Principle of Shared Responsibility in Cloud-Native Applications

Using the cloud means you can focus on your application and use a third party for most of your infrastructure. The cloud provides virtual interfaces that abstract away the details of operating infrastructure.

That’s great for convenience, but what about security? Who is responsible for keeping your cloud-native application safe and secure? You or the cloud provider? Or both?

For cloud-native applications, The principle of shared responsibility answers this question. The principle of shared responsibility dictates who is responsible for what level of security within your application and its infrastructure in a cloud environment.

Put simply, the principle of shared responsibility states that keeping your application safe and secure in a cloud infrastructure is the joint responsibility of both you and the cloud provider. Specifically, it explains which parts of the security of your application are owned by you and which parts are owned by the cloud provider.

The specific answer to who owns what varies from one cloud service to another and one cloud provider to another. According to the principle, it is the responsibility of the cloud provider to give you, the application owner, a statement explaining what parts of the overall application security are your concern and what parts are the concern of the cloud provider.

Let’s illustrate this with an example. Let’s take a look at the AWS EC2 service. The different layers of security responsibility for this service are shown below:

Security responsibility requirements for AWS EC2


When you operate an application running on one or more EC2 instances, you create an agreement between you and AWS for managing the security of the application operating on those services. For the EC2 service, AWS is responsible for the following security aspects of running your application:

  • Physical plant, facilities security. AWS is responsible for maintaining the security of the physical data center and the physical plant that operates that data center.
  • Hardware and network security. AWS is responsible for securing all the hardware necessary for running the EC2 service and the physical networking between systems.
  • Physical servers. AWS is responsible for securing the physical servers that implement the EC2 service.
  • Server virtualization system. AWS is responsible for keeping the server virtualization layer safe including all security in the virtualization host operating system and the virtualization software itself.
  • Security Tooling. AWS provides the tools to keep your application safe and secure, including identity and access management (IAM) and similar services.

You are responsible for the rest of the security of your application, including:

  • Operating system. The security of the operating system running on the virtual server. On EC2, you can choose which operating system you want the server to run and what OS components are installed. As such, you are responsible for making sure it is secure.
  • System/Utility Software. The security of all the software running on top of the operating system in this virtual server. This includes third-party software, processes, daemons, etc., whether the software was included in the operating system by default or added explicitly by you.
  • Your application. The security of your application, services, databases and everything you use to operate, install and monitor your application.
  • Application data. The security for all data you store or transfer on and off the server.
  • Credentials. You can access credentials for many infrastructure components, operating environments and third-party software. These credentials provide access to various non-public aspects of your application and its infrastructure. You are responsible for securing all of these credentials, keeping them out of the hands of bad actors.
  • Policies and Procedures. You are responsible for all policies to ensure a secure system configuration and other system constraints and requirements.

The principle of shared responsibility is the cornerstone for keeping a cloud-native application safe and secure in a public cloud operating environment. While the specific requirements vary from service to service and provider to provider, it is your responsibility to determine which aspects of security you are responsible for and make sure you conform with all rules and requirements specified by the cloud provider for your application to remain safe and secure in a cloud environment.

Lee Atchison

Lee Atchison is an author and recognized thought leader in cloud computing and application modernization with more than three decades of experience, working at modern application organizations such as Amazon, AWS, and New Relic. Lee is widely quoted in many publications and has been a featured speaker across the globe. Lee’s most recent book is Architecting for Scale (O’Reilly Media).

Lee Atchison has 59 posts and counting. See all posts by Lee Atchison