AWS Shared Responsibility Model: What You Actually Need to Know 2026

Updated April 23, 2026  |  6 min read

This guide is for anyone preparing for AWS CLF-C02 or SAA-C03 in 2026 who keeps getting shared responsibility questions wrong and needs a clear mental model.

The Core Concept

AWS handles the security of the cloud. You handle security in the cloud. This sounds simple, but the boundary moves depending on which service you use. On EC2, you patch the OS. On RDS, AWS patches the OS but you manage the data and access controls. On S3, AWS manages everything except the bucket policies and encryption settings you choose.

AWS Responsibilities: Security OF the Cloud

AWS is responsible for protecting the infrastructure that runs all services:

  • Data center physical security (guards, cameras, biometrics)
  • Hardware (servers, storage, networking equipment)
  • Software that powers the cloud (hypervisor, host OS)
  • Virtualization layer and global network
  • Availability and durability of managed services

Customer Responsibilities: Security IN the Cloud

You are responsible for what you put in the cloud and how you configure it:

  • Customer data and intellectual property
  • IAM users, roles, policies, and MFA
  • Guest operating system patches (for EC2)
  • Application security and code
  • Network traffic protection (security groups, NACLs)
  • Encryption settings and key management

How It Changes by Service Type

Security is only one piece of the puzzle. For the broader architecture principles that govern every AWS service, see our Well-Architected Framework guide. Need a quick pre-exam review? Our printable cheat sheet covers both topics.

Service | AWS Manages                                  | You Manage
--------+----------------------------------------------+---------------------------------------------
EC2     | Hypervisor, host OS, hardware                | Guest OS, apps, data, IAM, security groups
RDS     | OS patching, backups, underlying infra       | Data, IAM access, encryption, parameter groups
S3      | Everything except your config                | Bucket policies, ACLs, encryption, versioning
Lambda  | Runtime, OS, scaling, patching               | Code, IAM execution role, environment variables
IAM     | Infrastructure, global service availability  | All policies, users, roles, MFA, passwords
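The "You Manage" column above and the customer responsibilities list are exactly the settings a customer-side audit has to read, because AWS will never flag them for you. The script below is an added example written for this guide, not code from the original article or from AWS: it checks the S3, security group and KMS settings the page assigns to the customer. Its input dicts are constructed here and shaped like the responses of the corresponding AWS API calls (s3 GetBucketEncryption, GetPublicAccessBlock, GetBucketVersioning, ec2 DescribeSecurityGroups, kms GetKeyRotationStatus), so it runs offline; the port allow-list and the sample resource names are assumptions.

```python
"""Audit the customer-managed half of the AWS shared responsibility model.

Added example, not from the original article. Input dicts are CONSTRUCTED to
mirror the shape of the AWS API responses a real audit would read, so the
script needs no credentials and no network.
"""
from dataclasses import dataclass

# Ports commonly exposed to the internet on purpose. Anything else reachable
# from 0.0.0.0/0 or ::/0 is reported. This is an assumed policy, not an AWS rule.
PUBLIC_OK_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    resource: str   # bucket name, security group id, or KMS key id
    control: str    # which "You Manage" item the finding belongs to
    detail: str


def audit_bucket(name, encryption, public_access_block, versioning):
    """S3: AWS runs the service; the customer owns these three settings."""
    findings = []
    # A bucket with no default-encryption rule is modelled as an empty dict
    # (the real API raises ServerSideEncryptionConfigurationNotFoundError).
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append(Finding(name, "encryption settings",
                                "no default encryption rule configured"))
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    disabled = [k for k in ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")
                if not pab.get(k, False)]
    if disabled:
        findings.append(Finding(name, "bucket policies/ACLs",
                                "public access block not fully enabled: " + ", ".join(disabled)))
    if versioning.get("Status") != "Enabled":
        findings.append(Finding(name, "versioning", "versioning is not enabled"))
    return findings


def audit_security_groups(describe_response):
    """EC2: AWS runs the network; the customer writes the ingress rules."""
    findings = []
    for sg in describe_response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            anywhere = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
            anywhere += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
            if not anywhere:
                continue
            if perm.get("IpProtocol") == "-1":      # "-1" means all protocols/ports
                ports, exposed = "all ports", True
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
                exposed = any(p not in PUBLIC_OK_PORTS for p in range(lo, hi + 1))
            if exposed:
                findings.append(Finding(sg["GroupId"], "security groups",
                                        f"{perm['IpProtocol']} {ports} open to {', '.join(anywhere)}"))
    return findings


def audit_kms_key(key_id, rotation_status):
    """KMS: AWS runs the HSMs; the customer decides rotation on their own keys."""
    if not rotation_status.get("KeyRotationEnabled", False):
        return [Finding(key_id, "key management", "automatic key rotation disabled")]
    return []


def run_audit(account):
    """Combine the per-service checks for one constructed account snapshot."""
    name, enc, pab, ver = account["bucket"]
    key_id, rotation = account["kms"]
    return (audit_bucket(name, enc, pab, ver)
            + audit_security_groups(account["security_groups"])
            + audit_kms_key(key_id, rotation))


# --- constructed sample snapshots (all names/ids are made up) ---------------
WEAK = {
    "bucket": ("example-weak-bucket", {},
               {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                                   "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
               {"Status": "Suspended"}),
    "security_groups": {"SecurityGroups": [{"GroupId": "sg-0weak", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]}]},
    "kms": ("example-weak-key", {"KeyRotationEnabled": False}),
}
HARDENED = {
    "bucket": ("example-hardened-bucket",
               {"ServerSideEncryptionConfiguration": {"Rules": [
                   {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
               {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                   "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
               {"Status": "Enabled"}),
    "security_groups": {"SecurityGroups": [{"GroupId": "sg-0hardened", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]}]},
    "kms": ("example-hardened-key", {"KeyRotationEnabled": True}),
}

if __name__ == "__main__":
    for label, snapshot in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(run_audit(snapshot))} finding(s)")
        for f in run_audit(snapshot):
            print(f"  [{f.control}] {f.resource}: {f.detail}")
```

Every finding the script produces lands in the "You Manage" column; nothing about the hypervisor, the host OS or the data centre appears, because none of it is observable or configurable from the customer side. That asymmetry is the exam's mental model in code form.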

Common Exam Traps

  • Trap 1: "Who patches the OS on RDS?" Answer: AWS. Many people guess customer because EC2 requires customer patching.
  • Trap 2: "Who is responsible for S3 data encryption?" Answer: The customer chooses whether to enable it. AWS provides the mechanism.
  • Trap 3: "Who manages network ACLs?" Answer: The customer. AWS manages the underlying network, but you configure NACLs and security groups.
  • Trap 4: "Who is responsible for physical security?" Answer: Always AWS. This never shifts to the customer.

Frequently Asked Questions

What is the AWS Shared Responsibility Model?

AWS is responsible for security OF the cloud (hardware, software, networking, facilities). The customer is responsible for security IN the cloud (data, IAM, OS patches, encryption, network traffic protection).

Who patches the OS on EC2?

The customer. AWS manages the hypervisor and host OS, but the guest OS on EC2 instances is the customer's responsibility.

Who manages encryption keys in KMS?

AWS manages the underlying KMS infrastructure, but the customer manages key policies, rotation settings, and access control.

Is this on the CLF-C02 exam?

Yes. Expect 2-4 questions on every exam. Common traps involve confusing AWS responsibilities with customer responsibilities.

How does it differ for managed services?

With managed services, AWS takes on more responsibility (OS patching, backups, underlying infrastructure). The customer is still responsible for data, IAM access, and encryption settings.