AWS Shared Responsibility Model: Security OF the Cloud vs IN the Cloud
The AWS shared responsibility model is the framework that decides who is responsible for security in AWS: AWS secures the cloud itself — data centers, hardware, networking, and the software that runs managed services — while you secure everything you put in the cloud, such as your data, identities, and configurations. It is the single most predictable exam topic in the Security and Compliance domain, which carries 30% of your CLF-C02 score — the second-largest domain on the exam. Nearly every exam form asks at least one "who is responsible for X?" question, and the hardest versions test how the split shifts between services like Amazon EC2, Amazon RDS, and AWS Lambda. In this lesson you will learn the model's components, classify any control as AWS's, the customer's, or shared, and confidently answer responsibility questions no matter which service the question names.
On this page8 sections
- What the AWS shared responsibility model is
- AWS's responsibilities: security OF the cloud
- The customer's responsibilities: security IN the cloud
- Shared controls and the three classifications
- How responsibility shifts: EC2 vs RDS vs Lambda vs S3
- Quick reference: always AWS, always customer, shared
- Scenario: one workload, three deployment choices
- Exam traps and how questions are worded
- Explain the AWS shared responsibility model as "security of the cloud" versus "security in the cloud"
- Describe AWS's responsibilities, including physical infrastructure, hardware, networking, and the hypervisor
- Describe the customer's responsibilities, including data, identity and access management, and configuration choices
- Classify controls as inherited, shared, or customer-specific
- Predict how responsibility shifts across EC2, RDS, Lambda, and S3 for tasks like OS patching and encryption
- Identify the responsibilities that never move: customer data is always yours, physical security is always AWS's
AWS's responsibilities: security OF the cloud
AWS is responsible for protecting the infrastructure that runs every AWS service. This infrastructure spans four layers you should be able to list: physical facilities, hardware, networking, and virtualization software.
- Physical security of data centers. Guards, fencing, badge access, surveillance, and environmental controls at every facility. Customers can never visit an AWS data center or touch the hardware — physical security is entirely, permanently AWS's job.
- Hardware and infrastructure. Procuring, installing, maintaining, and securely decommissioning servers, storage devices, and other equipment. When a disk that held your data is retired, AWS destroys it according to its media-disposal process.
- Global network infrastructure. The Regions, Availability Zones, and edge locations, plus the cabling and network hardware connecting them, including protections against infrastructure-level threats.
- Virtualization and host software. The hypervisor that isolates one customer's EC2 instances from another's, and the host operating systems on the physical machines. You never patch a hypervisor on AWS — that is always AWS's responsibility.
For managed services, AWS's responsibility extends upward into the software layer. With Amazon RDS, DynamoDB, or Lambda, AWS also handles the guest operating system, platform patching, and the service software itself. That is exactly why the responsibility line moves per service: "security of the cloud" covers everything AWS operates for you, and managed services mean AWS operates more.
A reliable exam heuristic: if the task requires physical access to hardware, access to the host OS or hypervisor, or maintenance of the software that powers a managed service, the answer is AWS. AWS demonstrates that it meets these obligations through third-party audits and compliance reports — the mechanics of those programs belong to a separate task (2.2), so for this topic just know that AWS proves its side of the model to auditors so customers can inherit those controls.
The customer's responsibilities: security IN the cloud
Everything you create, upload, configure, or grant access to inside AWS is yours to secure. The customer's side of the model — "security in the cloud" — centers on five areas:
- Customer data. You own your data and you are responsible for protecting it: classifying it, deciding where it lives, controlling who can read it, and choosing whether and how to encrypt it. This never changes, on any service, ever. If an exam question asks who is responsible for the customer's data, the answer is the customer — even on the most fully managed service AWS offers.
- Identity and access management. Creating users and roles, assigning permissions, enforcing least privilege, enabling multi-factor authentication, and rotating credentials. AWS provides IAM as a tool, but every permission granted with it is your decision and your responsibility. (What IAM can do is its own task statement, 2.3 — here you only need to know that managing access is customer work.)
- Guest operating systems. On Amazon EC2, you control the instance's operating system, so you must patch it, apply security updates, and manage administrative access to it.
- Network and firewall configuration. Security group rules, network ACLs, subnet design, and routing. AWS supplies the virtual networking; you decide what traffic it permits. A security group that allows unrestricted inbound access is a customer mistake, not an AWS one.
- Encryption choices. Enabling server-side encryption, performing client-side encryption before upload, protecting data in transit with TLS, and managing keys. AWS builds the encryption capabilities; turning them on is up to you.
The unifying idea: AWS cannot see your intent. It cannot know which S3 bucket should be public, which user deserves administrator access, or which data is sensitive. Anything that depends on your decisions is, by definition, security in the cloud — and it belongs to you.
