• Home
  • Learn
  • Understanding the AWS Shared Responsibility Model

What is the AWS Shared Responsibility Model?

Find out what the customer’s responsibilities are when it comes to AWS cloud security and learn more about the Shared Responsibility Model.

Request demo
Understanding the AWS Shared Responsibility Model
Definition

Understanding the AWS Shared Responsibility Model

Cloud providers like AWS manage a significant portion of infrastructure security, but that does not mean customers are off the hook. The Amazon shared responsibility model defines exactly where provider responsibility ends and customer responsibility begins.

This article explains the main components of the shared responsibility model and offers a practical breakdown of how responsibility shifts depending on the type of AWS service in use.

Note: A lot of these concepts apply to other cloud service providers as well.

Key Elements

Key Elements of the AWS Shared Responsibility Model

The Amazon shared responsibility model separates responsibilities into two categories: security of the cloud and security in the cloud. AWS is responsible for the physical infrastructure, including data centers, servers, and networking. Customers manage what runs inside the cloud, including data, access controls, application settings, and encryption.

With infrastructure-as-a-service (IaaS) like Amazon EC2, customers handle the operating system, firewall settings, and software patching. In contrast, with serverless or managed services such as AWS Lambda or Amazon S3, AWS takes care of the platform and runtime while customers remain responsible for access permissions and data integrity.

To meet their part of the model, customers must have clear processes for managing configurations, applying patches, and securing identities. AWS may provide the infrastructure, but customers are accountable for securing what they build on top of it.

Understanding and Implementation

Significance of Understanding and Implementing the Model

Misunderstanding the shared responsibility model can lead to gaps in AWS security. When teams assume AWS handles more than it does, key tasks like access control or data encryption may be skipped, increasing the risk of exposure or compliance issues.

Assigning clear roles helps reduce confusion and missed steps. Security teams need to define who handles what across network, configuration, and application layers. That includes deciding who sets firewall policies, who manages patching, and who tracks system activity.

Best Practices for Assigning and Validating Shared Responsibilities

Best Practices for Assigning and Validating Shared Responsibilities

1. Inventory AWS services in use: Identify which services are used and categorize them by service type (IaaS, PaaS, SaaS), since responsibility shifts based on the model.

2. Map responsibilities clearly: Use AWS documentation to separate what AWS manages from what your teams need to handle.

3. Assign ownership by control: Document which team or person is responsible for each task, especially for customer-managed controls like encryption or access policies.

4. Automate configuration checks: Use tools such as AWS Config to monitor compliance with your internal security standards.

5. Audit permissions regularly: Review IAM policies to limit access based on job roles and remove unused credentials.

6. Architect for worst-case scenarios: Build with immutability, indelibility, and air gapping so that if a catastrophic event happens or bad actor gets in, the damage is minimized and there’s always a recovery point available.

Commvault enables this level of proactive isolation and immutability with:

 • Easily configurable data copies in isolated accounts with Air Gap Protect.
 • Air-gapped, cross-account backups by default with Commvault® Cloud Rewind and Clumio.

7. Test response processes: Run simulations to verify that detection and recovery actions work as expected and are assigned to the right teams.

Commvault can help automate the testing and validation of recovery processes with its industry-first Cleanroom™ Recovery solution or through the cross-region, cross-account recovery capabilities within Cloud Rewind and Clumio.

8. Update documentation regularly: As service usage changes, revise your shared responsibility model mappings to reflect current architecture and controls.

Distinctions from Traditional Security Models

Shared Responsibility Model Distinctions from Traditional Security Models

On-premises security models are fully owned and operated by the business. The organization manages everything, including the physical infrastructure, network, operating systems, and applications. All responsibility falls on internal teams, which makes roles and accountability clear.

The AWS shared responsibility model changes that dynamic. AWS handles the physical security and infrastructure, while customers keep control of configurations, data, and access. Some teams assume cloud providers cover all security needs, but that is not the case. Customers are still responsible for managing permissions, encrypting data, and maintaining compliance with internal and external policies.

Each layer of the technology stack introduces a different split between AWS and the customer. For example, AWS secures the hypervisor layer, but customers must configure IAM policies and monitor access. Application-layer controls, data classification, and logging are all customer tasks, regardless of the AWS service in use.

Security Model AspectTraditional On-Premises ModelAWS Shared Responsibility Model
Physical InfrastructureCustomer owns and secures hardwareAWS owns and secures data center facilities
Network SecurityCustomer manages all network layersAWS secures base network; customer configures VPCs and ACLs
Operating System PatchingFully managed by customerAWS handles patching in managed services; customer patches in IaaS
Application ConfigurationCustomer controls deployment and logicCustomer maintains full responsibility
Data EncryptionCustomer implements and manages keysCustomer manages encryption; AWS provides supporting tools
Identity and AccessCustomer sets and audits permissionsCustomer manages IAM policies and MFA
Monitoring and LoggingCustomer implements tools and alertingCustomer activates and manages AWS services like CloudTrail and GuardDuty
This table highlights how accountability shifts from a single owner to a shared model. Misunderstanding those shifts can lead to gaps in protection, especially in areas like access control and audit logging. Knowing which team owns which control helps reduce that risk.
Benefits

Benefits of the AWS Shared Responsibility Model

The shared responsibility model helps organizations distribute cloud security tasks based on control and capability. AWS covers the infrastructure, while customers manage what they deploy and configure within the environment. This division helps security teams focus on what they directly influence.

Scalability improves when AWS handles tasks like infrastructure patching and hardware maintenance. Customers then can spend more time on workload-specific security, such as access controls and data protection. This model also supports dynamic environments where services may shift quickly between development and production.

