IT managers: Uphold your duty to the AWS shared responsibility model

Rono Jacob, Director, Product Management

As you migrate your IT infrastructure to Amazon Web Services (AWS), and your data transitions from traditional on-premises data centers to the AWS infrastructure, it’s imperative that you understand — as an IT manager — the burden you carry for protecting your organization’s data. More importantly, it’s critical that you do not fall subject to the misconception that your AWS workloads are protected simply because they are hosted on the AWS infrastructure.

To eliminate this misconception and distinguish what each party is responsible for, AWS deployed the AWS shared responsibility model. This model defines a separation of powers — what AWS is responsible for and what its customers are responsible for when it comes to data security and compliance. Let’s dive further into the AWS shared responsibility model and why a third-party data protection solution like Druva is critical for protecting and managing your organization’s essential data.

What is the AWS shared responsibility model?

The AWS shared responsibility model is a shared model that establishes the operational partnership between the customer and AWS. Under the shared responsibility model, AWS provides the infrastructure burden — “security of the cloud” — while customers are responsible for and must protect their data in their AWS cloud workloads — “security in the cloud.”

“Security of the cloud” in the AWS shared responsibility model

As part of the AWS shared responsibility model, AWS states that it is responsible for the “security of the cloud.” This means that AWS is responsible for the cloud infrastructure which includes: hardware, software, networking, and the physical protection of the facilities that run AWS Cloud services.

What are AWS customers responsible for in the shared responsibility model?

In the AWS shared responsibility model, customer responsibility is for the “security in the cloud.” As a customer, the headache of managing and protecting the infrastructure is no longer an issue — AWS takes care of that responsibility. However, the onus is on the customer to protect and back up all customer data, the platform, operating systems, applications, and providing or restricting all access management to its users.

While AWS seeks to lessen the customer burden by providing the “security of the cloud,” the customer burden varies depending on “levels of abstraction.“ As AWS launched its infrastructure-as-a-service (IaaS), customers became responsible for security depending on their level of abstraction. Depending on the level of customer abstraction, there is a corresponding version of the AWS shared responsibility model1:

  • AWS shared responsibility model for EC2
  • AWS shared responsibility model for containers
  • AWS shared responsibility model for Lambda

To further illustrate the shared controls within the AWS shared responsibility model, some examples include2:

  • Patch management: AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
  • Configuration management: AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
  • Awareness and training: AWS trains AWS employees, but a customer must train their own employees.
AWS shared responsibility model

AWS shared responsibility model diagram

The consequences of failing to provide “security in the cloud”

Data security and compliance should be a top priority for your organization. Failing to provide “security in the cloud” can be costly for your organization. Your organization can be subjected to malicious acts and ransomware attacks if you do not have the proper security measures in place.

In addition, to avoid stringent penalties associated with the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR), your organization must have proactive compliance monitoring and data security measures in place. Protecting not only your customers’ data but your employees’ data is essential for business continuity and regulation guidelines.

Next steps

It’s salient that you understand your security responsibilities within the AWS shared responsibility model. As you start to develop your security strategy for protecting your data in the cloud, leveraging a third-party data protection solution like Druva can help you protect all of your most critical data across AWS workloads.

With Druva, your data is always on, always safe. Druva provides the resources and tools you need to protect your AWS workloads, applications, and data. Druva reduces data protection complexity, and effectively manages AWS cloud backups to meet business and regulatory backup compliance requirements.

Druva’s SaaS solution is built on AWS, and designed for infinite scalability, security, and flexibility.

Check out this white paper and discover how Druva can help your organization simplify AWS backup and recovery.

1Cloud Health by VMware, How the AWS shared responsibility model works, 2020
2AWS, Shared Responsibility Model, 2020.