You migrated your application to AWS six months ago. The S3 buckets are provisioned. The EC2 instances are running. The RDS database is connected and humming along. You're sleeping well, because you're in the cloud now, and cloud providers are secure, right?
Then the security alert fires. A bucket containing 150,000 customer records has been publicly readable for three months. No one hacked AWS. No one broke into a physical server. The cloud provider's infrastructure was perfectly secure the entire time. The bucket policy was misconfigured on day one. That was your configuration, running in your account.
This is the shared responsibility model in practice, and this exact scenario plays out constantly. Gartner has projected that through 2025, 99% of cloud security failures will be the result of customer error, not provider-side infrastructure compromise. (Gartner) The infrastructure is solid. The gap is in what organizations do once they're inside it.
The shared responsibility model is the foundational security framework that maps exactly who owns what in cloud security, what the provider guarantees versus what you must deliver. Every cloud certification exam tests it. Every compliance audit references it. Every breach post-mortem eventually finds its way back to it.
This guide covers it from first principles: what the model is, how the boundary shifts across IaaS, PaaS, and SaaS, how AWS, Azure, and GCP each frame it, where teams most commonly fail, real breach case studies, and how to operationalize your side of the contract in practice. By the end, you'll know not just what the model says, but what it means for the work you do every day.
What the Shared Responsibility Model Actually Is
The shared responsibility model is a security and compliance framework that divides accountability between a cloud service provider (CSP) and their customer. The division is not arbitrary, it maps precisely to what each party controls.
The provider controls the infrastructure. Physical data centers, server hardware, network equipment, cooling, power systems, and the virtualization layer sitting above bare metal, this is all provider-owned and provider-managed. You cannot access it, patch it, or configure it. It is not, in any sense, your responsibility.
You control everything you deploy within that infrastructure. The operating systems you run on virtual machines. The applications you install. The S3 bucket policies you write. The IAM roles you configure. The network security groups you define. The encryption settings you enable, or forget to enable. The credentials you issue and whether you rotate them. This is your surface area.
AWS formalized this split with language that has since become industry-standard vocabulary across the entire cloud industry:
"Security OF the cloud" , the cloud provider's responsibility "Security IN the cloud" , the customer's responsibility
(AWS Shared Responsibility Model)
This isn't just a legal construct designed to limit provider liability, though it does that too. It's a practical map of the attack surface. When a security incident occurs, understanding which side of this line the vulnerability lived on determines accountability, remediation path, and whether your insurance policy applies.
The three-word summary: the provider secures their platform; you secure your usage of it.
Why This Matters Now More Than Ever
In 2025, roughly 80% of organizations experienced at least one cloud-related security breach in the preceding year. The breaches weren't coming from hypervisor exploits or data center intrusions. They were coming from misconfigured security groups, over-permissive IAM roles, unencrypted storage buckets, and credentials left in code repositories, all customer-side responsibilities, every single one.
The cloud has shifted the attack surface. Pre-cloud, physical security was a meaningful defense layer. In the cloud, the relevant attack surfaces are configuration and access control. The shared responsibility model defines where those surfaces are. Getting it wrong at scale is expensive: the average cost of a data breach in 2025 hit $4.44 million globally, with U.S.-based breaches frequently exceeding $10 million. (IBM Cost of a Data Breach Report 2024)
How the Boundary Shifts: IaaS, PaaS, and SaaS
The shared responsibility boundary is not a fixed line. It slides based on the type of cloud service you're consuming. The core principle: the more abstracted the service, the more responsibility the provider assumes and the less control you retain. Control and responsibility move together.
The general rule: the more abstracted the service, the more responsibility the provider assumes, and the less control you retain.
| Responsibility Layer | IaaS e.g., EC2, Azure VM, GCE |
PaaS e.g., RDS, App Engine, Lambda |
SaaS e.g., Microsoft 365, Workspace |
|---|---|---|---|
| Physical / Hardware | Provider | Provider | Provider |
| Virtualization / Network Fabric | Provider | Provider | Provider |
| Operating System | Customer | Provider | Provider |
| Runtime / Middleware | Customer | Provider | Provider |
| Applications | Customer | Customer | Provider |
| Data & Access Control | Customer | Customer | Customer |
Look at the bottom row. Data and access control are always the customer's responsibility, IaaS, PaaS, or SaaS, without exception. No matter how abstracted the service, what you store, who can access it, and how it's protected is never handed off to the provider.
