Shared Responsibility Model
Security OF the cloud vs security IN the cloud
Picture a horizontal line through a stack of EC2, RDS, S3, and Lambda: everything below it is AWS's job, everything above it is yours, and that single line answers nearly every "who is responsible" question this domain throws at you. The line is not fixed; it rises as a service becomes more managed (the next section moves it). AWS's half is "security OF the cloud": the global infrastructure that runs every service, the physical data centers, the hardware, the host operating system and virtualization layer, and the managed networking. The customer's half is "security IN the cloud": everything they put on top and configure (AWS Shared Responsibility Model[1]).
The line splits along one test: AWS owns the things you cannot touch (you will never walk into a data center or patch the hypervisor) and you own the things you turn on, upload, and configure. Below the line, AWS also owns the physical and environmental controls and the decommissioning of storage media so retired-hardware data stays unrecoverable.
Above the line, several duties stay permanently with the customer no matter the service: their own customer data, classifying that data, the IAM permissions for who can do what, the encryption options they enable, and the firewall / security group rules around their resources. The exam leans on this set because it never shifts to AWS, even for the most managed services. The two columns below name each half's duties side by side, with the dividing line running between them.
How the line shifts: EC2 to RDS to Lambda
This section moves the line from the model above: the most tested concept here is that the customer's share shrinks as a service becomes more managed, because the line rises and AWS absorbs more of the stack. AWS groups services into infrastructure, container/managed, and abstracted categories, and the boundary moves accordingly.
Amazon EC2 (IaaS / infrastructure): the line sits low, so the customer runs the most. AWS secures the hardware, hypervisor, and host. The customer owns the guest operating system (including its patching and updates), application software, security group / firewall configuration, and identity. EC2 "requires the customer to perform all of the necessary security configuration and management tasks" (AWS Shared Responsibility Model[1]). Patching the guest OS of an EC2 instance is a classic "customer responsibility" answer.
Amazon RDS (managed service): the line rises, so AWS now handles the operating system and the database engine patching, automated backups, and the underlying host. The customer no longer touches the OS, but still controls who can access the database (IAM and database credentials), the data itself, network access (security groups), and whether encryption is enabled (Amazon RDS Security[2]).
AWS Lambda (serverless): the line rises highest, so the customer offloads the most. AWS manages the servers, operating system, capacity, scaling, and runtime patching. The customer keeps only their function code, the function's IAM execution-role permissions, and their data (AWS Lambda, serverless compute[3]). There is no OS to patch at all.
The through-line: IaaS → managed → serverless hands progressively more operational security work to AWS, but the customer never gives up the data, IAM, and encryption duties from the model above.
Shared controls: duties that belong to both sides
Some controls do not land cleanly on one side of the line: AWS calls them shared, meaning both sides act in the same area but at different layers. AWS calls out three (AWS Shared Responsibility Model[1]):
- Patch management. AWS patches the infrastructure and the software of its managed services; the customer patches the guest OS and applications they run (for example, on EC2).
- Configuration management. AWS maintains the configuration of its infrastructure devices; the customer configures their own guest operating systems, databases, and applications.
- Awareness and training. AWS trains its own employees; the customer is responsible for training its own staff.
"Shared" means each side owns its own layer, not joint ownership, which is why the patch-management line moved between EC2 and RDS above; the diagram pairs each shared control's AWS layer with its customer layer. IAM sits on the customer side but is shared the same way: AWS provides it, the customer configures users, groups, roles, and least-privilege policies. AWS publishes its own compliance attestations (such as SOC and ISO reports) through AWS Artifact, so customers can evidence the AWS-controlled portion in their own audits (AWS Artifact[4]).
Exam pattern recognition
This section applies the model to question stems. On CLF-C02, these questions usually give one task and ask "who is responsible: AWS, the customer, or shared?" Anchor on the abstraction level in the stem and recall where the line sits for it.
Always AWS (below the line, security OF the cloud): physical security of data centers, hardware, the hypervisor / virtualization layer, the host OS underneath managed services, decommissioning of storage media, and the managed global network. If the stem mentions a data center, a physical host, or the hypervisor, the answer is AWS.
