AWS Curriculum: Mastering the Shared Responsibility Model

Describing the customer's responsibilities on AWS

This curriculum provides a comprehensive deep dive into the AWS Shared Responsibility Model, with a specific focus on defining and implementing the customer's duties to ensure security "in" the cloud.

Prerequisites

Before beginning this curriculum, students should have a foundational understanding of the following concepts:

  • Cloud Computing Basics: Understanding of on-demand self-service, broad network access, and resource pooling.
  • AWS Global Infrastructure: Awareness of Regions, Availability Zones (AZs), and Edge Locations.
  • Basic Security Concepts: General knowledge of encryption (at rest vs. in transit), firewalls, and identity management.

Module Breakdown

| Module | Title | Primary Focus | Difficulty |
|---|---|---|---|
| 1 | The Foundational Split | Security "Of" vs. Security "In" the cloud | Introductory |
| 2 | Customer Control Planes | IAM, Guest OS Patching, and Data Protection | Intermediate |
| 3 | The Responsibility Shift | How duties change between EC2, RDS, and Lambda | Intermediate |
| 4 | Compliance & Governance | Using AWS Artifact and Audit logs | Advanced |

Module Learning Objectives

Module 1: The Foundational Split

  • Differentiate between the Security of the Cloud (AWS) and Security in the Cloud (Customer).
  • Identify the physical components AWS is responsible for, including hardware and global infrastructure.

Module 2: Customer Control Planes

  • Configure Network Security Groups to act as a virtual firewall for instances.
  • Implement Identity and Access Management (IAM) policies following the principle of least privilege.
  • Manage Guest Operating System updates and security patches for IaaS deployments.

Module 3: The Responsibility Shift

  • Explain how customer responsibilities decrease when moving from Unmanaged (EC2) to Managed (RDS) and Serverless (Lambda) services.
  • Identify which parts of the software stack become AWS responsibilities in a managed environment.

Success Metrics

To demonstrate mastery of this curriculum, the learner must be able to:

  1. Categorize Tasks: Correctly assign 10/10 security tasks (e.g., "Patching the Hypervisor" vs. "Patching the Guest OS") to the correct party.
  2. Architectural Assessment: Given a service (e.g., Amazon S3), list three specific customer configuration steps required to secure the data.
  3. Audit Readiness: Identify where to find AWS compliance reports (AWS Artifact) and how to capture security logs (CloudTrail/CloudWatch).

Real-World Application

Understanding the Shared Responsibility Model is not just for the CLF-C02 exam; it is a critical career skill:

  • DevSecOps Engineers: Use these principles to automate security headers and firewall rules in CI/CD pipelines.
  • Cloud Architects: Determine the Total Cost of Ownership (TCO) by accounting for the labor hours required for "Customer Responsibilities" in different architectural patterns.
  • Compliance Officers: Map AWS's infrastructure certifications to organizational regulatory requirements (HIPAA, GDPR, PCI-DSS).

[!IMPORTANT] AWS is responsible for the physical security of the data center. However, if you leave an S3 bucket public or use "admin" as a password, AWS cannot prevent the resulting data breach. You are responsible for the configuration of the services you use.

Practical Examples Section

The following table illustrates how responsibility shifts based on the level of abstraction of the AWS service:

| Responsibility | Amazon EC2 (IaaS) | Amazon RDS (Managed) | AWS Lambda (Serverless) |
|---|---|---|---|
| Physical Security | AWS | AWS | AWS |
| Host OS/Hypervisor | AWS | AWS | AWS |
| Guest OS Patching | Customer | AWS | AWS |
| Application Code | Customer | Customer | Customer |
| Data Encryption | Customer | Customer | Customer |
| Network Config | Customer | Shared/Customer | AWS |

Visualizing the Effort Shift

[Figure: Visualizing the Effort Shift (TikZ diagram, not rendered)]

Deep Dive: Managed vs. Unmanaged Responsibilities

In an unmanaged service like EC2, the customer is responsible for the entire "stack" from the OS upward. In a managed service like Amazon RDS, AWS manages the OS, database patching, and backup infrastructure, while the customer remains responsible for managing database settings, user permissions, and the data itself.

© 2026 BrainyBee. Free AI-powered exam prep.