AWS Curriculum: Mastering the Shared Responsibility Model
Describing the customer's responsibilities on AWS
AWS Curriculum: Mastering the Shared Responsibility Model
This curriculum provides a comprehensive deep dive into the AWS Shared Responsibility Model, with a specific focus on defining and implementing the customer's duties to ensure security "in" the cloud.
Prerequisites
Before beginning this curriculum, students should have a foundational understanding of the following concepts:
- Cloud Computing Basics: Understanding of On-Demand self-service, Broad network access, and Resource pooling.
- AWS Global Infrastructure: Awareness of Regions, Availability Zones (AZs), and Edge Locations.
- Basic Security Concepts: General knowledge of encryption (at rest vs. in transit), firewalls, and identity management.
Module Breakdown
| Module | Title | Primary Focus | Difficulty |
|---|---|---|---|
| 1 | The Foundational Split | Security "Of" vs. Security "In" the cloud | Introductory |
| 2 | Customer Control Planes | IAM, Guest OS Patching, and Data Protection | Intermediate |
| 3 | The Responsibility Shift | How duties change between EC2, RDS, and Lambda | Intermediate |
| 4 | Compliance & Governance | Using AWS Artifact and Audit logs | Advanced |
Module Learning Objectives
Module 1: The Foundational Split
- Differentiate between the Security of the Cloud (AWS) and Security in the Cloud (Customer).
- Identify the physical components AWS is responsible for, including hardware and global infrastructure.
Module 2: Customer Control Planes
- Configure Network Security Groups to act as a virtual firewall for instances.
- Implement Identity and Access Management (IAM) policies following the principle of least privilege.
- Manage Guest Operating System updates and security patches for IaaS deployments.
Module 3: The Responsibility Shift
- Explain how customer responsibilities decrease when moving from Unmanaged (EC2) to Managed (RDS) and Serverless (Lambda) services.
- Identify which parts of the software stack become AWS responsibilities in a managed environment.
Success Metrics
To demonstrate mastery of this curriculum, the learner must be able to:
- Categorize Tasks: Correctly assign 10/10 security tasks (e.g., "Patching the Hypervisor" vs. "Patching the Guest OS") to the correct party.
- Architectural Assessment: Given a service (e.g., Amazon S3), list three specific customer configuration steps required to secure the data.
- Audit Readiness: Identify where to find AWS compliance reports (AWS Artifact) and how to capture security logs (CloudTrail/CloudWatch).
Real-World Application
Understanding the Shared Responsibility Model is not just for the CLF-C02 exam; it is a critical career skill:
- DevSecOps Engineers: Use these principles to automate security headers and firewall rules in CI/CD pipelines.
- Cloud Architects: Determine the Total Cost of Ownership (TCO) by accounting for the labor hours required for "Customer Responsibilities" in different architectural patterns.
- Compliance Officers: Map AWS's infrastructure certifications to organizational regulatory requirements (HIPAA, GDPR, PCI-DSS).
[!IMPORTANT] AWS is responsible for the physical security of the data center. However, if you leave an S3 bucket public or use "admin" as a password, AWS cannot prevent the resulting data breach. You are responsible for the configuration of the services you use.
Practical Examples Section
The following table illustrates how responsibility shifts based on the level of abstraction of the AWS service:
| Responsibility | Amazon EC2 (IaaS) | Amazon RDS (Managed) | AWS Lambda (Serverless) |
|---|---|---|---|
| Physical Security | AWS | AWS | AWS |
| Host OS/Hypervisor | AWS | AWS | AWS |
| Guest OS Patching | Customer | AWS | AWS |
| Application Code | Customer | Customer | Customer |
| Data Encryption | Customer | Customer | Customer |
| Network Config | Customer | Shared/Customer | AWS |
Visualizing the Effort Shift
▶Deep Dive: Managed vs. Unmanaged Responsibilities
In an
like EC2, the customer is responsible for the entire "stack" from the OS upward. In a
like Amazon RDS, AWS manages the OS, database patching, and backup infrastructure, while the customer remains responsible for managing database settings, user permissions, and the data itself.