AWS Service Agreement and Shared Responsibility Model

In addition to the division of responsibilities for security, there is a division of responsibilities for controls. AWS is responsible for the physical and environmental controls of its data centers; the customer is responsible for the controls within the services it consumes and for how it communicates with them (for example, IAM policies, network configuration and encryption in transit). Some controls are inherited from AWS, some are owned by the customer, and some are shared. One of the most common AWS services at the infrastructure (IaaS) level of abstraction is Amazon Elastic Compute Cloud (Amazon EC2). At the far end of that scale are bare metal instances, where organizations run EC2 instances directly on AWS hardware rather than on a hypervisor. As AWS describes them, bare metal instances are valuable to customers who "want to access physical resources for applications that take advantage of low-level hardware features that are not always available or fully supported in virtualized environments, as well as for applications intended to run directly on the hardware."

The shared responsibility model shifts, however, as containers and managed services move more of the operating model to the provider. Moving from data centers and IaaS toward PaaS and SaaS, the provider's share of responsibility increases: the customer has fewer responsibilities in the cloud, but also less control over and visibility into the underlying layers. Note how the ability to operate in each model differs in the illustrations that follow.

As your share of responsibility changes, so do your incident response and forensics options: what you can log, snapshot or image depends on which layers you still control. When planning incident response, account for the skills your operating model requires and for the interactions with AWS (support cases, log access, evidence collection) you will need before an incident occurs. Understanding these trade-offs and aligning them with your governance requirements is an essential step in incident response planning.

Does the AWS shared responsibility model change under the GDPR? The short answer is no. AWS is responsible for securing the underlying infrastructure that supports the cloud and the services it provides, while AWS customers and APN partners, acting as data controllers or data processors, are responsible for all personal data they place in the cloud. The shared responsibility model describes the respective responsibilities of AWS and its customers and APN partners, and the same separation of responsibilities applies under the GDPR.

Confusion about where the boundary lies is common, partly because many explanations of shared responsibility in the cloud focus solely on the AWS security model for EC2. When customers use other AWS services, the division of responsibilities changes, and it is easy to misjudge where the level of abstraction sits. Cloud service providers today offer many services with varying degrees of abstraction that offload responsibility from the consumer. There are three main levels of abstraction, also known as the three main categories of cloud services: IaaS, PaaS and SaaS. Most cloud consumers use a combination of IaaS, PaaS and SaaS services alongside on-premises or hybrid solutions, so it is important to know the division of responsibilities for each type of service.

To help customers implement the privacy principles of the GDPR on its infrastructure, AWS recommends protecting AWS account credentials and configuring individual users with AWS Identity and Access Management (IAM) so that each user receives only the permissions necessary to perform their business tasks. AWS also recommends enabling multi-factor authentication (MFA) for each account, using TLS to communicate with AWS resources, configuring API and user activity logging with AWS CloudTrail, and using AWS encryption options together with the security controls built into each AWS service. Managed security services such as Amazon Macie can help discover and protect personal data stored in Amazon S3. It is also essential to build an incident response and forensics runbook that fits your operating model; success depends on understanding which tools you need to build or buy for the operating model you choose.
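The recommendations above (least-privilege permissions, MFA, TLS-only access) all end up expressed in IAM policy documents, and an easy way to check that a policy actually enforces them is to lint it before deployment. The following is an added example, not code from the original page or from AWS: a small Python checker that reads an IAM policy document and flags Allow statements with wildcard actions or resources, Allow statements not conditioned on the aws:MultiFactorAuthPresent key, and the absence of a Deny for requests made without TLS (aws:SecureTransport = false). Both policy documents below are constructed for illustration; the bucket name example-app-data and the statement IDs are assumptions.

```python
import json

# Constructed sample policies (not from the page). The first grants everything,
# the second grants read access to one bucket, requires MFA, and denies plaintext.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DoAnything", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneBucketWithMfa",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "DenyPlaintextTransport",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_bool_condition(stmt, key, expected):
    """True if the statement has a Bool/BoolIfExists condition `key` == `expected`."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            continue
        if any(str(v).lower() == expected for v in _as_list(pairs.get(key))):
            return True
    return False


def audit_policy(policy):
    """Return a list of human-readable findings for a parsed IAM policy document."""
    findings = []
    tls_denied = False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if stmt.get("Effect") == "Allow":
            # "*" or "service:*" grants far more than any single business task needs.
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{sid}: Allow with wildcard action {actions}")
            if "*" in resources:
                findings.append(f'{sid}: Allow on all resources (Resource: "*")')
            if not _has_bool_condition(stmt, "aws:MultiFactorAuthPresent", "true"):
                findings.append(f"{sid}: Allow not conditioned on aws:MultiFactorAuthPresent")
        elif stmt.get("Effect") == "Deny" and _has_bool_condition(stmt, "aws:SecureTransport", "false"):
            tls_denied = True
    if not tls_denied:
        findings.append("policy: no Deny for aws:SecureTransport=false (plaintext requests allowed)")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {len(audit_policy(doc))} finding(s)")
        for f in audit_policy(doc):
            print("  -", f)
```

Run against the two constructed documents, the weak policy produces four findings and the hardened one none. The MFA check is deliberately strict (every Allow must carry the condition); for service roles, where no human is present to satisfy MFA, you would exempt the principal type rather than relax the check globally.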