The Shared Responsibility Model - Applying Security Practices to a Network Workload on AWS for Communications Service Providers

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

The Shared Responsibility Model

Security and Compliance is a shared responsibility between AWS and the customer. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, known as Security of the Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. The customer’s responsibility is determined by the AWS Cloud services they select. This determines the amount of configuration work the customer must perform as part of their security responsibilities, known as Security in the Cloud. For example, for Amazon Elastic Compute Cloud (EC2) service, the customer will be responsible for the necessary security configurations and management from its networking, operating system, and application configuration including its patching and permissions. However, for abstracted services like Amazon Simple Storage Service (S3) where AWS operates the infrastructure, operating system and environment, the customer is provided access endpoints to use, store, and retrieve data. The customer will be responsible for managing the stored data to include applying encryption and appropriate access permissions. Applying this shared responsibility model to telco workloads means that, while AWS provides a secure infrastructure, CSPs and their Virtual Network Function/Container Network Function (VNF/CNF) vendors should implement security measures to protect the workload. They can do this by adopting AWS security best practices and recommendations, and by following telco security standards as defined by multiple standard organizations such as 3GPP, ETSI, and IETF at the application level, to verify that the overall system is secured from each layer.

Shared responsibility model for cloud security between customer and AWS, showing division of duties.

The Shared Responsibility Model in an AWS Region

Shared responsibility varies when using AWS services residing in a customer’s data center; for example, when the Radio Access Network (RAN) functions such as Virtual Distributed Unit (vDU) are deployed on AWS Outposts. AWS Outposts is a family of fully-managed solutions delivering AWS infrastructure and services to virtually any on-premises or edge location. In AWS Outposts, the customer takes the responsibility of securing the physical infrastructure to host the AWS Outposts equipment in their own data centers. As a managed service, it inherits our well-tested security procedures, and includes built-in tampering and dedicated security components such as the Nitro Security card and key.

The preceding figure summarizes the shared responsibility model between AWS and the customer. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities owned by AWS. The customer assumes responsibility and management of the guest operating system and associated application or network functions as well as the configuration of the AWS services used.

Shared responsibility model diagram showing customer and AWS security roles in cloud services.

Shared Responsibility Model at the edge with AWS Outposts

The preceding figure shows an edge model with AWS Outposts, where the responsibility of the physical security, networking, cooling, and electricity for AWS Outposts is owned by the customer.