How responsibility shifts: EC2 vs RDS vs Lambda vs S3
The model's most-tested nuance is that the dividing line moves with the service's management level. Think of it as a slider: with infrastructure services like EC2 you manage the most; with abstracted services like Lambda and S3 you manage the least. What you keep in every case is your data, your access decisions, and your service-level configuration.
| Responsibility | Amazon EC2 (IaaS) | Amazon RDS (managed) | AWS Lambda (serverless) | Amazon S3 (storage) |
|---|---|---|---|---|
| Physical facilities, hardware, network, hypervisor | AWS | AWS | AWS | AWS |
| Guest operating system and patching | Customer | AWS | AWS | AWS (no OS exposed) |
| Platform / runtime / database engine software | Customer (what you install) | AWS (patches the DB engine) | AWS (manages the language runtime) | AWS (operates the service) |
| Application code / database schema and settings | Customer | Customer | Customer (function code) | Customer (bucket policies, settings) |
| Network/firewall configuration | Customer (security groups) | Customer (security groups, public access setting) | Customer (resource policies, VPC config if used) | Customer (block public access, bucket policies) |
| Data and encryption choices | Customer | Customer | Customer | Customer |
| IAM users and permissions | Customer | Customer | Customer | Customer |
Read the table by columns and the pattern jumps out. On EC2, AWS stops at the hypervisor: you patch the guest OS, install software, and configure the firewall. On RDS, AWS climbs higher — it patches the operating system and the database engine, while you keep the data, the schema, access controls, and settings such as backups and encryption. On Lambda, AWS manages everything up through the runtime; your responsibility shrinks to your function code, its permissions, and your data. On S3, there is no server for you at all — you manage bucket access configuration, encryption choices, and the objects themselves.
Read it by rows and you see the second pattern: the bottom three rows — data, encryption choices, and IAM — say Customer in every column, and the top row says AWS in every column. Some responsibilities shift; those never do.
Scenario: one workload, three deployment choices
A retail company runs an inventory application and is deciding how to host its PostgreSQL database. Walk through what its team owns in each option — this is exactly the kind of comparison CLF-C02 turns into questions.
Option 1: PostgreSQL on an EC2 instance. AWS secures the facility, the hardware, the network, and the hypervisor beneath the instance. The team must patch the Linux guest OS, patch PostgreSQL itself, configure the security group so only the application tier can reach port 5432, set up backups, enable encryption, and manage IAM access. Maximum control, maximum responsibility.
Option 2: Amazon RDS for PostgreSQL. The line moves up. AWS now also patches the operating system and the PostgreSQL engine and operates the backup machinery. The team still owns the data itself, the database credentials and IAM permissions, the security group rules, and the decisions to enable encryption at rest and automated backups. Notice what did not move: if an engineer sets the database to be publicly accessible with a weak password, the resulting breach is squarely the customer's responsibility — RDS being "managed" never made the data or its access rules AWS's problem.
Option 3: A serverless rewrite with Lambda and DynamoDB. The line moves up again. There is no OS, runtime, or database engine for the team to patch — AWS manages all of it. The team's remaining responsibilities are the function code, the IAM execution roles and table permissions, the table's encryption settings, and, always, the data.
The pattern to internalize: moving from EC2 to RDS to serverless steadily transfers operational security work to AWS — patching, platform maintenance, infrastructure configuration — while the team's ownership of data, access, and configuration choices stays exactly where it started. If a question describes a company "migrating from EC2 to RDS" and asks what responsibility transfers to AWS, the answer is OS and database-engine patching — never the data, never IAM.
Exam traps and how questions are worded
Shared-responsibility questions are recognition items — quick if you know the model, easy to fumble if you rush. These are the traps CLF-C02 sets most often.
Trap 1: the OF/IN swap. Questions quote the model's own vocabulary: "Which task is an example of security of the cloud?" Keep the mapping mechanical — OF = AWS = infrastructure; IN = customer = what you put there. Distractors bank on you inverting it under time pressure.
Trap 2: the service-shift trap. "Who is responsible for patching the operating system?" has different answers by service: the customer on EC2, AWS on RDS and Lambda. Always check which service the stem names before answering a patching question. If no service is named and options mention the hypervisor or host OS, those layers are AWS's regardless.
Trap 3: "managed" does not mean "AWS owns everything." Distractors claim AWS is responsible for data stored in S3, or for IAM permissions on a managed database. Both are always the customer's. Similarly, configuring security groups is the customer's job even though AWS provides the security group feature.
Trap 4: misfiled shared controls. When asked for a shared responsibility, the correct option is patch management, configuration management, or awareness and training. Options like "physical security" (pure AWS) or "data classification" (pure customer) are bait.
A four-step routine for any responsibility question: (1) Identify the layer the task lives in — physical/hypervisor, OS/platform, or data/access/config. (2) Identify the service named, and how managed it is. (3) Apply the anchors — data, IAM, and encryption choices are always customer; facilities, hardware, and hypervisor are always AWS. (4) If both parties genuinely act at different layers, it is shared. That routine answers virtually every Task 2.1 item on the exam.
