This chapter explains the AWS Shared Responsibility Model, a foundational security concept that appears on every AWS certification exam, including CLF-C02. Understanding who is responsible for what is critical for passing the Security & Compliance domain (which makes up about 30% of the exam). We will cover the exact division of security responsibilities between AWS and the customer, how this model varies by service, and common exam pitfalls. By the end, you will be able to identify which security tasks belong to AWS and which belong to you in any scenario.
Imagine you are renting an apartment in a large building. The landlord (AWS) is responsible for the security of the building's structure: the outer doors, the locks on the main entrance, the fire alarms in the hallways, and the integrity of the walls and roof. The landlord ensures the building is structurally sound and that common areas are secure. However, the landlord does not have keys to your specific apartment. You, as the tenant (the customer), are responsible for locking your own door, setting your own alarm system inside your apartment, and deciding who you give your keys to. If you leave your door unlocked or your window open, a burglar could enter, but that is not the landlord's fault. Similarly, if you install a weak lock or share keys with untrustworthy people, you bear the consequences. In AWS, the landlord secures the physical data centers, network infrastructure, and hypervisor, while you secure your data, applications, operating systems, and access permissions. The shared responsibility model clarifies who does what, preventing you from assuming AWS handles everything or that you have no security duties.
What is the AWS Shared Responsibility Model and Why Does It Exist?
The AWS Shared Responsibility Model is a security framework that defines the division of security obligations between AWS and the customer. It exists because cloud computing does not eliminate security responsibilities; it shifts them. In a traditional on-premises data center, you own everything—the building, servers, network cables, operating systems, applications, and data—so you are responsible for securing all layers. In the cloud, AWS provides the infrastructure, but you must secure what you put on top of it.
The model is often visualized as a layered cake: AWS is responsible for the "Security OF the Cloud" (the physical and structural layers), and the customer is responsible for "Security IN the Cloud" (everything they deploy and configure). This distinction is critical because many candidates mistakenly believe AWS secures everything, leading to security breaches and exam errors.
How It Works: The Division of Responsibilities
AWS is responsible for:
- Physical security of data centers: guards, fences, cameras, biometric access, and environmental controls (power, cooling, fire suppression).
- Hardware and software infrastructure: servers, storage devices, networking gear, hypervisors, and the software that manages them.
- Network infrastructure: global network backbone, edge locations, and physical network segmentation.
- Managed services: for services like Amazon RDS, Amazon S3, and AWS Lambda, AWS also handles the underlying operating system and platform security.
The customer is always responsible for:
- Customer data: encryption, classification, and compliance of data stored or processed in AWS.
- Identity and Access Management (IAM): users, groups, roles, policies, and multi-factor authentication (MFA).
- Operating system and application security: patching, firewalls, antivirus, and configuration of the guest OS on EC2 instances.
- Network traffic protection: security groups, network ACLs, and firewall rules.
- Client-side encryption: encrypting data before sending it to AWS.
For some services, responsibility is shared. For example, with Amazon RDS, AWS manages the database engine patching and backup, but you manage database credentials, schema, and data encryption keys.
Key Tiers and Configurations
The model varies by service type:
- Infrastructure as a Service (IaaS) like Amazon EC2: you have more responsibility, since you manage the guest OS, applications, and security groups. AWS secures the physical host and hypervisor.
- Platform as a Service (PaaS) like AWS Elastic Beanstalk: AWS manages the OS and runtime, but you still manage your application code and IAM permissions.
- Software as a Service (SaaS) like Amazon WorkMail: AWS handles almost everything, but you manage users and data.
Comparison to On-Premises
On-premises: You are responsible for everything from the building to the data. In the cloud, AWS takes over the lower layers, but you still have significant duties. The key difference is that you no longer need to worry about physical security or hardware maintenance, but you must master cloud-specific security tools like IAM and security groups.
When to Use vs Alternatives
You always use the Shared Responsibility Model—it is not a service you choose; it is the underlying security model for all AWS services. Understanding it helps you decide which services to use based on your security compliance needs. For example, if you need full control over the OS, use EC2. If you want to offload OS patching, use RDS or Lambda.
Identify Your Workload Type
First, determine whether your workload uses IaaS, PaaS, or SaaS. For example, if you launch an EC2 instance (IaaS), you are responsible for the guest OS, application, and security groups. If you use Amazon RDS (PaaS), AWS manages the OS and database engine, but you still manage data and access. This step is crucial because the division of responsibility changes. Many exam questions describe a service and ask who is responsible for a specific task—your answer depends on the service type. For instance, patching the operating system is the customer's responsibility for EC2 but AWS's responsibility for RDS.
List Customer Responsibilities
For your workload, list everything you must secure. This includes: IAM users and policies, encryption of data at rest and in transit, security group rules, network ACLs, operating system patches (if EC2), application code security, and compliance with regulations like HIPAA or GDPR. Use the AWS Shared Responsibility Model diagram (available in the AWS Well-Architected Framework) as a checklist. A common mistake is forgetting that customers are responsible for data classification and compliance, even if AWS provides compliance certifications.
List AWS Responsibilities
AWS is responsible for the physical data centers, hardware, global network, hypervisor, and, for managed services, the underlying OS and platform. For example, AWS ensures that the hypervisor isolating EC2 instances is secure and that S3 objects are stored durably (99.999999999% durability). AWS also provides security tools like CloudTrail and Config, but you must enable and configure them. Note that AWS does not automatically encrypt your data: you must enable encryption features like S3 Server-Side Encryption or EBS Encryption.
Implement Security Controls
Configure the security services that fall under your responsibility. Create IAM roles with least privilege, set up security groups to restrict traffic, enable encryption, and turn on AWS CloudTrail for auditing. For EC2, apply OS patches regularly—AWS provides tools like AWS Systems Manager Patch Manager to help. For S3, enable Block Public Access and use bucket policies. Remember that AWS will not automatically secure your resources; you must take action. Exam questions often test whether you know that customers must configure security groups and IAM.
Review and Audit Regularly
Use AWS Trusted Advisor and AWS Security Hub to check for security gaps. Run AWS Config rules to ensure compliance with your security policies. For example, you can create a Config rule that checks whether EBS volumes are encrypted. Regular auditing is your responsibility—AWS provides the tools, but you must use them. A typical exam scenario: a customer suffers a data breach because they left an S3 bucket public. This is the customer's fault, not AWS's, because the customer did not configure the bucket policy correctly.
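The customer-side checks named in the steps above, as an added example that is not code from this chapter or from AWS: a Python audit that runs over constructed resource descriptions. It assumes the input dictionaries follow the shape of the S3 and EC2 API responses (GetPublicAccessBlock, GetBucketEncryption, GetBucketPolicy, DescribeVolumes) that a real run would fetch with boto3; the bucket names, volume IDs and key alias are made up.

```python
import json

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
# Constructed sample shaped like the S3/EC2 API responses a real run would fetch with
# boto3 (GetPublicAccessBlock, GetBucketEncryption, GetBucketPolicy, DescribeVolumes).
SAMPLE = {
    "buckets": [
        {"Name": "orders-export", "PublicAccessBlock": dict.fromkeys(PAB_KEYS, False),
         "Encryption": None,
         "Policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                              "Action": "s3:GetObject",
                                              "Resource": "arn:aws:s3:::orders-export/*"}]})},
        {"Name": "patient-records", "PublicAccessBlock": dict.fromkeys(PAB_KEYS, True),
         "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
             "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/placeholder-key"}}]},
         "Policy": None},
    ],
    "volumes": [{"VolumeId": "vol-0example1", "Encrypted": False},
                {"VolumeId": "vol-0example2", "Encrypted": True}],
}

def policy_is_public(policy_json):
    """True if any Allow statement grants access to everyone (Principal '*')."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone:
            return True
    return False

def audit_bucket(bucket):
    """Customer-side S3 checks; an empty list means the bucket passes."""
    findings = []
    pab = bucket.get("PublicAccessBlock") or {}
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("Block Public Access not fully enabled")
    if policy_is_public(bucket.get("Policy")):
        findings.append("bucket policy allows Principal '*'")
    if not bucket.get("Encryption"):
        findings.append("no default server-side encryption configured")
    return findings

def audit_volume(volume):
    """The EBS check the text describes as a Config rule: COMPLIANT or NON_COMPLIANT."""
    return "COMPLIANT" if volume.get("Encrypted") else "NON_COMPLIANT"

def audit(snapshot):
    """Map every resource to its result so the report can be reviewed or asserted on."""
    report = {b["Name"]: audit_bucket(b) for b in snapshot["buckets"]}
    report.update({v["VolumeId"]: audit_volume(v) for v in snapshot["volumes"]})
    return report
```

Run `audit(SAMPLE)` to see the public, unencrypted bucket and the unencrypted volume flagged while the hardened bucket passes.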
Scenario 1: A Healthcare Startup Using AWS for HIPAA Compliance
A healthcare startup needs to store patient records in AWS while complying with HIPAA. They use Amazon S3 for storage and Amazon EC2 for application servers. The team must understand the Shared Responsibility Model to pass a compliance audit. AWS is responsible for the physical security of data centers and the HIPAA eligibility of its services (they sign a Business Associate Addendum). However, the startup is responsible for encrypting the patient data at rest (using S3 SSE-KMS) and in transit (using TLS), managing IAM roles to restrict access to authorized personnel, and ensuring the EC2 instances are patched and configured securely. A common mistake is assuming AWS automatically encrypts data—it does not. The startup must enable encryption and configure access policies. If they fail to do so and a breach occurs, the startup bears the liability. Cost-wise, encryption and IAM are free, but the labor to configure them is significant. Misconfiguration, such as leaving an S3 bucket public, can lead to data exposure and fines.
Scenario 2: A Financial Services Company Using AWS Lambda
A financial services company runs serverless functions with AWS Lambda to process transactions. They assume that because Lambda is a managed service, AWS handles all security. However, the customer is still responsible for the code, IAM permissions, and data encryption. For example, the Lambda function may access a DynamoDB table; the customer must ensure the IAM role attached to the function has only the necessary permissions (least privilege). Also, the customer must encrypt sensitive environment variables and enable VPC settings if the function needs to access a private database. A real-world incident involved a company that stored API keys in plaintext environment variables, leading to a compromise. The Shared Responsibility Model makes it clear: AWS secures the execution environment, but the customer secures the code and configuration. The exam often tests this—remember that even with serverless, you are responsible for your code and IAM.
Scenario 3: A Retail Company Using Amazon RDS
A retail company uses Amazon RDS for MySQL to store customer orders. They believe that because RDS is a managed service, AWS handles all security patches. This is partially true: AWS patches the database engine and OS. However, the customer is responsible for managing database user accounts, setting password policies, enabling encryption (RDS encryption is optional and must be enabled at creation), and configuring security groups to restrict network access. A common mistake is not enabling encryption at rest—if the underlying storage is compromised, the data is exposed. Also, the customer must enable automated backups and set retention periods. The exam often asks: who is responsible for patching the database engine? Answer: AWS. Who is responsible for configuring database access? Answer: the customer. This distinction is key.
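Scenarios 2 and 3 share one audit pattern, so a single added example (not code from this chapter or from AWS) covers both: it flags wildcard permissions in a Lambda execution-role policy and checks an RDS instance for storage encryption, automated backups, and security groups open to the world. The policy, instance description, security-group rules, account ID and identifiers are constructed for the example and mirror the shape of GetRolePolicy, DescribeDBInstances and DescribeSecurityGroups output.

```python
import ipaddress

# Constructed sample: a Lambda execution-role policy and an RDS description in
# the shape of GetRolePolicy / DescribeDBInstances / DescribeSecurityGroups
# output. Real values would come from boto3; these are made up for the example.
LAMBDA_ROLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/orders:*"},
    ]
}
RDS_INSTANCE = {
    "DBInstanceIdentifier": "orders-db", "StorageEncrypted": False,
    "BackupRetentionPeriod": 0, "PubliclyAccessible": False,
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example"}],
}
SECURITY_GROUPS = {
    "sg-0example": [{"FromPort": 3306, "ToPort": 3306,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

def overly_broad_statements(policy):
    """Return the Allow statements that use a wildcard action or resource."""
    broad = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            broad.append(stmt)
    return broad

def open_to_world(rule):
    """True if an inbound rule admits every IPv4 or IPv6 address (a /0 range)."""
    ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in ranges)

def audit_rds(instance, groups):
    """Customer-side RDS checks from the scenario; an empty list means it passes."""
    findings = []
    if not instance.get("StorageEncrypted"):
        findings.append("storage not encrypted (must be set when the instance is created)")
    if instance.get("BackupRetentionPeriod", 0) == 0:
        findings.append("automated backups disabled")
    for sg in instance.get("VpcSecurityGroups", []):
        for rule in groups.get(sg["VpcSecurityGroupId"], []):
            if open_to_world(rule):
                findings.append(f"{sg['VpcSecurityGroupId']} allows port {rule['FromPort']} from anywhere")
    return findings
```

Calling `overly_broad_statements(LAMBDA_ROLE_POLICY)` returns only the `dynamodb:*` statement, and `audit_rds(RDS_INSTANCE, SECURITY_GROUPS)` lists all three gaps the scenario warns about.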
What CLF-C02 Tests on This Objective
The CLF-C02 exam covers the Shared Responsibility Model in the Security & Compliance domain (Domain 2: Security and Compliance, Objective 2.1). You will see questions that ask: "Which of the following is the responsibility of AWS according to the Shared Responsibility Model?" or "A customer is using EC2 and RDS. Who is responsible for patching the operating system?" The exam tests your ability to distinguish between AWS responsibilities and customer responsibilities across different service types.
Common Wrong Answers and Why Candidates Choose Them
"AWS is responsible for all security." Candidates choose this because they think cloud means no security work. Reality: customers have significant responsibilities, especially for IaaS.
"The customer is responsible for physical security." Candidates confuse on-premises with cloud. AWS handles physical security.
"AWS is responsible for patching the guest OS on EC2." Candidates assume all patching is AWS's job. Reality: for EC2, the customer patches the guest OS; AWS patches the hypervisor.
"The customer is responsible for network infrastructure security." Candidates think they control everything. Reality: AWS secures the global network backbone; customers secure traffic with security groups and ACLs.
Specific Terms and Values That Appear on the Exam
"Security of the Cloud" vs. "Security in the Cloud"
"Hypervisor" – AWS secures the hypervisor; customer secures the guest OS.
"Physical access controls" – AWS responsibility.
"Customer data" – always customer responsibility.
"IAM" – always customer responsibility.
"Managed services" (RDS, Lambda, S3) – AWS handles the underlying platform; customer handles data and access.
Tricky Distinctions
The exam often compares EC2 (IaaS) and RDS (PaaS). For EC2, the customer patches the OS; for RDS, AWS patches the OS and database engine. Another tricky point: AWS is responsible for the security of the global network, but the customer is responsible for configuring security groups and network ACLs to protect their VPC.
Decision Rule for Multiple-Choice Questions
When you see a security responsibility question, first identify the service type (IaaS, PaaS, SaaS). Then ask: "Is this about physical hardware, hypervisor, or network backbone?" If yes, it's AWS. If it's about data, IAM, OS patches, or application code, it's the customer. For managed services, AWS does more, but the customer still handles data and access. Eliminate answers that assign physical security to the customer or data security to AWS.
AWS is responsible for security OF the cloud (physical, hardware, hypervisor, network backbone).
Customers are responsible for security IN the cloud (data, IAM, OS patches, network configuration, encryption).
Responsibility varies by service type: IaaS (EC2) gives more customer responsibility; PaaS (RDS) shifts OS patching to AWS; SaaS (WorkMail) shifts even more.
Customer data is ALWAYS the customer's responsibility, regardless of service type.
Encryption at rest and in transit is not automatic; customers must enable it (e.g., S3 SSE, EBS encryption, RDS encryption).
IAM is always the customer's responsibility — AWS provides the service, but you manage users, groups, roles, and policies.
For EC2, customers patch the guest OS; for RDS, AWS patches the OS and database engine.
AWS provides security tools (CloudTrail, Config, GuardDuty), but customers must enable and configure them.
The Shared Responsibility Model is a core concept tested in the Security & Compliance domain (~30% of CLF-C02).
A common exam trap: assuming AWS handles all security for managed services — remember data and access are your job.
These come up on the exam all the time. Here's how to tell them apart.
EC2 (IaaS):
- Customer manages the guest OS and applications.
- Customer patches the operating system.
- Customer configures security groups and network ACLs.
- Customer is responsible for application security.
- AWS secures the hypervisor and physical host.
RDS (PaaS):
- AWS manages the OS and database engine.
- AWS patches the OS and database engine.
- Customer still manages security groups for network access.
- Customer is responsible for data encryption and IAM.
- AWS handles backup and recovery automation.
Mistake: AWS is responsible for all security in the cloud.
Correct: AWS is responsible for security OF the cloud, but customers are responsible for security IN the cloud, including data, IAM, OS, and network configuration.
Mistake: If I use a managed service like RDS, I don't have any security responsibilities.
Correct: Even with managed services, you are responsible for data encryption, IAM permissions, database credentials, and network access controls.
Mistake: The customer is responsible for physical security of data centers.
Correct: Physical security is entirely AWS's responsibility. Customers never have physical access to AWS data centers.
Mistake: AWS automatically encrypts all data at rest.
Correct: Encryption is optional for most services and must be enabled by the customer. For example, S3 server-side encryption is not default.
Mistake: Patching the operating system on EC2 is AWS's responsibility.
Correct: For EC2 (IaaS), the customer is responsible for patching the guest OS. AWS patches the hypervisor and underlying hardware.
The customer is responsible for patching the guest operating system on an EC2 instance. AWS patches the hypervisor and underlying hardware. This is a key distinction tested on the exam: for IaaS (EC2), the customer manages the OS; for PaaS (RDS), AWS manages the OS. An exam tip: if the question mentions EC2 and OS patching, the correct answer is the customer.
No, AWS provides encryption options (SSE-S3, SSE-KMS, SSE-C), but it is the customer's responsibility to enable encryption. By default, S3 buckets are not encrypted. The customer must configure bucket policies or default encryption settings. The exam often tests that encryption is a customer responsibility, even though AWS provides the tools.
'Security of the Cloud' refers to AWS's responsibility: physical security, hardware, software infrastructure, and network backbone. 'Security in the Cloud' refers to the customer's responsibility: data, IAM, OS, applications, and network configuration. This distinction is fundamental to the Shared Responsibility Model and appears verbatim on the exam.
AWS is solely responsible for physical access control to its data centers. Customers never have physical access. This includes guards, biometric scanners, cameras, and environmental controls. The exam may try to trick you by suggesting the customer can enter a data center—this is false.
No, AWS automatically patches the database engine and underlying OS for Amazon RDS. However, you are responsible for managing database credentials, user permissions, and enabling encryption. The exam often compares RDS and EC2: for RDS, AWS patches; for EC2, you patch.
IAM is always the customer's responsibility. AWS provides the IAM service, but you create users, groups, roles, policies, and enable MFA. A common exam scenario: a customer's data is leaked because an IAM user had excessive permissions. This is the customer's fault under the Shared Responsibility Model.
Yes, the model applies to all services, but the division of responsibility shifts depending on whether the service is IaaS, PaaS, or SaaS. For example, with Lambda (PaaS), AWS manages the runtime environment, but you manage the code and IAM. The exam expects you to apply the model to any service mentioned.