Always the customer (above the line, security IN the cloud): the data they store, data classification, IAM users and permissions, choosing to encrypt data, security group / firewall rules, and, on EC2, patching the guest OS and installed applications. These are the always-customer duties from the first section; if the stem mentions "the data," "who can access," or "the OS on an EC2 instance," the answer is the customer.
Common distractor traps: (1) Claiming AWS patches the guest OS of an EC2 instance. It does not; that is the customer's job on EC2, though AWS does patch the OS for managed services like RDS (the line-shift from the second section). (2) Claiming the customer owns physical data-center security. Never; that is always AWS. (3) Claiming AWS encrypts your data automatically as a responsibility. The customer chooses and configures encryption; AWS provides the tools. (4) Treating "shared" controls like patch management as one party's job. Both contribute at different layers.
Who is responsible, by service abstraction level
| Responsibility area | EC2 (IaaS) | RDS (managed) | Lambda (serverless) |
|---|---|---|---|
| Physical hardware & data center | AWS | AWS | AWS |
| Host hypervisor & virtualization | AWS | AWS | AWS |
| Guest OS patching | Customer | AWS | AWS |
| Database / runtime patching | Customer | AWS | AWS |
| Application code & logic | Customer | Customer | Customer |
| IAM permissions & access | Customer | Customer | Customer |
| Data & client-side encryption | Customer | Customer | Customer |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- AWS owns security OF the cloud
Security "OF the cloud" is always AWS's: the global infrastructure that runs every AWS service. The hardware, the host operating system and hypervisor/virtualization layer, the managed network, and the physical data-center facilities. This boundary never moves regardless of which service you pick; the customer only ever owns what they layer on top.
Trap Treating the guest OS on an EC2 instance as part of AWS's "OF the cloud" scope. AWS owns the host and hypervisor, but the guest OS is the customer's.
7 questions test this
- A compliance officer is reviewing the AWS shared responsibility model for Amazon S3 to determine which security controls AWS manages.…
- A company stores sensitive financial data in Amazon S3. The security team wants to understand which security controls AWS automatically…
- An organization is evaluating AWS Lambda for a compliance-sensitive workload. Under the AWS shared responsibility model, which security…
- A security team is auditing their organization's use of Amazon S3 under the shared responsibility model. For S3 as a managed service, which…
- A company runs its applications on Amazon EC2 instances. Under the AWS shared responsibility model, which task is the responsibility of AWS?
- A security auditor wants to verify that AWS maintains proper controls for the Amazon S3 infrastructure. Under the AWS shared responsibility…
- A company wants to understand AWS's responsibilities when using Amazon S3 as an abstracted storage service. According to the AWS shared…
- Customer owns security IN the cloud
Security "IN the cloud" is the customer's: everything configured and placed on top of AWS. The exact scope is determined by the services chosen: the more you manage yourself (e.g. EC2), the wider it gets; the more managed the service, the narrower. It always includes the customer's data, IAM permissions, and encryption choices.
- Physical and environmental security is always AWS, inherited by the customer
Physical data-center security, environmental controls, and the decommissioning of storage media are AWS "inherited controls" the customer fully inherits and never configures. When a drive reaches end of life AWS destroys it per NIST 800-88; the customer cannot touch or shift this layer.
Trap Assuming the customer can request or perform physical media destruction in an AWS data center, when media decommissioning is an inherited control AWS handles entirely.
6 questions test this
- A startup company is migrating to AWS and plans to use Amazon S3 as their primary storage service. The company's IT manager wants to…
- A compliance officer is reviewing the AWS shared responsibility model for Amazon S3 to determine which security controls AWS manages.…
- A company stores sensitive financial data in Amazon S3. The security team wants to understand which security controls AWS automatically…
- A company runs its applications on Amazon EC2 instances. Under the AWS shared responsibility model, which task is the responsibility of AWS?
- A healthcare organization is deploying a HIPAA-compliant application using Amazon RDS for MySQL. The security architect needs to understand…
- A cloud engineer is designing a serverless application and wants to understand how AWS protects Lambda infrastructure. Which security…
- The customer always owns and classifies its data
Customer datais the one responsibility that never shifts to AWS regardless of service. The customer owns it, classifies it, and decides how it's protected. Even with fully abstracted services where AWS runs everything else, ownership and classification of the data stay with the customer.Trap Assuming a fully managed or serverless service hands data protection to AWS. Managed services shrink the customer's scope but never absorb the data itself.