Compliance efforts benefit from clear responsibility lines. Regulatory frameworks like GDPR, HIPAA, and NIST CSF require that organizations show which party manages each control. The shared responsibility model helps map those obligations.

These benefits depend on following structured practices. Role assignments, configuration audits, and ownership tracking – covered earlier – support better outcomes across security, compliance, and operational recovery. This clarity helps reduce the risk of missed responsibilities and supports faster response when issues occur.

Organizations can see even greater benefits when leveraging integrated third-party solutions to help manage the areas where their responsibilities begin. For example, Commvault provides the following:

  • Simplified management: Commvault integrates broadly across AWS services – as well as other on-premises and cloud technologies – to automate policy-based protection from a single pane of glass.
  • Enhanced security: Commvault provides greater protection against ransomware and other cyberthreats with AI-forward threat scanning, as well as providing air-gapped, immutable, indelible backup copies for improved recoverability.
  • Lower TCO: In addition to the cost benefits of helping to mitigate risk and reduce the impact of potential threats, Commvault also helps organizations control data protection-related cloud costs by optimizing how the data is collected and stored. With Commvault, organizations can keep fewer full snapshots and store data deduplicated and compressed without compromising recovery point objectives, realizing significant cost savings.
Case Study

Case Study: Sony Strengthens Cyber Resilience Across AWS

Sony Group, the global entertainment and electronics giant, faced significant challenges in unifying cyber resilience across its complex multi-cloud environment. With extensive AWS and Azure deployments, its Data Center Services team needed a solution that could bridge its on-premises, cloud, and SaaS workloads while meeting strict security requirements.

“Our strategy is to connect globally from our data centers to our cloud solution,” explains Cassandra Cinar, senior director of Data Center Services at Sony. “To achieve that, we need a unified platform for recovery across cloud, on-premises, and software-as-a-service workloads.”
Sony’s security requirements were particularly demanding. The company needed a solution that could protect data across virtually all AWS users globally while supporting the company’s diverse multi-architecture environment. Additionally, the solution needed to help Sony comply with internal financial systems as well as SOC and GDPR requirements.

After evaluating multiple options, Sony standardized on Commvault Cloud for its comprehensive cyber resilience capabilities. The implementation now covers 5,000 endpoints across multiple data centers, regions, and cloud providers, including its extensive AWS footprint.

The results have been substantial. Sony reduced hardware and media storage and backup costs by approximately 80% through encryption, compression, and the transition to disk-based and cloud storage in AWS and Azure. The company also improved its recovery point objectives and gained the ability to recognize threats sooner, recover faster, and reduce downtime.

“The key differences among security solutions lie in their deployment and recovery capabilities,” Cinar said. “Commvault’s robust and comprehensive infrastructure satisfies all our needs for recovery, service-level agreements, and crucial functionalities like threat detection and other security features.”

Sony’s experience demonstrates how organizations can successfully navigate the AWS shared responsibility model by implementing a unified approach to data protection and security across hybrid environments. Their partnership with Commvault and Accenture allowed them to establish consistent protection policies across their entire AWS infrastructure while maintaining compliance with both internal and external requirements.

Commvault’s Role

Commvault’s Role in Managing Shared Responsibilities

Commvault helps address customer responsibilities under the AWS shared responsibility model by providing enterprise-grade tools for data protection, recovery, and compliance. Its platform supports hybrid and multi-cloud environments, so organizations can manage their data consistently across AWS and other infrastructure.

Commvault extends the responsibility of securing and protecting data in the cloud to mission-critical data center workloads through air-gapped, immutable backups stored within an isolated tenant in Amazon S3.

This enables organizations to provide this added layer of recoverability across the broadest ecosystem, including infrastructure and applications like SAP, Oracle, Microsoft SQL Server, Active Directory, Epic Systems, VMware, and ServiceNow, among others. Commvault protects these workloads, backing them up into AWS and providing additional layers of security and resilience to align with the shared responsibility model.

Simplifying with built-in automation, Commvault reduces manual steps in backup and recovery, helping teams respond faster and with fewer errors. Centralized visibility across workloads gives IT and security teams the ability to monitor data activity, verify controls, and stay aligned with industry regulations.

Commvault also enables organizations to provide faster recoveries at lower cost for emerging native workloads like Amazon S3 and Amazon DynamoDB with their Clumio solution, optimizing protection and making this critical protection more accessible. Organizations leveraging Clumio can meet their shared responsibility for protecting data within native AWS services with a simple, turnkey solution optimized for cost and efficiency.

Understanding the AWS shared responsibility model is critical for protecting your data and applications in the cloud. When you know exactly which security controls fall under your responsibility, you can build stronger defenses and respond faster to threats.
Commvault can help organizations close security gaps and strengthen their data protection strategy in AWS, so let us show you how our platform can support your cloud security goals by requesting a demo.

related resources

Explore related resources

View all resources

video

Cloud Security: Understanding your role in the shared responsibility model

Learn about your responsibility in protecting your SaaS application data from threats.
stakes, errors and cyberattacks.

Watch now

solution brief

Cyber Resilience for Applications, Databases and Data Lakes on AWS

Gain confidence that your organization can quickly recover critical AWS data and maintain a state of continuous business, even in the face of operational mi

Read more

1-Pager

Simple Data Protection and Resilience for AWS

Designed to secure petabytes of AWS data at scale, Clumio offers unparalleled cyber resilience to help keep your data safe and ready for rapid recovery.

Read more