This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
The Shared Responsibility Model
Security and Compliance is a shared responsibility between AWS and the customer. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, known as Security of the Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. The customer's responsibility is determined by the AWS Cloud services they select. This determines the amount of configuration work the customer must perform as part of their security responsibilities, known as Security in the Cloud. For example, for the Amazon Elastic Compute Cloud (EC2) service, the customer is responsible for the necessary security configuration and management of its networking, operating system, and application configuration, including patching and permissions. However, for abstracted services like Amazon Simple Storage Service (S3), where AWS operates the infrastructure, operating system, and environment, the customer is provided access endpoints to use, store, and retrieve data. The customer is responsible for managing the stored data, including applying encryption and appropriate access permissions.

Applying this shared responsibility model to telco workloads means that, while AWS provides a secure infrastructure, CSPs and their Virtual Network Function/Container Network Function (VNF/CNF) vendors should implement security measures to protect the workload. They can do this by adopting AWS security best practices and recommendations, and by following telco security standards as defined by multiple standards organizations such as 3GPP, ETSI, and IETF at the application level, to verify that the overall system is secured at each layer.
  
Shared responsibility varies when using AWS services residing in a customer's data center; for example, when Radio Access Network (RAN) functions such as the Virtual Distributed Unit (vDU) are deployed on AWS Outposts. AWS Outposts is a family of fully managed solutions delivering AWS infrastructure and services to virtually any on-premises or edge location. In AWS Outposts, the customer takes responsibility for securing the physical infrastructure that hosts the AWS Outposts equipment in their own data centers. As a managed service, it inherits our well-tested security procedures, and includes built-in tamper protection and dedicated security components such as the Nitro Security card and key.
The preceding figure summarizes the shared responsibility model between AWS and the customer. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities owned by AWS. The customer assumes responsibility and management of the guest operating system and associated application or network functions as well as the configuration of the AWS services used. The preceding figure shows an edge model with AWS Outposts, where the responsibility of the physical security, networking, cooling, and electricity for AWS Outposts is owned by the customer.