AWS Shared Responsibility Model Explained: Who Secures What?

AWS runs the physical infrastructure. You configure and secure everything you put on it. That split is the AWS Shared Responsibility Model, and misunderstanding it is behind most cloud security incidents. Not because AWS was breached, but because a customer assumed AWS was handling something that was actually theirs to secure.

This page explains exactly where the boundary sits, how it shifts when you move from EC2 to RDS to Lambda, and what concrete actions you need to take on your side of the line. By the end, you will know who secures what for every major AWS service type and have a practical checklist you can act on immediately.

Simple explanation

AWS runs the buildings, the servers, the network cables, and the software that makes services like EC2, S3, and Lambda work. That is their security job. Your security job is everything you deploy and configure on top of those services: your data, your user permissions, your encryption settings, your application code, and your network rules.

Think of it like renting office space

The building owner secures the structure: walls, locks on the front door, fire suppression, elevator maintenance. But once you move in, you are responsible for who gets a key to your office, what you store inside, and whether you lock your own door at night. AWS is the building owner. You are the tenant.

The exact split changes depending on which AWS service you use. When you run an EC2 instance, you manage the operating system. When you use Lambda, AWS manages the OS and runtime for you. But no matter how managed the service is, your data, IAM configuration, and application code are always your responsibility.

Why this matters

The vast majority of cloud security breaches are customer misconfigurations, not AWS infrastructure failures. Real-world examples include:

  • S3 buckets left publicly accessible, exposing customer records or internal documents
  • IAM roles with wildcard permissions (:) that give attackers full account access when credentials leak
  • EC2 instances running unpatched operating systems with known vulnerabilities
  • Secrets like database passwords and API keys hardcoded in application code or environment variables
  • Security groups with 0.0.0.0/0 inbound rules exposing services to the entire internet
  • CloudTrail disabled, leaving no audit trail when something goes wrong
Every item above is a customer responsibility

None of these breaches happened because AWS’s infrastructure was compromised. They happened because the customer side of the boundary was left unprotected. Knowing where your responsibility starts is the first step to auditing the right things.

How it works

AWS describes the model using two phrases:

  • Security of the cloud is AWS’s responsibility. This covers the physical infrastructure, hardware, hypervisor, global network, and the managed layers of AWS services.
  • Security in the cloud is your responsibility. This covers the data, identities, permissions, configurations, encryption, code, and monitoring that you deploy and manage on top of AWS.

The boundary between the two is not a single fixed line. It shifts depending on how managed the service is. EC2 gives you a virtual machine, so you own everything from the OS up. RDS gives you a managed database, so AWS owns the OS and engine patching, but you still own the data, access, and encryption settings. Lambda gives you a function runtime, so AWS owns almost the entire stack, but your code and its IAM permissions are still yours.

The constant across all service types

Your data, your IAM configuration, and your application code are always your responsibility. No AWS service, no matter how managed, removes those from your plate.

What AWS is responsible for

AWS secures the security of the cloud, meaning the infrastructure that all AWS services run on:

  • Physical security including data centre access controls, biometric scanning, surveillance, and perimeter fencing
  • Hardware including servers, storage devices, networking equipment, and hardware lifecycle management
  • Global network including the AWS backbone, routers, switches, and DDoS protection at the network edge
  • Hypervisor, the virtualization layer that isolates EC2 instances from each other
  • Managed service infrastructure where AWS patches the OS, runtime, and engine for services like RDS, DynamoDB, and Lambda
  • Availability, meaning region and availability zone uptime within published SLAs
Think of AWS as a foundation contractor

When you hire a contractor to pour a concrete foundation, they guarantee the foundation is level, structurally sound, and built to code. But they do not decide where you put the walls, how you wire the electrics, or whether you lock the windows. AWS builds the foundation. What you construct on top is yours to secure.

AWS publishes compliance certifications (SOC 1/2/3, ISO 27001, PCI DSS, HIPAA, FedRAMP) that cover these infrastructure-level controls. You inherit those certifications for the infrastructure layer when you build on AWS.