IaaS: Maximum Control, Maximum Responsibility
Infrastructure-as-a-Service gives you the most control and burdens you with the most security obligations. Launch an EC2 instance and AWS manages the hypervisor downward, the hardware, the physical rack, the network fabric. You own everything from the guest OS upward.
That means: OS patching (missing a CVE on your EC2 fleet is your failure, not AWS's). Application security. Network Security Group and firewall rules. IAM policies attached to the instance profile. Encryption-at-rest for any EBS volumes you attach. TLS configuration for any traffic your application serves.
IaaS is the territory of teams who need full control, custom kernel configurations, specific OS builds, software that doesn't fit a managed service container. The tradeoff for that control is the complete security burden that comes with it. Running an unpatched EC2 instance is just running an unpatched Linux server, you happen to be renting the metal from AWS.
PaaS: The Shared Middle Ground
Platform-as-a-Service shifts the OS and runtime burden to the provider. AWS RDS is the clearest example: Amazon patches the database engine, manages the underlying OS, handles hardware failure, and handles database software upgrades. Your obligation narrows to: database users and permissions, network access rules (VPC security groups), encryption settings (both at-rest and in-transit, both require you to enable them), and backup configuration, which RDS automates once you set the retention window.
PaaS is where most teams get complacent. Because the provider handles so much, it's easy to assume the provider handles everything. It doesn't. An RDS instance that's publicly accessible, uses default credentials, has encryption at rest disabled, and no audit logging enabled is a liability, entirely the customer's creation. RDS didn't misconfigure itself.
Lambda, Azure App Service, Google App Engine, and Azure SQL follow similar patterns. The runtime is managed. Your code, configuration, secrets management, and IAM permissions, those remain yours.
SaaS: Narrow but Never Zero
Software-as-a-Service carries the smallest customer burden, but it is non-zero, and the consequences of ignoring it are significant. The provider manages infrastructure to application code. You manage who has access, what permissions they hold, and what data you store in the service.
The textbook example: a company moves to Microsoft 365, doesn't enforce multi-factor authentication across the tenant, and a phishing campaign compromises executive accounts. Microsoft's infrastructure didn't fail. Identity management, a customer responsibility in every service model, failed. No amount of Azure uptime SLA protects against unfenced access.
AWS, Azure, and GCP: How Each Provider Frames It
The core principle is universal, but the three major providers document and emphasize shared responsibility in meaningfully different ways. Understanding the nuances matters for certification exams, compliance audits, and working effectively in each environment.
AWS: "Security of the Cloud" vs. "Security in the Cloud"
AWS's framing is the most widely cited in the industry and has effectively become the default vocabulary.
AWS also introduces the concept of Shared Controls, areas where both AWS and the customer have separate but parallel obligations for the same concern:
- Patch Management: AWS patches provider infrastructure and underlying base OSes for managed services. Customers patch the guest operating systems on EC2 instances and their own application dependencies.
- Configuration Management: AWS configures and secures its infrastructure devices. Customers configure their own guest OSes, databases, and applications.
- Awareness and Training: AWS trains Amazon's employees. Customers train their own users and security practitioners.
The failure pattern here is consistent: teams see the word "shared" and interpret it as "AWS handles half of this." The accurate read is that the split is parallel, each party has complete ownership of a distinct domain within the same concern. AWS patching the RDS engine doesn't mean your application's SQL injection vulnerabilities are handled.
| AWS Owns - Security OF the Cloud | You Own - Security IN the Cloud |
|---|---|
| Physical data centers & global infrastructure (105 AZs across 33 regions as of 2025) | Customer data classification, protection & encryption |
| Compute, storage, database, & networking hardware | IAM users, groups, roles, and policies |
| Hypervisor layer & managed service runtime patches | Guest OS patching on EC2 and other IaaS instances |
| AWS network fabric, edge locations, & availability zones | Security groups, NACLs, VPC routing, & firewall rules |
Key AWS security tools in the customer's toolbox:
- AWS IAM - identity and access management for every AWS resource
- AWS CloudTrail - API call logging for audit trails and anomaly detection across your account
- AWS Config - continuous configuration compliance monitoring and drift detection
- AWS GuardDuty - ML-powered threat detection using CloudTrail, VPC Flow Logs, and DNS logs
- AWS Security Hub - centralized security findings aggregation across accounts and services
Azure: Identity-First and Organizational Hierarchy
Microsoft Azure follows the same underlying model but puts identity at the center more explicitly than any other provider. (Microsoft Azure Shared Responsibility)
The reason: Microsoft Entra ID (formerly Azure Active Directory) is Azure's core identity plane. The model makes identity management unambiguously a customer responsibility across all service types, directory services, conditional access policies, MFA enforcement, and privileged identity management are customer-owned, even when the SaaS product is Microsoft's own (Microsoft 365).
