The Shared Responsibility Model

By Pritesh Yadav

In AWS, security is shared: AWS secures the cloud itself (the hardware, the buildings, the network, the host software that runs managed services), while you secure what you put in the cloud (your data, your access controls, your configurations). The exact split shifts depending on the service: with a raw server like EC2 you handle far more than with a fully managed service like S3 or Lambda. The single rule that never changes is that your data and who can access it are always your responsibility.

Most commonly confused points: security OF the cloud (AWS) vs. security IN the cloud (you); guest OS patching is yours on EC2 but AWS's on RDS and Lambda; AWS does not encrypt everything for you by default, so you choose to enable encryption and you manage data classification; security groups, IAM, and bucket access are always the customer's job.

Q1 A company runs its application on Amazon EC2 instances. A new security flaw is found in the Linux operating system running inside those instances. Who is responsible for applying the patch?

  A. AWS, because AWS owns all the underlying servers
  B. The customer, because the guest operating system on EC2 is their responsibility
  C. AWS, because operating system patches are always handled by the provider
  D. It is automatically patched by AWS Systems Manager with no owner
Answer: B
Why B is correct: EC2 is an Infrastructure-as-a-Service offering. AWS secures the physical host and hypervisor, but the customer controls and therefore patches the guest operating system (the OS running inside the instance) and any software on it.
Why the other options are wrong:
  • A — Owning the physical servers does not make AWS responsible for the customer's guest OS; that line is drawn at the hypervisor.
  • C — The provider patches the OS only for managed services, not for EC2 instances you control.
  • D — Systems Manager can help automate patching, but it is a tool the customer chooses to use; responsibility still sits with the customer.
Common trap: Candidates assume "AWS owns the hardware, so AWS patches everything." On EC2 the OS is inside the customer's responsibility zone — the opposite of RDS.

Q2 A team migrates a self-managed database from EC2 to Amazon RDS. Which patching responsibility changes as a result of this move?

  A. The customer now must patch the underlying database host operating system
  B. Nothing changes; patching responsibility is identical for EC2 and RDS
  C. AWS now becomes responsible for the data stored inside the database
  D. AWS now takes over patching the database engine and underlying operating system
Answer: D
Why D is correct: RDS is a managed service. AWS handles the operating system and database engine patching (within maintenance windows you can schedule), which were the customer's job when the database ran on EC2.
Why the other options are wrong:
  • A — This is backwards; moving to RDS removes OS patching from the customer, it does not add it.
  • B — Patching responsibility is a major difference between self-managed EC2 and managed RDS.
  • C — The data inside the database is always the customer's responsibility, no matter how managed the service is.
Common trap: People think "managed service" means AWS now owns the data too. AWS takes over the engine and OS, but never the data itself.

Q3 Under the AWS Shared Responsibility Model, which task is an example of "security OF the cloud" handled by AWS?

  A. Configuring IAM user permissions for employees
  B. Encrypting sensitive customer records before upload
  C. Protecting the physical data centers and destroying decommissioned hardware
  D. Setting inbound rules on a security group
Answer: C
Why C is correct: "Security of the cloud" is AWS's job: the physical buildings, environmental controls, hardware, and secure disposal of old drives. Customers never touch these.
Why the other options are wrong:
  • A — IAM permission configuration is "security in the cloud" — the customer's job.
  • B — Encrypting customer data is a customer choice and responsibility.
  • D — Security group rules are configured by the customer.
Common trap: "Physical security" is the easiest AWS-side item to recognize, but the other three options are all customer-side configuration tasks designed to look similar.

Q4 A developer stores files in Amazon S3 and accidentally makes a bucket publicly readable, exposing private data. Who was responsible for preventing this exposure?

  A. The customer, because access configuration of the bucket is their responsibility
  B. AWS, because S3 is a fully managed service
  C. AWS, because storage security is part of security of the cloud
  D. No one; public buckets are a known limitation of S3
Answer: A
Why A is correct: Even though S3 is fully managed, who can access the data (bucket policies, access control, Block Public Access settings) is firmly the customer's responsibility. AWS secures the infrastructure; the customer secures access to their data.
Why the other options are wrong:
  • B — "Fully managed" covers the infrastructure, not your access decisions.
  • C — AWS secures the storage hardware and service, but access permissions are set by the customer.
  • D — Public access is a configuration the customer controls, not a limitation; AWS even blocks public access by default on new buckets.
Common trap: "S3 is managed, so AWS must secure it." Management of the service never transfers ownership of access control or data away from the customer.

Q5 Which statement about encryption under the Shared Responsibility Model is correct?

  A. AWS automatically encrypts all customer data at rest with no action needed
  B. Customers decide whether to enable encryption and are responsible for classifying their data
  C. Encryption is solely AWS's responsibility for all services
  D. Only AWS can hold encryption keys; customers may not manage them
Answer: B
Why B is correct: Deciding what data is sensitive (classification) and choosing to turn on encryption are customer responsibilities. AWS provides the tools (like KMS and built-in encryption options), but the customer decides when and how to use them.
Why the other options are wrong:
  • A — Encryption is not universally automatic; many options are opt-in choices the customer makes, and the customer still owns data classification.
  • C — Encryption is a shared capability the customer enables, not solely AWS's job.
  • D — Customers can absolutely manage their own keys (for example with customer-managed KMS keys).
Common trap: Assuming "AWS encrypts my data for me by default." AWS gives you encryption tools, but data classification and the decision to encrypt remain yours.

Q6 A company builds an application using AWS Lambda. Which responsibility still belongs to the customer in this serverless model?

  A. Patching the operating system that runs the Lambda function
  B. Maintaining the physical servers behind the service
  C. Securing the function code and the IAM permissions it uses
  D. Maintaining the language runtime on the underlying fleet
Answer: C
Why C is correct: With Lambda, AWS manages the servers, OS, and runtime maintenance. The customer is still responsible for the code they write and the IAM role/permissions the function uses to access other resources.
Why the other options are wrong:
  • A — Lambda is serverless; AWS patches the OS, not the customer.
  • B — Physical servers are always AWS's responsibility.
  • D — Runtime maintenance on the underlying fleet is handled by AWS in this managed model.
Common trap: Candidates over-apply the EC2 mindset and pick OS patching. With serverless, the customer's remaining job shrinks down mostly to code and access permissions.

Q7 As a workload moves from EC2 to RDS to S3 to a fully serverless service, how does customer responsibility generally change?

  A. It increases, because managed services need more customer configuration
  B. It stays exactly the same across all service types
  C. It disappears entirely once a fully managed service is used
  D. It decreases, because AWS takes on more of the operational and infrastructure tasks
Answer: D
Why D is correct: The more managed the service, the more AWS handles (OS, patching, scaling, hardware), so the customer's slice of responsibility shrinks toward data, access, and configuration. This is the core idea of the sliding scale of responsibility.
Why the other options are wrong:
  • A — Managed services reduce, not increase, customer operational burden.
  • B — The split clearly shifts depending on how managed the service is.
  • C — It never disappears entirely; data and access control always remain with the customer.
Common trap: Thinking responsibility ever hits zero. Even with the most managed service, the customer always owns their data and who can reach it.

Q8 Who is responsible for configuring security groups (the virtual firewalls that control traffic to EC2 instances)?

  A. The customer, because security group rules control access to their resources
  B. AWS, because network security is part of security of the cloud
  C. AWS, because security groups are managed infrastructure
  D. A third-party managed security provider by default
Answer: A
Why A is correct: Security groups are configured by the customer to decide what traffic is allowed in and out of their instances. This is firewall configuration — squarely "security in the cloud."
Why the other options are wrong:
  • B — AWS secures the underlying network fabric, but rule configuration is the customer's task.
  • C — AWS provides the security group feature, but the customer sets the rules.
  • D — No third party manages this by default; it is the customer's responsibility.
Common trap: Mixing up the physical network (AWS) with virtual firewall rules (customer). AWS protects the network; you decide who gets through your firewall.

Q9 A customer stores personal data in Amazon DynamoDB, a fully managed database. Regarding the data itself, what is true under the Shared Responsibility Model?

  A. AWS becomes responsible for the data because the service is fully managed
  B. The customer remains responsible for the data and controlling access to it
  C. Responsibility for the data is split fifty-fifty between AWS and the customer
  D. AWS owns the data but the customer owns the schema
Answer: B
Why B is correct: No matter how managed the service is, customer data and access control to it are always the customer's responsibility. AWS manages the database infrastructure; the customer governs the data.
Why the other options are wrong:
  • A — Full management never transfers data ownership to AWS.
  • C — Data responsibility is not split; it sits entirely with the customer.
  • D — AWS does not own the customer's data in any service.
Common trap: The word "fully managed" lures candidates into handing data responsibility to AWS. Data is the one constant the customer always owns.

Q10 Which of the following is a customer responsibility regardless of which AWS service is used?

  A. Replacing failed physical hard drives in the data center
  B. Maintaining the hypervisor that isolates instances
  C. Securing the global AWS network backbone
  D. Managing user identities and their access permissions (IAM)
Answer: D
Why D is correct: Identity and Access Management — creating users, roles, and deciding what each can do — is always the customer's job across every AWS service. Managing who can access your resources never shifts to AWS.
Why the other options are wrong:
  • A — Replacing physical hardware is AWS's responsibility.
  • B — The hypervisor is part of the infrastructure AWS maintains.
  • C — The global network backbone is secured by AWS.
Common trap: The three AWS-side options all describe deep infrastructure, which can sound like "things only experts handle," tempting candidates away from the plain answer of IAM.

Q11 A company uses Amazon RDS and assumes that because AWS patches the database engine, AWS also protects against weak database user passwords. Why is this assumption wrong?

  A. AWS does not patch RDS engines, so the premise is false
  B. RDS does not support user accounts at all
  C. Creating database accounts and managing their credentials is the customer's responsibility
  D. AWS automatically enforces strong passwords on all RDS databases
Answer: C
Why C is correct: Even on a managed service, the customer controls application-level and database-level account credentials and access. AWS patches the engine and OS, but it does not manage the passwords you create for database users.
Why the other options are wrong:
  • A — AWS does patch the RDS engine, so the premise is true; the flaw is the leap to password protection.
  • B — RDS databases certainly support user accounts.
  • D — AWS does not automatically enforce password strength on the database users you create.
Common trap: Assuming managed-service responsibility extends to credentials and access. Patching the engine and securing access are two different jobs with two different owners.

Q12 Which pairing correctly matches the party to the responsibility?

  A. AWS — classifying which customer data is confidential
  B. AWS — maintaining the virtualization layer and host hardware
  C. Customer — securing the physical facilities and badge access
  D. Customer — patching the firmware on AWS storage arrays
Answer: B
Why B is correct: The virtualization layer (hypervisor) and the physical host hardware are part of "security of the cloud," which AWS owns and maintains for every customer.
Why the other options are wrong:
  • A — Data classification is a customer responsibility, not AWS's.
  • C — Physical facility security is AWS's job, not the customer's.
  • D — Firmware on AWS hardware is maintained by AWS, never the customer.
Common trap: Each wrong option swaps the correct owner, mirroring how the exam flips responsibilities to test whether you really know the boundary line.

Q13 A customer wants encryption in transit (data protected as it travels over the network) for traffic to their application. Under the model, who configures this?

  A. The customer, who is responsible for protecting data in transit to and within their application
  B. AWS, because all network encryption is automatic
  C. AWS, because in-transit encryption is part of security of the cloud
  D. Neither party; in-transit encryption is not supported on AWS
Answer: A
Why A is correct: Protecting customer data — including how it is encrypted in transit for the customer's application — is a customer responsibility. AWS provides certificates and TLS-capable services, but the customer chooses to configure and enforce that protection.
Why the other options are wrong:
  • B — Encryption in transit for your application is not automatic everywhere; it is a customer configuration.
  • C — AWS secures its own backbone, but in-transit protection for the customer's data is the customer's job.
  • D — AWS fully supports in-transit encryption; it is widely used.
Common trap: Believing AWS encrypts all traffic automatically. Both in-transit and at-rest protection of customer data are customer-driven decisions.

Q14 An auditor asks which controls AWS provides evidence for versus which the customer must demonstrate. Which item would the customer need to demonstrate themselves?

  A. Physical access logs for the data center
  B. Environmental controls such as fire suppression in facilities
  C. Secure decommissioning of failed disks
  D. That least-privilege IAM policies are applied to their users
Answer: D
Why D is correct: How the customer grants permissions (applying least-privilege so users get only the access they need) is a customer control they must demonstrate. AWS cannot prove this for you because it depends on your configuration choices.
Why the other options are wrong:
  • A — Data center physical access logs are AWS's evidence to provide.
  • B — Environmental facility controls are AWS's responsibility.
  • C — Secure hardware disposal is performed and evidenced by AWS.
Common trap: Candidates pick a physical-security item because it "sounds auditable," but those are exactly what AWS handles and certifies for you, not the customer.
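Q4 (bucket access) and Q14 (least-privilege IAM) both come down to policy documents the customer writes. The following is an added example, not part of the original quiz and not AWS tooling: an offline review script that reads a bucket policy and an IAM policy as JSON and flags the two customer-side mistakes the questions describe, an Allow statement granting access to the anonymous principal, and an Allow statement using wildcard actions or resources. The policy documents, the account ID 123456789012, the bucket and role names are all constructed for this example; the real enforcement control for the first case is S3 Block Public Access, and this script is only a review aid for what you have written.

```python
"""Offline review of two customer-owned controls under the Shared Responsibility Model.

Added example (not from the original page). All policy documents below are
constructed sample data; the account ID, bucket and role names are placeholders.
"""
import json


def _as_list(value):
    """IAM JSON allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def _is_anonymous_principal(principal):
    """True when the statement applies to everyone, including unauthenticated callers.

    Both the bare string "*" and {"AWS": "*"} (or {"AWS": ["*"]}) mean anonymous.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(bucket_policy):
    """Return (Sid, has_condition) for every Allow statement granted to the anonymous principal.

    A Condition block does not automatically make a grant safe (a broad aws:SourceIp
    range is still public), so conditional grants are reported too and marked for review.
    """
    findings = []
    for index, statement in enumerate(_statements(bucket_policy)):
        if statement.get("Effect") != "Allow":
            continue
        if _is_anonymous_principal(statement.get("Principal")):
            sid = statement.get("Sid", f"statement[{index}]")
            findings.append((sid, bool(statement.get("Condition"))))
    return findings


def wildcard_statements(iam_policy):
    """Return (Sid, field) for Allow statements that are not least-privilege.

    Flags Action values of "*" or "service:*" and Resource values of "*".
    """
    findings = []
    for index, statement in enumerate(_statements(iam_policy)):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"statement[{index}]")
        if any(a == "*" or a.endswith(":*") for a in _as_list(statement.get("Action"))):
            findings.append((sid, "Action"))
        if any(r == "*" for r in _as_list(statement.get("Resource"))):
            findings.append((sid, "Resource"))
    return findings


# Constructed sample: the exposed bucket from Q4 (PublicRead) beside a scoped grant.
PUBLIC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Same bucket after the public grant is removed: only the application role may read.
PRIVATE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [PUBLIC_BUCKET_POLICY["Statement"][1]],
}

# Constructed sample: an over-broad user policy (Q14) next to a least-privilege one.
OVERBROAD_IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadOneTable", "Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/customers"}
  ]
}""")


if __name__ == "__main__":
    print("anonymous grants:", public_statements(PUBLIC_BUCKET_POLICY))
    print("after fix:", public_statements(PRIVATE_BUCKET_POLICY))
    print("wildcard grants:", wildcard_statements(OVERBROAD_IAM_POLICY))
```

Run against the samples, the script flags `PublicRead` as an unconditional anonymous grant and `AdminEverything` on both its Action and Resource fields, while `AppRoleRead` and `ReadOneTable` pass; neither finding is something AWS can detect or fix on your behalf, which is the point of both questions.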

Q15 A startup runs containers on Amazon EC2 instances that they manage themselves. Which combination of responsibilities is correct?

  A. AWS patches the guest OS; the customer maintains the physical host
  B. The customer patches the guest OS and container images; AWS secures the host hardware and hypervisor
  C. AWS secures everything because containers are a managed service
  D. The customer secures the data center; AWS configures the application
Answer: B
Why B is correct: When you run containers on EC2 you manage, you own the guest operating system and the container images on top of it, while AWS owns the physical host and hypervisor underneath. This is the standard IaaS division of labor.
Why the other options are wrong:
  • A — Roles are reversed; the customer patches the guest OS and AWS owns the physical host.
  • C — Self-managed EC2 containers are not a fully managed service, so AWS does not secure everything.
  • D — Customers never run the data center, and AWS never configures the customer's application.
Common trap: The word "containers" makes people assume a managed service. On self-managed EC2, the EC2 responsibility split still applies — OS and images are yours.

Q16 Which scenario shows AWS failing to meet its "security of the cloud" responsibility (rather than a customer mistake)?

  A. A customer leaves an S3 bucket open to the public internet
  B. An employee is given overly broad IAM permissions
  C. An intruder bypasses physical access controls at an AWS data center
  D. A customer never patches the OS on their EC2 instance
Answer: C
Why C is correct: Physical data center access control is purely AWS's responsibility. A breach of those controls would be an AWS-side failure, unlike the other options which are customer configuration mistakes.
Why the other options are wrong:
  • A — Bucket access configuration is a customer responsibility.
  • B — IAM permission decisions belong to the customer.
  • D — Patching the EC2 guest OS is the customer's job.
Common trap: Three options describe very common real-world breaches — but they are all customer-caused. Only the physical data center item lands on AWS's side.

Q17 A customer enables automatic backups on Amazon RDS. Who is responsible for ensuring the backup and retention settings actually meet the company's recovery needs?

  A. The customer, because configuring backup retention and recovery requirements is their responsibility
  B. AWS, because it physically stores the backup data
  C. AWS, because backups are a fully managed feature
  D. No one, because RDS backups never need configuration
Answer: A
Why A is correct: AWS provides the backup feature and stores the data durably, but choosing the retention period and confirming it meets the business's recovery objectives is a customer configuration decision. The customer owns the policy; AWS provides the mechanism.
Why the other options are wrong:
  • B — Storing the data durably is AWS's role, but the configuration choices are the customer's.
  • C — A managed feature still requires the customer to set it to meet their own needs.
  • D — Backups absolutely require configuration like retention settings.
Common trap: Equating "AWS stores it" with "AWS decides the policy." AWS handles durability; the customer decides retention and whether it meets their requirements.

Q18 Which statement best summarizes the dividing line of the Shared Responsibility Model?

  A. AWS is responsible for security in the cloud; the customer is responsible for security of the cloud
  B. AWS and the customer always share every responsibility equally
  C. AWS is responsible for security of the cloud; the customer is responsible for security in the cloud
  D. The customer is responsible for everything once they sign up for AWS
Answer: C
Why C is correct: The classic phrasing is that AWS handles security of the cloud (the infrastructure, facilities, and host software) while the customer handles security in the cloud (their data, access management, and configurations). This single sentence captures the whole model.
Why the other options are wrong:
  • A — The two halves are swapped; AWS handles "of," the customer handles "in."
  • B — Responsibilities are split by area, not shared equally on every item.
  • D — The customer is not responsible for physical infrastructure and host software; AWS owns those.
Common trap: The "of" vs "in" wording is easy to reverse under pressure. Anchor it: AWS protects the cloud itself; you protect what you do inside it.