What you are responsible for

You are responsible for security in the cloud, meaning everything you deploy, configure, and run on top of AWS:

  • Your data including classification, handling, and controlling who can access it
  • IAM configuration including users, roles, policies, and who has access to what in your account
  • Operating system on EC2 including patching, hardening, user accounts, and installed software
  • Application code including your code, its dependencies, and application-level vulnerabilities
  • Network configuration including VPC design, security group rules, NACLs, and route tables
  • Encryption for S3, EBS, RDS, and other services (KMS provides the tools; you must turn them on)
  • Monitoring and logging through CloudTrail, CloudWatch, and GuardDuty, plus actually responding to alerts
  • Secrets handling through Secrets Manager or Parameter Store, not hardcoded in code or environment variables
The things people forget most often

Encryption and logging are both opt-in for most AWS services. AWS gives you the tools, but the default state for many services is “off” or “minimal.” If you do not explicitly enable CloudTrail beyond the 90-day event history, enable encryption at rest, and turn on GuardDuty, those protections simply are not there.

Security of the cloud vs security in the cloud

These two phrases appear constantly in AWS documentation and certification exams. Here is the direct comparison:

Security of the cloud (AWS)Security in the cloud (you)
ScopeInfrastructure and platform layersConfiguration, data, and code layers
ExamplesHardware, hypervisor, global network, data centre locksIAM policies, OS patches, encryption settings, app code
ProofAWS compliance certifications (SOC 2, ISO 27001, etc.)Your own audit controls, policies, and monitoring
Changes per service?Grows as the service becomes more managedShrinks but never disappears (IAM, data, code always yours)
A quick way to remember the difference

If you can log into a console and change it, it is your responsibility. If you cannot touch it because it lives in an AWS data centre behind biometric locks, it is theirs. “Of” means the foundation. “In” means everything built on top.

How responsibility changes by service type

The boundary shifts significantly depending on whether you are using infrastructure (EC2), a managed service (RDS), a serverless function (Lambda), or object storage (S3):

ServiceWhat AWS securesWhat you still secureTypical mistake
EC2Hardware, hypervisor, physical networkGuest OS, patches, app code, security groups, IAM, encryptionRunning months without OS patches
RDSHardware, OS, database engine patches, HA infraDatabase users, queries, data, encryption settings, IAM, networkLeaving the database publicly accessible
LambdaHardware, OS, runtime, scaling, patchingFunction code, dependencies, IAM execution role, secrets, VPC configGranting the function : permissions
S3Storage infrastructure, durability, availabilityBucket policies, ACLs, Block Public Access, encryption, IAMDisabling Block Public Access for “convenience”
EKSControl plane, Kubernetes API server, etcdWorker nodes, pod security, container images, IRSA, network policiesRunning containers as root with default service accounts
The pattern to remember

The more managed the service, the more AWS handles. But your data, IAM permissions, and application code are never transferred to AWS. Even with Lambda, a function with an over-permissive IAM role is your problem, not theirs.

When to use this model

The shared responsibility model is not just a certification topic. You should actively think about it:

  • Before launching any workload. Ask “what am I responsible for securing on this service?” before you go to production.
  • During architecture reviews. When choosing between EC2 and a managed or serverless service, the security boundary is a real factor in the decision.
  • During security audits. Auditors will ask you to prove that you own your side of the model (IAM policies, encryption, logging, patching).
  • When evaluating managed vs self-managed. Moving from EC2 to RDS or Lambda shifts infrastructure security to AWS, but your data and access controls stay with you.
  • When preparing for interviews or certifications. The shared responsibility model appears on every AWS certification exam and in most cloud security interview questions.
Quick self-check before going live

For any new workload, answer these three questions: (1) Who patches the OS and runtime? (2) Who configures encryption and network access? (3) Who manages IAM permissions and secrets? If any answer is “I am not sure,” you have a gap in your security posture.

Common beginner mistakes

The number one mistake

“I thought AWS was handling that.” This single assumption is behind most cloud security incidents. AWS secures the building. You secure every door, window, and lock inside it. If you take away one thing from this page, make it this.

  1. Assuming “AWS handles security.” AWS handles infrastructure security. Your configuration, IAM policies, data encryption, network rules, and application code are entirely yours. AWS provides excellent tools to help, but using them is your job.

