"Cloud Security Isn’t Automatic: What AWS Secures vs What You Must"

Having gained an understanding of AWS’s fundamental goals and how its infrastructure, including Regions, Availability Zones, and Edge Locations, underpins global performance and dependability, I became interested in a more profound question: how does AWS maintain security at such a large scale, where millions of users are concurrently utilising its services?

I inquired with both Google and ChatGPT about how AWS manages security on such a vast scale. Both sources directed me to the AWS Shared Responsibility Model, and that’s when things became intriguing. As I delved into the AWS documentation, I came to realise that AWS does not entirely manage security. In fact, customers bear a considerable portion of the responsibility. This model distinctly outlines who is accountable for what — and it’s essential for every AWS user to grasp this before launching anything in the cloud.

Initially, it wasn’t entirely clear to me — particularly since my knowledge was limited to EC2 instances. When AWS refers to “cloud security,” I found myself with numerous questions: What type of security is being discussed? Which services are included in this? Am I responsible for securing everything on my own? The more I delved into the topic, the more I understood that security responsibilities differ based on the services utilised. This led to an important realisation: comprehending AWS security involves not only being familiar with the tools but also recognising where my responsibilities start and where AWS's obligations conclude.

🤝 What Exactly Is Shared?

As stated in the overview section of the AWS Cloud Security page, AWS is responsible for safeguarding the:

• Physical data centres

• The physical hardware (such as Disks, networking, and power)

• Software like the Hypervisor, host OS like Ubuntu

• Networking

These forms the foundation of its cloud infrastructure. Think of it like renting an apartment: AWS owns the building, and I, as a customer, rent one apartment. AWS handles all the luxuries I get, such as 24-hour running elevators, a continuous supply of electricity, and a well-maintained building with wiring.

Customers are accountable for protecting what they store in the cloud, which encompasses their data, applications, operating systems, and configurations. Therefore, although AWS guarantees the security of the foundational layer, customers need to take responsibility for the security of their workloads and services operating on AWS. This collaborative strategy contributes to a more secure cloud ecosystem.

The responsibility of the customer includes:

• Setting up IAM policies and access controls

• Encrypting your data

• Keeping application code secure

• Managing firewall rules

• Keeping an updated system of EC2 Instances

So, as a renter, I am responsible for locking my apartment doors, keeping my stuff safe and not causing any damage.

Then I asked ChatGPT to provide real-world examples. What type of scenarios would help explain it better?

💡 Real-World Examples

1. If you store important customer data in an S3 bucket and leave the bucket public, it’s your fault, not AWS’s. It gave you the tools to make it private, but you misconfigured it.

   • You store all user passwords in plain text or leave an S3 bucket public. That’s on you — not AWS.

2. If you're using EC2, it's your job to update the OS, configure the firewall, and protect against SSH brute force.

   • If there's a vulnerability in Ubuntu and you don’t patch it, hackers could break in.

3. If you're using a fully managed service like Lambda or S3, your responsibilities shrink — you focus only on your code, data, and permissions.

It means that if you take control to make it more personalised, you have more responsibility to manage it.

📊 Alterations in Shared Responsibility Based on Service Category

The AWS docs say, After customers understand the AWS Shared Responsibility Model, they need to tailor it to their unique use case. Responsibilities vary depending on the selected services, geographic regions, integrations, and compliance needs.

✅ In a Nutshell

The cloud provides flexibility, but it also brings a level of responsibility. AWS effectively safeguards the underlying infrastructure — the cloud platform. However, it is your responsibility to utilize it prudently. Grasping what falls under your responsibility is one of the initial steps to becoming an effective cloud architect.

In the upcoming post, we will explore IAM (Identity and Access Management) — the crucial tool for controlling access, reinforcing accountability, and securing your AWS environment.