see, the customer is responsible by:

  • The authentication, authorization, integrity and encryption of the client-side data
  • The encryption of server-side information via file system or directly into the data storage
  • The protection of the flow information through the network, warranties your identity, integrity, and encryption in the transportation
  • Assuming the responsibility and management of the guest operating system including updates and patches and other associated software
  • Securing the configuration related to the network and networking devices configuration like firewall, using securing controls like NACLs (network access control lists) and security groups
  • Deploying, configuring and deploying security baselines within their AWS available services

In summary, the customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS, provided security group firewall. All AWS customers retain ownership and control of their data.

Finally, the AWS provider is responsible by:

  • Protecting the global infrastructure for services that run in the cloud
  • The physical infrastructure and facilities in which the service operate, where are running the AWS resources of the customer
  • The access control and protection from external attacks of the physical AWS services and resources
  • Operating, managing and controlling the components from the host operating system and virtualization layer

In summary, AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. AWS simply makes available the compute, storage, database and networking services selected by the customer.

Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.

It is possible for customers to enhance security and/or meet their more stringent compliance requirements by leveraging technology such as host-based firewalls, host-based intrusion detection/prevention, encryption and key management. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment of solutions that meet industry-specific certification requirements.

This customer/AWS shared responsibility model also extends to IT controls. Just as the responsibility to operate the IT environment is shared between AWS and its customers, so is the management, operation, and verification of IT controls shared.

Customers can then use the AWS control and compliance documentation available to them to perform their control evaluation and verification procedures as required.

AWS Compliance best practices

The AWS control environment is subject to regular internal and external risk assessments. AWS engages with external certifying bodies and independent auditors to review and test the AWS overall control environment.

AWS does communicate its security and control environment relevant to customers. AWS does this by doing the following:

  • Obtaining industry certifications and independent third-party attestations described in the AWS Compliance Whitepaper
  • Publishing information about the AWS security and control practices in whitepapers and website content
  • Providing certificates, reports, and other documentation directly to AWS customers under NDA (as required)

AWS strictly controls access to data centers, even for internal employees. Third parties are not provided access to AWS data centers except when explicitly approved by the appropriate AWS data center manager per the AWS access policy. Controls in place limit access to systems and data and provide that access to systems or data is restricted and monitored. In addition, customer data is and server instances are logically isolated from other customers by default.

The AWS environment is a virtualized, multi-tenant environment. AWS has implemented security management processes, PCI controls, and other security controls designed to isolate each customer from other customers. AWS systems are designed to prevent customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software.

Important Points to Remember for the AWS Certified SysOps Administrator – Associate Certification exam

  • AWS Compliance enablers to help customers to establish and operate in an AWS security control environment
  • The shared responsibility model is part of AWS Compliance program
  • The Security of the cloud is managed by Amazon AWS provider
  • The Security in the cloud is responsibility of the customer
  • The customer is responsible for their information and data, their secure transmission, integrity, and encryption
  • Also, the customer is responsible for managing, support, patching and control of the guest operating system and AWS services provided like EC2
  • AWS customers retain control and ownership of their data
  • The AWS network provides significant protection against traditional network security issues and the customer can implement further protection


In this article, we have explained about the shared responsibility model as part of the compliance management of AWS services, where there are specific responsibilities delegated to the customer and AWS provider.


[1] Compliance: The shared responsibility model. Amazon AWS.
[2] AWS Risk and Compliance Overview. Amazon AWS whitepaper.
[3] AWS Certified SysOps Administrator – Associate Certification.

About Pavan Gumaste

Pavan Rao is a programmer / Developer by Profession and Cloud Computing Professional by choice with in-depth knowledge in AWS, Azure, Google Cloud Platform. He helps the organisation figure out what to build, ensure successful delivery, and incorporate user learning to improve the strategy and product further.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top