  2. Not patching EC2 instances. AWS does not touch your guest OS. An EC2 instance running Ubuntu that has not been updated in six months likely has critical CVEs. Use Systems Manager Patch Manager to automate this.

  3. Leaving logging turned off. CloudTrail records every API call in your account. Without it enabled beyond the default 90-day event history, you have no durable audit trail when something goes wrong. This is like removing the security cameras from your building and hoping nothing happens.

  4. Treating encryption as optional. Encryption at rest for S3, EBS, and RDS should be the default for all workloads, not just regulated ones. The performance impact is negligible and AWS KMS handles key management.

  5. Storing secrets in code or environment variables. Database passwords, API keys, and tokens belong in Secrets Manager or SSM Parameter Store. Never put them in your source code, Lambda environment variables, or EC2 user data scripts. Hardcoding a password in your code is like taping your house key to the front door.

  6. Confusing managed service security with full security ownership. RDS patches the database engine for you, but if you set the database to publicly accessible with a weak password, that is a customer misconfiguration. Managed does not mean “fully secured by AWS.”

  7. Using long-lived access keys instead of roles. Static access keys in code or config files are a common source of credential leaks. Use IAM roles with temporary credentials wherever possible.

Practical security checklist

These are the highest-impact actions on the customer side of the boundary. If you are setting up a new AWS account or reviewing an existing one, start here:

Day-one priorities

If you only do three things, make them: enable MFA on root, enable CloudTrail in all regions, and turn on S3 Block Public Access at the account level. These three controls prevent the most common and most damaging beginner mistakes.

  1. Enable MFA on the root account and all IAM users. This is the single most effective control against credential compromise.
  2. Apply least privilege to every IAM role and user. Start with zero permissions and add only what is needed.
  3. Enable CloudTrail in all regions and send logs to a protected S3 bucket with object lock.
  4. Enable GuardDuty for automated threat detection across your account.
  5. Enable S3 Block Public Access at the account level to prevent accidental public buckets.
  6. Turn on default encryption for S3 buckets, EBS volumes, and RDS instances.
  7. Lock down security groups. Never allow 0.0.0.0/0 inbound on SSH or RDP.
  8. Automate EC2 patching using Systems Manager Patch Manager.
  9. Store secrets in Secrets Manager. Not in environment variables, code, or config files.
# Check if MFA is enabled on the root account
aws iam get-account-summary \
  --query 'SummaryMap.AccountMFAEnabled'

# List CloudTrail trails and check if they are logging
# Step 1: List your trails
aws cloudtrail describe-trails \
  --query 'trailList[*].{Name:Name,MultiRegion:IsMultiRegionTrail}' \
  --output table

# Step 2: Check logging status for a specific trail
aws cloudtrail get-trail-status \
  --name my-trail \
  --query '{IsLogging:IsLogging,LatestDeliveryTime:LatestDeliveryTime}'

# Check S3 account-level public access block status
aws s3control get-public-access-block \
  --account-id $(aws sts get-caller-identity --query Account --output text)

# Check if GuardDuty is enabled
aws guardduty list-detectors

Compliance and audits

When your organisation needs PCI DSS, HIPAA, SOC 2, or ISO 27001 compliance, the shared responsibility model defines the split:

  • AWS covers physical security, hardware integrity, network infrastructure, hypervisor isolation, and managed service platform controls. AWS publishes compliance reports through the AWS Artifact portal that auditors can review.
  • You cover application-level access controls, data classification and handling, user activity logging, vulnerability scanning, incident response procedures, and employee security training.
A common misconception about compliance

Running on AWS does not make your application compliant. It means the infrastructure underneath is compliant. Your auditor will still ask you to prove that your IAM policies follow least privilege, that your data is encrypted, that you have audit logs, and that you have an incident response plan.

Think of it like a building inspection

A building inspector certifies that the foundation, wiring, and plumbing meet code. That does not mean the business operating inside the building is compliant with health regulations, fire escape procedures, or data privacy laws. AWS passes the infrastructure inspection. You still need to pass everything above the floor.

Real-world examples

These three scenarios show how the boundary moves depending on the service. Pay attention to what stays the same in each one.

