Certified - AWS Certified Cloud Practitioner

The shared responsibility model is one of the most important concepts in AWS, but it is not just a theoretical idea—it has direct, daily implications for how organizations use the cloud. Understanding it helps teams know where AWS’s role ends and where their own duties begin. This clarity prevents gaps in security and compliance. For the AWS Certified Cloud Practitioner exam, you will not only need to define the shared responsibility model but also recognize how it applies in real-world situations. In practice, this model guides decision-making across operations, security, and governance.
At the core of the model is the distinction between security “of” the cloud and security “in” the cloud. AWS is responsible for security of the cloud, meaning the physical data centers, the network, and the hardware that run services. Customers are responsible for security in the cloud, which covers how they configure services, manage data, and control user access. Think of it as AWS securing the building while customers secure what they place inside it. For exam preparation, always remember this simple but powerful distinction—it frames every other responsibility.
One of the clearest customer responsibilities is encryption. AWS provides the tools for encryption at rest and in transit, but it is up to customers to enable and manage them. For example, an S3 bucket can be encrypted automatically, but if a company chooses not to activate the option, AWS cannot force it. Customers must decide which data is sensitive and which keys are used to protect it. This responsibility is critical because encryption errors are one of the most common causes of data exposure in the cloud.
Identity and Access Management, or IAM, is another customer responsibility. IAM defines who can log in, what they can access, and what actions they can take. While AWS provides IAM as a service, customers must configure it properly. This includes creating users, setting strong password policies, and applying least privilege principles. For example, developers should not have access to billing data, and finance teams should not have permission to launch servers. Mismanaging IAM is a customer error, not an AWS failure, which makes it a critical area of responsibility in the model.
AWS handles the infrastructure layer—physical security, hardware maintenance, and the foundational networking that connects Regions and Availability Zones. Customers do not need to worry about whether data centers are locked, guarded, or powered properly. AWS invests heavily in securing this layer, offering certifications and audit reports to prove it meets global standards. For exam purposes, remember that physical and infrastructure security are always AWS’s responsibility, no matter what service model is being used. Customers never have to manage these elements themselves.
Data protection is a shared responsibility that highlights the partnership between AWS and its customers. AWS ensures data is replicated across facilities for durability, but customers must classify their own data, apply access controls, and determine retention policies. For instance, AWS makes sure S3 is highly durable, but it cannot decide whether a file should be public or private. Customers are accountable for setting those permissions. The exam may present scenarios where this distinction matters, such as who is responsible for preventing accidental data exposure.
Logging and monitoring practices are also shared. AWS provides tools like CloudWatch, CloudTrail, and Config to give customers visibility into their environments. However, it is the customer’s responsibility to enable these services, review the results, and take action. Simply having logs is not enough; someone must analyze them. For example, AWS can record an event where a storage bucket’s permissions were changed, but only the customer can determine if that change was appropriate and respond if it wasn’t. The shared responsibility lies in AWS providing the data and customers acting on it.
Patching responsibilities are divided depending on the service model. In Infrastructure as a Service, such as EC2, AWS patches the underlying hardware and virtualization layers, but customers must patch their operating systems and applications. In Platform as a Service, such as RDS, AWS manages more layers, including database software, while customers configure security and manage data. In Software as a Service, AWS handles nearly everything, but customers still manage access and data. For the exam, remember that patching is a shared task, shifting depending on which service type is being used.
Compliance audits in practice also reflect shared responsibility. AWS provides certifications and documentation to prove that its infrastructure meets industry standards like HIPAA or PCI DSS. Customers, however, must ensure their applications and processes also comply. For example, AWS can show that its facilities are secure, but a healthcare company must still ensure patient records are stored and accessed according to legal requirements. This division is often tested on the exam, as it highlights the boundaries between AWS responsibilities and customer obligations.
Responsibilities also vary across service types, reinforcing the shared nature of the model. In Infrastructure as a Service, customers control more and must manage more. In Platform as a Service, AWS takes on additional duties, reducing the customer’s workload. In Software as a Service, AWS covers almost everything, leaving customers responsible mainly for user access and data. This variation means customers must always understand which type of service they are using and what responsibilities come with it. The exam may ask which responsibilities remain constant across all models, such as customer control of data.
Examples of SaaS, PaaS, and IaaS illustrate these variations clearly. In IaaS with EC2, customers install and update operating systems. In PaaS with RDS, AWS maintains the database engine while customers manage users and queries. In SaaS with services like WorkMail, AWS provides the entire application, and customers only manage user accounts and data. Recognizing these differences is essential, both for exam questions and for real-world operations, because mistakes often occur when customers assume AWS is handling something that actually belongs to them.
For teams, clarity around the shared responsibility model is essential. Misunderstandings can lead to gaps in security or compliance, often resulting in costly breaches or fines. Teams must know exactly where their duties begin and end, and organizations should document and communicate these roles clearly. AWS provides guidance, but each company must translate the model into policies and procedures that fit its environment. The exam emphasizes this clarity because it is the foundation of safe and effective cloud usage.
Finally, connecting these practices back to the exam is important. Questions may describe scenarios where you must decide who is responsible for encryption, logging, patching, or compliance. Recognizing the practical application of the model ensures you answer correctly. In the real world, it ensures you avoid costly mistakes by assigning tasks to the right party. The shared responsibility model is not just about theory—it is about building clear, accountable practices that protect data and maintain trust in the AWS cloud.
