As more companies move their business applications to the AWS cloud, the security of those applications becomes a critical issue. Unfortunately, many businesses are not aware of their security responsibility in the AWS cloud environment, and hence unknowingly leave a huge gap in their security defences. Therefore, when assessing the security of these business applications, it’s imperative to understand which security measures AWS implements and which measures you as a customer are responsible for under the AWS Shared Responsibility Model.
Also, as part of the AWS Certification exams, it is important that IT professionals understand the AWS Shared Responsibility Model and ensure that the solutions deployed in the cloud meet all security requirements and best practice guidelines.
The Shared Responsibility Model
With the AWS Shared Responsibility Model, the security implementation of a customer’s infrastructure is shared between AWS and the customer. AWS is responsible for the global security “of” the cloud, which in practice means protecting the underlying infrastructure (network, hardware, software, and facilities) from vulnerabilities, fraud, abuse, and intrusions, and providing customers with the necessary security capabilities.
On the other hand, the customer is responsible for security “in” the cloud, which means the security of their content, applications, platform, operating systems, and networks. While AWS offers several security tools to help, such as CloudTrail, Security Groups, and IAM, their implementation is optional. Customers choose which security measures they implement to protect their IT infrastructure. Therefore, it’s important that customers carefully consider the services they select, because their responsibility is determined by the AWS Cloud Services they choose.
IT Controls
The AWS Shared Responsibility Model also extends to IT controls, whereby AWS and its customers share the responsibility of managing, operating and verifying IT controls. Using the control and compliance documentation, customers can perform the necessary control and verification procedures.
The AWS Shared Responsibility Model and GDPR
The EU’s General Data Protection Regulation (GDPR) requires that data processors and data controllers implement appropriate measures to protect customers and their data. The AWS Shared Responsibility Model does not change under GDPR. AWS remains responsible for securing the underlying infrastructure that runs all AWS services, while customers and AWS Partner Network (APN) partners act as data processors or data controllers and are responsible for the data they put in the cloud.
The AWS Shared Responsibility Model outlines the responsibilities of AWS and its customers and APN partners, while the GDPR describes their roles as data processors and data controllers.
AWS roles as a data processor
When a customer uses AWS services to process personal data, the customer or the customer’s customer is usually the data controller and AWS is always the data processor. In this case, AWS is responsible for protecting the underlying infrastructure while the data controllers have control over the data hosted on this infrastructure.
Customer and APN partner roles as data controllers
For customers and APN partners acting as data controllers, the services they use may determine how they configure those services to meet their GDPR compliance needs. For instance, the data controller is responsible for managing all AWS services which are classified as Infrastructure as a Service (IaaS) as well as performing all routine security configuration and management.
To meet the GDPR compliance needs when using AWS global infrastructure, Amazon recommends that customers:
- Protect their AWS account credentials using Amazon Identity and Access Management (IAM)
- Deploy multi-factor authentication for their user accounts
- Use advanced managed security services