Shared Responsibility Model for Infrastructure Services – AWS Security Fundamentals – SCS-C02 Study Guide
Shared Responsibility Model for Infrastructure Services
The shared model for infrastructure services is the most common model that AWS engineers and users are familiar with today. It is represented in Figure 1.3 and covers IaaS services such as Amazon Elastic Compute Cloud (EC2):
Figure 1.3: Shared responsibility model for infrastructure services
Within this model, AWS provides global reach through its data centers and supplies the underlying hardware and infrastructure that allow customers to create cloud resources from AWS-provisioned, pooled hardware. These two components effectively make up the AWS cloud.
Essentially, customers have the ultimate security responsibility for anything they provision using AWS foundation services across the global infrastructure.
Using the EC2 service as an example, look at each point relating to the customer’s responsibilities from the preceding diagram:
Customer data: The customer has to maintain the security of the data they import into or create within their AWS environment—for example, any data stored on EC2 volumes, ephemeral or persistent.
Platform, application, and Identity and Access Management (IAM): Any platform or application installed on top of your EC2 instance must be secured and protected by controls configured and implemented by you, the customer. In addition to this, you are solely responsible for maintaining any access control to your EC2 instance and applications. AWS provides the IAM service to implement these controls, but it is down to you to implement adequate security measures using the features offered by IAM.
Operating system and network and firewall configuration: As you saw in Figure 1.2, the responsibility of AWS ends at the hypervisor level. EC2 instances fall within the infrastructure model, so maintaining the operating system’s security is the customer’s responsibility. As a result, the customer must implement and sustain patching for the relevant operating system. EC2 instances are deployed within a Virtual Private Cloud (VPC). Therefore, network configuration, including firewall restrictions such as security groups (effectively, virtual firewalls operating at the instance level), must be configured and associated appropriately to protect your EC2 fleet.
Client-side data encryption and data integrity authentication: This relates to the protection of data generated by or stored on your EC2 instances via an encryption mechanism. If you plan to encrypt your data as a customer, you are responsible for doing so.
Server-side encryption (filesystem and/or data): Again, if you plan to use any form of server-side encryption to protect your data (perhaps through the Key Management Service (KMS), which will be discussed in depth in a later chapter), it is down to you to use the service effectively for data protection.
Network traffic protection (encryption/identity/integrity): When network traffic is sent to and from your EC2 instance, you can configure encryption of the communication with a protocol such as SSL/TLS or HTTPS, where applicable. AWS Certificate Manager, which will be discussed in depth in Chapter 19, Using Certificates and Certificate Services in AWS, helps simplify the management and provisioning of certificates for use with AWS services.
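Two of the customer-side responsibilities listed above (security group configuration and encryption of data on EC2 volumes) are easy to audit programmatically. The following Python script is an added example, not code from the study guide or from AWS: it walks data shaped like the EC2 API's DescribeSecurityGroups and DescribeVolumes responses, reports sensitive ports that are open to the whole internet, and lists EBS volumes whose Encrypted flag is not set. The sample groups and volumes are constructed for illustration, and the list of "sensitive" ports is an assumption for this example, not an AWS-defined set; with live output from boto3's describe_security_groups() and describe_volumes() the same functions apply unchanged.

```python
"""Audit of customer-side EC2 controls under the infrastructure shared
responsibility model: security-group ingress and EBS volume encryption.

Input dictionaries follow the shape of the EC2 API's DescribeSecurityGroups
and DescribeVolumes responses. The sample data below is constructed for this
example and does not come from a real account.
"""
from __future__ import annotations

from typing import Iterable

# Ports that should not be reachable from the whole internet on a
# customer-managed instance. This set is an assumption for the example.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if an IpPermissions entry includes `port`.

    IpProtocol "-1" means all protocols and ports (FromPort/ToPort absent).
    Only the named "tcp"/"udp" protocols are range-checked here.
    """
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def _rule_is_world_open(rule: dict) -> bool:
    """True if the rule's source includes the IPv4 or IPv6 'anywhere' CIDR."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return ANY_IPV4 in cidrs or ANY_IPV6 in cidrs


def find_open_sensitive_ingress(groups: Iterable[dict]) -> list[tuple[str, int, str]]:
    """Return (GroupId, port, service) for each sensitive port open to the world."""
    findings = set()
    for group in groups:
        for rule in group.get("IpPermissions", []):
            if not _rule_is_world_open(rule):
                continue
            for port, name in SENSITIVE_PORTS.items():
                if _rule_covers_port(rule, port):
                    findings.add((group["GroupId"], port, name))
    return sorted(findings)


def find_unencrypted_volumes(volumes: Iterable[dict]) -> list[str]:
    """Return VolumeIds whose `Encrypted` flag is missing or False."""
    return sorted(v["VolumeId"] for v in volumes if not v.get("Encrypted", False))


# Constructed sample data.
SAMPLE_SECURITY_GROUPS = [
    {   # web tier: 443 from anywhere is expected, 22 from anywhere is not
        "GroupId": "sg-0example1",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
        ],
    },
    {   # database tier: correctly restricted to the VPC address range
        "GroupId": "sg-0example2",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
    {   # misconfigured: all traffic from any IPv6 source
        "GroupId": "sg-0example3",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
        ],
    },
]

SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0example1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"},  # placeholder ARN
    {"VolumeId": "vol-0example2", "Encrypted": False},
]

if __name__ == "__main__":
    for gid, port, name in find_open_sensitive_ingress(SAMPLE_SECURITY_GROUPS):
        print(f"{gid}: {name} (port {port}) is open to the internet")
    for vid in find_unencrypted_volumes(SAMPLE_VOLUMES):
        print(f"{vid}: EBS volume is not encrypted")
```

On the sample data the first check flags SSH on sg-0example1 and every sensitive port on sg-0example3 (an all-traffic rule from ::/0), while sg-0example2 passes because its MySQL rule is limited to the VPC range; the second check flags vol-0example2. Both findings sit squarely in the customer's half of the model: AWS operates the hypervisor and the network fabric, but the rules and the encryption setting are the customer's to get right.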