Shared Security Responsibility Model - Navigating GDPR Compliance on AWS

Shared Security Responsibility Model

Security and compliance are a shared responsibility between AWS and the customer. When customers move their computer systems and data to the cloud, security responsibilities are shared between the customer and the cloud service provider. When customers move to the AWS Cloud, AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS is also responsible for the security of the operating system and platform. Customers and APN Partners, acting either as data controllers or data processors, are responsible for anything they put in the cloud or connect to the cloud. This differentiation of responsibility is commonly referred to as security of the cloud versus security in the cloud. This shared model can help reduce customers' operational burden and provide them with the necessary flexibility and control to deploy their infrastructure in the AWS Cloud. For more information, see the AWS Shared Responsibility Model.

The GDPR does not change the AWS shared responsibility model, which continues to be relevant for customers and APN Partners who are focused on using cloud computing services. The shared responsibility model is a useful approach to illustrate the different responsibilities of AWS (as a data processor or sub-processor) and customers or APN Partners (as either data controllers or data processors) under the GDPR.