{
    "slug": "cloud_security_shared_model",
    "term": "Shared Responsibility Model",
    "category": "cloud",
    "difficulty": "intermediate",
    "short": "The division of security responsibilities between the cloud provider and the customer — the provider secures the infrastructure; the customer secures what runs on it.",
    "long": "AWS, GCP, and Azure all publish a shared responsibility model; AWS phrases it as security of the cloud (provider) versus security in the cloud (customer). The provider secures: physical facilities, hardware, the hypervisor, the network backbone, and the managed service itself (e.g. RDS engine patches and failover). The customer secures: OS patching (IaaS), application code, data classification and encryption settings, IAM configuration, network exposure (security groups, public-access settings), and secrets management. The boundary shifts with the service type: IaaS gives you the OS and everything above it; PaaS removes the OS and runtime but leaves you the data, the identities, and the service configuration; SaaS leaves you identity, access, and whatever data you put in, which never become the provider's problem. Many controls are shared at every level: the provider supplies the mechanism (encryption options, access-control features, audit logging) and the customer has to turn it on and configure it correctly. Most publicized cloud breaches trace to customer-side misconfiguration (public storage, over-permissive IAM, leaked credentials) rather than to vulnerabilities in the provider's infrastructure.",
    "aliases": [
        "shared responsibility",
        "cloud security model"
    ],
    "tags": [
        "cloud",
        "security",
        "compliance"
    ],
    "misconception": "Using a managed cloud database means the cloud provider handles all database security. In reality the provider handles engine patching, the underlying hosts, and availability; you are responsible for network exposure, authentication and access control, enabling encryption, backup retention, and what data you put in it.",
    "why_it_matters": "Misunderstanding the shared responsibility model causes teams to assume cloud services are secured by the provider — S3 bucket misconfigurations and open security groups are customer-side failures, not AWS failures.",
    "common_mistakes": [
        "Public S3 buckets containing sensitive data — bucket access control (bucket policies, ACLs, Block Public Access) is the customer's responsibility.",
        "Not patching EC2 instance OS — the provider patches the hypervisor and host; OS and application patching is your responsibility on IaaS.",
        "Overly permissive IAM roles — least privilege is the customer's responsibility on every service model, including SaaS.",
        "Unencrypted data in managed databases — encryption at rest is offered but off unless you enable it, and on RDS it can only be set when the instance is created (an existing unencrypted instance has to be restored from an encrypted snapshot copy)."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "principle_of_least_privilege",
        "cloud_computing_models",
        "infrastructure_as_code_tools",
        "defence_in_depth"
    ],
    "prerequisites": [
        "aws_fundamentals",
        "principle_of_least_privilege",
        "security_misconfiguration"
    ],
    "refs": [
        "https://aws.amazon.com/compliance/shared-responsibility-model/"
    ],
    "bad_code": "# Customer-side misconfigurations — cloud provider's fault? No:\n# 1. S3 bucket: Block Public Access = OFF → public data breach (customer)\n# 2. Security group: 0.0.0.0/0 on port 22 → brute forced (customer)\n# 3. RDS: no encryption at rest, chosen at instance creation → compliance failure (customer)\n# 4. IAM role: AdministratorAccess on EC2 + IMDSv1 still allowed → SSRF reads the role's credentials → full account takeover (customer)",
    "good_code": "# Customer responsibilities checklist:\n# ✅ S3: Block Public Access enabled on all buckets (account-level setting as well)\n# ✅ Security groups: minimal inbound rules, no 0.0.0.0/0 on SSH or RDP\n# ✅ RDS: encryption at rest enabled at creation + TLS required in transit\n# ✅ IAM: least-privilege roles, MFA on root, no long-lived access keys for humans\n# ✅ EC2: automated OS patching (AWS Systems Manager Patch Manager)\n# ✅ EC2: IMDSv2 required (HttpTokens=required) so SSRF cannot read role credentials\n# ✅ Secrets: AWS Secrets Manager, not environment variables in userdata\n# ✅ Logging: CloudTrail trail in all regions; the provider emits the events, you must keep and review them",
    "quick_fix": "AWS secures the cloud (facilities, hardware, hypervisor, AZs, the managed service itself); you secure what is in the cloud: your code, your data, your IAM policies, your S3 bucket permissions, your security groups, and your secrets. Managed services shrink your list but never remove data and access control from it.",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/cloud_security_shared_model",
        "html_url": "https://codeclaritylab.com/glossary/cloud_security_shared_model",
        "json_url": "https://codeclaritylab.com/glossary/cloud_security_shared_model.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Shared Responsibility Model](https://codeclaritylab.com/glossary/cloud_security_shared_model) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/cloud_security_shared_model"
            }
        }
    }
}