AWS Shared responsibility model - inherited controls


Hi all,

So far I understand the shared responsibility model, but what I don't get is:

Why does the customer inherit control of the physical and environmental part with "inherited controls", when it says before that the physical parts (hardware, software, networking and facilities) are responsibilities of AWS, as well as securing the data center?

Can someone help out? When do inherited / shared / customer-specific controls apply, always? Or just in special use cases?

Thanks, Dejan

2 Answers

Hi, I hope you are well.

Inherited Controls: These are all of the controls the user inherits from AWS like the physical and environmental security controls used by Amazon.

Some of your controls are inherited from AWS; many of the controls are shared inheritance between you as a customer and AWS. Control responsibility is as follows:

  • Shared Responsibility: You will provide security and configurations of your software components and AWS will provide security for its infrastructure.

  • Customer-Only Responsibility: You are fully responsible for guest operating systems, deployed applications, and select networking resources (for example, firewalls). More specifically, you are solely responsible for configuring and managing your security in the cloud.

  • AWS-Only Responsibility: AWS manages the cloud infrastructure, including the network, data storage, system resources, data centers, physical security, reliability, and supporting hardware and software. Applications built on top of the AWS system inherit the features and configurable options that AWS provides. AWS is solely responsible for configuring and managing security of the cloud.

For example, AWS Artifact is an AWS service that helps you to understand the privacy-related controls that you inherit from AWS. (AWS Artifact provides access to AWS security and compliance reports, such as System and Organization Controls (SOC) reports and payment card)


AWS
answered 5 months ago
reviewed 5 months ago


Thank you for the fast reply. I understand the meaning of inherited controls, but I don't get when it applies?

Is this like a default rule, applying to all services? When does the shared responsibility model & when the inherited, customer-specific?

Or do they all apply at the same time?

Sorry to be so annoying, but this is the only point I don't understand at the moment, and it annoys me personally a lot because even after Googling it I didn't understand it.

Best regards, Dejan

answered 5 months ago
