CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Shared Responsibility Model

cloud Intermediate

Also Known As

shared responsibility cloud security model

TL;DR

The division of security responsibilities between the cloud provider and the customer — the provider secures the infrastructure; the customer secures what runs on it.

Explanation

AWS, GCP, and Azure all use a shared responsibility model. The provider secures: physical facilities, hardware, network infrastructure, and the managed service (e.g. RDS patches). The customer secures: OS patching (IaaS), application code, data encryption, IAM configuration, network security groups, and secrets management. The boundary shifts with the service type: IaaS gives you OS responsibility; PaaS removes it; SaaS removes almost everything. Most cloud breaches are caused by customer-side misconfigurations, not provider-side vulnerabilities.

Diagram 

flowchart TD
    subgraph AWS Responsibility
        PHYS[Physical security<br/>datacenters hardware]
        HYPERV[Hypervisor<br/>network infrastructure]
        MANAGED[Managed service internals<br/>RDS patching S3 durability]
    end
    subgraph Your Responsibility
        OS[OS patching<br/>EC2 instances]
        APP[Application security<br/>code vulnerabilities]
        DATA[Data encryption<br/>classification]
        IAM2[IAM permissions<br/>least privilege]
        NET[Security groups<br/>network ACLs]
    end
    LINE[Shared responsibility line<br/>shifts with service type] -.-> MANAGED & OS
style OS fill:#d29922,color:#fff
style IAM2 fill:#f85149,color:#fff
style DATA fill:#f85149,color:#fff
style LINE fill:#238636,color:#fff

Common Misconception

Using a managed cloud database means the cloud provider handles all database security — the provider handles patching and availability; you are responsible for access control, encryption, and what data you put in it.

Why It Matters

Misunderstanding the shared responsibility model causes teams to assume cloud services are secured by the provider — S3 bucket misconfigurations and open security groups are customer-side failures, not AWS failures.

Common Mistakes

  • Public S3 buckets containing sensitive data — bucket access control is the customer's responsibility.
  • Not patching EC2 instance OS — the provider manages the hypervisor; OS patching is your responsibility on IaaS.
  • Overly permissive IAM roles — least privilege is always the customer's responsibility.
  • Unencrypted data in managed databases — TDE may be available but enabling encryption is the customer's choice.

Code Examples

✗ Vulnerable 
# Customer-side misconfigurations — cloud provider's fault? No:
# 1. S3 bucket: Block Public Access = OFF → public data breach (customer)
# 2. Security group: 0.0.0.0/0 on port 22 → brute forced (customer)
# 3. RDS: no encryption at rest → compliance failure (customer)
# 4. IAM role: AdministratorAccess on EC2 → SSRF → full account takeover (customer)
✓ Fixed 
# Customer responsibilities checklist:
# ✅ S3: Block Public Access enabled on all buckets
# ✅ Security groups: minimal inbound rules, no 0.0.0.0/0 on SSH
# ✅ RDS: encryption at rest + in transit enabled
# ✅ IAM: least-privilege roles, MFA on root, no access keys for humans
# ✅ EC2: automated OS patching (AWS Systems Manager Patch Manager)
# ✅ Secrets: AWS Secrets Manager, not environment variables in userdata
Added 15 Mar 2026
Edited 22 Mar 2026
Views 27

Curated in Warsaw under one editorial standard. 1,444 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings W 0 pings T 0 pings F 2 pings S 0 pings S 2 pings M 1 ping T 0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 1 ping M 0 pings T 0 pings W 0 pings T 1 ping F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 2 pings F 0 pings S 0 pings S 1 ping M 0 pings T 1 ping W 0 pings T
Agents 0
No pings yet today
Amazonbot 7 Perplexity 7 Unknown AI 2 Ahrefs 2 SEMrush 2 Google 1
Also referenced
Infrastructure as Code (IaC) Tools 33 Defence in Depth 29 Cloud Computing Models 25 Principle of Least Privilege 23
How they use it
crawler 21
Related categories
general 1.4k cloud 417
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
AWS secures the cloud (hardware, AZs, managed services); you secure everything in the cloud — your code, your IAM policies, your S3 bucket permissions, your security groups
📦 Applies To
any web cli
🔗 Prerequisites
🔍 Detection Hints
S3 bucket publicly accessible; IAM user with AdministratorAccess for app; security groups with 0.0.0.0/0 on port 22; no MFA on root account
Auto-detectable: ✓ Yes aws-config scout-suite prowler securityhub
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: Medium ✗ Manual fix Fix: High Context: File
CWE-250
✓ schema.org compliant