For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
Best practices for dividing tasks within the shared responsibility model begin with creating clear boundaries. Organizations should write down which tasks belong to AWS and which tasks they own. For example, AWS is responsible for securing the physical servers, but the customer must configure firewall rules and encryption settings. Having this documented prevents misunderstandings across teams. In practice, many organizations even maintain checklists or runbooks that specify who does what. For the exam, remember that the most important practice is clarity—knowing exactly where the line between AWS and customer responsibility is drawn.
Encryption key management is one of the most sensitive areas customers must handle. AWS provides the Key Management Service, or KMS, which helps create and store encryption keys securely. However, customers decide who has permission to use those keys, how often they are rotated, and when they should be retired. Mismanaging keys can expose sensitive data even if it is encrypted. A common best practice is to apply least privilege policies for key access and to enable key rotation. For exam purposes, remember that AWS provides the service, but customers are responsible for managing key usage policies.
Backups are another customer responsibility, though AWS provides tools to make them easier. Services like RDS automatically support backups, but customers must configure retention policies and test recovery processes. S3 provides durability for stored data, but customers must decide when to use versioning or lifecycle policies. Backup responsibility also includes ensuring backups comply with legal requirements, such as retaining data for specific periods. For the exam, know that AWS ensures durability of storage systems, but customers must define backup strategies that meet their business and compliance needs.
Real-world misconfigurations highlight why understanding the model is so important. Many data breaches reported in the news are not due to AWS infrastructure failures but because customers left S3 buckets public, used overly broad IAM permissions, or failed to enable encryption. These errors show how customer responsibilities, if neglected, create vulnerabilities. AWS cannot prevent these missteps because they occur at the customer’s configuration level. The exam may present scenarios like this, testing whether you recognize that the responsibility lies with the customer, not AWS.
Governance frameworks support the shared responsibility model by providing structure. Frameworks like NIST or ISO can be mapped to AWS services, ensuring both AWS and customers meet their obligations. For example, AWS may provide compliance certifications for infrastructure, while the customer applies IAM policies to satisfy the access control requirements of the framework. Governance frameworks act as roadmaps, aligning security practices with both shared responsibility and industry standards. For exam preparation, remember that governance helps enforce shared tasks consistently across an organization.
Documentation of shared tasks is a critical practice. By writing down who owns what, organizations avoid confusion and ensure accountability. For instance, a team might document that AWS handles hardware patching, while the customer’s IT department handles operating system patching. Documentation also supports audits, providing evidence that responsibilities are understood and fulfilled. Without documentation, roles may be assumed but not enforced, creating risk. The exam may highlight documentation as a best practice for applying the shared responsibility model effectively.
Training employees on the shared responsibility model ensures everyone knows their role. Security and compliance are not the job of one person but of the entire organization. Training helps developers understand how to configure IAM roles, helps finance teams recognize the importance of tagging for cost allocation, and helps executives appreciate the need for compliance reviews. Education turns the model into daily practice instead of abstract theory. For the exam, remember that awareness and training are key to applying the shared responsibility model consistently.
Incident response is another area where responsibilities are divided. AWS is responsible for responding to infrastructure failures, such as power outages or hardware malfunctions. Customers, however, must respond to incidents within their applications or data, such as a compromised IAM user account or a misconfigured firewall. This means organizations must have their own incident response plans, integrated with AWS tools like CloudTrail and GuardDuty. For exam purposes, know that AWS ensures the infrastructure remains secure, but customers must respond to incidents that occur in their own workloads.
Infrastructure failures fall under AWS’s responsibility. If a disk in a data center fails, AWS replaces it and ensures redundancy protects customer data. Customers don’t see these details—they simply trust AWS to handle them. This reliability is one of the main reasons businesses adopt the cloud. The exam may test whether you know which tasks AWS owns by default, such as maintaining hardware and networking equipment. Customers never need to manage these layers themselves.
Security automation helps customers manage their share of the model more effectively. Services like AWS Config, Trusted Advisor, and Security Hub can automatically identify misconfigurations, while Lambda functions can fix issues in real time. For example, if a storage bucket becomes public accidentally, automation can detect and correct it immediately. Automation reduces human error and enforces best practices at scale. For the exam, remember that AWS provides the tools, but customers must implement automation to secure their environments.
Continuous improvement is a theme throughout the shared responsibility model. Customers should regularly review their configurations, update IAM policies, rotate encryption keys, and audit logs. AWS continues to add features and services, so customers must evolve their practices as well. This ongoing effort ensures environments remain secure, compliant, and efficient over time. On the exam, continuous improvement will often be connected to both governance and operational excellence, showing that security is never a one-time project.
From an exam perspective, practical application of the shared responsibility model is a common theme. Expect scenario-based questions asking who is responsible for patching, encryption, or compliance tasks in specific services. These questions test whether you can apply the model, not just recite definitions. By studying real-world applications, you’ll be able to answer confidently and recognize the model’s importance beyond theory.
At its core, the shared responsibility model is a cornerstone of cloud computing. It defines how AWS and its customers work together to keep systems safe, reliable, and compliant. AWS secures the infrastructure, but customers must secure their configurations, data, and access. When both sides fulfill their roles, the cloud becomes a powerful, trusted platform. For exam success, and for real-world practice, mastering the shared responsibility model ensures you can adopt AWS confidently while avoiding the missteps that lead to breaches or compliance failures.
As we close this episode, remember that applying the shared responsibility model effectively prevents costly mistakes. Clear boundaries, strong encryption, careful IAM management, and proactive monitoring all ensure customer responsibilities are met. AWS provides the secure foundation, but it is the customer’s job to build safely upon it. For the exam, understanding these practical applications is essential. For real-world adoption, this clarity builds trust and makes the shared responsibility model not just a concept but a daily practice of cloud success.