3 questions test this
- A company has deployed its relational database on Amazon RDS. Under the AWS shared responsibility model, which task remains the…
- A company runs workloads across Amazon EC2, Amazon RDS, and AWS Lambda. Regardless of which of these services is used, which responsibility…
- A company deployed an Amazon EC2 instance and installed a custom application that processes sensitive customer data. Under the AWS shared…
- Configuring IAM is always the customer's job
Identity and access management is always a customer responsibility: AWS supplies
IAM, but the customer creates the users, groups, and roles and applies least-privilege permissions deciding who can access what. This holds across every service, including abstracted ones where IAM is most of what the customer configures.Trap Expecting AWS to enforce least privilege by default. IAM starts deny-by-default, but scoping access to actual need is entirely the customer's to design.
5 questions test this
- A company is conducting a security assessment of their AWS environment and needs to understand the division of security responsibilities…
- A company has deployed its relational database on Amazon RDS. Under the AWS shared responsibility model, which task remains the…
- A company runs workloads across Amazon EC2, Amazon RDS, and AWS Lambda. Regardless of which of these services is used, which responsibility…
- A company runs its application logic as AWS Lambda functions. Under the AWS shared responsibility model, which task is the responsibility…
- A software company uses Amazon RDS for PostgreSQL and wants to implement encryption for data at rest using AWS KMS customer managed keys.…
- The customer decides and configures encryption
Encryption is a customer responsibility: AWS provides the tools (client-side and server-side options, KMS keys), but the customer chooses whether to encrypt and turns the options on. AWS never assumes liability for an unencrypted data store the customer left in the clear.
Trap Assuming AWS encrypts all customer data at rest automatically, when enabling encryption and selecting the keys is the customer's choice to make.
3 questions test this
- A database administrator is evaluating security responsibilities for an Amazon RDS deployment. The administrator needs to enable encryption…
- A company is planning to encrypt data at rest for their Amazon RDS PostgreSQL database to meet compliance requirements. According to the…
- A software company uses Amazon RDS for PostgreSQL and wants to implement encryption for data at rest using AWS KMS customer managed keys.…
- The customer sets firewall and security-group rules
Network traffic protection at the customer layer is the customer's: configuring security groups and firewall rules to control what reaches the workload. On EC2 specifically, configuring the AWS-provided firewall (the security group) on each instance is explicitly the customer's responsibility.
Trap Treating the security group as something AWS manages because AWS provides it, when configuring its rules is the customer's responsibility.
14 questions test this
- A company wants to ensure that traffic between resources within their VPC subnets is controlled properly. Which statement accurately…
- A company is configuring security for their new Amazon EC2 deployment. According to AWS best practices and the shared responsibility model,…
- A company is running a web application on Amazon EC2 instances. The security team discovers that the instances have unrestricted SSH access…
- A company is deploying Amazon RDS and wants to ensure proper network isolation for their database. According to the shared responsibility…
- A company is deploying a multi-tier application in Amazon VPC with web servers in public subnets and database servers in private subnets.…
- A company needs to restrict network traffic to specific ports on their Amazon EC2 instances to meet security compliance requirements.…
- A company is running a web application on Amazon EC2 instances. Under the AWS shared responsibility model, which tasks are the customer's…
- Under the AWS shared responsibility model, which network security configurations are customer responsibilities when using Amazon VPC?
- A solutions architect is configuring network security for Amazon EC2 instances that will host a customer-facing application. The architect…
- A company deployed an Amazon EC2 instance and installed a custom application that processes sensitive customer data. Under the AWS shared…
- A company runs a web application on Amazon EC2 instances. The security team wants to control which IP addresses can connect to port 443 on…
- A company wants to add an additional layer of security at the subnet level in their VPC to complement their security groups. The security…
- A company is deploying Amazon EC2 instances in their Amazon VPC. The security team wants to implement an additional layer of defense at the…
- A company is deploying a web application on Amazon EC2 instances. According to the AWS shared responsibility model, which task is the…
Customer responsibility tracks the abstraction level: it is widest on infrastructure services (IaaS like EC2, where you own the guest OS), narrows on managed/container services (like RDS, where AWS takes the OS and engine), and is narrowest on abstracted services (like S3 and DynamoDB, where AWS runs the infrastructure and OS). Responsibility shifts toward AWS as you move up that spectrum.
