Mastering the AWS Shared Responsibility Model: Curriculum Overview

Recognizing the components of the AWS shared responsibility model

This curriculum provides a comprehensive deep-dive into the AWS Shared Responsibility Model, a fundamental concept for the AWS Certified Cloud Practitioner (CLF-C02) exam. Understanding where AWS's responsibility ends and the customer's begins is critical for maintaining security and compliance in the cloud.

Prerequisites

To successfully engage with this curriculum, learners should possess:

  • Basic Cloud Literacy: Understanding of what the cloud is and the difference between on-premises and cloud computing.
  • General IT Security Knowledge: Familiarity with concepts like encryption, firewalls (Security Groups), and user identity (IAM).
  • Service Awareness: A high-level awareness of core AWS services such as Amazon EC2 (Compute), Amazon S3 (Storage), and Amazon RDS (Database).

Module Breakdown

| Module | Title | Primary Focus | Difficulty |
|---|---|---|---|
| 1 | The Foundation | Definition of the Shared Responsibility Model and the "Of vs. In" distinction. | Beginner |
| 2 | AWS Responsibilities | Physical security, global infrastructure, and software layers. | Beginner |
| 3 | Customer Responsibilities | Data protection, OS patching, and Identity and Access Management (IAM). | Intermediate |
| 4 | The Service Shift | How responsibilities change between IaaS (EC2), PaaS (RDS), and SaaS/Serverless (Lambda). | Advanced |
| 5 | Shared Controls | Concepts of Inherited, Shared, and Customer-Specific controls. | Intermediate |

Learning Objectives per Module

Module 1: The "Of" vs. "In" Concept

  • Differentiate between Security OF the Cloud (AWS) and Security IN the Cloud (Customer).
  • Identify the two primary parties involved in the model.

Module 2: AWS Responsibility (Infrastructure)

  • Describe AWS's role in protecting global infrastructure (Regions, AZs, Edge Locations).
  • Explain AWS's management of the virtualization layer and physical hardware.

Module 3: Customer Responsibility (Configuration)

  • Define customer duties regarding Customer Data and encryption.
  • Understand responsibility for Guest Operating Systems (patching and updates).

Module 4: Shifting Responsibilities

  • Analyze how moving from an unmanaged service (EC2) to a managed service (RDS/Lambda) reduces customer operational burden.

Success Metrics

Learners have mastered this content when they can:

  1. Correctly Classify: Assign a specific task (e.g., "Patching the EC2 Kernel") to the correct party with 100% accuracy.
  2. Scenario Analysis: Explain why a customer is responsible for S3 bucket permissions even though AWS manages the underlying storage disks.
  3. Pass Assessment: Achieve a score of >80% on mock exam questions related to Domain 2.1 of the CLF-C02.

Real-World Application

[!IMPORTANT] In a professional setting, failing to understand this model leads to "Security Gaps." For example, if a Cloud Architect assumes AWS patches their EC2 instances, the system remains vulnerable to exploits, potentially leading to a data breach.

  • Cloud Architects: Use this model to design secure VPCs and select the right level of managed services to reduce "to-do" lists for their teams.
  • Compliance Auditors: Use the model to determine which SOC2 or ISO reports to request from AWS and which controls they must document themselves.

Case Study Examples

Below is a comparison of how responsibility shifts across different service models:

Example 1: Amazon EC2 (Infrastructure as a Service)

  • AWS: Responsible for the physical host and the hypervisor.
  • Customer: Responsible for everything from the Guest OS upward (firewall rules, updates, data).
  • Example: If an EC2 instance is hacked because the SSH port was left open to the world (0.0.0.0/0), this is a Customer Failure.

Example 2: Amazon RDS (Platform as a Service)

  • AWS: Responsible for the OS, database patching, and hardware.
  • Customer: Responsible for managing database users, permissions, and application-level security.
  • Example: If a database is deleted because a customer gave an intern "Admin" rights, this is a Customer Failure.

Example 3: AWS Lambda (Serverless/SaaS-like)

  • AWS: Manages the entire stack beneath the function, including the underlying runtime environment.
  • Customer: Responsible ONLY for the code and the IAM roles assigned to the function.

[!TIP] Always remember: AWS is responsible for the "Concrete and Cables"; the Customer is responsible for the "Data and Defaults."
