What is the AWS shared responsibility model?
Answer
The AWS Shared Responsibility Model defines what AWS is responsible for ("security OF the cloud") and what the customer is responsible for ("security IN the cloud").

AWS responsibilities (security OF the cloud):
- physical security of data centers
- hardware and global infrastructure (servers, routers, switches)
- hypervisor and virtualization layer
- managed service components (e.g., RDS OS patching, Lambda runtime)
- global network infrastructure
- AZ and region physical isolation

Customer responsibilities (security IN the cloud):
- operating system patches on EC2
- network and firewall configuration (security groups, NACLs)
- application-level security
- data encryption (in transit and at rest)
- identity and access management (IAM users, roles, policies)
- customer data protection
- network traffic configuration

How responsibility shifts by service type:
- IaaS (EC2): customer manages the OS and everything above it; AWS manages hardware and hypervisor.
- PaaS (Elastic Beanstalk): AWS manages OS and runtime; customer manages application and data.
- SaaS (S3): AWS manages most things; customer manages data, access policies, and encryption settings.

Example scenarios:
- EC2 gets compromised due to an unpatched OS → customer responsibility.
- AWS data center floods → AWS responsibility.
- S3 bucket accidentally public → customer responsibility (misconfigured access policy).
- RDS OS patched incorrectly → AWS responsibility.
- Application-level SQL injection → customer responsibility.

Why it matters: customers cannot audit AWS infrastructure directly, so they rely on compliance certifications (SOC, ISO, PCI). Use AWS Artifact to download compliance reports.
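The "S3 bucket accidentally public" scenario is the clearest case of a customer-side control: the bucket policy is the customer's to write and to check. The following is an added example, not code from the original page or from AWS, showing a simplified local check that flags bucket-policy statements granting access to a wildcard principal. The sample policies are constructed for illustration; the check is a heuristic (any Allow statement with Principal "*" or {"AWS": "*"} and no Condition is treated as public), not AWS's own public-access evaluation, which also considers account-level and bucket-level Block Public Access settings and ACLs.

```python
import json

# Constructed sample bucket policies (not taken from the original page).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Wildcard principal, but scoped by a Condition (e.g. to a VPC endpoint):
# reported as conditional rather than outright public.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointOnly",
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _principal_is_wildcard(principal):
    """True if the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json):
    """Return one finding per Allow statement whose Principal is a wildcard.

    Each finding records the statement Sid, the actions it grants, and whether
    the statement carries a Condition block (which may narrow the grant).
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]

    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "conditional": "Condition" in stmt,
        })
    return findings


def is_public(policy_json):
    """True if any wildcard-principal Allow statement has no Condition at all."""
    return any(not f["conditional"] for f in find_public_statements(policy_json))


if __name__ == "__main__":
    for name, policy in [("PUBLIC_POLICY", PUBLIC_POLICY),
                         ("RESTRICTED_POLICY", RESTRICTED_POLICY),
                         ("CONDITIONED_POLICY", CONDITIONED_POLICY)]:
        print(name, "public" if is_public(policy) else "not public",
              find_public_statements(policy))
```

In practice the policy text would come from the GetBucketPolicy API for each bucket, and a finding here is a prompt to review the statement and the bucket's Block Public Access settings, not a final verdict; a conditional wildcard grant can still be too broad depending on the condition keys used.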