Compliance Requirements that Vary Among AWS Services
💡 Definition
Compliance requirements that vary among AWS services describe how an organization's responsibilities for meeting regulatory and industry standards change depending on the specific AWS service in use, particularly under the Shared Responsibility Model. The division of responsibility shifts based on whether the service is Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).
🔑 Key Concepts
- Shared Responsibility Model: The fundamental principle is that AWS is responsible for the security of the cloud, while the customer is responsible for security in the cloud. The dividing line of these responsibilities is not static across all services.
- IaaS (e.g., EC2): The customer has the most responsibility. This includes the guest operating system (OS), with its updates and security patches, the application software, and the configuration of network access controls (e.g., Security Groups, NACLs). AWS manages the underlying physical infrastructure, the virtualization layer, and the global infrastructure.
- PaaS (e.g., RDS, Elastic Beanstalk): AWS takes on more responsibility for managing the underlying infrastructure, OS, and sometimes even the runtime environment. Customer responsibility focuses more on application code, data (including encryption), and database settings.
- SaaS (e.g., S3, DynamoDB, some AWS Marketplace offerings): AWS manages almost the entire stack, up to the application layer. Customer responsibility is significantly reduced, typically limited to data classification, access management (e.g., IAM policies for S3 buckets), and configuration of service-specific features.
- Compliance Scope: The scope of a customer's audit and compliance efforts must adjust based on the service model, focusing on the components they control.
⚙️ How it Works
When planning to use an AWS service, an organization must understand its compliance obligations for that specific service. For example, deploying a database on an EC2 instance (IaaS) means the customer is responsible for patching the database OS, whereas using RDS (PaaS) offloads much of that responsibility to AWS. This understanding informs security controls, audit processes, and overall compliance strategy.
🎯 Use Cases
- Compliance Planning: Deciding which services to use based on the ease of meeting compliance requirements for specific data types or regulations.
- Audit Preparation: Clearly defining boundaries of responsibility when undergoing external audits.
- Risk Assessment: Understanding where customer security controls are most critical for each service.
💰 Pricing Model
- N/A. This is a conceptual aspect of compliance and service usage.
📝 Exam Tips (CLF-C02)
- Keywords: "Shared Responsibility Model", "IaaS, PaaS, SaaS", "Customer responsibility shifts".
- Crucially, understand that customer responsibility is highest for IaaS and lowest for SaaS.
- Be able to identify common services (EC2, RDS, Lambda, S3) and associate them with their respective service models and implied shared responsibilities.
See Also:
- Shared Responsibility Model
- AWS Compliance
- IaaS
- PaaS
- SaaS