Azure also maps the responsibility model to its organizational hierarchy: management groups, subscriptions, resource groups, and individual resources. Security controls, RBAC role assignments, Azure Policy definitions, network security groups, are applied at each level of this hierarchy. Understanding where in that structure your security obligations begin is essential for Azure practitioners. If you've worked through KodeKloud's AZ-900 course, you'll recognize this from cloud governance.
Key Azure security tools in the customer's toolbox:
- Microsoft Entra ID - identity platform, conditional access, privileged identity management (PIM)
- Azure Policy - governance enforcement through policy definitions applied to subscriptions and resource groups
- Microsoft Defender for Cloud - unified security posture management and workload threat protection across Azure and multi-cloud
- Microsoft Sentinel - cloud-native SIEM and SOAR for logging, alerting, and automated response
GCP: Shared Fate and Default-Secure by Design
Google Cloud Platform follows the core model but introduces a distinctive philosophical framing: Shared Fate. (Google Cloud Shared Fate)
Where AWS and Azure frame a clear split of responsibilities, Google's Shared Fate model describes a more collaborative relationship, Google provides prescriptive security blueprints, default-secure configurations, and working reference architectures, and takes joint responsibility for security outcomes when customers follow them. It's less "here's the boundary, your side is your problem" and more "we'll actively help you get your side right."
In practice, this manifests as:
- Automatic, default encryption at rest for all data stored in any GCP service, no configuration required by the customer
- VPC Service Controls and Security Command Center bundled into the platform
- Google-maintained security blueprints for common architectures that customers can deploy directly rather than designing from scratch
GCP also carries the benefit of Google's exceptional scale in operating in adversarial environments, the same infrastructure and security tooling that protects Gmail, YouTube, and Google Search underpins GCP, with decades of hardening built in.
Key GCP security tools in the customer's toolbox:
- Cloud IAM - identity and access management for GCP resources with fine-grained condition support
- Security Command Center - centralized asset inventory, vulnerability detection, and threat monitoring
- Cloud Audit Logs - admin activity, data access, and system event logging across GCP services
- VPC Service Controls - service perimeters that restrict data movement between GCP services
The Four Customer Responsibilities That Never Transfer
Regardless of service model, provider, or how managed the platform is, four areas of security remain permanently in the customer's domain. These four are also, consistently, the four most common breach vectors.
1. Identity and Access Management
Who can access what, and how much access they have, is always yours to solve. This encompasses:
- Enforcing multi-factor authentication for all accounts, especially privileged ones
- Following least privilege, granting only the minimum access needed, not the access that's convenient to configure
- Auditing and rotating credentials regularly
- Not using root or global administrator accounts for routine operations
The most persistent IAM failure pattern: overprivileged service accounts. A Lambda function that processes payment webhooks doesn't need AdministratorAccess , it needs s3:PutObject to one specific bucket and dynamodb:PutItem to one specific table. When a function with AdministratorAccess is compromised via dependency injection or a misconfigured trigger, the blast radius is the entire AWS account. Not the function. The account.
2. Data Classification and Encryption
You're responsible for knowing what data you have, where it lives, how sensitive it is, and ensuring it's protected appropriately. Cloud providers give you powerful encryption tooling, KMS for key management, SSE for server-side encryption, TLS for data in transit, but the decision to use it, and how to configure it, is yours.
Three questions you should be able to answer at any time:
- Is encryption at rest enabled for every storage resource that holds sensitive data?
- Is TLS enforced for all connections, or does your application still accept plaintext?
- Can you identify which storage buckets, database tables, or file shares hold PII, PHI, or payment data?
If any of those are "I'm not sure," you have a gap. The provider didn't create that gap.
