Skip to main content
VVMExam

AWS Security and Compliance: Shared Responsibility Model and Key Services

AWS and customers share responsibility for security; AWS secures the underlying infrastructure while customers are responsible for securing their data, applications, and configurations.

2 min read

The AWS Shared Responsibility Model divides security duties into two layers:

  • AWS responsibility (Security OF the Cloud): Physical data centers, hardware, networking, hypervisors, and managed service infrastructure. AWS handles patching and securing the underlying compute, storage, and networking that runs all services.
  • Customer responsibility (Security IN the Cloud): Operating systems (including patches), application code, data encryption, identity and access management, network/firewall configuration, and any data stored in AWS.

The boundary shifts depending on the service type. For managed services like Amazon RDS, AWS manages more layers (e.g., OS patching). For Amazon EC2, the customer manages the guest OS and above.

Key Compliance Concepts

  • AWS maintains certifications for many compliance programs including PCI DSS, HIPAA, SOC 1/2/3, ISO 27001, and FedRAMP.
  • AWS Artifact is the self-service portal where customers can download AWS compliance reports and sign agreements (such as the BAA for HIPAA).
  • Customers are responsible for ensuring their own workloads meet applicable regulatory requirements.

Core Security Services to Know

  • AWS IAM (Identity and Access Management): Controls who can access AWS resources and what actions they can perform. Uses users, groups, roles, and policies.
  • AWS Shield: Managed DDoS protection. Shield Standard is free for all customers; Shield Advanced offers enhanced protection with cost protection.
  • AWS WAF (Web Application Firewall): Filters web traffic based on rules to protect against common exploits such as SQL injection and cross-site scripting.
  • Amazon GuardDuty: Threat detection service that continuously monitors for malicious activity using machine learning and threat intelligence.
  • AWS CloudTrail: Logs all API calls made in an AWS account, supporting auditing and compliance monitoring.
  • AWS Config: Tracks configuration changes to AWS resources and evaluates them against desired settings.
  • Amazon Inspector: Automated security assessment service for EC2 instances and container images, checking for vulnerabilities and unintended network exposure.
  • AWS KMS (Key Management Service): Creates and manages encryption keys used to protect data at rest and in transit.

Exam Tip: Be prepared to identify which security responsibilities belong to AWS versus the customer in a given scenario, and recognize which service to use for a described security or compliance need.

Ready to practice this topic?