Distribute security ownership
[Figure: The AWS shared responsibility model]
You can mirror this model inside your organization and distribute the responsibilities between your cloud and application teams. This helps you scale your cloud security programs more effectively because the application teams take ownership of certain security aspects of their applications. The simplest interpretation of the shared responsibility model is that if you have access to configure the resource, then you are responsible for the security of that resource.
A key part of distributing security responsibilities to application teams is building self-service security tools that help your application teams automate. Initially, this can be a joint effort. The security team can translate security requirements into code-scanning tools, and then application teams can use those tools to build and share solutions with their internal developer community. This contributes to greater efficiencies across other teams that need to meet similar security requirements.
The following table outlines the steps for distributing ownership to application teams and provides examples.
| Step | Action | Example |
|---|---|---|
| 1 | Define your security requirements – What are you trying to achieve? This might come from a security standard or compliance requirement. | An example security requirement is least-privilege access for application identities. |
| 2 | Enumerate controls for a security requirement – What does this requirement actually mean from a control perspective? What do I need to do to achieve this? | To achieve least privilege for application identities, the following are two sample controls: |
| 3 | Document guidance for the controls – With these controls, what guidance can you provide to a developer to help them comply with the control? | Initially, you might start by documenting simple example policies, including secure and unsecure IAM policies and Amazon Simple Storage Service (Amazon S3) bucket policies. Next, you can embed policy-scanning solutions within continuous integration and continuous delivery (CI/CD) pipelines, such as using AWS Config rules for proactive evaluation. |
| 4 | Develop reusable artifacts – With the guidance, can you make it even easier and develop reusable artifacts for developers? | You might create infrastructure as code (IaC) to deploy IAM policies that follow the principle of least privilege. You can store these reusable artifacts in a code repository. |
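As an added example that is not part of the AWS guidance, the following script shows the kind of self-service policy-scanning check from step 3 that a security team could hand to application teams to run in a CI/CD pipeline: it flags Allow statements that grant wildcard actions or resources, failing the build when any are found. The two sample policies and the bucket ARN are constructed for illustration.

```python
import json
import sys

# Constructed sample policies (not from the AWS guide) showing the
# "unsecure" and "secure" examples a security team might document.
INSECURE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/uploads/*",
        }
    ],
}


def _as_list(value):
    # IAM allows a single string or a list in Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return human-readable findings for Allow statements using wildcards."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # "*" grants every action; "service:*" grants every action of a service.
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {idx}: wildcard resource '*'")
    return findings


def scan_policy_file(path):
    """Load a policy JSON file and return its findings (empty list = pass)."""
    with open(path, encoding="utf-8") as fh:
        return find_overbroad_statements(json.load(fh))


if __name__ == "__main__":
    # Usage in a pipeline: python scan_policy.py policy.json; non-zero exit fails the build.
    problems = [f for p in sys.argv[1:] for f in scan_policy_file(p)]
    print("\n".join(problems) or "no over-broad statements found")
    sys.exit(1 if problems else 0)
```

The check only covers Action and Resource wildcards; statements written with NotAction or NotResource need their own rule.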
Self-service might not work for all security requirements, but it can work for standard scenarios. By following these steps, organizations can empower their application teams to handle more of their own security responsibilities in a scalable way. Overall, the distributed responsibility model leads to more collaborative security practices within many organizations.