3. Network Configuration and Exposure
The provider builds the underlying network fabric. You build your virtual network topology inside it, security groups, network ACLs, VPC configuration, subnet design, route tables, and firewall rules.
The most persistent misconfiguration: overly permissive inbound rules. An EC2 instance with 0.0.0.0/0 inbound on port 22 (SSH) is exposed to every host on the internet. That's not an AWS configuration, that's one checkbox in a security group rule that you clicked or left at a default value. The box doesn't have to be malicious to be wrong. It just has to be open.
Network security auditing is continuous operational practice, not a one-time setup activity. Rules get added for temporary access that never gets revoked. Ports get opened for debugging during an incident and forgotten. Security groups accumulate rules because it's faster to add than to audit.
4. Guest OS and Application Patching (IaaS)
If you're running EC2 instances, Azure VMs, or GCE instances, you are operating a fleet of Linux or Windows servers. That means you have a patching operation whether you acknowledge it or not.
AWS patches the hypervisor. You patch the OS running on top of it and every application dependency installed within it. A known CVE published for OpenSSH in February that you haven't patched by March is a vulnerability in your responsibility zone, not AWS's. AWS Systems Manager Patch Manager, Azure Update Management, and GCP OS Config can automate a significant portion of this work, but deploying and configuring those tools is, you guessed it, your responsibility.
Real Breach Case Studies: What Failure Looks Like
Theory is useful. Examples are more useful. Here are three documented incidents where misunderstanding the shared responsibility model directly contributed to the outcome.
Capital One (2019) - $80M Fine, 106 Million Records Exposed
In 2019, Capital One suffered one of the largest financial data breaches in history. 106 million customer records were exposed. The attacker didn't compromise AWS's infrastructure. The attack vector was:
- A misconfigured Web Application Firewall (WAF) on an EC2 instance allowed a Server-Side Request Forgery (SSRF) request
- The SSRF request hit the EC2 instance metadata service (IMDS)
- The WAF's IAM role had excessive permissions, far beyond what a WAF requires
- Using those credentials, the attacker accessed S3 buckets containing customer data
Every failure point here was customer-side: WAF configuration, IMDS access controls (IMDSv2 was not enforced), and IAM role scope. AWS's infrastructure performed exactly as designed. Capital One paid an $80 million fine to the OCC.
The takeaway: IMDSv2 is now available and requires a session-oriented request, enforcing it on all EC2 instances eliminates this class of credential theft. Least privilege IAM would have limited the blast radius even if SSRF succeeded. Both are customer responsibilities.
Microsoft Exchange Server (2021) - SolarWinds Aftermath and On-Prem Confusion
The ProxyLogon vulnerabilities (CVE-2021-26855 and related CVEs) exploited on-premises Microsoft Exchange Server deployments worldwide in early 2021. Organizations running Exchange on-premises rather than Microsoft 365 were affected. Those running Microsoft 365 (Exchange Online) were not, because the cloud-managed service was already patched by Microsoft.
This case illustrates the model's inverse: organizations that chose on-premises or hybrid deployments retained full responsibility for patching, including zero-day patches. Those who had moved fully to SaaS had delegated that responsibility to Microsoft, and they were protected.
The takeaway: The shared responsibility model's value runs both directions. SaaS reduces your patching surface area enormously. If you operate any on-premises or IaaS components, patching timelines become critically important.
Twitch (2021) - Internal Systems Exposed via Misconfiguration
In October 2021, a 125GB data dump attributed to a Twitch engineer's misconfiguration exposed internal source code, payout data for thousands of streamers, and proprietary internal tooling. The root cause was reported to be a misconfigured server change that allowed improper access to internal systems.
The takeaway: Even large, security-sophisticated organizations with mature DevOps practices experience configuration failures. The shared responsibility model doesn't prevent human error, it defines whose error it is. The answer, consistently, is "the customer's." Continuous monitoring and CSPM are the operational controls that catch configuration changes before they become incidents.
Operationalizing the Model: Closing Your Gap in Practice
Understanding the shared responsibility model is table stakes. Embedding it into how you build and operate infrastructure is the actual objective. Here's how mature engineering teams translate the model from a policy document into operational practice.
