CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Shared Responsibility Model

Cloud Intermediate
debt(d5/e5/b7/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints.tools list includes aws-config, scout-suite, prowler, and securityhub — all specialist cloud security scanning tools. Common misconfigurations like public S3 buckets, open security groups, and missing MFA are detectable by these tools but not by a standard linter or compiler. The issues are silent in production until a scan runs or a breach occurs, but the tooling does exist to catch them.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix is conceptually a one-liner ('AWS secures the cloud; you secure everything in the cloud'), but the common_mistakes reveal that remediation spans multiple domains: IAM policy rewrites, S3 bucket policy changes, OS patching processes, and database encryption enablement. Each fix is individually modest, but collectively they touch many parts of the infrastructure configuration, making the remediation effort a multi-file/multi-resource exercise.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7). The applies_to covers both web and cli contexts, and the tags (cloud, security, compliance) indicate this is a foundational security posture choice. Every future infrastructure change — new S3 bucket, new EC2 instance, new RDS instance, new IAM role — must be evaluated against the shared responsibility model. It shapes all cloud configuration decisions and imposes a persistent security review overhead on every deployment.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field directly captures the trap: developers assume that using a managed cloud service (e.g., RDS, S3) means the provider handles all security. This contradicts the reasonable mental model that 'managed' implies 'secured for me.' The trap is serious because it contradicts how similar concepts (fully managed SaaS, on-premises managed services) work, and the 'obvious' assumption — that AWS manages a managed database fully — is dangerously wrong in a security context.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-06 · reviewed by human

Also Known As

shared responsibility cloud security model

TL;DR

The division of security responsibilities between the cloud provider and the customer — the provider secures the infrastructure; the customer secures what runs on it.

Explanation

AWS, GCP, and Azure all use a shared responsibility model. The provider secures: physical facilities, hardware, network infrastructure, and the managed service (e.g. RDS patches). The customer secures: OS patching (IaaS), application code, data encryption, IAM configuration, network security groups, and secrets management. The boundary shifts with the service type: IaaS gives you OS responsibility; PaaS removes it; SaaS removes almost everything. Most cloud breaches are caused by customer-side misconfigurations, not provider-side vulnerabilities.

Diagram 

flowchart TD
    subgraph AWS Responsibility
        PHYS[Physical security<br/>datacenters hardware]
        HYPERV[Hypervisor<br/>network infrastructure]
        MANAGED[Managed service internals<br/>RDS patching S3 durability]
    end
    subgraph Your Responsibility
        OS[OS patching<br/>EC2 instances]
        APP[Application security<br/>code vulnerabilities]
        DATA[Data encryption<br/>classification]
        IAM2[IAM permissions<br/>least privilege]
        NET[Security groups<br/>network ACLs]
    end
    LINE[Shared responsibility line<br/>shifts with service type] -.-> MANAGED & OS
style OS fill:#d29922,color:#fff
style IAM2 fill:#f85149,color:#fff
style DATA fill:#f85149,color:#fff
style LINE fill:#238636,color:#fff

Common Misconception

Using a managed cloud database means the cloud provider handles all database security — the provider handles patching and availability; you are responsible for access control, encryption, and what data you put in it.

Why It Matters

Misunderstanding the shared responsibility model causes teams to assume cloud services are secured by the provider — S3 bucket misconfigurations and open security groups are customer-side failures, not AWS failures.

Common Mistakes

  • Public S3 buckets containing sensitive data — bucket access control is the customer's responsibility.
  • Not patching EC2 instance OS — the provider manages the hypervisor; OS patching is your responsibility on IaaS.
  • Overly permissive IAM roles — least privilege is always the customer's responsibility.
  • Unencrypted data in managed databases — TDE may be available but enabling encryption is the customer's choice.

Code Examples

✗ Vulnerable 
# Customer-side misconfigurations — cloud provider's fault? No:
# 1. S3 bucket: Block Public Access = OFF → public data breach (customer)
# 2. Security group: 0.0.0.0/0 on port 22 → brute forced (customer)
# 3. RDS: no encryption at rest → compliance failure (customer)
# 4. IAM role: AdministratorAccess on EC2 → SSRF → full account takeover (customer)
✓ Fixed 
# Customer responsibilities checklist:
# ✅ S3: Block Public Access enabled on all buckets
# ✅ Security groups: minimal inbound rules, no 0.0.0.0/0 on SSH
# ✅ RDS: encryption at rest + in transit enabled
# ✅ IAM: least-privilege roles, MFA on root, no access keys for humans
# ✅ EC2: automated OS patching (AWS Systems Manager Patch Manager)
# ✅ Secrets: AWS Secrets Manager, not environment variables in userdata
Added 15 Mar 2026
Edited 22 Mar 2026
Views 48

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 1 ping W 0 pings T 2 pings F 0 pings S 0 pings S 1 ping M 1 ping T 0 pings W 0 pings T 1 ping F 0 pings S 0 pings S 1 ping M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 1 ping S 1 ping M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Amazonbot 8 Perplexity 7 Scrapy 5 Ahrefs 4 SEMrush 4 Unknown AI 2 Google 2 Claude 2 ChatGPT 2 Bing 1 Meta AI 1 PetalBot 1
Also referenced
Defence in Depth 64 Infrastructure as Code (IaC) Tools 59 Principle of Least Privilege 54 Cloud Computing Models 52
How they use it
crawler 36 crawler_json 3
Related categories
general 3k cloud 884
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
AWS secures the cloud (hardware, AZs, managed services); you secure everything in the cloud — your code, your IAM policies, your S3 bucket permissions, your security groups
📦 Applies To
any web cli
🔗 Prerequisites
🔍 Detection Hints
S3 bucket publicly accessible; IAM user with AdministratorAccess for app; security groups with 0.0.0.0/0 on port 22; no MFA on root account
Auto-detectable: ✓ Yes aws-config scout-suite prowler securityhub
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: Medium ✗ Manual fix Fix: High Context: File
CWE-250
✓ schema.org compliant