Trap Assuming the customer's responsibility grows as a service becomes more managed, when it actually shrinks as more of the stack moves to AWS.
- On EC2 the customer patches the guest OS
Amazon EC2is IaaS, so the customer manages the guest operating system (including updates and security patches) plus any installed application software and the security-group configuration. AWS only secures the underlying host, hypervisor, and hardware beneath the instance.Trap Assuming AWS auto-patches an EC2 instance's guest OS the way it patches managed services. On IaaS that patching is the customer's job.
13 questions test this
- A company is running a fleet of Amazon EC2 instances with a Linux operating system. According to the AWS shared responsibility model, which…
- A company is comparing running a database on Amazon EC2 instances with using Amazon RDS. Which statement correctly describes how…
- A company is configuring security for their new Amazon EC2 deployment. According to AWS best practices and the shared responsibility model,…
- A company is evaluating Amazon EC2, Amazon RDS, and AWS Lambda. Which statement correctly describes how customer responsibility changes…
- A security administrator needs to understand which security tasks are shared between AWS and the customer for Amazon EC2 instances. Which…
- A company is migrating from self-managed databases on Amazon EC2 to Amazon RDS. The database team wants to understand how patching…
- A company deployed an Amazon EC2 instance and installed a custom application that processes sensitive customer data. Under the AWS shared…
- A company runs production workloads on Amazon EC2 instances. The security team discovered that the operating system on several instances…
- A solutions architect is comparing security responsibilities between Amazon EC2 and AWS Lambda for a new application deployment. The team…
- A company is migrating workloads from on-premises to Amazon EC2. The operations team wants to understand the patch management…
- A security administrator needs to apply critical security patches to the guest operating systems on Amazon EC2 instances. According to the…
- A company is migrating from self-managed databases on Amazon EC2 to Amazon RDS. The operations team wants to understand how security…
- A company is evaluating whether to migrate from Amazon EC2-based applications to AWS Lambda. The security team wants to understand which…
- RDS moves OS and engine patching plus backups to AWS
With managed
Amazon RDS, AWS owns operating-system and database-engine patching, software installation, automated backups, scaling, and high availability; the customer is left with the data, access control (IAM), encryption choices, and query tuning. It's the canonical "managed service shrinks your share" example versus running your own database on EC2.Trap Assuming the customer still patches the database engine and OS on RDS the way they would on a self-managed database, when RDS hands both to AWS.
11 questions test this
- A company is using Amazon RDS for MySQL as its production database. The security team wants to understand who is responsible for applying…
- A company has deployed its relational database on Amazon RDS. Under the AWS shared responsibility model, which task remains the…
- A database administrator wants to configure the backup retention period and backup window for an Amazon RDS database. Under the AWS shared…
- A company is comparing running a database on Amazon EC2 instances with using Amazon RDS. Which statement correctly describes how…
- A company is evaluating Amazon EC2, Amazon RDS, and AWS Lambda. Which statement correctly describes how customer responsibility changes…
- A company is migrating from self-managed databases on Amazon EC2 to Amazon RDS. The database team wants to understand how patching…
- A company has moved a self-managed database off Amazon EC2 and onto Amazon RDS. Under the AWS shared responsibility model, which…
- A company is using Amazon RDS for MySQL and wants to ensure that security-related operating system patches are applied to its database…
- A company is running a production workload on Amazon RDS for PostgreSQL. The security team is concerned about keeping the database engine…
- A solutions architect is designing a secure database solution using Amazon RDS. According to the shared responsibility model, which access…
- A company is migrating from self-managed databases on Amazon EC2 to Amazon RDS. The operations team wants to understand how security…
- Lambda leaves the customer responsible only for code
With serverless
AWS Lambda, the customer is responsible only for their function code. AWS manages the servers, operating-system maintenance, capacity provisioning, automatic scaling, and logging. The customer still owns the function's IAM permissions and the data it touches, but carries zero OS or server responsibility.Trap Assuming serverless Lambda also relieves the customer of IAM and data responsibility, when those stay with the customer even though the OS and servers do not.
