Certified Security - Specialty

Sign Up Free or Log In to participate!

“Container” services (as defined in the Shared Responsibility Model module)

I don’t think grouping EMR with RDS is accurate. With EMR, you have SSH access to the underlying instances and can also bring your own AMI. With RDS, you have zero control on the OS level. I think they are fundamentally different from a shared responsibility model perspective.

I’m doing some work with this at the moment, and agree with you. Having RDS instances in my client’s VPC is one thing, but having EMR clusters which deploy vendor AMI instances into a VPC for a client in a regulated industry without a full understanding of the risk impacts is quite another.

4 Answers

Shared Responsibility Model for Container Services

The AWS shared responsibility model also applies to container services, such as

Amazon RDS and Amazon EMR . For these services, AWS manages the

underlying infrastructure and foundation services, the operating system and the

application platform.


Jeremy Simkins

file no longer exists

I think the reason they are grouped together is shown on the slide at 6:40 in the video.   Specifically, the part about you being responsible for access management separate from IAM.   That’s true in RDS and EMR, where you can grant access to the underlying resources independent of IAM.  ie, database users.   Think of how you can allow anyone to connect to the mySQL command line.

Also, with RDS the Customer is responsible for the administration of backups. AWS is responsible for performing the backups.

So RDS cannot belong to Abstracted Services.

Also refer Figures 1, 2 & 3 in https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf for distinction in shared responsibility models.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?