Understand the AWS Shared Responsibility Model

Published: January 1, 2026 at 11:04 AM EST
3 min read
Source: Dev.to


Domain 2: Security & Compliance

Task Statement 2.1

A new domain on the exam. While you’re setting personal goals, AWS is setting goals like keep the cloud from catching fire. The catch: some security tasks are yours.

Welcome to the AWS Shared Responsibility Model.

What Is This Task Testing?

You must understand:

  • The AWS shared responsibility model
  • The major components of the model
  • What AWS is responsible for
  • What the customer is responsible for
  • What is shared
  • How responsibilities shift depending on the service (e.g., Amazon EC2 vs Amazon RDS vs AWS Lambda)

The AWS Shared Responsibility Model

The simplest way to remember it:

  • AWS is responsible for security OF the cloud
  • Customers are responsible for security IN the cloud

This model defines who handles which security controls, reducing confusion and improving risk management.

AWS Responsibilities (Security OF the Cloud)

AWS is responsible for protecting the underlying infrastructure that runs AWS services.

Typical responsibilities:

  • Physical security: data centers, buildings, access controls, surveillance
  • Hardware and infrastructure: servers, storage, networking equipment
  • Virtualization layer: host OS/hypervisor for many services
  • Core networking: foundational services that support the platform

If it’s about data centers, hardware, or the base cloud infrastructure, it’s almost always AWS.

Customer Responsibilities (Security IN the Cloud)

Customers are responsible for what they deploy and configure on AWS, including controlling access and protecting their data.

Typical responsibilities:

  • Identity and access management (IAM): users, roles, policies, MFA
  • Data protection: encryption choices, key management decisions, data classification
  • Network configuration: security groups, NACLs, VPC configuration
  • OS and application management: patching, hardening, runtime and dependency updates (wherever you manage the OS or runtime, e.g. on EC2)
  • Customer data: what you store, how you store it, who can access it
  • Logging and monitoring configuration: enabling tracking and alerts

If it’s about permissions, misconfiguration, data exposure, or application security, it’s usually customer.

Shared Responsibilities (Depends on Context)

Some areas are shared because both AWS and the customer play a role.

Common shared areas:

  • Configuration management: AWS provides secure tools; customers must configure them correctly.
  • Patch management: AWS patches infrastructure; customers patch OS/apps when they manage them.
  • Awareness and training: AWS provides documentation; customers ensure staff follow best practices.
  • Incident response: AWS secures the platform; customers respond to events in their accounts/workloads.
  • Compliance: AWS provides compliant infrastructure; customers must architect and operate compliantly.

If “AWS provides the capability, customer must enable/configure it,” that’s usually shared.

How Responsibilities Shift by Service Type

Your responsibility changes based on whether you’re using IaaS, PaaS, or serverless/managed services.

A. Amazon EC2

  • AWS handles: physical facilities, hardware, underlying infrastructure
  • Customer handles: guest OS patching, software installs, configuration, application security, data, IAM, network controls

With EC2, you are responsible for the operating system and above.

B. Amazon RDS

  • AWS handles: underlying infrastructure, the host OS, and database engine patching (applied in the maintenance window you choose; minor engine upgrades only if you enable auto minor version upgrade), plus the backup machinery
  • Customer handles: database access controls (users, grants), network exposure (security groups, whether the instance is publicly accessible), encryption at rest and in transit settings, parameter and option group choices, backup retention, data, IAM

You don’t manage the database host like on EC2, but you still control data security and access.

C. AWS Lambda

  • AWS handles: servers, OS, the patched execution environment and runtime infrastructure, scaling, availability of the service
  • Customer handles: function code and the libraries packaged with it (including layers), choosing a supported runtime version and migrating off deprecated ones, the execution role's IAM permissions, secrets management, event/input validation, data protection

You focus on code + permissions + data, while AWS runs the platform.

Quick Comparison

  • EC2: customer manages OS + patching + runtime + app
  • RDS: AWS manages database platform; customer manages data + access + configuration
  • Lambda: AWS manages servers/OS/scaling; customer manages code + IAM + data
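The customer-side items listed under Customer Responsibilities and in the EC2/RDS/Lambda breakdown above can be turned into concrete checks. The following is an added example written for this page, not code from the original post or from AWS: it audits constructed resource documents shaped like boto3's describe_security_groups, describe_db_instances and get_function responses (plus an IAM policy document for the function's role), so it runs offline with no AWS calls. The resource identifiers, finding wording and the secret-name heuristic are this example's own assumptions.

```python
"""Offline audit of customer-side ("security IN the cloud") settings for
the three service types. Inputs are CONSTRUCTED sample documents mirroring
boto3 response shapes; nothing here talks to AWS. Finding texts and the
secret-name heuristic are this example's own choices, not an AWS standard.
"""

# --- Constructed sample resources (not real resources) ---------------------
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

RDS_INSTANCE = {
    "DBInstanceIdentifier": "orders-db",
    "PubliclyAccessible": True,        # reachable from the internet
    "StorageEncrypted": False,         # encryption at rest not enabled
    "AutoMinorVersionUpgrade": False,  # AWS will not apply minor engine patches
    "BackupRetentionPeriod": 0,        # automated backups disabled
}

LAMBDA_FUNCTION = {
    "FunctionName": "order-processor",
    "Role": "arn:aws:iam::123456789012:role/order-processor",
    "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"}},
}

# Policy attached to the function's execution role (IAM policy document shape).
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")  # heuristic, assumption


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_security_group(sg):
    """EC2: network exposure is the customer's job. Flag rules open to the world."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if any(c in WORLD_CIDRS for c in cidrs):
            proto = perm.get("IpProtocol")
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            findings.append(f"{sg['GroupId']}: {proto} ports {ports} open to the world")
    return findings


def audit_rds_instance(db):
    """RDS: AWS runs the host; exposure, encryption, patch opt-in and backups are yours."""
    name = db["DBInstanceIdentifier"]
    checks = [
        (db.get("PubliclyAccessible") is True, "PubliclyAccessible is true"),
        (not db.get("StorageEncrypted"), "StorageEncrypted is false"),
        # Shared patch management: AWS applies the patch only if you opt in.
        (not db.get("AutoMinorVersionUpgrade"), "AutoMinorVersionUpgrade is false"),
        (db.get("BackupRetentionPeriod", 0) == 0, "automated backups disabled"),
    ]
    return [f"{name}: {msg}" for failed, msg in checks if failed]


def audit_lambda(fn, role_policy):
    """Lambda: AWS runs the platform; code, IAM scope and secrets handling are yours."""
    name = fn["FunctionName"]
    findings = []
    for var in fn.get("Environment", {}).get("Variables", {}):
        # Plaintext env vars are readable by anyone allowed GetFunctionConfiguration.
        if any(h in var.upper() for h in SECRET_HINTS):
            findings.append(f"{name}: env var {var} looks like a plaintext secret")
    for stmt in role_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{name}: role allows wildcard actions {actions}")
        if "*" in resources:
            findings.append(f"{name}: role statement applies to Resource '*'")
    return findings


def run_audit():
    """Return findings per service type for the constructed resources."""
    return {
        "ec2": audit_security_group(SECURITY_GROUP),
        "rds": audit_rds_instance(RDS_INSTANCE),
        "lambda": audit_lambda(LAMBDA_FUNCTION, LAMBDA_ROLE_POLICY),
    }
```

Call run_audit() to get findings per service. Against the constructed data it reports the world-open SSH rule for EC2, four RDS settings (public access, unencrypted storage, auto minor upgrades off, backups off), and for Lambda a plaintext-looking DB_PASSWORD variable plus a role with Action and Resource wildcards. The AutoMinorVersionUpgrade check is the shared hand-off in miniature: AWS has the engine patch ready but will not apply it until the customer enables the setting and picks a maintenance window.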

Quick Exam‑Style Summary

  • AWS = security OF the cloud
  • Customer = security IN the cloud

Responsibilities shift by service:

  • More managed/serverless → more AWS responsibility
  • More infrastructure control (like EC2) → more customer responsibility