Infrastructure as Code + Policy as Code
If your infrastructure is defined in Terraform, CloudFormation, or Bicep, your security policy can be enforced at the definition layer, before anything is deployed. Tools like HashiCorp Sentinel, AWS Config Rules, Azure Policy, and Open Policy Agent (OPA) let you codify rules:
- "No S3 bucket may have
block_public_access = false" - "All RDS instances must have
storage_encrypted = true" - "No security group rule may allow
0.0.0.0/0inbound on port 22"
These rules run at plan time or on pull request, failing the deployment before it reaches the environment. This turns the shared responsibility model from a document into a constraint that enforces itself on every deployment, regardless of which engineer is making the change.
For a practical introduction to IaC, KodeKloud's Terraform courses cover the fundamentals through advanced patterns including modules, state management, and CI/CD integration.
Cloud Security Posture Management (CSPM)
Policy-as-Code prevents new violations. CSPM handles the existing environment. CSPM tools continuously scan your cloud resources, across accounts, regions, and providers, against security benchmarks (CIS AWS Foundations, CIS Azure, NIST, PCI-DSS, SOC 2, HIPAA), flagging misconfigurations and tracking your posture over time.
Native CSPM options by provider:
- AWS Security Hub - aggregates findings from GuardDuty, Inspector, Macie, and third-party tools; runs CIS benchmark checks
- Microsoft Defender for Cloud - secure score, regulatory compliance dashboard, workload threat protection across Azure and multi-cloud
- Google Security Command Center - asset inventory, vulnerability findings, anomaly detection, and compliance monitoring
Third-party CSPM platforms add multi-cloud visibility from a single pane: Wiz, Orca Security, Lacework, Prisma Cloud by Palo Alto Networks. If your organization runs across AWS and Azure simultaneously, native tools give you a fragmented view, a dedicated CSPM platform or a SIEM with cross-cloud connectors becomes essential.
Continuous Monitoring over Periodic Audits
A quarterly compliance audit tells you the security posture at a single point in time. Cloud environments change continuously, new resources are provisioned, configurations are modified, IAM permissions are granted, security group rules are added. Point-in-time audits miss everything that changes between them.
The monitoring posture needs to match the rate of change:
- AWS CloudTrail - every API call, who made it, when, from where
- AWS Config - records configuration state of every resource, tracks changes over time
- Azure Monitor + Sentinel - unified logging, alerting, and SIEM functionality
- GCP Cloud Audit Logs - admin activity, data access, and system event logging
Build alerting on top of this data for high-signal events: MFA disabled on a root account, a security group modified to allow broad inbound access, IAM policy attached with *:* permissions, an S3 bucket's public access block setting changed. These events are low-volume and high-consequence, they warrant immediate automated notification.
Zero Trust Architecture
Traditional perimeter security assumed that anything inside the network perimeter was trusted. Cloud environments have no meaningful perimeter. A misconfigured security group is all that separates an EC2 instance from the public internet. Network-level trust assumptions don't hold.
Zero Trust replaces network-based trust with continuous verification: every request is authenticated, every user and service gets the minimum access necessary for the task at hand, and lateral movement is constrained by micro-segmentation. The principle applies at every layer, network, identity, data, and workload.
Zero Trust is not a product you buy, it's an architectural principle you implement. In practice, it means:
- Service-to-service communication authenticated via IAM roles or workload identity, not static credentials
- Kubernetes workloads using service accounts with tightly scoped RBAC, not cluster-admin
- API access controlled by short-lived tokens, not long-lived API keys stored in environment variables
- Network traffic between services restricted to exactly what's needed via security groups, network policies, or service mesh (Istio, Linkerd)
For engineers working in Kubernetes environments, KodeKloud's Certified Kubernetes Security Specialist (CKS) course covers the Kubernetes security model in depth, network policies, admission controllers, pod security standards, and runtime security.
The Model in Multi-Cloud and Hybrid Environments
The shared responsibility model becomes more complex, not less relevant, as organizations run workloads across multiple clouds and on-premises environments simultaneously.
