Quick answer: The AWS Shared Responsibility Model divides security obligations between AWS (security of the cloud) and the customer (security in the cloud). AWS owns the physical hardware, global infrastructure, and managed service layers. You own your data, IAM configuration, and OS-level security on EC2. The CLF-C02 exam tests this distinction heavily, especially with edge cases like RDS, Lambda, and S3.
Why the Shared Responsibility Model Matters for CLF-C02
The CLF-C02 exam dedicates an entire domain (Domain 2: Security and Compliance) to this concept. Expect 2–4 questions directly testing your ability to distinguish who secures what. Misunderstanding this model is one of the top reasons candidates lose points.
AWS operates on a "you secure what you control" principle. The line shifts depending on the service you choose—more managed services mean less customer responsibility. This isn't theoretical; it affects real-world security compliance (SOC 2, HIPAA, PCI DSS) and cost decisions.
Security of the Cloud: What AWS Always Owns
AWS is responsible for protecting the infrastructure that runs all services. This includes:
- Physical data centers: Access controls, surveillance, fire suppression, power redundancy
- Hardware: Servers, storage devices, network switches, cabling
- Global infrastructure: Regions, Availability Zones, edge locations
- Virtualization layer: Hypervisor security that isolates customer instances
- Managed service foundations: The underlying OS, patching, and runtime for services like RDS, Lambda, and DynamoDB
You never touch this layer. Even if you're an AWS administrator with full account access, you cannot physically enter a data center or modify hypervisor configurations. AWS publishes compliance certifications (SOC, ISO, PCI) to prove this layer is secure.
Security in the Cloud: What You Always Own
Customers are responsible for everything they put on top of AWS infrastructure. This is non-negotiable:
- Customer data: Classification, encryption (at rest and in transit), access governance
- Identity and Access Management (IAM): Users, groups, roles, policies, multi-factor authentication
- Operating system configuration: Patching, firewall rules, user accounts on EC2 instances
- Network controls: Security groups, network ACLs, VPC routing, VPN connections
- Application security: Code vulnerabilities, API keys, secrets management
A common CLF-C02 trap: "Who is responsible for encrypting data in S3?" The answer is the customer. AWS provides the tools (SSE-S3, SSE-KMS, SSE-C), but you choose to enable them and manage the keys.
The Responsibility Spectrum: From EC2 to Lambda
The model isn't binary. Responsibility shifts based on service type. This is where exam questions get tricky.
EC2 (Infrastructure as a Service)
You control the OS, applications, and network configuration. AWS secures the physical host and hypervisor. You patch the OS, configure the firewall, and manage IAM roles for instances.
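The "configure the firewall" part of EC2 ownership is mostly security-group hygiene, and a misconfigured group is on you, not AWS. The following is an added example (not AWS code or anything from the original article) that scans a constructed sample shaped like `aws ec2 describe-security-groups` output and reports administrative ports reachable from the whole internet; the group IDs, names, rules and the `ADMIN_PORTS` list are assumptions made up for the example.

```python
"""Flag security-group rules that expose admin ports to the whole internet.

Added example for this article, not AWS code. It runs on a constructed
sample shaped like the JSON from `aws ec2 describe-security-groups`; the
group IDs, names and rules below are made up.
"""
from ipaddress import ip_network

# Ports that should almost never be open to 0.0.0.0/0 or ::/0
# (assumption: a starting list, tune it for your environment).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample: one hardened group and one wide-open group.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa111",
        "GroupName": "web-hardened",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222",
        "GroupName": "db-wide-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # Protocol -1 means "all traffic"; the API omits the port fields.
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0: a prefix length of 0 matches everyone."""
    return ip_network(cidr, strict=False).prefixlen == 0


def port_range(rule: dict) -> tuple:
    """(low, high) covered by a rule; protocol -1 covers every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def find_world_exposed_admin_ports(groups: list) -> list:
    """Return (GroupId, port, service, cidr) for every world-open admin port."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            if rule.get("IpProtocol") not in ("tcp", "-1"):
                continue  # the admin ports above are all TCP
            low, high = port_range(rule)
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_world(cidr):
                    continue
                for port, service in ADMIN_PORTS.items():
                    if low <= port <= high:
                        findings.append((group["GroupId"], port, service, cidr))
    return findings


if __name__ == "__main__":
    for gid, port, service, cidr in find_world_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: {service} (tcp/{port}) open to {cidr}")
```

Two details matter for a correct check: a rule with `IpProtocol` `-1` has no port fields at all and covers every port, and IPv6 sources live in `Ipv6Ranges`, so a scan that only reads `IpRanges` misses `::/0`.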
RDS (Managed Database Service)
AWS handles OS patching, database engine updates, and automated backups. You manage database credentials, IAM policies for access, and encryption settings. You cannot SSH into the RDS host—it's AWS's responsibility.
Lambda (Serverless Compute)
AWS manages the execution environment, runtime updates, and underlying infrastructure. You secure the function code, environment variables, IAM execution roles, and data passed in/out. You also control concurrency limits and VPC configuration.
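The IAM execution role is the customer-owned part of Lambda that most often goes wrong: it is easy to grant `s3:*` on `*` to "make it work". The following is an added example (not AWS code or from the original article) that lints an execution-role policy for wildcard grants and evaluates whether a given action is allowed on a given resource with an explicit Deny winning over Allow. The policies, bucket, log group, function name and account id are constructed, and the evaluator deliberately skips statements with a Condition, NotAction or NotResource (an assumption to keep the toy small).

```python
"""Lint a Lambda execution-role policy for over-broad grants and answer
"does this policy allow action X on resource Y?" with Deny beating Allow.

Added example for this article, not AWS code. The policies, bucket, log
group, function name and account id are constructed. The evaluator is the
simplified Allow/Deny logic of an identity policy: statements carrying a
Condition, NotAction or NotResource are skipped (assumption: out of scope).
"""
from fnmatch import fnmatchcase


def as_list(value) -> list:
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcards * and ? behave like fnmatch; action names are
    case-insensitive, so compare lower-cased."""
    return fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Explicit Deny wins over any Allow; with no match the default is deny."""
    allowed = False
    for stmt in as_list(policy.get("Statement")):
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            continue
        hits = (any(iam_match(a, action) for a in as_list(stmt.get("Action")))
                and any(iam_match(r, resource) for r in as_list(stmt.get("Resource"))))
        if not hits:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def lint_wildcards(policy: dict) -> list:
    """Return one finding string per over-broad Allow statement."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call")
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard {action}")
        if "*" in resources and "*" not in actions:
            findings.append(f"{sid}: Resource '*' for {', '.join(actions)}")
    return findings


# Constructed sample 1: the "make it work" role, full S3 on every bucket.
ROLE_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Logs", "Effect": "Allow", "Resource": "*",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
    {"Sid": "Data", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}

# Constructed sample 2: least privilege, one log group, one prefix, read-only,
# plus an explicit Deny so deletes stay impossible even if an Allow creeps in.
ROLE_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Logs", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-processor:*"},
    {"Sid": "ReadOrders", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::orders-bucket/incoming/*"},
    {"Sid": "NeverDelete", "Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::orders-bucket/*"},
]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::orders-bucket/incoming/2024/order-1.json"
    for name, role in (("broad", ROLE_BROAD), ("scoped", ROLE_SCOPED)):
        print(name, lint_wildcards(role))
        print(name, "can delete:", is_allowed(role, "s3:DeleteObject", obj))
```

The scoped role shows the two habits worth carrying into any execution role: name the exact resource ARN instead of `*`, and add an explicit Deny for the actions the function must never perform, because a Deny continues to win even if a later change adds a broader Allow.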
S3 (Object Storage)
AWS secures the storage infrastructure, durability (99.999999999%), and base encryption options. You configure bucket policies, IAM permissions, versioning, logging, and client-side encryption. A misconfigured S3 bucket (public access) is your fault, not AWS's.
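The S3 trap above (encryption is your choice) and the public-bucket point in this section both come down to the bucket policy you write. The following is an added example (not AWS code or from the original article) that audits a bucket policy document, as returned by `aws s3api get-bucket-policy`, for the three customer-owned controls: no anonymous Allow, a Deny on uploads without the `s3:x-amz-server-side-encryption` header, and a Deny when `aws:SecureTransport` is false. The bucket name, CloudFront distribution ARN and account id in the two sample policies are constructed.

```python
"""Audit an S3 bucket policy for controls the customer owns.

Added example for this article, not AWS code. It reads a policy document as
returned by `aws s3api get-bucket-policy` and checks three things the article
says are the customer's job: no anonymous access, uploads must be server-side
encrypted, and clients must use TLS. The bucket name, distribution ARN and
account id below are constructed.
"""
import json


def as_list(value) -> list:
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, unauthenticated included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def covers_action(stmt: dict, wanted: str) -> bool:
    """True if the statement's Action list names `wanted`, s3:* or *."""
    return any(a in (wanted, "s3:*", "*") for a in as_list(stmt.get("Action")))


def audit_bucket_policy(policy_json: str) -> dict:
    """Return findings: public Sids plus whether the two guardrail Denies exist."""
    policy = json.loads(policy_json)
    result = {"public_statements": [], "denies_unencrypted_put": False,
              "denies_insecure_transport": False}
    for stmt in as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        # Condition operator names are case-insensitive in IAM.
        cond = {op.lower(): keys for op, keys in stmt.get("Condition", {}).items()}
        if effect == "Allow" and is_anonymous(stmt.get("Principal")) and not cond:
            # Allow to everyone with no narrowing condition: a public bucket.
            result["public_statements"].append(stmt.get("Sid", "<no Sid>"))
        if effect == "Deny" and covers_action(stmt, "s3:PutObject"):
            # Either operator form rejects a PutObject that carries no SSE header.
            sse_keys = {**cond.get("stringnotequals", {}), **cond.get("null", {})}
            if "s3:x-amz-server-side-encryption" in sse_keys:
                result["denies_unencrypted_put"] = True
        if effect == "Deny" and covers_action(stmt, "s3:*"):
            tls = cond.get("bool", {}).get("aws:SecureTransport")
            if str(tls).lower() == "false":
                result["denies_insecure_transport"] = True
    return result


# Constructed sample 1: the classic misconfiguration, a public-read bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed sample 2: reads limited to one CloudFront distribution, plus the
# two Deny guardrails that make encryption at rest and in transit mandatory.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowOneDistribution", "Effect": "Allow",
         "Principal": {"Service": "cloudfront.amazonaws.com"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"AWS:SourceArn":
             "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals":
             {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(doc))
```

The two Deny statements are how the customer turns AWS's optional tools into an enforced control: S3 will happily accept an unencrypted upload or a plain-HTTP request unless your policy says otherwise, which is exactly why the exam puts that responsibility on you.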
Edge Cases That Trip Up Exam Candidates
These scenarios appear frequently in CLF-C02 exam questions:
Edge Case 1: RDS encryption
AWS provides transparent data encryption for RDS at rest (using KMS) and in transit (SSL/TLS). But enabling encryption is your choice. If you don't enable it, unencrypted data is your responsibility.
Edge Case 2: Lambda environment variables
Lambda encrypts environment variables at rest by default using AWS KMS. However, you can specify a custom KMS key. If you lose the key, AWS cannot recover the encrypted data—that's your responsibility.
Edge Case 3: S3 cross-region replication
AWS replicates objects automatically when configured. But you must configure IAM roles for replication, manage source/destination bucket policies, and ensure encryption settings match. AWS handles the data transfer, not the access controls.
Edge Case 4: VPC endpoints
AWS provides the endpoint infrastructure (Gateway or Interface endpoints). You manage security groups, endpoint policies, and route tables to control traffic flow.
10 CLF-C02 Practice Questions on the Shared Responsibility Model
Test your understanding with these exam-style questions. Answers follow.
1. Who is responsible for patching the operating system on an Amazon RDS database instance?
- A) The customer
- B) AWS
- C) Both
- D) Neither
2. A company stores sensitive customer data in S3. Who is responsible for enabling server-side encryption?
- A) AWS automatically encrypts all S3 data
- B) The customer
- C) The S3 service team
- D) The data center operator
3. Which of the following is the customer's responsibility when using AWS Lambda?
- A) Managing the runtime environment
- B) Applying security patches to the underlying OS
- C) Securing the function code and environment variables
- D) Configuring the hypervisor
4. A security audit reveals unpatched vulnerabilities on an EC2 instance. Who is responsible for applying the patches?
- A) AWS Support
- B) AWS Systems Manager
- C) The customer
- D) The hardware vendor
5. What does "security of the cloud" include?
- A) IAM user permissions
- B) Customer data encryption
- C) Physical data center security
- D) Application firewall rules
6. An organization uses Amazon DynamoDB. Who manages the underlying storage hardware?
- A) The customer
- B) AWS
- C) Both
- D) A third-party vendor
7. Which service shifts the most security responsibility to AWS?
- A) Amazon EC2
- B) AWS Lambda
- C) Amazon RDS
- D) Amazon S3
8. A developer stores API keys in a Lambda environment variable. Who is responsible for controlling access to that variable?
- A) AWS Lambda service
- B) The customer, through IAM policies
- C) AWS KMS
- D) The VPC
9. Who is responsible for configuring security groups for an EC2 instance?
- A) AWS
- B) The customer
- C) The hypervisor
- D) The Availability Zone
10. A company wants to ensure data in transit is encrypted when using Amazon S3. Who must configure the encryption?
- A) AWS, by default
- B) The customer, by enabling S3 SSL/TLS
- C) The internet service provider
- D) The S3 bucket owner (always AWS)
Answers:
1. B (AWS patches RDS OS and database engine)
2. B (Customer must enable SSE; AWS provides the option)
3. C (Customer secures code and env vars; AWS manages runtime)
4. C (Customer patches EC2 OS)
5. C (Physical security is AWS's responsibility)
6. B (AWS manages DynamoDB hardware)
7. B (Lambda is serverless; AWS manages almost everything)
8. B (Customer controls access via IAM)
9. B (Customer configures security groups)
10. B (Customer must enable HTTPS/SSL; S3 supports it but doesn't enforce it)
Common Misconceptions Debunked
"AWS encrypts everything by default." False. S3, EBS, and RDS have optional encryption. You must enable it. Some services (like Lambda env vars) encrypt at rest by default, but you control the key.
"Managed services mean zero customer responsibility." False. Even with RDS and Lambda, you manage data access, IAM policies, and encryption choices.
"The Shared Responsibility Model doesn't apply to serverless." False. It applies to every AWS service. Serverless just shifts more responsibility to AWS, but customer obligations remain.
Your Takeaway for the CLF-C02 Exam
Memorize the core distinction: AWS handles the infrastructure under the service; you handle everything in the service. For EC2, you own the OS. For RDS, you own the data and access. For Lambda, you own the code and configuration.
When you see a CLF-C02 question about responsibility, ask: "Can I physically touch or modify this layer?" If no, it's AWS. If yes, it's yours.
Ready to test your knowledge? Get 500+ free AWS Cloud Practitioner practice questions at Courseiva.com — including a dedicated Shared Responsibility Model quiz with detailed explanations for every answer.