15 questions test this
- A company is migrating from Amazon EC2 to AWS Lambda to reduce operational overhead. Which security responsibility does AWS assume for…
- A company is evaluating AWS Lambda for processing sensitive customer data. The security officer needs to understand what AWS manages to…
- A company runs its application logic on AWS Lambda functions. Under the AWS shared responsibility model, which task is AWS responsible for?
- An organization is evaluating AWS Lambda for a compliance-sensitive workload. Under the AWS shared responsibility model, which security…
- A company is evaluating Amazon EC2, Amazon RDS, and AWS Lambda. Which statement correctly describes how customer responsibility changes…
- A company is migrating from Amazon EC2-based applications to AWS Lambda. The operations team previously managed operating system patches on…
- A company is deploying serverless applications using AWS Lambda. A security engineer wants to understand which security tasks AWS handles…
- A company runs its application logic as AWS Lambda functions. Under the AWS shared responsibility model, which task is the responsibility…
- A company is deploying serverless applications using AWS Lambda and wants to understand the shared responsibility model. In this model,…
- A company is migrating its application to AWS Lambda and wants to understand the shared responsibility model. The security team needs to…
- A development team uses AWS Lambda with managed runtimes for their serverless application. The team wants to understand how runtime…
- A company is migrating from on-premises virtual machines to AWS Lambda functions for their application. A cloud architect needs to explain…
- A solutions architect is comparing security responsibilities between Amazon EC2 and AWS Lambda for a new application deployment. The team…
- A company is using AWS Lambda for serverless applications and wants to understand how runtime security updates are handled. The security…
- A company is evaluating whether to migrate from Amazon EC2-based applications to AWS Lambda. The security team wants to understand which…
Patch management is a named shared control: AWS patches and fixes flaws in the infrastructure (and in managed-service software), while the customer patches the guest OS and the applications it runs. The split follows the service: on EC2 the OS patching falls to the customer; on RDS or Lambda it shifts to AWS.
4 questions test this
- A security administrator needs to understand which security tasks are shared between AWS and the customer for Amazon EC2 instances. Which…
- A company runs production workloads on Amazon EC2 instances. The security team discovered that the operating system on several instances…
- A company is migrating workloads from on-premises to Amazon EC2. The operations team wants to understand the patch management…
- A security administrator needs to apply critical security patches to the guest operating systems on Amazon EC2 instances. According to the…
Configuration management is a named shared control: AWS maintains the configuration of its infrastructure devices, while the customer configures its own guest operating systems, databases, and applications. Both sides configure, but each only its own layer.
Trap Assuming AWS configures the customer's guest OS, databases, and applications because it configures its own infrastructure devices, when each party configures only its own layer.
Awareness and training is a named shared control: AWS trains AWS employees, and the customer must train its own employees. Each party is accountable only for educating its own staff, not the other's.
- For abstracted services the customer owns only data, IAM, and encryption
For abstracted services like
Amazon S3andAmazon DynamoDB, AWS operates the infrastructure layer, the operating system, and the platform; the customer accesses endpoints and is responsible for managing the data (including encryption options), classifying assets, and using IAM to apply the right permissions. It is the narrowest customer footprint of any service category.Trap Assuming an abstracted service like S3 or DynamoDB leaves the customer with nothing to secure, when the customer still owns the data, its classification, encryption options, and IAM permissions.
4 questions test this
- A company is conducting a security assessment of their AWS environment and needs to understand the division of security responsibilities…
- A security team is auditing their organization's use of Amazon S3 under the shared responsibility model. For S3 as a managed service, which…
- A security auditor wants to verify that AWS maintains proper controls for the Amazon S3 infrastructure. Under the AWS shared responsibility…
- A company wants to understand AWS's responsibilities when using Amazon S3 as an abstracted storage service. According to the AWS shared…