Curriculum Overview: The AWS Shared Responsibility Model
Describing responsibilities that the customer and AWS share
This curriculum provides a comprehensive deep-dive into the security framework of Amazon Web Services (AWS). It is designed to prepare candidates for the AWS Certified Cloud Practitioner (CLF-C02) exam, specifically focusing on Domain 2: Security and Compliance, which accounts for approximately 30% of the exam content.
Prerequisites
Before beginning this module, students should have a foundational understanding of:
- Cloud Computing Basics: Familiarity with the definition of cloud computing and basic delivery models (IaaS, PaaS, SaaS).
- AWS Global Infrastructure: Knowledge of Regions, Availability Zones, and Edge Locations.
- Basic Security Concepts: Understanding of firewalls, encryption, and user access (IAM).
Module Breakdown
| Module | Title | Focus Area | Difficulty |
|---|---|---|---|
| 1 | The Fundamental Split | Understanding "Security of the Cloud" vs. "Security in the Cloud". | Beginner |
| 2 | AWS Responsibilities | Physical hardware, virtualization, and global infrastructure. | Beginner |
| 3 | Customer Responsibilities | Guest OS, data encryption, IAM, and network configuration. | Intermediate |
| 4 | Service-Level Shifts | How responsibility changes between EC2, RDS, and Lambda. | Intermediate |
| 5 | Compliance & Governance | Using AWS Artifact and understanding shared controls. | Intermediate |
Learning Objectives per Module
Module 1: The Fundamental Split
- Distinguish between the two primary pillars of the Shared Responsibility Model.
- Identify the boundary line between the provider (AWS) and the consumer (Customer).
Modules 2 & 3: Deep Dive into Responsibilities
- AWS (Security OF the Cloud): Manage physical security of data centers, hardware, and the software layer (virtualization).
- Customer (Security IN the Cloud): Manage customer data, identity management, and application security.
Module 4: Service-Level Shifts
- Explain how moving from unmanaged (EC2) to managed (RDS) to serverless (Lambda) shifts the "management burden" toward AWS.
Examples: Responsibility Shifting
The level of customer responsibility depends entirely on the type of service selected.
Comparison of Service Models
| Service Type | Example | AWS Manages | Customer Manages |
|---|---|---|---|
| Infrastructure (IaaS) | Amazon EC2 | Physical hardware, Hypervisor. | OS Patching, Apps, Data, Firewalls. |
| Platform (PaaS) | Amazon RDS | OS Patching, DB Engine Software. | Application Data, Access Control. |
| Serverless | AWS Lambda | Entire stack including runtime. | Code logic, IAM permissions for the function. |
> [!IMPORTANT]
> The "Golden Rule": If you can configure it through the AWS Management Console or CLI (like a security group or an S3 bucket policy), it is almost certainly a Customer responsibility.
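As an added example (not part of the original curriculum), the two Console-configurable resources the golden rule names are checked for the misconfigurations that sit on the customer side of the line: an EC2 security group exposing an admin port to the world, and an S3 bucket policy granting access to an anonymous principal. The dictionary shapes follow the EC2 `describe_security_groups` response and the IAM policy grammar; the sample data is constructed.

```python
import json
# Constructed sample EC2 security group, shaped like one entry of the describe_security_groups response.
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # constructed placeholder, not a real id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},       # SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},     # HTTPS from the VPC only
    ],
}

# Constructed sample S3 bucket policy with one anonymous-read statement.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

ADMIN_PORTS = (22, 3389)  # SSH and RDP: customer-managed firewall rules to watch
def open_admin_ingress(sg):
    """Return (group_id, port) pairs where an admin port is reachable from anywhere."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" (all traffic) has no ports
        world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])) or any(
            r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
        findings.extend((sg["GroupId"], p) for p in ADMIN_PORTS if world and lo <= p <= hi)
    return findings

def public_actions(policy_json):
    """Return actions that Allow statements grant to an anonymous ('*') principal."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be written as an object
        statements = [statements]
    granted = []
    for st in statements:
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        anonymous = principal == "*" or (isinstance(principal, list) and "*" in principal)
        if st.get("Effect") == "Allow" and anonymous:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            granted.extend(actions)   # a Condition may narrow these; review it by hand
    return granted
```

Both findings are "Security IN the Cloud" items: AWS keeps the hypervisor and the S3 service secure, but whether port 22 or `s3:GetObject` is open to the Internet is entirely the customer's configuration.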
Success Metrics
To demonstrate mastery of this curriculum, the student must be able to:
- Correctly Categorize: Given a list of 10 tasks, assign them to either AWS or the Customer with 100% accuracy.
- Explain Shifts: Describe why a customer has less responsibility for an Amazon RDS instance than an Amazon EC2 instance.
- Identify Artifacts: Locate where to find compliance reports (AWS Artifact) to prove AWS is fulfilling its part of the model.
Real-World Application
Understanding this model is critical for several career paths:
- Cloud Architects: Must design systems that account for the security controls they are responsible for implementing (e.g., configuring VPCs).
- Security Engineers: Must understand the limits of AWS's physical protection to properly implement encryption and monitoring.
- Compliance Officers: Need to understand the Shared Responsibility Model to pass audits such as SOC 2 or HIPAA, knowing which controls are "inherited" from AWS.
Estimated Timeline
- Total Duration: 4-6 Hours of Study
- Reading/Theory: 2 Hours
- Interactive Labs: 2 Hours (Focusing on IAM and Security Groups)
- Practice Assessment: 1 Hour