AWS Shared Responsibility Model

AWS-SHARED-RESPONSIBILITY

The dividing line between what AWS secures and what you secure — and how that line shifts by service type.

awsshared-responsibilitysecuritycompliance

Overview

The shared responsibility model is the foundational framework for thinking about security in AWS. It defines, clearly and contractually, which security controls belong to AWS and which belong to the customer. Misunderstanding this boundary is one of the most common causes of cloud security incidents — not because AWS failed to protect its infrastructure, but because customers assumed AWS was protecting something that was explicitly the customer’s responsibility.

The model has one core principle: AWS is responsible for security OF the cloud; you are responsible for security IN the cloud.

AWS’s Responsibilities — Security OF the Cloud

AWS is responsible for protecting the infrastructure that runs all AWS services. This encompasses every layer below the service API — hardware, facilities, global network, and the hypervisor.

Physical Security

AWS designs, builds, and operates its own data centers. Physical security controls include:

Third parties conduct physical security audits and the results are included in AWS SOC 2 Type II reports, which customers can access via AWS Artifact.

Hardware and Global Network

AWS is responsible for the servers, switches, routers, and fiber infrastructure that comprise the AWS global network and regional infrastructure. This includes:

Hypervisor

For services that use virtualization (EC2, ECS, and underlying infrastructure for managed services), AWS is responsible for the hypervisor. This includes the Nitro System — AWS’s custom hypervisor built on dedicated hardware with a minimal attack surface. Customers cannot access or modify the hypervisor.

Nitro moves hypervisor functions to dedicated hardware rather than running them as software on the same CPU as VM workloads. This reduces the attack surface and removes the hypervisor from the data path, meaning customer workloads achieve near-bare-metal performance while remaining isolated.

Managed Service Internal Security

For managed services (RDS, DynamoDB, Lambda, S3, EKS), AWS is responsible for the underlying infrastructure — the OS, the runtime, the database engine software, patching, availability infrastructure, and internal network security. Customers never see this layer.

Customer Responsibilities — Security IN the Cloud

Everything that runs on top of the infrastructure is the customer’s responsibility. The exact boundary varies by service type (covered in the next section), but customer responsibilities universally include:

Data Classification and Protection

You decide what data goes into AWS, how sensitive it is, and what protections it requires. AWS provides the tools — encryption, access controls, replication — but does not classify your data or make data governance decisions for you.

Key data responsibilities:

Identity and Access Management

IAM is entirely the customer’s domain. AWS provides IAM as a service, but the configuration — who gets what access, how permissions are structured, whether least privilege is actually enforced — is the customer’s responsibility. Common failures here:

Network Configuration

VPCs, subnets, security groups, and network ACLs are customer-configured. AWS provides the network fabric; you configure the logical network.

Operating System and Application Security (EC2)

For EC2 and any service where you manage the OS, you are responsible for:

How Responsibility Shifts by Service Type

The shared responsibility line is not fixed — it moves depending on how much management AWS takes on for a given service.

Customer Layer
AWS Layer
EC2 (IaaS): Customer manages OS, runtime, middleware, application, data
AWS manages: hypervisor, hardware, facilities, network
RDS (PaaS): Customer manages schema, data, users, DB parameters
AWS manages: OS patches, DB engine upgrades, storage, replication
Lambda (Serverless): Customer manages code, dependencies, IAM, data
AWS manages: runtime, OS, scaling, availability, patching
S3 (Storage SaaS): Customer manages classification, policies, encryption config, access
AWS manages: hardware, durability replication, infrastructure security

IaaS — Amazon EC2

EC2 represents the most customer responsibility of any AWS compute service. The division:

LayerResponsible Party
Application code and dependenciesCustomer
Runtime (JVM, Python interpreter, Node.js)Customer
Middleware (web server, app server)Customer
Operating system (installation, configuration, patching)Customer
Guest OS firewallCustomer
EC2 instance configuration (IAM role, security groups, key pair)Customer
EBS encryption and backupsCustomer
HypervisorAWS
Physical server and storageAWS
Physical networkAWS
Physical facilityAWS

EC2 gives the most control and the most responsibility. If a vulnerability in your OS is exploited because you did not apply a patch, that is a customer security failure, not an AWS failure.

