Skip to main content

Demystifying the AWS shared security responsibility model

Written by:
wordpress-sync/blog-feature-snyk-aws-purple-wave

November 13, 2023

0 mins read

Most cloud providers use a shared security responsibility model, meaning they secure some areas of the environment but expect the customer to establish security controls in others. AWS is one of the many cloud providers that follow the concept of shared responsibility. Generally speaking, they split responsibility into two categories. AWS focuses on the security of the cloud, such as the infrastructure that runs all AWS services. The customer is responsible for the security in the cloud, such as protecting the data that interfaces with the cloud instance.

Cloud customers must understand where this demarcation lies to properly secure the apps they build and run on AWS. When organizations clearly see which security considerations fall under their responsibility, they can identify gaps, choose the right tools and processes to fill those gaps, and create an overall stronger security program. 

This article covers how to draw the line between AWS’s responsibilities and the customer’s, along with a few practical tips for covering the customer’s side of the shared responsibility model. 

Security of the cloud

AWS covers the responsibility for the security of the cloud, protecting infrastructure such as software, hardware, networks, databases, and physical facilities. They also maintain their cloud services with regular patch management, configuration management, and training courses. However, it’s up to the customer to execute these updates and training programs.

Security in the cloud

The customer must own the responsibility for security in the cloud, including protecting customer data, implementing encryption across the environment, and enabling identity and access management (IAM) for platforms and applications.

It’s also important to remember that every business’s AWS environment is different, as each organization uses a combination of services that reflects their specific needs. So, each AWS customer must focus on tactics for securing their unique cloud environment. 

How to establish security in the cloud

Because every AWS environment looks different, it can be challenging to pinpoint the best security controls for your specific setup. But, some general starting points still apply to most AWS environments. Here are a few areas to consider:

Data security

AWS strongly recommends prioritizing data security in your cloud environment. A few activities for securing sensitive data include:

  • Client-side encryption and data integrity authentication. Encrypting data locally as it is in transit and at rest and ensuring that this sensitive data remains unaltered. Many AWS customers enable client-side encryption and data integrity authentication with Amazon S3 Encryption Client.

  • Server-side encryption. Securing file systems and/or data by encrypting the data at its destination. AWS S3 offers several methods for enabling server-side encryption.

  • Data classification. Separating sensitive data from non-sensitive data, then appropriately protecting this sensitive data. Many AWS customers leverage Amazon Macie to find and protect their confidential data. 

Identity and access management (IAM) for platforms and applications

Your cloud instance will likely host a great deal of confidential data and environments. To defend these crucial assets, implement IAM controls to monitor who accesses your application build environments and platforms. 

Organizations can manage IAM with a variety of AWS Identity Services. While Amazon provides robust IAM options, access management can become challenging as the environment becomes more complex. Many businesses leverage Snyk to identify and fix faulty IAM configurations in these situations. 

Operating system, network, and firewall configurations

It’s also essential for organizations to properly configure their operating systems and networks and set up robust firewalls. AWS offers services for defense against network attacks, firewalls for every aspect of your cloud environment, and centralized firewall management. They also provide networking traffic protection, which keeps a close watch on networking traffic and blocks unauthorized access in real time.

Up-leveling your security in the cloud

While AWS offers tons of resources for securing your cloud environment, it’s still challenging to pinpoint where to implement these services and monitor them across a complex cloud ecosystem.

In addition, AWS’s security services can’t help teams secure the application side of the cloud environment. They can’t find and fix code vulnerabilities or identify vulnerable third-party components — two activities that are essential for keeping your apps, operations, and customers safe.

The Snyk platform connects both sides of this equation: security for the application and the AWS environment where the app lives. Our platform makes meeting your side of the shared responsibility model easier and extends those efforts to secure your application build process.

Here are a few ways that Snyk interfaces with AWS services:

Automating security controls across the SDLC

The Snyk platform can automate security controls across the AWS application stack, integrating with application services like AWS CodePipeline, Amazon CodeCatalyst, Amazon ECR, Amazon EKS, AWS CloudFormation, and AWS Control Tower. A few examples of automations include:

  • Scanning open source packages using Snyk’s unique first-party integration with AWS CodePipeline.

  • Automating and monitoring security controls in CI/CD using Amazon CodeCatalyst.

  • Scanning container images in Amazon ECR and leverage base image upgrade recommendations.

  • Detecting insecure configurations in your AWS CloudFormation, Terraform, or Amazon EKS files.

  • Accelerating onboarding to the Snyk platform using AWS Control Tower.

Centralized security intelligence and flexible governance

In addition, Snyk can send security intelligence and events to AWS security services such as Amazon Inspector, AWS Security Hub, Amazon EventBridge, and AWS CloudTrail Lake. A few examples of these security intelligence functions include:

  • Leveraging Snyk’s vulnerability insights within Amazon Inspector to prioritize the most severe vulnerabilities first.

  • Implementing Amazon EventBridge to build near-real-time notification and response workflows around Snyk audit logs and security issues.

  • Using role-based access controls (RBAC) and monitoring Snyk audit activity across your applications in AWS CloudTrail Lake

  • Ingesting Snyk security findings into AWS Security Hub to help visualize and route security events to automated workflows.

By centralizing these alerts, the Snyk platform ensures that your team won’t miss an important event or security insight.

Want to learn more about how we can help you up-level your the security of your applications on AWS? Check out our Snyk & AWS partnership page or try Snyk for free directly from the AWS Marketplace!

wordpress-sync/blog-feature-snyk-aws-purple-wave

How to Perform an Application Security Gap Analysis

In this guide we'll walk through the steps to run a Application Security Gap Analysis for asset visibility, AppSec coverage and prioritization.