Scenario 1: EC2 web application

You launch an EC2 instance running Nginx on Ubuntu to serve a web application.

  • AWS secures: the physical server, the hypervisor isolating your instance from others, and the network backbone.
  • You secure: patching Ubuntu, configuring Nginx, managing TLS certificates, writing secure application code, setting up security groups to restrict inbound traffic, and configuring IAM so only authorised users can manage the instance.

EC2 is the most “hands-on” option. Think of it like renting a bare warehouse. The landlord keeps the walls standing and the roof intact. You bring your own shelves, lighting, locks, and alarm system.

Scenario 2: RDS PostgreSQL database

You create an RDS PostgreSQL instance.

  • AWS secures: the OS, database engine patches, automated backups, and multi-AZ failover.
  • You secure: database users with least-privilege grants, encryption at rest, placing the instance in a private subnet, restricting security group access to your application servers, and managing the data inside the database including PII handling.

RDS is like renting a furnished office. The landlord handles the plumbing and electricity. You still choose who gets a key and what documents go in the filing cabinet.

Scenario 3: Lambda function processing S3 uploads

You deploy a Lambda function triggered when files land in an S3 bucket.

  • AWS secures: the entire compute environment (OS, runtime, patching, scaling).
  • You secure: the function code and its dependencies (including known CVEs in libraries), the IAM execution role (granting only the permissions the function actually needs), any secrets the function uses (stored in Secrets Manager, not environment variables), and the S3 bucket configuration (Block Public Access enabled, bucket policy locked down, encryption turned on).

Lambda is like a co-working space. Almost everything is managed for you. But if you leave your laptop unlocked with your passwords on screen, that is your problem, not the building manager’s.

Regardless of whether you used EC2, RDS, or Lambda, you were always responsible for IAM, data, encryption choices, and network access. The infrastructure layer changed. The customer responsibilities at the top of the stack stayed the same.

Frequently asked questions

What is the AWS Shared Responsibility Model?

The AWS Shared Responsibility Model divides security duties between AWS and the customer. AWS secures the cloud itself: physical data centres, hardware, networking, the hypervisor, and managed service infrastructure. Customers secure everything in the cloud: their data, IAM configuration, OS patching on EC2, application code, network rules, encryption choices, and logging setup. The split shifts depending on the service. Lambda customers own less infrastructure than EC2 customers, but IAM, data, and application code are always the customer's responsibility.

Who patches EC2 instances, AWS or me?

You do. AWS provides the hypervisor and the underlying hardware, but the guest operating system on an EC2 instance is entirely yours. That includes installing OS security updates, patching installed software, and hardening the OS configuration. If you want AWS to handle OS patching, use a managed service like RDS (where AWS patches the database engine and OS) or Lambda (where AWS manages the entire runtime). For EC2, AWS Systems Manager Patch Manager can automate your patching schedule.

Does AWS handle security for managed services like RDS or Lambda?

Partially. For RDS, AWS patches the database engine, manages the underlying OS, and handles high-availability infrastructure. For Lambda, AWS manages the entire compute environment including the runtime. But you are still responsible for IAM permissions, data encryption settings, network configuration, secrets handling, and the security of your application code or database queries. Managed services reduce your infrastructure burden. They do not eliminate your security responsibilities.

Is AWS responsible if my S3 bucket is public?

No. AWS provides the tools to control S3 access (bucket policies, ACLs, S3 Block Public Access, and IAM policies), but the configuration is your responsibility. A publicly accessible S3 bucket is a customer misconfiguration, not an AWS infrastructure failure. AWS even provides S3 Block Public Access at the account level to prevent accidental exposure, but you must enable and enforce it.

Does AWS compliance automatically make my application compliant?

No. AWS holds compliance certifications (SOC 2, PCI DSS, HIPAA, ISO 27001) that cover the infrastructure layer. You inherit those controls for the hardware and managed platform, but you must implement your own controls for application security, data handling, access management, audit logging, incident response, and employee training. Compliance is shared the same way security is shared. AWS covers the infrastructure controls, and you cover everything you build on top.

Last verified: 29 March 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.