AWS Shared Security Model and GDPR – Amazon Web Services

by | Jul 12, 2019 | AWS Certified Developer – Associate Exam, AWS Certified Solutions Architect – Associate Exam, AWS Certified SysOps Administrator – Associate Exam | 0 comments

As more companies move their business applications to the AWS cloud, their security becomes a critical issue. Unfortunately, many businesses are not aware of their security responsibility in the AWS cloud environment, and hence leave a huge gap in their security defences without their knowledge. Therefore, when assessing the security of these business applications, it’s imperative to understand the security measures that AWS implements and the measures that you as a customer are responsible for with the AWS Shared Responsibility Model.

Also, as part of the AWS Certification exams, it is important that IT professionals understand the AWS Shared Responsibility Model and ensure that the solutions deployed in the cloud meet all security requirements and best practice guidelines.

The Shared Responsibility Model

With the AWS Shared Responsibility Model, the security implementation of a customer’s infrastructure is shared between AWS and the customer. AWS is responsible for the global security “of” the cloud, which in practice means, protecting the underlying infrastructure (network, hardware, software, and facilities) from vulnerabilities, fraud, abuse, and intrusions, and providing customers with the necessary security capabilities.

On the other hand, the customer is responsible for security “in” the cloud, which means, the security of their content, applications, platform, operating systems, and networks. While AWS offers you several security tools to help you with security, such as CloudTrail, Security Groups, and IAM, their implementation is optional. Customers have the control to choose what security they want to implement to protect their IT infrastructure. Therefore, it’s important that customers carefully consider the services they select because their responsibility is determined by the AWS Cloud Services they choose.

IT Controls

The AWS Shared Responsibility also extends to IT controls whereby AWS and its customers share the responsibility of managing, operating and verifying IT controls. Using the control and compliance documentation, customers can perform the necessary control and verification procedures.

The AWS Shared Responsibility Model and GDPR

The EU’s General Data Protection Regulation (GDPR), requires that data processors and data controllers implement appropriate measures to protect customers and their data. The AWS Shared Responsibility Model does not change under GDPR. AWS remains with the responsibility of securing the underlying infrastructure that runs all AWS services, while customers and AWS Partner Network (APN) partners act as data processors or data controllers and are responsible for the data they put in the cloud.

The AWS Shared Responsibility Model outlines the responsibilities of AWS and its customers and APN partners, while the GDPR describes their roles as data processors and data controllers.

AWS roles as a data processor

When a customer uses AWS services to process personal data, the customer or the customer’s customer is usually the data controller and AWS is always the data processor. In this case, AWS is responsible for protecting the underlying infrastructure while the data controllers have control over the data hosted on this infrastructure.

Customer and APN partner roles as data controllers

As data controllers, the services they use may determine how they configure the services to help them meet their GDPR compliance needs. For instance, the data controller is responsible for managing all AWS services which are classified as Infrastructure as a Service (IaaS) as well as performing all routine security configuration and management.

To meet the GDPR compliance needs when using AWS global infrastructure, Amazon recommends that customers:

  • Protect their AWS account credential using Amazon Identity and Access Management (IAM)
  • Deploy multi-factor authentication for their user accounts
  • Use advanced managed security services

Become AWS Certified and start building cloud solutions for your clients.

The AWS Certified Cloud Practitioner certification is your stepping stone into the world of cloud computing and specifically the AWS ecosystem.  Learn the core fundamentals of the cloud and AWS covering cloud concepts, AWS technologies, security best practices and cloud economics with our ultimate training guide for the AWS Certified Cloud Practitioner course. 

Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy.

I accept My Preferences
Privacy Center Cookie Policy
Privacy Settings saved!
Privacy Settings

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. Control your personal Cookie Services here.

Necessary Privacy Center Privacy Policy Cookie Policy
These cookies are necessary for the website to function and cannot be switched off in our systems.
Technical Cookies
In order to use this website we use the following technically required cookies
  • wordpress_test_cookie
  • wordpress_logged_in_
  • wordpress_sec
WooCommerce
We use WooCommerce as a shopping system. For cart and order processing 2 cookies will be stored. This cookies are strictly necessary and can not be turned off.
  • woocommerce_cart_hash
  • woocommerce_items_in_cart
Decline all Services
Accept all Services