In a multi-cloud setup, each provider operates its own model with its own tools, its own vocabulary, and its own defaults. An IAM misconfiguration in AWS isn't automatically caught by Defender for Cloud. A violated GCP bucket policy won't surface in AWS Security Hub. Achieving a unified security posture across multiple providers is entirely the customer's responsibility, and the tooling to do so is the customer's to deploy and operate.
| Multi-Cloud Challenge | Practical Implication | Tooling Approaches |
|---|---|---|
| Policy consistency | AWS IAM, Azure RBAC, and GCP IAM use different constructs for the same controls | OPA/Gatekeeper, HashiCorp Sentinel, CSPM platforms |
| Visibility consolidation | Security findings from three providers need aggregation into a single view | Wiz, Prisma Cloud, Splunk, Chronicle SIEM |
| Default configuration drift | Secure-by-default settings differ across providers — GCP encrypts at rest by default; AWS requires explicit configuration for some services | Terraform with required_providers, pre-commit security scanning |
| Compliance coverage | Compliance frameworks (PCI-DSS, HIPAA) require controls consistently applied, not per-provider | Lacework, Orca, Drata (multi-cloud compliance automation) |
For hybrid environments that include on-premises infrastructure: the model extends there too. Hardware you own and operate in your own data center is managed entirely by you, physical security, hardware replacement, network fabric, everything. There's no responsibility to share with a provider because there is no provider. Moving workloads to the cloud doesn't reduce that on-prem responsibility until you've actually migrated or decommissioned them.
Your Customer Security Responsibilities Quick-Reference Checklist
Before shipping production workloads to any cloud provider, run through this checklist. These are the most commonly missed items across each responsibility category.
Identity and Access
- [ ] Root/global admin accounts have MFA enforced and are not used for daily operations
- [ ] All IAM users, service accounts, and machine identities follow least-privilege
- [ ] Unused credentials and access keys are rotated or removed
- [ ] Service-to-service access uses IAM roles, not static long-term credentials
- [ ] Privileged access is time-limited and audited (AWS STS, Azure PIM, GCP IAM Conditions)
Data Protection
- [ ] Encryption at rest is enabled for all storage containing sensitive data (S3, EBS, RDS, GCS, Azure Blob)
- [ ] Encryption in transit (TLS 1.2+) is enforced; plaintext connections are rejected
- [ ] Data classification policy exists and is documented
- [ ] Encryption keys are managed via a dedicated key management service (AWS KMS, Azure Key Vault, GCP Cloud KMS), not hardcoded
- [ ] Backup and recovery for data assets is configured and periodically tested
Network Configuration
- [ ] No public-facing resources have
0.0.0.0/0inbound rules on sensitive ports (22, 3389, 5432, 3306) - [ ] Security groups follow deny-by-default with explicit allows
- [ ] VPC flow logs are enabled for traffic visibility
- [ ] Public S3/GCS bucket access is blocked at the account level unless explicitly required
- [ ] RDS/Cloud SQL instances are not publicly accessible
Monitoring and Visibility
- [ ] CloudTrail / Azure Monitor / Cloud Audit Logs are enabled in all regions/accounts
- [ ] Alerting is configured for high-signal events: IAM changes, root login, public access modifications
- [ ] A CSPM tool is actively scanning for configuration violations
- [ ] Incident response runbooks exist for the most likely breach scenarios
Shared Responsibility and Cloud Certification Exams
The shared responsibility model isn't just operational knowledge, it's explicitly tested on every major cloud certification:
- AWS Certified Cloud Practitioner (CLF-C02): Directly tested in the Cloud Concepts domain. Exam questions ask you to identify whether a specific control is the provider's or the customer's responsibility.
- AWS Certified Solutions Architect - Associate (SAA-C03): Appears throughout the Security Design domain, including service-specific boundary identification for EC2, RDS, Lambda, and S3.
- AZ-900 (Microsoft Azure Fundamentals): The Azure shared responsibility matrix is explicitly listed in exam objectives with questions on SaaS vs. PaaS vs. IaaS responsibility splits.
- Google Cloud Digital Leader / Professional Cloud Architect: GCP frames this through its Shared Fate model, tested through scenario-based questions about service-level responsibility identification.
- CKS (Certified Kubernetes Security Specialist): Kubernetes security follows an analogous model for managed vs. self-managed clusters, control plane security is provider-managed in GKE, EKS, and AKS; customer-managed when self-hosted. Node security, network policies, and workload isolation shift accordingly.
Understanding the model is prerequisite knowledge for any cloud certification path. If you're actively pursuing certification, KodeKloud's cloud certification roadmap maps the fastest routes across AWS, Azure, and GCP certification tracks, including which certs include heavy security coverage.
Nimesha Jinarajadasa
For a broader context on selecting the right cloud platform for your career, KodeKloud's AWS vs Azure vs GCP comparison covers where each provider leads and where they're comparable.
