Go Back

What is the AWS Shared Responsibility Model?


Brendon Rod

Head of Marketing

What the AWS Shared Responsibility is & How it Impacts Cloud IAM Users

Amazon Web Services (AWS) developed the shared responsibility model (SRM) to help customers understand where responsibility falls for both cloud security and cloud compliance. The SRM is useful in developing an understanding of who is responsible for security in the cloud vs. security of the cloud. 

What is the Shared Responsibility Model for AWS?

The Amazon Web Services shared responsibility model provides clear demarcation as it pertains to who’s responsible for cloud compliance and cloud security — either AWS account users (you) or AWS itself. AWS takes care of its own share of responsibilities as part of its contractual obligation as your cloud provider. 

Why Is The Amazon AWS Shared Responsibility Model Important?

Understanding the responsibility of AWS in the shared responsibility model versus the responsibility you hold as the account holder/end-user is absolutely critical in eliminating confusion about what AWS does and does not do.

This ensures that 1) you perform your share of security and compliance responsibilities while also 2) relieving your operational burden, since under the SRM, AWS “manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates”.

Not only does the SRM apply to clients of AWS, but it has also been extended to public cloud infrastructure operations and management with other hyperscalers like Microsoft Azure and Google Cloud Platform (GCP).

Furthermore, it extends to various areas of critical focus, including infrastructure security, business continuity, application security, data security, IAM, and more.

Which Controls Are Shared Under the AWS Shared Responsibility Model?

Under the AWS cloud shared responsibility model, security and compliance are the two controls that are shared between AWS and the end user or client. They are not shared, however, in the sense that AWS and end users touch the same things.

They are shared in “
completely different contexts or perspectives”. Here are just a few examples AWS provides for more specific shared responsibilities:

  • Patch Management: AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
  • Configuration Management: AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
  • Awareness & Training: AWS trains AWS employees, but a customer must train their own employees.

How Your AWS Service Impacts Your Responsibilities Under the SRM

Specificities pertaining to what you as the customer are responsible for in the cloud largely depend on the AWS cloud service you choose, be it Amazon EC2, RDS, or S3. Here’s how customer responsibility breaks down for each chosen service (you can learn more by skipping to 1:14 in the video link):

If you’re an EC2 customer, you are responsible for:

  • Customer data
  • Platform & application management
  • OS, network, and firewall configuration
  • Network traffic protection
  • Server-side encryption
  • Client-side data encryption/integrity

If you’re an RDS customer, you are responsible for:

  • Customer data
  • Network traffic protection
  • Client-side data encryption
  • Firewall configuration

If you’re an S3 customer, you are responsible for:

  • Customer data
  • Client-side data encryption

What are the Two Recommendations for a Shared Responsibility Model?

As Github notes, understanding where the line in the sand is drawn as it pertains to cloud security and compliance responsibilities is just the first step. Executing a strategy for tackling all tasks related to SRM responsibilities is the next step.

Therefore, here’s what cloud providers versus consumers should do once they understand the SRM:

  • Cloud providers should document their internal security controls and customer security features so the cloud consumer or end user can make informed decisions. Cloud providers should also design and implement these controls.
  • Cloud consumers should build a responsibilities matrix delegating who implements which controls and the process for doing so, bearing in mind any applicable compliance standards.

How the Shared Responsibility & IAM Intersect

Many companies who use cloud IAM software mistakenly assume that their IAM provider will handle backing up their data and access. This is simply untrue

In a cloud IAM context, you are responsible for:

  • Your data
  • Your devices
  • Your identities

Under the shared responsibility model, you are also responsible for maintaining business continuity.

Therefore, if you’re aiming to bullet-proof your cloud IAM and ensure rapid recovery, we recommend utilizing Acsense, our IAM Resilience Platform

Interested? Get your demo now.




Looking to stay in the loop on the latest IAM trends and updates?


Subscribe to the FiveNines IAM newsletter today and gain access to exclusive insights from industry leaders, groundbreaking companies, and global news outlets. Don’t miss out on the must-read monthly newsletter that delivers the juiciest edition yet of IAM resilience.


Subscribe on Linkedin now and stay ahead of the curve!

Scroll to Top
Skip to content