
What is AWS Shared Responsibility Model?

In the cloud, an organization’s cloud service provider (CSP) is not wholly responsible for security. Instead, the cloud provider and the cloud customer share responsibility for the security of the cloud-based deployment, and the cloud provider’s shared responsibility model outlines the responsibilities of each party.


What the AWS Shared Responsibility Model is, and How it Works

The AWS Shared Responsibility Model describes the security responsibilities of the cloud provider and the cloud customer. In general, the cloud provider is responsible for the security of the underlying infrastructure that they lease to their customers, while the customer is responsible for the security of the areas of the cloud infrastructure over which they have control.


The exact breakdown of cloud security responsibilities depends on the details of the cloud service that a customer is using. For example, a cloud customer has greater responsibility for security in an Infrastructure as a Service (IaaS) model than they do under a Software as a Service (SaaS) model.

AWS Shared Responsibility Model for Infrastructure

Amazon’s infrastructure services include compute, storage, networking and related functionality. As an example, for Amazon EC2, the customer is able to install their own operating system, configure it, and run any applications that they want on top of it.


Because EC2 provides the customer with a high level of access and control (i.e. down to the OS level), it also places a great deal of security responsibility on the customer. In these deployment scenarios, the customer is responsible for properly securing their operating system and any related services under their control, such as the Elastic Block Store (EBS), auto-scaling, and networking infrastructure within their virtual private cloud (VPC).


AWS, on the other hand, is responsible for securing their physical infrastructure. This includes the physical servers and networking and their virtualization technology.

AWS Shared Responsibility Model for Containers

Containerized services use EC2 but add an additional layer of abstraction. In this case, the customer doesn’t manage their operating system or platform. 


With this model, a cloud customer has a lower level of security responsibility than with the previous model. They no longer have visibility or control over their operating system, so responsibility for that passes to AWS. Under this model, the customer is primarily responsible for firewall configuration and properly protecting their data (i.e. using encryption and access management).

AWS Shared Responsibility Model for Abstracted Services

For abstracted services, such as Amazon S3 and Amazon DynamoDB, the customer is primarily responsible for properly configuring the security of the provided service. For example, if a customer configures DynamoDB to have easily guessable user credentials, then they would be responsible for any resulting data breach.

Cloud Security Beyond CSP-Provided Controls

Cloud service providers offer their customers a number of tools to help manage their cloud security. However, these tools are only designed to provide a foundation for an organization’s cloud security deployment.


Securing cloud-based infrastructure requires deploying many of the same types of security solutions as an organization would use in an on-premises datacenter. These required solutions and capabilities include:


  • Identity and Access Management: Cloud-based infrastructure is directly accessible from the public Internet, making it an easy target for cybercriminals. Identity and Access Management (IAM) solutions are essential to restricting this access to authorized users.
  • Cloud Network Security: Cloud services are not a monolith, and applications communicate within the cloud. Cloud network security solutions are necessary for segmenting cloud assets to reduce the effect of any cloud breach, monitoring traffic and protecting the data plane against exploitation and lateral movement.
  • Cloud Security Posture Management: These solutions automatically and continuously check for misconfigurations that can lead to data breaches and leaks. Because detection is continuous and automated, organizations can make the necessary changes on an ongoing basis.
  • Cloud Workload Protection: Cloud workloads are applications like any other. They need to be protected against exploitation of unpatched vulnerabilities, configuration errors, and other weaknesses.
  • Data Protection: Organizations are increasingly storing sensitive data in the cloud. This data must be protected against breach (including encryption in transit and at rest) and in accordance with applicable laws and regulations.
  • Threat Intelligence: The cyber threat landscape evolves rapidly, and threats to the cloud are not an exception. Cloud security solutions need access to threat intelligence to identify and protect against the latest cyber threats.
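
The customer-side configuration checks described above for abstracted services and cloud security posture management can be illustrated with a small policy audit. This is an added example, not code from the original page or from any vendor product; the sample bucket policy, the finding names and the function names are constructed for illustration.

```python
import json

# Constructed sample S3 bucket policy (not from the page): one statement
# grants anonymous read access, and nothing denies plaintext (non-TLS) requests.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

def _as_list(value):
    # Policy fields may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def _denies_plaintext(stmt):
    # Recognises the usual "deny everyone when aws:SecureTransport is false" statement.
    cond = stmt.get("Condition", {}).get("Bool", {})
    value = str(cond.get("aws:SecureTransport", "")).lower()
    return (stmt.get("Effect") == "Deny" and value == "false"
            and _is_wildcard_principal(stmt.get("Principal")))

def audit_bucket_policy(policy):
    """Return findings for misconfigurations that fall on the customer's side."""
    statements = _as_list(policy.get("Statement", []))
    findings = []
    for stmt in statements:
        # An unconditional Allow to everyone exposes the bucket publicly.
        if (stmt.get("Effect") == "Allow"
                and _is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(f"public-access:{stmt.get('Sid', '<no Sid>')}")
    if not any(_denies_plaintext(s) for s in statements):
        findings.append("no-tls-enforcement")
    return findings

if __name__ == "__main__":
    print(audit_bucket_policy(SAMPLE_POLICY))
```

A policy document is only one input: a real posture check also reads bucket ACLs and the account-level and bucket-level Block Public Access settings before deciding whether a bucket is exposed.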

Securing the Cloud with Check Point

Cloud providers like AWS reduce many of an organization’s security responsibilities with regard to its infrastructure. A cloud provider abstracts away multiple levels of an organization’s infrastructure stack and is responsible for securing the levels under its control. However, cloud customers do retain some responsibility for their cloud security. While cloud providers offer a number of tools to help their customers to manage this, they are not enough to effectively secure an enterprise cloud environment.


Check Point provides organizations with the tools required to meet their security responsibilities in the cloud. This includes securing the data, applications, and workloads and minimizing misconfigurations, unauthorized access, threats, and anomalies in the cloud. In addition, these cloud security solutions provide full automation to allow organizations to take full advantage of the cloud’s scalability, agility and dynamic nature.


Effectively securing a cloud environment requires an understanding of an organization’s security responsibilities and best practices for meeting them. For help in understanding best practices for improving your cloud security (not just for AWS), read Check Point’s cloud security blueprint and the solutions that Check Point offers to implement it.


To learn more about securing your AWS deployment, read this introduction to the shared responsibility model. You’re also welcome to visit Check Point’s AWS solution page to see how Check Point can simplify and improve your AWS security posture.
