Shared responsibility model

Customer

Responsible for security IN the cloud

• Customer Data

• Platform, Application, and IAM

• OS Patching on EC2

• Antivirus

• Network, and Firewall Configuration

• Multi-Factor Authentication

• Password and Key Rotation

• Security Groups

• Resource-Based Policies

• Access Control Lists

• VPC

• Operating-system-level patches

• Data in transit and at rest
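Several of the customer-side items above (key rotation, MFA, security groups) can be checked mechanically. The script below is an added example, not part of the original slide or an AWS tool: it runs three of those checks over constructed sample data whose dict shapes mimic boto3 responses (`list_access_keys`, `list_mfa_devices`, `describe_security_groups`). The 90-day rotation limit, the fixed "now", the user names, key ids and group ids are all assumed sample values; in a real account you would feed the same functions the live API responses.

```python
"""Added example: offline checks for three customer-side responsibilities
(key rotation, MFA enrolment, security group exposure). All inputs are
constructed sample data shaped like boto3 responses, not live API calls."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for reproducibility
MAX_KEY_AGE_DAYS = 90                              # assumed rotation policy

# Constructed sample: shape follows iam.list_access_keys()["AccessKeyMetadata"]
ACCESS_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000003", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=400)},
]

# Constructed sample: user -> number of MFA devices, as iam.list_mfa_devices() would report
MFA_DEVICES = {"alice": 1, "bob": 0, "carol": 1}

# Constructed sample: shape follows ec2.describe_security_groups()["SecurityGroups"]
SECURITY_GROUPS = [
    {"GroupId": "sg-0000000000000001", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
     ]},
    {"GroupId": "sg-0000000000000002", "GroupName": "admin",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ]},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP: should not be reachable from 0.0.0.0/0


def stale_keys(keys, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Return AccessKeyIds of *active* keys older than the rotation limit.
    Inactive keys are skipped: they should be deleted, but cannot be used."""
    limit = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and k["CreateDate"] < limit]


def users_without_mfa(mfa_counts):
    """Return users that have no MFA device registered, sorted by name."""
    return sorted(u for u, n in mfa_counts.items() if n == 0)


def world_open_admin_rules(groups):
    """Return (GroupId, port or 'all') for inbound rules that expose an admin
    port, or all traffic (IpProtocol '-1'), to 0.0.0.0/0."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            if not any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
                continue  # not world-reachable; out of scope for this check
            if rule["IpProtocol"] == "-1":
                findings.append((g["GroupId"], "all"))
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            for port in sorted(ADMIN_PORTS):
                if lo <= port <= hi:
                    findings.append((g["GroupId"], port))
    return findings


def run_audit():
    """Run all three checks and return a dict of findings (empty list = OK)."""
    return {"stale_keys": stale_keys(ACCESS_KEYS),
            "no_mfa": users_without_mfa(MFA_DEVICES),
            "open_admin": world_open_admin_rules(SECURITY_GROUPS)}


if __name__ == "__main__":
    for name, hits in run_audit().items():
        print(f"{name}: {hits or 'OK'}")
```

On the sample data the audit flags bob's 200-day-old active key, bob's missing MFA, and the `admin` group's world-open SSH rule plus its allow-all rule, while the `web` group's HTTPS rule (world-open, but not an admin port) and its SSH rule restricted to 10.0.0.0/8 pass.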

 

AWS

Responsible for security OF the cloud

• Regions, Availability Zones, and Edge Locations

• Physical server level and below

• Fire/power/climate management

• Storage device decommissioning according to industry standards

• Personnel Security

• Network Device Security and ACLs

• API access endpoints use SSL for secure communication

• DDoS protection

• EC2 instances and spoofing protection (ingress/egress filtering)

• Port scanning is against the rules, even when it targets your own environment

• EC2 instance hypervisor isolation: instances on the same physical device are separated at the hypervisor level and are independent of each other

• Underlying OS patching on Lambda, RDS, DynamoDB, and other managed services; the customer focuses on security