The AWS shared responsibility model

Task Statement 1.1: Design secure access to AWS resources.

📘AWS Certified Solutions Architect – (SAA-C03)


The AWS Shared Responsibility Model is a fundamental concept in AWS security. It defines who is responsible for what when using AWS services. Think of it as a division of labor between AWS (the cloud provider) and the customer (you, the user of AWS services).

AWS makes it clear that security and compliance are a shared responsibility, but exactly what each side is responsible for depends on the type of service you are using.


1. AWS Responsibility (“Security of the Cloud”)

AWS is responsible for the security of the cloud itself. This includes all the infrastructure that runs AWS services.

Specifically, AWS handles:

  • Physical Security: The data centers are protected with 24/7 surveillance, access control, and environmental controls.
  • Hardware and Network Infrastructure: Servers, storage devices, networking equipment, and the facilities themselves.
  • Hypervisors and Virtualization: AWS manages the virtualization layer that allows multiple customers to share the same physical server securely.
  • Managed Services Security: For services like Amazon S3, RDS, or Lambda, AWS ensures the underlying service infrastructure is secure.

Key idea: AWS ensures the cloud platform itself is secure. You do not need to worry about their servers, racks, or data center doors.


2. Customer Responsibility (“Security in the Cloud”)

The customer is responsible for security inside the cloud, meaning anything you deploy, configure, or store on AWS.

This includes:

  • Data Protection: Encrypting your files in S3, managing backups, and classifying sensitive data.
  • Identity and Access Management (IAM): Controlling who can access your AWS resources by creating policies, roles, and permissions.
  • Network Security: Configuring security groups, network ACLs, VPCs, and firewalls correctly.
  • Operating System and Application Security: For EC2 instances or other virtual servers, patching the OS, updating software, and managing secure configuration.
  • Monitoring and Logging: Using services like CloudTrail, CloudWatch, or GuardDuty to track activity and detect issues.

Key idea: You are responsible for anything you put in the cloud, from virtual servers to databases to code.


3. How Responsibilities Change by Service Type

AWS classifies services into three main types, which affect the shared responsibility:

Infrastructure as a Service (IaaS)
  • Customer responsibility: Full OS, applications, data, networking, IAM
  • AWS responsibility: Physical infrastructure, hypervisors, networking
  • Examples: EC2, EBS, VPC

Platform as a Service (PaaS)
  • Customer responsibility: Applications, data, IAM
  • AWS responsibility: Everything under the platform (OS, runtime, networking)
  • Examples: RDS, Elastic Beanstalk

Software as a Service (SaaS)
  • Customer responsibility: Data, IAM
  • AWS responsibility: Everything else (application, OS, infrastructure)
  • Examples: WorkMail, Chime, S3 (managed features)

💡 Tip for the exam: Know the difference between IaaS, PaaS, and SaaS because the level of customer responsibility decreases as you move from IaaS → PaaS → SaaS.


4. Why This Matters for Security and Compliance

Understanding this model helps you:

  1. Secure your data properly: Don’t assume AWS automatically encrypts or controls access to your files.
  2. Meet compliance requirements: For HIPAA, PCI, or GDPR, you must know which parts you are responsible for.
  3. Avoid misconfigurations: Many AWS security incidents happen because customers misunderstood their responsibilities (like leaving S3 buckets open to the public).

5. Quick Memory Tips for the Exam

  • AWS = Security of the Cloud → physical, network, hardware, managed service infrastructure.
  • Customer = Security in the Cloud → your data, applications, OS, IAM, network config.
  • Responsibility decreases as AWS manages more → IaaS (most responsibility) → PaaS → SaaS (least responsibility).

6. Examples in IT Context (Exam-Relevant)

  • EC2 (IaaS): AWS secures the physical server; you secure the OS, apps, and data.
  • S3 (Object Storage): AWS protects the storage infrastructure; you manage bucket policies, access control, and encryption.
  • RDS (PaaS Database): AWS manages the OS and DB engine patching; you manage database users, the schema, and backups.
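
As an added example (not part of the original notes), here is a small Python audit of the customer-side S3 controls listed above, run over a constructed bucket configuration. The dict shapes only loosely follow what boto3 returns for the bucket policy, Public Access Block and encryption settings; they are assumptions, not AWS output.

```python
"""Audit a constructed S3 bucket configuration for 'security in the cloud' gaps."""
import json

# Constructed sample bucket: a policy open to everyone, two Public Access
# Block flags disabled, and no default encryption (all customer-side settings).
SAMPLE_BUCKET = {
    "Name": "example-reports",
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::example-reports/*"}],
    }),
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Encryption": None,  # no default server-side encryption configured
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_public_principal(principal):
    """True when the Principal is the anonymous wildcard ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def find_public_statements(policy_json):
    """Return Allow statements that grant access to everyone with no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    return [s for s in statements if s.get("Effect") == "Allow"
            and _is_public_principal(s.get("Principal")) and not s.get("Condition")]


def audit_bucket(bucket):
    """List the customer-responsibility gaps found in one bucket configuration."""
    findings = []
    if bucket.get("Policy") and find_public_statements(bucket["Policy"]):
        findings.append("bucket policy grants access to Principal '*'")
    pab = bucket.get("PublicAccessBlock") or {}
    findings += [f"Public Access Block setting {f} is off" for f in PAB_FLAGS if not pab.get(f)]
    if not bucket.get("Encryption"):
        findings.append("no default server-side encryption configured")
    return findings


if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_BUCKET):
        print(f"[{SAMPLE_BUCKET['Name']}] {finding}")
```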

Summary for Students

  • The shared responsibility model tells you which parts of AWS security are AWS’s job and which parts are yours.
  • AWS handles the cloud infrastructure; you handle anything you put in the cloud.
  • Understanding this is critical for the SAA-C03 exam, especially for questions on IAM, encryption, security groups, or compliance.