- \n
- compute<\/li>\n<\/ul>\n
- \n
- database<\/li>\n<\/ul>\n
- \n
- storage<\/li>\n<\/ul>\n
- \n
- networking<\/li>\n<\/ul>\n<\/li>
- Customer is accountable only for\n
- \n
- Software on top of the infrastructure layer<\/li>\n
- data and access on top of the infrastructure layer<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-161.png\")
<\/figure>\n\n\n\nAWS Security Responsibilities<\/strong><\/p>\n\n\n\n
AWS is accountable for following<\/p>\n\n\n\n
- Computing Hardware and Global Infrastructure, which includes\n
- \n
- AWS regional, available, and edge zones cloud infrastructure\n
- \n
- All has physical security protections, and constant IT maintenance<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>
- Software related to AWS computing hardware management covering\n
- \n
- Computation<\/li>\n<\/ul>\n
- \n
- Storage<\/li>\n<\/ul>\n
- \n
- Database<\/li>\n<\/ul>\n
- \n
- Networking<\/li>\n<\/ul>\n
- \n
- software platform for all of AWS services<\/li>\n<\/ul>\n
- \n
- security services from AWS to be used by customers, and includes\n
- \n
- encryption keys<\/li>\n<\/ul>\n
- \n
- network monitoring tools<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>
- database protection, and more.<\/li><\/ul>\n\n\n\n
Customer Security Responsibilities<\/strong><\/p>\n\n\n\n
As per AWS service selected by customer, customer is accountable for different levels of security, as<\/p>\n\n\n\n
- For IaaS AWS service like – EC2\/VPC\/ S3, all of the security configuration and management tasks for security is to be done by customer and includes\n
- \n
- Customer Business Data before it enters AWS and after it exits AWS.<\/li>\n<\/ul>\n
- \n
- Security of the platform running on the IaaS like shoppers identities protection for an online clothing store<\/li>\n<\/ul>\n
- \n
- Data Encryption when data is at rest or transit<\/li>\n<\/ul>\n
- \n
- Encryption of the File System<\/li>\n<\/ul>\n
- \n
- Safety of the Network Traffic<\/li>\n<\/ul>\n<\/li>
- Safety for routing and zoning data<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-162.png\")
<\/figure>\n\n\n\nSecurity Shared Responsibility<\/strong><\/p>\n\n\n\n
AWS fulfills the need for cloud computing infrastructure and the customer is responsible for the implementation part of AWS\u2019s cloud computing infrastructure like configuration, patching, etc. It consists of<\/p>\n\n\n\n
- Controls in the cloud\u2019s IT setup \u2013 Operating and managing IT operation and controls are to be taken care by both customer and AWS. Customer is responsible for deployment of IT controls as per laid down AWS\u2019s guidelines and regulations. AWS provides various security related maintenance facilities like network level encryption, firewall maintenance, etc. to ease the burden on customer<\/li>
- Configuration Management \u2013 AWS takes the shared responsibility of the cloud computing infrastructure\u2019s configuration management and customer is responsible for configuration of operating systems, databases and software applications on the instances.<\/li>
- Patch Management \u2013 AWS is responsible for cloud computing infrastructure\u2019s patching and error fixing whereas customer does patching of operating systems, databases and software applications on the instances.<\/li>
- Customer Software Specific Controls \u2013 Customer is responsible for controls which are specific to their software application and has no linkage to AWS\u2019s cloud computing infrastructure<\/li>
- Employee Training and Awareness \u2013 Training and awareness of customer\u2019s employees who are using the AWS\u2019s cloud computing infrastructure, is customer\u2019s responsibility<\/li><\/ul>\n\n\n\n
Customers should<\/p>\n\n\n\n
- access control policies should be employed by using the AWS\u2019s IAM<\/li>
- access to ports to be controlled by configuring AWS Security Groups<\/li>
- CloudTrail should be enabled for logging<\/li><\/ul>\n\n\n\n
Responsibility of Customers also include<\/p>\n\n\n\n
- Implementation of policies for DLP (or data loss prevention) as might be needed by customer\u2019s internal and external policy compliance<\/li>
- Prevention, detection and remedy any hazard due to loss or stealing of account credentials resulting in malicious misuse of AWS<\/li><\/ul>\n\n\n\n
AWS takes the responsibility of securing its cloud computing infrastructure which includes<\/p>\n\n\n\n
- Computing<\/li>
- Storage<\/li>
- Networking<\/li>
- database services<\/li>
- security configuration of AWS services like\n
- \n
- DynamoDB<\/li>\n<\/ul>\n
- \n
- RDS<\/li>\n<\/ul>\n
- \n
- Redshift<\/li>\n<\/ul>\n
- \n
- Elastic MapReduce<\/li>\n<\/ul>\n
- \n
- Workspaces, etc.<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n
AWS Shared Responsibility Model Summary<\/p>\n\n\n\n
<\/td> Customer<\/td> AWS<\/td><\/tr> Prevent\/detect any compromise of AWS account<\/td> x<\/td> <\/td><\/tr> Prevent\/detect any insecure behavior of AWS user<\/td> x<\/td> <\/td><\/tr> Securely configuring AWS services ( AWS Managed Services are excluded)<\/td> x<\/td> <\/td><\/tr> Restricted access to AWS services or any customer\u2019s custom applications, to only users who need it<\/td> x<\/td> <\/td><\/tr> Update of Guest OS and security patch application<\/td> x<\/td> <\/td><\/tr> Making sure that both, AWS and customer\u2019s custom applications usage complies to internal and external policies<\/td> x<\/td> x<\/td><\/tr> Enabling and provisioning network security against attacks like DoS, MITM, port scanning<\/td> x<\/td> x<\/td><\/tr> Securely managing and operating configurations of AWS Managed Services<\/td> <\/td> x<\/td><\/tr> Provisioning of physical access control<\/td> <\/td> x<\/td><\/tr> Securing against any environmental risks like natural disasters, mass power outages, etc<\/td> <\/td> x<\/td><\/tr> patching and error fixing of database<\/td> <\/td> x<\/td><\/tr> Securing against zero day exploits or related vulnerabilities<\/td> <\/td> x<\/td><\/tr> Providing business continuity to customers and addressing availability, incident response<\/td> <\/td> x<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
- Workspaces, etc.<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n
- Elastic MapReduce<\/li>\n<\/ul>\n
- Redshift<\/li>\n<\/ul>\n
- RDS<\/li>\n<\/ul>\n
- DynamoDB<\/li>\n<\/ul>\n
- Encryption of the File System<\/li>\n<\/ul>\n
- Data Encryption when data is at rest or transit<\/li>\n<\/ul>\n
- Security of the platform running on the IaaS like shoppers identities protection for an online clothing store<\/li>\n<\/ul>\n
- Customer Business Data before it enters AWS and after it exits AWS.<\/li>\n<\/ul>\n
- For IaaS AWS service like – EC2\/VPC\/ S3, all of the security configuration and management tasks for security is to be done by customer and includes\n
- encryption keys<\/li>\n<\/ul>\n
- security services from AWS to be used by customers, and includes\n
- software platform for all of AWS services<\/li>\n<\/ul>\n
- Networking<\/li>\n<\/ul>\n
- Database<\/li>\n<\/ul>\n
- Storage<\/li>\n<\/ul>\n
- Computation<\/li>\n<\/ul>\n
- AWS regional, available, and edge zones cloud infrastructure\n
- Computing Hardware and Global Infrastructure, which includes\n
- storage<\/li>\n<\/ul>\n
- database<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-163.png\")
<\/figure>\r\n