Tip. CLF-C02 tests this topic with short recognition items: "Who is responsible for X under the AWS shared responsibility model?" where X is a task like patching the guest OS, securing the data center, configuring a security group, or encrypting data. Expect the vocabulary trap — matching "security of the cloud" to AWS and "security in the cloud" to the customer — and the service-shift trap, where the same task (OS patching) has a different owner on EC2 (customer) versus RDS or Lambda (AWS). Questions also ask you to pick the shared control from a list; the answer is patch management, configuration management, or awareness and training. Anchor every answer on two absolutes: customer data and IAM are always the customer's, and physical infrastructure and the hypervisor are always AWS's.
- AWS is responsible for security OF the cloud (facilities, hardware, network, hypervisor); the customer is responsible for security IN the cloud (data, access, configuration).
- Customer data, IAM permissions, and encryption choices are ALWAYS the customer's responsibility, on every service.
- Physical data centers, hardware, the global infrastructure, and the hypervisor are ALWAYS AWS's responsibility.
- The line shifts by service: on EC2 you patch the guest OS; on RDS, AWS patches the OS and database engine; on Lambda, AWS manages everything up through the runtime.
- The three shared controls to memorize: patch management, configuration management, and awareness and training.
- Controls classify as inherited (fully from AWS, e.g. physical security), shared (both act in their own layer), or customer-specific (e.g. data classification).
- Security group and network firewall configuration is the customer's job, even though AWS provides the feature.
- More managed service = more AWS responsibility for operations, but never for your data or your access decisions.
Frequently asked questions
What is the AWS shared responsibility model?
The AWS shared responsibility model defines how security and compliance duties are divided between AWS and its customers. AWS is responsible for "security of the cloud" — protecting the physical data centers, hardware, networking, and virtualization software that run all AWS services. The customer is responsible for "security in the cloud" — protecting their data, managing identities and permissions, configuring firewalls and service settings, and choosing encryption. Some controls, like patch management and awareness training, are shared: AWS handles its layer and the customer handles theirs. The exact split shifts depending on how managed the service is.
What is the difference between security of the cloud and security in the cloud?
"Security of the cloud" is everything AWS does to protect the infrastructure that runs its services: physical facility security, hardware maintenance and disposal, the global network of Regions and Availability Zones, the hypervisor, and the software behind managed services. "Security in the cloud" is everything the customer does with what they deploy: protecting data, managing IAM users and permissions, patching guest operating systems on EC2, configuring security groups, and enabling encryption. A simple test: if the task requires access to AWS hardware or host software, it is OF the cloud (AWS); if it depends on your decisions, it is IN the cloud (you).
Who is responsible for patching in AWS?
Patch management is a shared control, and the split depends on the service. AWS always patches the physical infrastructure, host operating systems, and hypervisor. On Amazon EC2, the customer patches the guest operating system and any software they install. On Amazon RDS, AWS patches the underlying OS and the database engine, while the customer controls maintenance-window settings and their own data. On AWS Lambda and other serverless services, AWS handles all platform and runtime patching — the customer maintains only their code. The more managed the service, the more patching AWS takes over.
Who is responsible for data stored in AWS?
The customer, always. Under the AWS shared responsibility model, customer data is the customer's responsibility on every service — EC2, RDS, S3, Lambda, DynamoDB, all of them. That includes classifying the data, deciding who can access it, configuring bucket or database access controls, and choosing whether to encrypt it at rest and in transit. AWS secures the storage infrastructure beneath your data and provides encryption and access-control features, but it never decides how your data should be protected or who should see it. No level of service management transfers data responsibility to AWS.
Is the shared responsibility model different for EC2, RDS, and Lambda?
Yes — the boundary shifts with the service's management level. On EC2, an infrastructure service, AWS's responsibility ends at the hypervisor: you manage the guest OS, patching, installed software, and firewall rules. On RDS, a managed service, AWS also handles the operating system and database engine patching, leaving you the data, access controls, and settings. On Lambda, a serverless service, AWS manages everything up through the language runtime, and you manage only your code, its permissions, and your data. In every case, data, IAM, and encryption choices remain the customer's responsibility.
What are examples of shared controls in the AWS shared responsibility model?
AWS identifies three shared controls, where both AWS and the customer act in their own layer. Patch management: AWS patches the infrastructure and managed-service software, while customers patch their EC2 guest operating systems and applications. Configuration management: AWS configures its infrastructure devices and host systems, while customers configure their own instances, databases, and security groups. Awareness and training: AWS trains AWS employees, while customers train their own staff. These three are distinct from inherited controls, which customers fully inherit from AWS (like physical security), and customer-specific controls, which only the customer performs (like data classification).
Who is responsible for security group configuration in AWS?
The customer. Security groups are a customer-side responsibility under the shared responsibility model, because they control what traffic can reach your resources — a decision only you can make. AWS builds and operates the underlying virtual networking and provides security groups as a feature, but the rules you write (which ports are open, which sources are allowed) are security "in the cloud." The same logic applies to network ACLs, S3 Block Public Access settings, and an RDS instance's public accessibility flag. If an overly permissive rule exposes a resource, that is a customer configuration issue, not an AWS one.
Sign up free to mark lessons complete, bookmark topics and track your exam readiness.