Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

1.3.1. AWS's Security Responsibilities (Security OF the Cloud)

First Principle: AWS is responsible for protecting the infrastructure that runs all AWS services — the physical facilities, hardware, networking, and hypervisor layer. This is called "security OF the cloud" because AWS secures the cloud platform itself.

AWS's responsibilities include layers you never see and cannot access:

  • Physical Security: Data centers with biometric access, 24/7 surveillance, hardware destruction for decommissioned storage
  • Network Infrastructure: AWS global backbone, DDoS protection at the edge, network isolation between tenants
  • Hypervisor: Compute isolation between customers on shared hardware (Nitro system)
  • Managed Service Platforms: For services like RDS, Lambda, and S3, AWS manages the underlying OS, patching, and runtime

The key insight: as services become more managed, AWS takes on more responsibility. This creates a spectrum:

| Service Type | AWS Manages | You Manage |
| --- | --- | --- |
| IaaS (EC2) | Hardware, hypervisor | OS, patching, firewall, IAM, data |
| PaaS (RDS) | Hardware, OS, patching, backups | Security groups, IAM, encryption, data |
| Serverless (Lambda) | Everything except code | Function code, execution role, environment variables |
| SaaS (S3) | Everything except config | Bucket policies, encryption, access control, data |

⚠️ Exam Trap: Questions may ask who is responsible for patching the operating system on an RDS instance. The answer is AWS — RDS is a managed service. But for EC2, OS patching is YOUR responsibility.

Scenario: A security audit asks whether you need to implement physical access controls for your AWS-hosted data. You explain that AWS handles all physical security and can provide compliance documentation through AWS Artifact.

Reflection Question: How does the spectrum from IaaS to Serverless shift the responsibility boundary, and why is this critical for choosing the right security controls?

Written by Alvin Varughese
Founder, 15 professional certifications