Cloud Shared Responsibility

🔥 Vibe Prompt

"Map security responsibilities for AWS services: EC2, S3, RDS, Lambda. Who secures what?"

Shared Responsibility Model

┌────────────────────────────────────────┐
│  Customer (Security IN the Cloud)      │
│  ├── Data encryption (at rest/transit) │
│  ├── OS patching (EC2)                 │
│  ├── Firewall rules (SG, NACL)         │
│  ├── IAM policies & access             │
│  └── App-level security (WAF, code)    │
├────────────────────────────────────────┤
│  AWS (Security OF the Cloud)           │
│  ├── Physical security (data center)   │
│  ├── Network infrastructure            │
│  ├── Hypervisor isolation              │
│  ├── Managed service security          │
│  └── Global infrastructure             │
└────────────────────────────────────────┘

Responsibility by Service Type

| Service Type | Example | Customer Responsible For |
|--------------|---------|--------------------------|
| IaaS (EC2) | Virtual server | OS, apps, firewall, patches |
| PaaS (RDS) | Managed DB | Data, access, schema |
| SaaS (SES) | Email service | Content, usage |
| FaaS (Lambda) | Serverless | Code, dependencies, env vars |

Cloud Security Pillars

1. IAM & Access Control
   - Least privilege, MFA, roles

2. Infrastructure Protection
   - VPC, Security Groups, WAF

3. Data Protection
   - Encryption at rest (KMS), in transit (TLS)

4. Detective Controls
   - CloudTrail, GuardDuty, Security Hub

5. Incident Response
   - Automated remediation, playbooks
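The first pillar, least privilege in IAM, is easiest to see against a concrete policy document. The linter below is an added example, not code from the original page: it flags Allow statements with wildcard actions or resources and privileged actions granted without an MFA condition. The `PRIVILEGED_ACTIONS` list and both sample policies are constructed for illustration, not taken from any real account.

```python
"""Least-privilege linter for IAM policy documents (added example)."""
import fnmatch

# Actions this example treats as privileged (an assumed, illustrative list).
PRIVILEGED_ACTIONS = (
    "iam:*",
    "kms:ScheduleKeyDeletion",
    "s3:DeleteBucket",
    "ec2:TerminateInstances",
)


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(statement):
    """True if the statement requires aws:MultiFactorAuthPresent to be true."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator in ("Bool", "BoolIfExists"):
            if str(pairs.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
                return True
    return False


def _privileged_matches(actions):
    """Policy actions that cover, or fall under, a privileged action pattern."""
    hits = set()
    for action in actions:
        for pattern in PRIVILEGED_ACTIONS:
            # Either the policy's own wildcard covers the privileged action
            # (e.g. "*" or "s3:*"), or the specific action falls under "iam:*".
            if fnmatch.fnmatchcase(pattern, action) or fnmatch.fnmatchcase(action, pattern):
                hits.add(action)
    return sorted(hits)


def lint_policy(policy):
    """Return [(sid, finding)] for every Allow statement that is too broad."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        sid = st.get("Sid", f"Statement{idx}")
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))

        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard Action grants a whole service or every service"))
        if "*" in resources:
            findings.append((sid, "Resource '*' applies the grant to every resource"))
        hits = _privileged_matches(actions)
        if hits and not _has_mfa_condition(st):
            findings.append((sid, f"privileged action(s) {hits} allowed without an MFA condition"))
    return findings


# Constructed sample policies: one over-broad, one scoped to a single bucket.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "BucketCleanup", "Effect": "Allow", "Action": ["s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::example-logs"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]},
        {"Sid": "DeleteWithMfa", "Effect": "Allow", "Action": "s3:DeleteBucket",
         "Resource": "arn:aws:s3:::example-logs",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

The broad policy produces four findings (three on `AdminEverything`, one on `BucketCleanup`); the scoped policy produces none because its destructive action is gated on MFA. In practice you would feed this the JSON returned by `iam:GetPolicyVersion` rather than inline literals.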

Cloud Security Best Practices

| Area | Practice |
|------|----------|
| Account | Use multiple accounts (prod, dev, logging) |
| Network | VPC with private subnets, no public IPs |
| Storage | S3 block public access, encrypt by default |
| Compute | Use latest AMIs, scan images |
| Data | Encrypt everything, rotate keys |
| Monitor | Enable CloudTrail + GuardDuty + Security Hub |

AWS Security Services

┌─────────────────────────────────────────────┐
│  IAM         - Users, roles, policies       │
│  KMS         - Encryption key management    │
│  CloudTrail  - API activity logging         │
│  Config      - Resource compliance          │
│  GuardDuty   - Threat detection             │
│  Security Hub - Central security dashboard  │
│  Detective   - Root cause analysis          │
│  Macie       - Sensitive data discovery     │
│  WAF         - Web application firewall     │
│  Shield      - DDoS protection              │
└─────────────────────────────────────────────┘

Multi-Account Strategy

Organization Root
├── Security (CloudTrail, GuardDuty, Log Archive)
├── Infrastructure (Shared services: VPC, network)
├── Production (Prod workloads, strict controls)
├── Staging (Pre-prod, less strict)
└── Development (Dev, relaxed controls)

Key Questions

  • Who can access this resource?
  • Has access been revoked for leavers?
  • Is data encrypted at rest and in transit?
  • Are API calls being logged?
  • Are there any public S3 buckets?
  • Are security groups too permissive?
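Three of these questions (public S3 buckets, encryption at rest, permissive security groups) and the Storage row of the best-practices table above can be answered mechanically. The checks below are an added example, not code from the original page. They operate on constructed dictionaries shaped like the boto3 responses for `describe_security_groups`, `get_public_access_block` and `get_bucket_encryption`, so they run offline; which ports count as "sensitive" and all resource identifiers are assumptions of this example.

```python
"""Offline checks for public buckets, default encryption and open security groups (added example)."""
import ipaddress

# Ports this example treats as sensitive when exposed to the internet (assumed list).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}
REQUIRED_PAB = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _cidr_is_world(cidr):
    """True if the CIDR covers the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _ports_in_rule(rule):
    """Port range a permission entry covers; IpProtocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(rule.get("FromPort", 0), rule.get("ToPort", 0) + 1)


def permissive_security_groups(describe_sg_response):
    """Return sorted [(group_id, port, cidr)] for world-open ingress on sensitive ports."""
    findings = []
    for sg in describe_sg_response["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if _cidr_is_world(c)]
            if not world:
                continue
            ports = _ports_in_rule(rule)
            for port in SENSITIVE_PORTS:
                if port in ports:
                    findings.extend((sg["GroupId"], port, c) for c in world)
    return sorted(findings)


def bucket_is_public_capable(public_access_block_response):
    """True unless all four Block Public Access settings are enabled."""
    cfg = public_access_block_response.get("PublicAccessBlockConfiguration", {})
    return not all(cfg.get(key, False) for key in REQUIRED_PAB)


def bucket_default_encryption(encryption_response):
    """Return the default SSE algorithm ('AES256', 'aws:kms', ...) or None if unset."""
    # The real API raises when no configuration exists; this example models that as {}.
    rules = encryption_response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def bucket_findings(name, public_access_block_response, encryption_response):
    """Human-readable findings for one bucket, empty list if it passes both checks."""
    out = []
    if bucket_is_public_capable(public_access_block_response):
        out.append(f"{name}: Block Public Access is not fully enabled")
    if bucket_default_encryption(encryption_response) is None:
        out.append(f"{name}: no default server-side encryption configured")
    return out


# Constructed sample data shaped like boto3 responses (identifiers are made up).
SG_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]}
PAB_LOCKED = {"PublicAccessBlockConfiguration": {k: True for k in REQUIRED_PAB}}
PAB_PARTIAL = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": False,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": False}}
ENC_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": "alias/example-key"}}]}}
ENC_NONE = {}

if __name__ == "__main__":
    for finding in permissive_security_groups(SG_RESPONSE):
        print("open ingress:", finding)
    print(bucket_findings("example-logs", PAB_PARTIAL, ENC_NONE))
    print(bucket_findings("example-archive", PAB_LOCKED, ENC_KMS))
```

Port 443 open to the world is deliberately not reported, since the question is about sensitive services, not public web endpoints; the all-protocol IPv6 rule on the second group is reported once per sensitive port, which is the signal that the rule is far broader than any single service needs.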

Chapter Summary

  • Understand the core concepts and principles
  • Master the implementation methods and techniques
  • Be familiar with common issues and their solutions
  • Be able to apply them in real projects

Further Reading

  • Official documentation and API references
  • Open source examples on GitHub
  • Technical books and online courses
  • Community discussions and tech blogs
