Certified Security - Specialty

“Container” services (as defined in the Shared Responsibility Model module)

I don’t think grouping EMR with RDS is accurate. With EMR, you have SSH access to the underlying instances and can also bring your own AMI. With RDS, you have zero control on the OS level. I think they are fundamentally different from a shared responsibility model perspective.

I’m doing some work with this at the moment, and agree with you. Having RDS instances in my client’s VPC is one thing, but having EMR clusters which deploy vendor AMI instances into a VPC for a client in a regulated industry without a full understanding of the risk impacts is quite another.

4 Answers

Shared Responsibility Model for Container Services

The AWS shared responsibility model also applies to container services, such as Amazon RDS and Amazon EMR. For these services, AWS manages the underlying infrastructure and foundation services, the operating system and the application platform.

https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

Jeremy Simkins

file no longer exists

I think the reason they are grouped together is shown on the slide at 6:40 in the video. Specifically, the part about you being responsible for access management separate from IAM. That’s true in RDS and EMR, where you can grant access to the underlying resources independent of IAM, i.e., database users. Think of how you can allow anyone to connect to the MySQL command line.

Also, with RDS the Customer is responsible for the administration of backups. AWS is responsible for performing the backups.

So RDS cannot belong to Abstracted Services.

Also refer to Figures 1, 2 & 3 in https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf for the distinction in shared responsibility models.
