Chapter 5
kubernetes book
Uploaded by
bharathvenna
Chapter 5. The AWS Shared Responsibility Model

This chapter covers the following subjects:

* Understanding the Shared Responsibility Model: This part of the chapter introduces you to the overall definition of the Shared Responsibility model.
* Amazon Responsibilities: This section provides examples of Amazon’s responsibilities for security in your AWS implementation.
* Client Responsibilities: This section provides examples of client responsibilities for securing the resources in AWS.

Whereas some organizations are hesitant to move to the cloud due to sometimes false fears that their security will suffer, other organizations embrace the opportunities for greatly enhanced security. One major reason this is a reality is the existence of the AWS Shared Responsibility model. This model helps us fully understand the security environment when we operate in AWS. This chapter makes this subject simple and provides excellent examples of the various parts of the model.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess if you should read the entire chapter. Table 5-1 lists the major headings in this chapter and the “Do I Know This Already?” quiz questions covering the material in those headings so you can assess your knowledge of these specific areas. The answers to the “Do I Know This Already?” quiz appear in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

Table 5-1 “Do I Know This Already?” Foundation Topics […] Question Mapping

Foundation Topics Section | Questions
Understanding the Shared Responsibility Model | 1-3
Amazon Responsibilities | 4
Client Responsibilities | 5

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment.
Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. The AWS Shared Responsibility model divides security responsibilities between which two parties?
   a. The AWS customer
   b. The AWS partner
   c. The community cloud vendor
   d. AWS

2. Client responsibilities will vary in the Shared Responsibility model based on what major factor?
   a. The number of AWS employees in the region used b[…]
   b. The amount of customer data intended for cloud storage
   c. Which services the customer chooses to use of AWS
   d. How much money the customer is willing to spend on support

3. Which is not a common category of IT security controls in the AWS Shared Responsibility model?
   a. Inherited
   b. Deferred
   c. Customer specific
   d. Shared

4. Which of the following is not an example of an Amazon responsibility in the AWS Shared Responsibility model?
   a. Physical security of the data center
   b. Cloud software
   c. Edge locations
   d. IAM policies

5. Which of the following is not an example of a client responsibility in the AWS Shared Responsibility model?
   a. Data integrity authentication
   b. Guest operating system
   c. Virtualization software on the host
   d. Customer data

Foundation Topics

Understanding the Shared Responsibility Model

The AWS Shared Responsibility model is very simple. It divides the security responsibilities between two parties—the AWS customer (you!) and Amazon (AWS). The fact that you are no longer responsible for a massive portion of the security required for scalable data centers is a huge advantage. You can leverage the massive budgets of Amazon and their intense expertise.

The next two sections of this chapter provide examples of responsibilities in each part of the model.
But for now, realize that the Amazon responsibilities include the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. It is your (the customer’s) responsibility to secure the guest operating system (including updates and security patches), application software, and the AWS network security group firewall. Be aware that the client responsibilities will vary depending on which services the client chooses to use. The client responsibilities further vary based on the level of integration of AWS services consumed and their IT infrastructure. Laws and regulations that must be followed will also vary.

As shown in Figure 5-1, AWS's responsibility is considered “security of the cloud” and the customer's responsibility is considered “security in the cloud.”

Figure 5-1 The AWS Shared Responsibility Model

In addition to partitioning the operational security concerns between the AWS client and AWS themselves, the Shared Responsibility model also applies to IT controls that are in use. Amazon categorizes these controls into three categories:

* Inherited controls: These are security controls the customer fully inherits from AWS. Perfect examples are the physical and environmental security controls used by Amazon.
* Shared controls: These are controls that apply to both the infrastructure layer of Amazon and the customer responsibilities. Note that these shared controls apply to each domain in completely separate contexts or perspectives. AWS provides the requirements for the infrastructure, and then the client must provide their own […] implementation within their use of the services. A great example is Identity and Access Management (IAM). The IAM service m[…] meet regulatory compliance, and function as intended […] customer should create well-crafted policies.
* Customer-specific controls: These are security controls the customer is solely responsible for, and they vary based on the services the customer selects, of course. A great example would be when you apply specific patches to one of your operating systems on an EC2 instance.

Amazon Responsibilities

Remember, Amazon is considered responsible for security of the cloud. AWS is responsible for protecting the infrastructure that runs the services chosen. This includes the hardware and software required to power the AWS service as well as the networking and facilities used.

Specific Amazon responsibilities would include the following:

* Cloud software, including compute, storage, networking, and database software
* Hardware
* AWS Global Infrastructure, including regions, Availability Zones, and Edge Locations

Client Responsibilities

Remember, the client is considered responsible for security in the cloud. The specific services selected will cause variations in the client responsibilities. For example, if you are relying heavily on Simple Storage Service (S3) for storage, you will be responsible for knowledge and proper configuration of the security permissions for your resources. […] would be if the client chooses to use EC2 and run an o[…] Windows Server 2016. The client is required to keep t[…] updated and patched and is also responsible for the a[…] they require on this guest operating system.
The client is responsible for the appropriate security group configuration for the EC2 instance as well.

Specific examples of client responsibilities would include the following:

* Customer data
* Platform, applications, IAM
* Guest operating systems
* Network and firewall configurations
* Client-side data encryption
* Server-side encryption (file system and/or data)
* Networking traffic protection (encryption, integrity, and identity)

Figure 5-2 shows an example of a customer checking the security group settings that would apply to an EC2 instance. This is a perfect example of client responsibilities. AWS is responsible for making sure the security group functions as intended, but it is the client's responsibility to configure it correctly.

Figure 5-2 Checking the Security Group Settings for an EC2 Instance

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a few choices for exam preparation: the exercises here, Chapter 16, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 5-2 lists these key topics and the page numbers on which each is found.

Table 5-2 Key Topics for Chapter 5

Key Topic Element | Description | Page Number
Overview | The AWS Shared Responsibility model | 65
List | Examples of client responsibilities | […]
List | Examples of Amazon responsibilities | 67

Define Key Terms

Define the following key terms from this chapter and check your answers in the Glossary:

The AWS Shared Responsibility model
security of the cloud
security in the cloud

Q&A

The answers to these questions appear in Appendix A. For more practice with exam format questions, use the Pearson Test Prep Software Online.

1. What would be an example of IT security controls that a customer inherits from Amazon?
2. Provide at least three examples of client responsibilities under the AWS Shared Responsibility model.
3. Provide at least two examples of Amazon responsibilities under the AWS Shared Responsibility model.
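The security group check described under Client Responsibilities (Figure 5-2) can also be done against exported configuration. The following is an added example, not code from the book: it reads JSON in the shape returned by `aws ec2 describe-security-groups` and reports ingress rules that leave an administrative port reachable from any address. The group IDs, the sample rules, and the choice of SSH and RDP as the audited ports are assumptions made for the illustration.

```python
import ipaddress
import json

# Constructed sample, trimmed to the fields the audit reads (not real account data).
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-example-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-example-admin", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-example-legacy", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # assumption: ports this audit treats as administrative


def is_world_open(cidr):
    """True when the CIDR covers every address (prefix length 0), IPv4 or IPv6."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_rules(doc):
    """Return sorted (group_id, service, cidr) tuples for admin ports open to any source."""
    findings = set()
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                low, high = 0, 65535  # all traffic: the rule carries no port range
            elif proto == "tcp":
                low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            else:
                continue  # SSH and RDP are checked over TCP only
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                for port, service in ADMIN_PORTS.items():
                    if low <= port <= high:  # catches wide ranges, not only exact matches
                        findings.add((group["GroupId"], service, cidr))
    return sorted(findings)


if __name__ == "__main__":
    for finding in exposed_admin_rules(SAMPLE):
        print(*finding)
```

The rule that allows port 443 from anywhere is not reported, while the wide 0-1024 range and the all-traffic rule are, because both include an administrative port.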