AWS Shared Responsibility Model for 13 Commonly Used AWS Services
The AWS Shared Responsibility Model is often misunderstood by those new to running their workloads within the cloud, leading to security gaps within their AWS environments. While AWS secures the underlying infrastructure for running cloud resources, customers are still responsible for securing their workloads that run in the cloud. The service being run within AWS will determine what portion you are responsible for securing.
In this blog post, I will cover some of the most commonly used AWS services and explain what part of the service you are responsible for securing and what portion AWS is responsible for securing for you. Understanding where AWS’s responsibility ends and yours begins is the difference between a secure and compliant AWS environment and a costly security incident.
Now let’s jump into the first set of services.
Note: I assume you have some level of understanding of AWS; therefore, I will not go into deep detail about each service. The primary focus will be on determining where you fit in when it comes to securing the services you run in your AWS account. I will include links back to the service if you are looking to gain a deeper understanding into what the service offers.
Compute & Networking
1. Amazon VPC (Virtual Private Cloud)
The AWS VPC (Virtual Private Cloud) is a foundational component of running many workloads within your AWS account. Without a VPC, you cannot set up an EC2 instance or many other AWS resources. A VPC is your private network within the AWS cloud, and with this control comes significant responsibility for network security architecture. Now let’s look at what you are responsible for securing as part of the VPC.
Your Responsibilities:
- Network architecture design and subnet configuration
- Security groups and Network Access Control Lists (NACLs)
- Route table configuration and traffic flow management
- VPC Flow Logs configuration for monitoring
- NAT Gateway and Internet Gateway security
AWS Handles:
- Physical network infrastructure
- AWS backbone network security
- Hypervisor-level network isolation
- Service endpoint security and availability
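To make the security group item above concrete, here is an added example (my own code, not from the original post or from AWS) that walks a document shaped like the output of `aws ec2 describe-security-groups` and flags any rule that exposes a port a reviewer would not expect to be reachable from the whole internet. The sample groups, the group ids and the list of "sensitive" ports are constructed for the example; the same walk applies to NACL entries from `describe-network-acls`.

```python
from ipaddress import ip_network

# Ports that should not be reachable from 0.0.0.0/0 or ::/0. This list is the example's
# own assumption, not an AWS-defined set; adjust it to your environment.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0example1", "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0example2", "GroupName": "db",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
             # "-1" means all protocols and all ports
             {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
              "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0example3", "GroupName": "bastion",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    ]
}


def is_world_open(cidr):
    """True when a CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm):
    """Sensitive ports covered by one IpPermissions entry ("-1" protocol = every port)."""
    if perm.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def audit_security_groups(doc):
    """Return one finding per (group, sensitive port) that is open to the whole internet."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if is_world_open(c)]
            if not open_cidrs:
                continue  # restricted source, or a rule that references another security group
            for port in sorted(rule_ports(perm)):
                findings.append({"GroupId": sg["GroupId"], "Port": port,
                                 "Service": SENSITIVE_PORTS[port],
                                 "Source": ",".join(open_cidrs)})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{f['GroupId']}: {f['Service']} ({f['Port']}) open to {f['Source']}")
```

Run against the sample, the `web` group passes (443 is meant to be public), the `bastion` group passes because SSH is limited to one /24, and only the `db` group is reported: once for MySQL from 0.0.0.0/0 and once for every sensitive port because of the all-protocols rule from ::/0. Feeding the real CLI JSON into `audit_security_groups` is a one-line change.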
2. Amazon EC2 (Elastic Compute Cloud)
Amazon EC2 (Elastic Compute Cloud) represents one of the most common and often first services many AWS users utilize when they move to AWS. The reason is that many organizations moving to the cloud are performing “lift and shift” migrations of workloads from on-premises to the cloud. With EC2 instances, you get complete control over the underlying compute instance and are entirely responsible for the security of what goes on “inside” your EC2 instance. I will now go over where your responsibility lies when running EC2 instances and what AWS is responsible for.
Your Responsibilities:
- Guest operating system patching and security updates
- Application security and vulnerability management
- Security group configuration and network access controls
- Data encryption both in transit and at rest
- Identity and access management for the instance
AWS Handles:
- Physical server security and maintenance
- Hypervisor security and isolation between instances
- Host operating system patching
- Network infrastructure and physical controls
Common Pitfall: When I was a Security Solutions Architect at AWS, performing security assessments, one of the most common things I heard was that new organizations assumed AWS patches their EC2 instances. This is incorrect. Unpatched instances remain one of the most common vulnerabilities I encounter during assessments.
3. AWS Lambda
When it comes to serverless computing, AWS Lambda is the most popular serverless service AWS offers. Lambda lets you run code in a variety of programming languages without setting up the infrastructure that executes it. Even though you do not manage that infrastructure, there are specific security gotchas you still own when using Lambda. Next, I will briefly cover what you must think about from a security perspective when using the AWS Lambda service.
Your Responsibilities:
- Function code security and vulnerability management
- Environment variable encryption and secrets management
- IAM execution role configuration
- Runtime security and dependency management
- Logging and monitoring configuration
AWS Handles:
- Runtime environment security and patching
- Infrastructure scaling and availability
- Physical infrastructure management
- Service platform security
Storage
4. Amazon S3 (Simple Storage Service)
Amazon S3 (Simple Storage Service) comes across as a very simple service in terms of the use cases it serves. S3 is easy to use, but if the underlying security of a bucket is configured incorrectly, it can open you up to a serious data breach. As a matter of fact, data breaches from misconfigured S3 buckets make headlines regularly and are one of the most common ways data is leaked from AWS accounts.
Your Responsibilities:
- Bucket policies and Access Control Lists (ACLs)
- Data encryption configuration (server-side and client-side)
- Access logging and monitoring setup
- Data classification and lifecycle management
- Cross-account access permissions
AWS Handles:
- Infrastructure durability and availability
- Physical storage security
- Platform-level access controls
- Service API security
Critical Note: New S3 buckets are private by default, but a bucket policy, ACL, or disabled Block Public Access setting can expose them publicly. Always implement least-privilege access and enable access logging.
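The bucket policy and Block Public Access items above are the two settings that decide whether a bucket is actually reachable anonymously, so here is an added example (my own code, not from the original post) that evaluates both together. The bucket policy and the `get-public-access-block` document are constructed samples; the account id, role name and VPC endpoint id are placeholders.

```python
import json

# Constructed sample bucket policy. The "PublicRead" statement is the kind of grant that
# turns a private-by-default bucket into a public one.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed sample in the shape of `aws s3api get-public-access-block` output.
SAMPLE_PUBLIC_ACCESS_BLOCK = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
    }
}

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM JSON allows a single string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json):
    """Sids of Allow statements granted to everyone with no Condition at all."""
    policy = json.loads(policy_json)
    public = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        # A Condition (VPC endpoint, source IP, ...) still scopes the grant and deserves a
        # human review, but an unconditional anonymous Allow is public by definition.
        if stmt.get("Condition"):
            continue
        public.append(stmt.get("Sid", "<no Sid>"))
    return public


def public_access_block_gaps(doc):
    """Block Public Access settings that are switched off."""
    cfg = doc["PublicAccessBlockConfiguration"]
    return [k for k in PAB_SETTINGS if not cfg.get(k, False)]


def assess_bucket(policy_json, pab_doc):
    """The bucket is effectively public only if a public statement exists AND
    RestrictPublicBuckets is off; with it on, S3 ignores public grants in the policy."""
    public_sids = find_public_statements(policy_json)
    gaps = public_access_block_gaps(pab_doc)
    return {"public_statements": public_sids,
            "public_access_block_gaps": gaps,
            "effectively_public": bool(public_sids) and "RestrictPublicBuckets" in gaps}


if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_BUCKET_POLICY, SAMPLE_PUBLIC_ACCESS_BLOCK), indent=2))
```

The check separates the two questions a reviewer must answer: does the policy grant anonymous access, and does Block Public Access neutralise that grant. Turning all four Block Public Access settings on in the sample makes `effectively_public` false even though the `PublicRead` statement is still present, which is exactly why the account-level setting is worth enforcing.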
Managed Databases
5. Amazon RDS (Relational Database Service)
Amazon RDS is one of the most popular managed services AWS offers. It removes a lot of the heavy lifting of managing a database since you don’t have to manage the server infrastructure to run it; you only need to worry about managing the data stored in RDS. That said, you still need to ensure the database’s security. Here are some things you need to ensure you have correctly configured to secure your RDS instance.
Your Responsibilities:
- Database user access management and authentication
- Network security through VPC and security groups
- Database-level encryption configuration
- Backup retention and recovery testing
- Database parameter group security settings
AWS Handles:
- Operating system patching and maintenance
- Database engine patching (with maintenance windows)
- Infrastructure availability and scaling
- Physical security of database servers
- Automated backup infrastructure
6. Amazon DynamoDB
Amazon DynamoDB represents a fully managed NoSQL database service known for its seamless scaling capabilities across real-time and streaming workloads. As users, you don’t need to manage the underlying infrastructure of this high-throughput NoSQL database. Still, you must ensure proper security configuration across several critical areas within your DynamoDB implementation. Here are some things you need to consider configuring as part of your DynamoDB security.
Your Responsibilities:
- Access control policies and IAM configuration
- Encryption at rest and in transit settings
- Data modeling and application-level security
- Backup and point-in-time recovery configuration
- Global table security settings
AWS Handles:
- Database software management and patching
- Infrastructure scaling and performance
- Physical security and compliance
- Service availability and disaster recovery
7. Amazon ElastiCache
Many development teams need to add caching capabilities to their applications quickly with minimal operational overhead, and Amazon ElastiCache provides the perfect managed service solution. ElastiCache offers the flexibility to choose between Redis or Memcached as your underlying caching engine, but it requires careful attention to security configuration when implementing caching infrastructure.
Your Responsibilities:
- Subnet group and VPC security configuration
- Security group rules and network access controls
- Authentication and encryption in transit configuration
- Parameter group security settings
- Backup and restore security policies
AWS Handles:
- Redis/Memcached engine patching and updates
- Infrastructure scaling and node management
- Physical security and hardware maintenance
- Service availability and failover management
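The RDS, DynamoDB and ElastiCache sections above each list encryption, network exposure and backup settings that are yours to configure, and all three can be verified from the describe output of the CLI. The following added example (my own code, not from the original post or from AWS) checks the relevant fields in documents shaped like `aws rds describe-db-instances`, `aws dynamodb describe-table` plus `describe-continuous-backups`, and `aws elasticache describe-replication-groups`. All resource names and values are constructed; the ElastiCache groups are assumed to be Redis, since the AUTH token does not apply to Memcached.

```python
# Constructed samples in the shape of the AWS CLI describe-* outputs.
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True, "PubliclyAccessible": False,
     "BackupRetentionPeriod": 7, "DeletionProtection": True},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False, "PubliclyAccessible": True,
     "BackupRetentionPeriod": 0, "DeletionProtection": False},
]}

# TableName -> merged describe-table and describe-continuous-backups output.
SAMPLE_DYNAMODB = {
    "sessions": {"Table": {"TableName": "sessions",
                           "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"}},
                 "ContinuousBackupsDescription": {
                     "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"}}},
    "audit": {"Table": {"TableName": "audit"},  # no SSEDescription: AWS owned key in use
              "ContinuousBackupsDescription": {
                  "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}},
}

SAMPLE_ELASTICACHE = {"ReplicationGroups": [
    {"ReplicationGroupId": "cache-prod", "TransitEncryptionEnabled": True,
     "AtRestEncryptionEnabled": True, "AuthTokenEnabled": True},
    {"ReplicationGroupId": "cache-dev", "TransitEncryptionEnabled": False,
     "AtRestEncryptionEnabled": False, "AuthTokenEnabled": False},
]}


def audit_rds(doc):
    """Flag RDS instances that are unencrypted, internet-reachable, or without backups."""
    findings = []
    for db in doc["DBInstances"]:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append((name, "storage not encrypted at rest"))
        if db.get("PubliclyAccessible", False):
            findings.append((name, "PubliclyAccessible is true"))
        if db.get("BackupRetentionPeriod", 0) == 0:
            findings.append((name, "automated backups disabled (retention 0)"))
        if not db.get("DeletionProtection", False):
            findings.append((name, "deletion protection off"))
    return findings


def audit_dynamodb(tables):
    """Every DynamoDB table is encrypted at rest; without SSEDescription it uses the AWS owned
    key, which gives you no key policy, no rotation control and no key-usage audit trail."""
    findings = []
    for name, info in tables.items():
        sse = info["Table"].get("SSEDescription")
        if not sse or sse.get("SSEType") != "KMS":
            findings.append((name, "not using a KMS key (AWS owned key only)"))
        pitr = info["ContinuousBackupsDescription"]["PointInTimeRecoveryDescription"]
        if pitr["PointInTimeRecoveryStatus"] != "ENABLED":
            findings.append((name, "point-in-time recovery disabled"))
    return findings


def audit_elasticache(doc):
    """Redis replication groups without TLS, at-rest encryption, or an AUTH token."""
    findings = []
    for rg in doc["ReplicationGroups"]:
        name = rg["ReplicationGroupId"]
        if not rg.get("TransitEncryptionEnabled", False):
            findings.append((name, "in-transit encryption disabled"))
        if not rg.get("AtRestEncryptionEnabled", False):
            findings.append((name, "at-rest encryption disabled"))
        if not rg.get("AuthTokenEnabled", False):
            findings.append((name, "no AUTH token: any client that reaches the port can connect"))
    return findings


def audit_data_stores(rds, dynamodb, elasticache):
    """One report for all three managed data services."""
    return {"rds": audit_rds(rds), "dynamodb": audit_dynamodb(dynamodb),
            "elasticache": audit_elasticache(elasticache)}


if __name__ == "__main__":
    for service, findings in audit_data_stores(SAMPLE_RDS, SAMPLE_DYNAMODB, SAMPLE_ELASTICACHE).items():
        for name, problem in findings:
            print(f"[{service}] {name}: {problem}")
```

Note that `PubliclyAccessible` on RDS only assigns a public address; the security group attached to the instance still decides who can reach it, so this check and the VPC security group check belong together in an assessment.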
Managed Containers
8. Amazon EKS/ECS (Container Services)
AWS offers multiple container services, including Amazon EKS and Amazon ECS. While selecting the appropriate container service for your organization is beyond the scope of this blog post, container orchestration services present unique shared responsibility model challenges, particularly regarding cluster and container security architecture.
Here are some key security considerations when using Amazon EKS/ECS:
Your Responsibilities:
- Container image security and vulnerability scanning
- Pod/task security policies and configurations
- Network policies and service mesh security
- Application security within containers
- Cluster access management and RBAC
AWS Handles:
- Control plane security (EKS Kubernetes API)
- Worker node security (for managed node groups)
- Service infrastructure and availability
- Container orchestration platform security
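Image security and task security configuration sit on your side of the line, and on ECS both are visible in the task definition you register. Here is an added example (my own code, not from the original post or from AWS) that reviews a task definition for the mistakes an assessor looks for first: images not pinned by digest, privileged containers, root users, writable root filesystems, secrets passed as plain environment variables instead of via `secrets`, and added Linux capabilities. The task definition, account id, registry path and digest are constructed for the example; the list of dangerous capabilities and the secret-name pattern are the example's own assumptions.

```python
import re

# Environment variable names that usually hold credentials (assumption for this example).
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)
# Capabilities that effectively hand over the host (assumption for this example).
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "ALL"}

# Constructed sample in the shape of an ECS task definition.
SAMPLE_TASK_DEFINITION = {
    "family": "web",
    "containerDefinitions": [
        {"name": "app",
         "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/app@sha256:"
                  "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
         "user": "1000", "readonlyRootFilesystem": True, "privileged": False,
         "environment": [{"name": "LOG_LEVEL", "value": "info"}],
         "secrets": [{"name": "DB_PASSWORD",
                      "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-EXAMPLE"}]},
        {"name": "legacy",
         "image": "docker.io/library/nginx:latest",
         "privileged": True,
         "environment": [{"name": "DB_PASSWORD", "value": "hunter2"}],
         "linuxParameters": {"capabilities": {"add": ["SYS_ADMIN"]}}},
    ],
}


def image_is_pinned(image):
    """Pinned = referenced by digest; a mutable tag (including :latest) can change under you."""
    return "@sha256:" in image


def audit_container(c):
    """Findings for one containerDefinitions entry."""
    f = []
    name = c["name"]
    if not image_is_pinned(c["image"]):
        f.append((name, "image not pinned by digest"))
    if c.get("privileged", False):
        f.append((name, "privileged container"))
    user = str(c.get("user", "")).strip()
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        f.append((name, "runs as root (user unset or 0)"))
    if not c.get("readonlyRootFilesystem", False):
        f.append((name, "writable root filesystem"))
    for env in c.get("environment", []):
        if SECRET_NAME_RE.search(env["name"]):
            f.append((name, f"plaintext secret in environment: {env['name']}"))
    caps = set(c.get("linuxParameters", {}).get("capabilities", {}).get("add") or [])
    for cap in sorted(caps & DANGEROUS_CAPS):
        f.append((name, f"adds capability {cap}"))
    return f


def audit_task_definition(td):
    """Findings across every container in the task definition."""
    findings = []
    for c in td["containerDefinitions"]:
        findings.extend(audit_container(c))
    return findings


if __name__ == "__main__":
    for name, problem in audit_task_definition(SAMPLE_TASK_DEFINITION):
        print(f"{name}: {problem}")
```

The `app` container shows the hardened shape (digest-pinned image, non-root user, read-only root filesystem, credential fetched from Secrets Manager at start) and produces no findings; the `legacy` container produces six. The same checks map one-to-one onto a Kubernetes pod `securityContext` for EKS.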
Security
9. AWS IAM (Identity and Access Management)
AWS Identity and Access Management is the service you will use to set up user authentication and authorization for your AWS account and all the AWS resources running in your AWS environment. IAM is by far the most critical service for securing your environment. AWS IAM is a unique service in the AWS shared responsibility model because you, as a user, bear almost complete responsibility for the configuration and management of this service.
Your Responsibilities:
- User, group, and role management
- Policy creation and least-privilege implementation
- Access key rotation and credential management
- Multi-factor authentication enforcement
- Cross-account access configuration
AWS Handles:
- Global identity infrastructure
- Authentication service availability
- Service API security
- Compliance certifications for the service
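Because IAM configuration is almost entirely yours, and because a Lambda execution role (section 3) is just another IAM policy, here is an added example (my own code, not from the original post or from AWS) that lints an identity policy for the patterns that break least privilege: `Action: "*"` on `Resource: "*"`, a service-wide wildcard such as `s3:*` on every resource, `iam:PassRole` on any role, and an Allow written with `NotAction` or `NotResource`. The execution-role policy, account id, function name and table name are constructed for the example.

```python
import json

# Constructed sample: an over-permissive Lambda execution role policy. The first two
# statements are what a scoped role should look like; the rest are the findings.
SAMPLE_EXECUTION_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/order-handler:*"},
        {"Sid": "ReadOrders", "Effect": "Allow", "Action": "dynamodb:GetItem",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "PassAny", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "NotActionAllow", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM JSON allows a single string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return (Sid, problem) pairs for Allow statements that violate least privilege."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        all_resources = "*" in resources
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants every action not listed"))
        if "NotResource" in stmt:
            findings.append((sid, "Allow with NotResource grants every resource not listed"))
        if "*" in actions and all_resources:
            findings.append((sid, "full administrative access (Action * on Resource *)"))
        else:
            for action in actions:
                if action.endswith(":*") and all_resources:
                    findings.append((sid, f"service-wide wildcard {action} on all resources"))
        if any(a.lower() == "iam:passrole" for a in actions) and all_resources:
            # Scope PassRole to the exact role ARN the service needs; on "*" the principal
            # can hand any role in the account to a service it controls.
            findings.append((sid, "iam:PassRole on Resource *; restrict to the specific role ARN"))
    return findings


if __name__ == "__main__":
    for sid, problem in lint_policy(SAMPLE_EXECUTION_ROLE_POLICY):
        print(f"{sid}: {problem}")
```

The `Logs` and `ReadOrders` statements pass because each names specific actions on a specific ARN, which is the shape every execution role should converge on. For roles in production, IAM Access Analyzer's unused-access findings tell you which of the remaining actions were never exercised and can be removed.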
Other Services
10. Amazon CloudFront
Amazon CloudFront is a global content delivery network (CDN) that allows you to cache your websites, APIs, video content, and other web-based assets for your users worldwide. This improves latency when users access cached resources. When building enterprise-grade solutions, having a CDN as part of the architecture is key to providing the best performance of your applications to users and customers. Here are some areas you are responsible for securing when using Amazon CloudFront.
Your Responsibilities:
- Origin server security configuration
- SSL/TLS certificate management
- Access controls and caching behaviors
- Geographic restrictions and content policies
- Custom error page security
AWS Handles:
- Edge location physical security
- Global CDN infrastructure
- Basic DDoS protection
- Edge server maintenance and security
11. AWS Systems Manager
AWS Systems Manager is a management service that provides a centralized interface for managing your AWS infrastructure and on-premises resources at scale. It’s essentially a centralized operations hub that helps automate common administrative tasks such as patch management, software inventory assessment, and remote session management.
Your Responsibilities:
- Patch management policies and scheduling
- Systems Manager agent configuration
- Parameter Store access controls and encryption
- Automation document security and validation
- Compliance rule configuration and monitoring
AWS Handles:
- Service infrastructure and availability
- Agent functionality and updates
- Console and API security
- Global service delivery
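The EC2 pitfall earlier (assuming AWS patches your instances) and the Systems Manager patch-management responsibility above meet in one question: for every instance in the account, is someone actually patching it, and is it current? Here is an added example (my own code, not from the original post or from AWS) that answers that from three documents shaped like `aws ec2 describe-instances` (reduced to instance ids), `aws ssm describe-instance-information` and `aws ssm describe-instance-patch-states`. Instance ids, dates and counts are constructed; the seven-day maximum scan age is the example's assumed policy.

```python
from datetime import datetime, timedelta, timezone

# Constructed samples in the shape of the CLI outputs named in the lead-in.
SAMPLE_EC2_INSTANCE_IDS = ["i-0aaa", "i-0bbb", "i-0ccc", "i-0ddd"]

SAMPLE_SSM_INVENTORY = {"InstanceInformationList": [
    {"InstanceId": "i-0aaa", "PingStatus": "Online", "PlatformType": "Linux"},
    {"InstanceId": "i-0bbb", "PingStatus": "Online", "PlatformType": "Windows"},
    {"InstanceId": "i-0ccc", "PingStatus": "ConnectionLost", "PlatformType": "Linux"},
    # i-0ddd never registered with Systems Manager at all
]}

SAMPLE_PATCH_STATES = {"InstancePatchStates": [
    {"InstanceId": "i-0aaa", "Operation": "Install", "OperationEndTime": "2024-05-01T02:00:00+00:00",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0bbb", "Operation": "Scan", "OperationEndTime": "2024-04-01T02:00:00+00:00",
     "MissingCount": 14, "FailedCount": 1, "InstalledPendingRebootCount": 2},
    {"InstanceId": "i-0ccc", "Operation": "Scan", "OperationEndTime": "2023-09-01T02:00:00+00:00",
     "MissingCount": 3, "FailedCount": 0, "InstalledPendingRebootCount": 0},
]}

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
SAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)
MAX_SCAN_AGE = timedelta(days=7)  # assumption: policy requires a patch scan at least weekly


def patch_posture(instance_ids, ssm_inventory, patch_states, now):
    """Return {instance_id: [findings]} for every EC2 instance; an empty list is compliant."""
    managed = {i["InstanceId"]: i for i in ssm_inventory["InstanceInformationList"]}
    states = {s["InstanceId"]: s for s in patch_states["InstancePatchStates"]}
    report = {}
    for iid in instance_ids:
        f = []
        info = managed.get(iid)
        if info is None:
            # Nobody is patching this one: AWS does not, and Systems Manager cannot see it.
            f.append("not registered with Systems Manager; guest OS patching is unmanaged")
            report[iid] = f
            continue
        if info["PingStatus"] != "Online":
            f.append(f"SSM agent {info['PingStatus']}; patch operations cannot run")
        st = states.get(iid)
        if st is None:
            f.append("no patch scan has ever run")
        else:
            ended = datetime.fromisoformat(st["OperationEndTime"])
            if now - ended > MAX_SCAN_AGE:
                f.append(f"last patch operation {(now - ended).days} days ago")
            if st["MissingCount"]:
                f.append(f"{st['MissingCount']} patches missing")
            if st["FailedCount"]:
                f.append(f"{st['FailedCount']} patches failed to install")
            if st["InstalledPendingRebootCount"]:
                f.append(f"{st['InstalledPendingRebootCount']} patches installed but awaiting reboot")
        report[iid] = f
    return report


def noncompliant(report):
    """Instance ids with at least one finding, sorted for stable output."""
    return sorted(iid for iid, f in report.items() if f)


if __name__ == "__main__":
    report = patch_posture(SAMPLE_EC2_INSTANCE_IDS, SAMPLE_SSM_INVENTORY, SAMPLE_PATCH_STATES, SAMPLE_NOW)
    for iid in noncompliant(report):
        print(iid, "->", "; ".join(report[iid]))
```

The important case is `i-0ddd`: it appears in EC2 but not in Systems Manager, so no patch state exists for it and a report built only from `describe-instance-patch-states` would silently omit it. Starting from the EC2 inventory is what surfaces the instances that nobody is patching.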
12. Amazon Route 53
Amazon Route 53 is AWS’s highly available and scalable Domain Name System (DNS) web service that translates domain names (like abc.com) into IP addresses that computers use to connect. AWS Route 53 allows you to do things such as register domain names, host DNS records for your domains, and set up custom traffic routing for your domains. Here is what you are responsible for configuring when using the Route 53 service.
Your Responsibilities:
- DNS record management and configuration
- Domain registration security and ownership
- Health check configuration and monitoring
- DNS security policies and access controls
- Routing policy security (geolocation, weighted, etc.)
AWS Handles:
- Global DNS infrastructure and availability
- DDoS protection at the DNS level
- Physical DNS server security
- Service performance and scalability
Critical Note: DNS hijacking attacks often target mismanaged Route 53 configurations. Implement strong access controls and monitor DNS changes closely.
13. AWS CloudWatch
AWS CloudWatch is a monitoring and observability service that collects, tracks, and analyzes metrics, logs, and events from your AWS resources and applications in real time. Properly configuring CloudWatch to capture the events that occur in your AWS account is key to having visibility into what is going on in your accounts.
Your Responsibilities:
- Log group access policies and retention settings
- Metric filter configuration and alerting rules
- Dashboard access controls and sharing permissions
- Log data encryption and sensitive data handling
- Custom metric security and validation
AWS Handles:
- Service infrastructure and data durability
- Metric collection and storage systems
- Service API security and availability
- Physical security of monitoring infrastructure
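Retention and encryption of log groups are the two CloudWatch settings above that most often go unconfigured, because a log group created automatically by Lambda or an agent gets neither. Here is an added example (my own code, not from the original post or from AWS) that reviews a document shaped like `aws logs describe-log-groups` output, where a missing `retentionInDays` means "never expire" and a missing `kmsKeyId` means the service-managed key, and emits the `put-retention-policy` command that fixes each retention gap. Log group names, sizes and the KMS key ARN are constructed; the 90-day minimum and the rule that audit log groups need a customer-managed key are the example's assumed policy.

```python
# Constructed sample shaped like `aws logs describe-log-groups` output.
SAMPLE_LOG_GROUPS = {"logGroups": [
    {"logGroupName": "/aws/lambda/order-handler", "retentionInDays": 30,
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID", "storedBytes": 52428800},
    {"logGroupName": "/aws/lambda/legacy-export", "storedBytes": 10737418240},
    {"logGroupName": "cloudtrail-logs", "retentionInDays": 365, "storedBytes": 2147483648},
]}

MIN_RETENTION_DAYS = 90               # assumption: investigations need at least 90 days of logs
CMK_REQUIRED_PREFIXES = ("cloudtrail",)  # assumption: audit log groups must use a customer-managed key


def audit_log_groups(doc, min_retention=MIN_RETENTION_DAYS, cmk_prefixes=CMK_REQUIRED_PREFIXES):
    """Return (logGroupName, problem) pairs for retention and encryption gaps."""
    findings = []
    for lg in doc["logGroups"]:
        name = lg["logGroupName"]
        retention = lg.get("retentionInDays")
        if retention is None:
            # Unbounded retention keeps whatever sensitive data the application logged forever.
            findings.append((name, "no retention policy: logs are kept indefinitely"))
        elif retention < min_retention:
            # Too-short retention destroys the evidence an incident investigation needs.
            findings.append((name, f"retention {retention}d is below the {min_retention}d minimum"))
        if name.lower().startswith(cmk_prefixes) and not lg.get("kmsKeyId"):
            findings.append((name, "audit log group not encrypted with a customer-managed KMS key"))
    return findings


def retention_remediation(doc, min_retention=MIN_RETENTION_DAYS):
    """CLI commands that bring every non-compliant group up to the minimum retention."""
    commands = []
    for lg in doc["logGroups"]:
        retention = lg.get("retentionInDays")
        if retention is None or retention < min_retention:
            commands.append(f"aws logs put-retention-policy --log-group-name {lg['logGroupName']} "
                            f"--retention-in-days {min_retention}")
    return commands


if __name__ == "__main__":
    for name, problem in audit_log_groups(SAMPLE_LOG_GROUPS):
        print(f"{name}: {problem}")
    print("\n".join(retention_remediation(SAMPLE_LOG_GROUPS)))
```

Note that `put-retention-policy` accepts only the fixed set of values CloudWatch Logs supports (90 is one of them), so pick the minimum from that list. Applying a KMS key to an existing group is done with `associate-kms-key` and affects only data ingested after the change.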
Key Takeaways for Security Teams
Service Type Determines Responsibility: IaaS services like EC2 require maximum customer responsibility, while managed services shift more responsibility to AWS, but never eliminate your security obligations.
Identity and Access Management is Always Your Responsibility: Regardless of service type, IAM configuration, user management, and access controls remain your responsibility across all AWS services.
Data Protection Requires Active Configuration: Encryption, backup, and data lifecycle management require explicit configuration across all AWS service types.
Network Security Varies by Service: While AWS secures the underlying network infrastructure, you must configure application-level network controls, security groups, and access policies.
Monitoring and Logging are Shared: AWS provides the infrastructure for logging services, but you must configure, analyze, and respond to security events.
Assessment Framework for Your Organization
When evaluating your AWS security posture, ask these critical questions for each service:
Who patches what? Understand patching responsibilities for operating systems, applications, and managed services.
How is data encrypted? Verify that encryption is properly configured and managed at rest and in transit.
Who controls access? Map IAM policies, security groups, and resource-based policies for each service.
What’s being logged? Ensure comprehensive logging is enabled and monitored across all services.
How are incidents detected and responded to? Verify monitoring and alerting cover both AWS and customer responsibilities.
Are DNS and caching layers secure? Validate that Route 53 configurations and ElastiCache access controls are correctly implemented.
Is monitoring data protected? Ensure CloudWatch logs and metrics don’t expose sensitive information through overly permissive access.
From The Field
While conducting AWS security assessments as a Security Solutions Architect at AWS, I performed a security assessment for a company that perfectly illustrated why understanding the shared responsibility model is critical. This organization had been running in AWS for three years and felt confident about their security posture until we discovered a critical vulnerability during their compliance audit preparation. Their primary web application server, running on EC2, hadn’t been patched in over eight months and was vulnerable to a well-known remote code execution exploit used in past attacks. The IT team genuinely believed AWS automatically patched their EC2 instances, not realizing that guest operating system maintenance was their responsibility. When we demonstrated how an attacker could gain full system access through this vulnerability, the security team immediately understood the severity. The emergency patching and security review process cost the company substantial revenue loss because it required taking their main application offline during peak business hours for urgent remediation.
About the Author
Sheldon Sides
Sheldon is Founder and Chief Solutions Architect at Avinteli. Before founding Avinteli, he led Global Security and Compliance at Amazon Web Services (AWS) for Public Sector Partners and Global ISV Partners. Prior to his leadership role, he served as a Senior Security Solutions Architect at AWS, where he conducted comprehensive security assessments and guided Fortune 500 companies through complex, enterprise-scale AWS cloud implementations. His deep cloud security expertise and hands-on assessment experience help organizations identify critical vulnerabilities, close security gaps, accelerate their secure cloud adoption, and design and develop cloud-native solutions.