In practice, this means Amazon protects the underlying infrastructure of AWS from vulnerabilities, intrusions, fraud, and abuse, and provides its customers with the security capabilities they need, which can be configured as required. As an example, Amazon has built one of the most advanced identity and access management services (IAM), giving customers granular control over user permissions and provisioning. Amazon encourages its customers to follow all the AWS security best practices for IAM configuration and settings. It is then incumbent on the AWS customer to make the most of an AWS service like IAM.

Gartner underscored the importance of shared responsibility when it stated, “Through 2020, 95% of cloud security failures will be the customer’s fault.” Gartner’s prediction implies that the vast majority of enterprises using cloud services will fail to uphold their responsibilities for the security of their data in the cloud.

Division of Responsibility of AWS Security

Since Amazon offers so many different cloud services, it’s imperative for enterprises to understand the division of responsibility between Amazon and its customers. AWS customers are responsible for protecting customer data stored in AWS as well as the custom applications deployed in AWS.

Customers are also responsible for implementing appropriate access control policies using AWS IAM, configuring AWS Security Groups (the AWS firewall) to prevent inappropriate access to ports, and enabling AWS CloudTrail. They are likewise responsible for enforcing appropriate data loss prevention policies to ensure compliance with internal and external policies, and for detecting and remediating threats arising from stolen account credentials or malicious or accidental misuse of AWS.
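Two of the customer-side duties just listed, Security Group hygiene and CloudTrail coverage, can be verified mechanically. The Python below is an added example, not code from the original article or from AWS: it evaluates constructed data in the shape of boto3 describe_security_groups, describe_trails and get_trail_status responses, so no account is contacted; the allow-list PUBLIC_OK_PORTS and the group and trail names are assumptions.

```python
# Constructed posture check: world-open security group rules and CloudTrail gaps.
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
# Ports assumed acceptable to expose to the whole Internet (assumption).
PUBLIC_OK_PORTS = {80, 443}

def world_open_rules(group):
    """List (group_id, from_port, to_port) for each ingress rule that admits
    any source address on a port outside PUBLIC_OK_PORTS."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if ANY_IPV4 not in cidrs and ANY_IPV6 not in cidrs:
            continue  # limited to specific ranges; not a finding here
        if perm.get("IpProtocol") == "-1":  # "-1" = all protocols, all ports
            findings.append((group["GroupId"], 0, 65535))
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if not set(range(lo, hi + 1)) <= PUBLIC_OK_PORTS:
            findings.append((group["GroupId"], lo, hi))
    return findings

def cloudtrail_gaps(trails, statuses):
    """Describe why CloudTrail coverage is incomplete: no trail at all, a
    trail limited to one region, or a trail whose logging is stopped."""
    if not trails:
        return ["no CloudTrail trail configured"]
    gaps = []
    for trail in trails:
        name = trail["Name"]
        if not trail.get("IsMultiRegionTrail"):
            gaps.append(f"{name}: not multi-region")
        if not statuses.get(name, {}).get("IsLogging"):
            gaps.append(f"{name}: logging stopped")
    return gaps

# Constructed sample input in boto3 response shape; names are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
SAMPLE_TRAILS = [{"Name": "main", "IsMultiRegionTrail": False}]
SAMPLE_STATUS = {"main": {"IsLogging": True}}
```

Against the sample data, the web group is flagged for port 22 open to any source while its HTTPS rule passes, and the single-region trail is reported as a coverage gap even though it is logging.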

Amazon is focused on securing its software, hardware, and the facilities where AWS services are located. Amazon’s responsibilities include securing its computing, storage, networking, and database services, as well as the security configuration of AWS managed services like Amazon DynamoDB, RDS, Redshift, Elastic MapReduce, Workspaces, etc.

AWS Shared Responsibility Model vs. Customer Responsibility Model