Security “of” the cloud – Introduction to AWS Security Concepts and the Shared Responsibility Model

Security “of” the cloud

AWS is responsible for securing the underlying infrastructure that runs all of the services offered in the AWS cloud. This includes fundamental infrastructure components, such as the hardware, software, networking, and facilities that house AWS cloud services. AWS’s responsibility of the cloud includes a wide range of security measures, such as physical security of data centers, server infrastructure, and network and virtualization security. These are tasks that AWS is uniquely positioned to perform, given its scale and expertise.

Security “in” the cloud

On the other hand, the customer is responsible for security in the cloud. This means that customers have control and ownership over their data, platforms, applications, systems, and networks, and they must protect them accordingly. This includes managing and controlling user access, protecting data through encryption, maintaining the security of their guest operating systems (OSs), applications, and data, and configuring their use of AWS services securely.

IaaS, PaaS, SaaS – different levels of responsibility

The shared responsibility model varies depending on the type of service – Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS). AWS offers a wide range of services that fall under these categories, each with its unique features and benefits:

• IaaS: AWS provides the fundamental cloud-provider infrastructure, such as the virtual machine (VM) (EC2) service, and virtual private cloud (VPC) networking components. The customer is responsible for everything else, including the OS, middleware, application, runtime, data, as well as any customer-deployed infrastructure components.
• PaaS: This includes additional layers of managed services. AWS handles the runtime, middleware, and OS, allowing developers to focus solely on their applications and data. Services such as RDS, S3, and AWS Elastic Beanstalk are examples of PaaS.
• SaaS: AWS is responsible for the entire stack, and the customer only interacts with the application with its data. Services such as Amazon Connect and Amazon Quicksight are examples of SaaS.

The following figure (Figure 1.1) illustrates where the responsibility domain lies for each service type:

Figure 1.1 – High-level responsibility domain defined for each cloud service model

Now that we have a clear understanding of the shared responsibility model across different service models, let’s take a closer look at how this model is implemented in the real world, particularly in the context of a particular category of AWS services.