PaaS — Amazon RDS

RDS manages the database engine and OS, shifting significant responsibility to AWS:

LayerResponsible Party
Application queries and connection handlingCustomer
Database user accounts and permissionsCustomer
Schema designCustomer
Data classification and encryption (at-rest encryption toggle, TDE)Customer
Parameter group configurationCustomer
Backup retention periodCustomer
DB engine software patchingAWS
Operating system patchingAWS
Underlying EC2 instance managementAWS
Storage provisioning and replication (Multi-AZ)AWS
Hardware and facilitiesAWS

You still manage who can connect to your database and what they can do once connected. AWS manages keeping the database engine software patched and the underlying hardware running.

Serverless — AWS Lambda

Lambda pushes the responsibility line even higher toward AWS:

LayerResponsible Party
Function codeCustomer
Libraries and dependencies packaged with the functionCustomer
IAM execution roleCustomer
Environment variables (including secrets management)Customer
Function triggers and event source configurationCustomer
Runtime (Python 3.12, Node.js 20, etc.)AWS
Runtime patching and security updatesAWS
Operating systemAWS
Scaling and concurrency managementAWS
Underlying compute hardwareAWS

The customer’s residual responsibility is narrower but still significant: your function code, its dependencies, and how it handles data and credentials.

Object Storage — Amazon S3

S3 is often misunderstood as the AWS service with the most AWS responsibility. In practice, many S3 breaches have been customer-caused:

LayerResponsible Party
Data content and classificationCustomer
Bucket policy (public access settings)Customer
IAM policies controlling accessCustomer
Server-side encryption selection (SSE-S3, SSE-KMS, SSE-C)Customer
S3 Object Lock configurationCustomer
Cross-Origin Resource Sharing (CORS)Customer
Versioning and replication configurationCustomer
Lifecycle rulesCustomer
Hardware providing 11 9s durabilityAWS
Internal replication across AZsAWS
Physical storage and networkAWS

The infamous “S3 bucket exposed publicly” class of incidents is entirely customer responsibility — AWS provides the Block Public Access feature (which should be enabled at the account level), but customers configure (or misconfigure) their bucket policies.

Compliance Inheritance

When AWS achieves certifications and attestations, customers inherit the coverage that AWS owns:

What AWS CertifiesWhat Customers InheritWhat Customers Still Own
SOC 2 Type II (physical, logical, availability controls for infrastructure)AWS infrastructure controls are certifiedControls over your applications, data, and configurations
PCI DSS (for in-scope AWS services)AWS infrastructure is a certified PCI-compliant environmentCustomers must still certify their application’s PCI compliance
ISO 27001 / 27017 / 27018AWS’s ISMS certificationCustomers’ own ISMS scope
FedRAMP (for govcloud and some commercial services)AWS infrastructure authorizationCustomer application must obtain its own ATO
HIPAA Business Associate Agreement (BAA)AWS signs a BAA covering HIPAA-eligible servicesCustomer is still responsible for PHI handling within those services

Compliance inheritance means you do not have to audit AWS’s data center physical security for your own SOC 2 audit — AWS’s SOC 2 report covers that. Your auditors review the AWS SOC 2 report (available in AWS Artifact) and focus your audit scope on your application and configuration controls.

However, inheritance is not a free pass. You cannot claim PCI DSS compliance simply because you run on AWS. Your application’s data handling, your IAM configuration, your network segmentation, your encryption choices — all of these are customer scope and must be audited and controlled independently.

AWS Artifact

AWS Artifact is the self-service portal for accessing AWS’s compliance documentation:

Access AWS Artifact from the AWS Management Console. Reports are signed NDAs — you must accept terms before downloading. Most reports are updated annually or semi-annually. Share these with your auditors, legal team, or enterprise customers who ask for AWS compliance documentation.

Practical Security Baseline

Translating the shared responsibility model into a practical checklist for what customers should implement in every AWS account:

ControlService / Feature
MFA on root and all IAM usersIAM
No active root access keysIAM credentials report
CloudTrail enabled in all regionsCloudTrail
GuardDuty enabledGuardDuty (threat detection across VPC flow logs, CloudTrail, DNS logs)
S3 Block Public Access at account levelS3 account settings
Default EBS encryption enabledEC2 account-level setting
Config rules enabledAWS Config (compliance drift detection)
Security Hub enabledSecurity Hub (aggregated findings from GuardDuty, Inspector, Macie, Config)
VPC Flow Logs enabledVPC
Password policy enforcedIAM password policy
Unused access keys identified and removedIAM credentials report + Access Analyzer

These controls address the customer-side responsibilities most commonly missed in early AWS deployments. AWS will not enable them for you — that is your side of the shared responsibility line.