Shared responsibility model


Customer: responsible for security IN the cloud

• Customer Data

• Platform, Application, and Identity and Access Management (IAM)

• Operating-System Patching on EC2 (and any other customer-managed compute)

• Antivirus / endpoint protection on instances

• Network and Firewall Configuration

• Multi-Factor Authentication

• Password and Key Rotation

• Security Groups

• Resource-Based Policies (e.g., S3 bucket policies)

• Access Control Lists (network ACLs and S3 ACLs)

• Encryption of data in transit and at rest
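Two of the customer-side items above, Security Groups and Resource-Based Policies, are the ones most often misconfigured in practice. The script below is an added example (not part of these notes or of any AWS tooling) that audits both offline: it flags security-group ingress rules that expose admin ports, or all ports, to the whole Internet, and bucket-policy statements that grant access to every principal with no Condition. The sample data is constructed to mirror the shape of `aws ec2 describe-security-groups` and `aws s3api get-bucket-policy` output; the group IDs, bucket name, account number (123456789012) and role name are made up, and the list of "admin ports" is this example's own choice.

```python
"""Added example: offline audit of a security group and an S3 bucket policy.
Sample data is constructed; IDs, bucket, account number and role are made up."""
import ipaddress

# Ports that should never be reachable from the whole Internet (this example's choice).
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}


def _covers_admin_port(from_port, to_port):
    return any(from_port <= p <= to_port for p in ADMIN_PORTS)


def open_ingress_findings(security_group):
    """Return (protocol, from_port, to_port, cidr) for every ingress rule that lets
    the whole Internet (0.0.0.0/0 or ::/0) reach an admin port or all ports."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        protocol = perm.get("IpProtocol")
        if protocol == "-1":  # "-1" means every protocol and therefore every port
            from_port, to_port = 0, 65535
        else:
            from_port = perm.get("FromPort", 0)
            to_port = perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # A /0 prefix is the entire IPv4 or IPv6 address space.
            world_open = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
            if world_open and (protocol == "-1" or _covers_admin_port(from_port, to_port)):
                findings.append((protocol, from_port, to_port, cidr))
    return findings


def public_policy_statements(policy):
    """Return the Sid of every Allow statement whose Principal is '*' and that has
    no Condition narrowing it, i.e. an unconditional grant to anyone."""
    public = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            principal_values = aws if isinstance(aws, list) else [aws]
        else:
            principal_values = [principal]
        if "*" in principal_values and not stmt.get("Condition"):
            public.append(stmt.get("Sid", "<no Sid>"))
    return public


# Constructed: weak group, SSH open to the world and all traffic open over IPv6.
WEAK_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# Constructed: the hardened form, SSH limited to a private range, only HTTPS public.
HARDENED_SG = {
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

# Constructed: bucket policy granting anonymous read of every object.
WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed: the same grant scoped to one role in a made-up account.
HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

if __name__ == "__main__":
    for name, sg in (("weak", WEAK_SG), ("hardened", HARDENED_SG)):
        print(name, "security group findings:", open_ingress_findings(sg))
    for name, pol in (("weak", WEAK_BUCKET_POLICY), ("hardened", HARDENED_BUCKET_POLICY)):
        print(name, "bucket policy public statements:", public_policy_statements(pol))
```

Against real accounts the same two functions can be fed the JSON returned by the AWS CLI or boto3; the point of the exercise is that nothing on the AWS side of the model will stop either misconfiguration, so the check has to be the customer's.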



AWS: responsible for security OF the cloud

• Regions, Availability Zones, and Edge Locations

• Physical server level and below

• Fire/power/climate management

• Storage device decommissioning according to industry standards

• Personnel Security

• Network Device Security and ACLs

• API endpoints use TLS (historically called SSL) for secure communication

• DDoS protection

• Spoofing protection for EC2 instances: the network drops traffic whose source IP or MAC is not the instance's own (ingress/egress filtering)

• Port scanning is against AWS policy unless authorized, even against your own environment

• EC2 hypervisor isolation: instances on the same physical host are separated at the hypervisor level and are independent of each other

• Underlying OS patching on Lambda, RDS, DynamoDB, and other managed services; the customer focuses on securing data, access, and configuration

Where the line falls depends on the service: the more managed the service (Lambda, RDS, DynamoDB), the more of the stack AWS owns and the more the customer's responsibility shrinks to data, identity, and configuration.