Nimesha Jinarajadasa
The Bottom Line
The shared responsibility model is one of the most consequential frameworks in cloud security, and one of the most persistently misunderstood. The mental model is straightforward: the provider secures the infrastructure. You secure your usage of it.
The boundary moves based on what you consume. With IaaS, you carry the full operational security burden above the hypervisor. With PaaS, you give up control of the runtime and gain the provider's management of it. With SaaS, your surface narrows to data, user access, and identity. In every model, data and access control are yours.
The teams that avoid breach aren't the ones with the largest security budgets, they're the ones who have embedded the model into how they operate day to day. Policy-as-Code that enforces standards on every Terraform plan. CSPM that runs continuously rather than quarterly. IAM reviews that happen on a schedule rather than only after an incident. Alerting that fires when a security group rule changes, not when the breach is discovered.
The model tells you where your obligations are. That's the starting point. Operationalizing those obligations into your engineering workflow, that's the actual security posture.
If you want to move from understanding this on paper to being able to demonstrate it in a real environment, deploying infrastructure, introducing misconfigurations, detecting them with native tooling, and remediating, KodeKloud's cloud security labs provide real AWS, Azure, and GCP environments to practice in without managing accounts or worrying about costs. When you're ready to validate your knowledge formally, the cloud certification roadmap and top cloud certifications guide show exactly where to invest your preparation time for maximum career impact.
Nimesha Jinarajadasa
FAQs
Q1: If I get breached through a misconfiguration, is the cloud provider liable?
No. Under the shared responsibility model, misconfigurations on the customer side are the customer's legal and financial liability. Provider SLAs cover infrastructure uptime and the security of the managed platform, not the security posture of how you deploy and configure resources within it. This is why organizations handling regulated data (HIPAA, PCI-DSS, GDPR) are responsible for their own compliance posture even when running entirely on cloud infrastructure. A provider's compliance certifications (FedRAMP, ISO 27001, SOC 2 Type II) cover the provider's infrastructure, not your deployment on top of it. (AWS Compliance Programs)
Q2: Does the model change for serverless or managed Kubernetes?
Yes, meaningfully. With serverless (AWS Lambda, Google Cloud Functions, Azure Functions), the provider takes over OS, runtime, and patching, narrowing your surface area to function code, IAM permissions, environment variable secrets management, and network configuration for VPC-attached functions. With managed Kubernetes (EKS, AKS, GKE), the provider manages the control plane. You manage: worker node OS patching (for self-managed node groups), pod security standards, network policies, RBAC configurations, and workload runtime security. The surface area is smaller than self-managed Kubernetes but far from zero, and it's the kind of non-obvious residual responsibility that gets teams into trouble. If you're working toward CKS certification, KodeKloud's CKS course covers this model in production depth.
Q3: What's the single highest-impact thing a team can do?
Audit IAM permissions. Over-privileged accounts and service roles are the most common mechanism for lateral movement and privilege escalation in cloud breaches. Reviewing and tightening IAM, removing unused permissions, converting wildcard policies to service-specific policies, eliminating static credentials, addresses the highest-risk surface area across every cloud model. Then: enforce MFA, enable account-level S3 Block Public Access, enable CloudTrail in all regions. These four actions eliminate the majority of common breach vectors.
Q4: How does the model apply to compliance frameworks like SOC 2, PCI-DSS, or HIPAA?
The provider gives you compliant infrastructure, their data centers, network fabric, and physical security already pass the relevant audits. What they don't give you is a compliant deployment. Your SOC 2 audit covers your controls: access management, change management, availability, and confidentiality of the data your organization processes. Running on AWS doesn't make you SOC 2 compliant, it means the infrastructure layer is already covered by AWS's SOC 2 certification. You still implement, document, and audit every control at the application and operational security layer. (AWS Compliance Programs)
Q5: What's the difference between the shared responsibility model and a cloud provider's SLA?
The SLA covers availability, uptime commitments, region failover, data durability guarantees (S3's eleven nines of durability, for example). The shared responsibility model covers security accountability. They address different concerns. You can have 99.99% uptime and still have a breach, because uptime is about infrastructure availability and the shared responsibility model is about security configuration. PCI-DSS auditors care about the latter; your business stakeholders probably care about both.
Discussion