AWS takes care of much of the undifferentiated heavy lifting, but security is not owned by a single party.
So who is responsible for security in AWS—you or AWS?
The correct answer is: both.
AWS follows the Shared Responsibility Model, which divides security responsibilities between AWS and the customer. Rather than treating a solution as one monolithic system, AWS views it as a stack of layers, with each party responsible for securing specific parts of that stack.
AWS Responsibility: _Security of the Cloud_
AWS is responsible for securing the foundation on which your workloads run. This includes:
- Physical infrastructure
Data centers, buildings, power, cooling, physical access controls, fences, and guards.
- Global infrastructure and backbone
The private fiber network connecting AWS regions worldwide.
- Underlying service infrastructure
Hardware, host operating systems, and the virtualization layer that powers compute, storage, database, and networking services.
For example, when you run virtual machines using Amazon EC2:
- AWS manages the physical servers.
- AWS manages the host OS and hypervisor.
- AWS patches and secures the virtualization layer.
This significantly reduces operational overhead for customers.
Customer Responsibility: _Security in the Cloud_
While AWS secures the foundation, you are responsible for what you build on top of it. A useful analogy is renting an apartment: the building owner secures the building, but you must lock your own door.
Your responsibilities include:
- Operating system security
Patching and hardening the guest OS on your virtual machines.
- Data protection
Encrypting data at rest and in transit.
- Access control
Managing identities, permissions, and authentication.
- Network security
Configuring firewalls, security groups, and traffic rules.
- Application security
Ensuring your code, configurations, and dependencies are secure.
Most importantly, you always own your data in AWS. Ensuring it is protected, encrypted, and properly accessed is ultimately your responsibility. AWS provides many built-in security features—but it’s up to you to enable and use them correctly.
An Important Nuance
The shared responsibility model is not identical for every AWS service.
Different services abstract different layers:
- More managed services → AWS takes on more responsibility.
- More low-level services → you retain more control (and responsibility).
This flexibility is intentional—it allows you to choose how much control versus convenience you want when designing solutions.
The AWS Root User and Account Security
When you create an AWS account, you sign up using an email address and a password. That email address automatically becomes the root user of the account. The root user has unrestricted access to all AWS resources and settings—there are virtually no limits to what it can do.
This level of access makes the root user extremely powerful, and therefore extremely sensitive. Logging in with the email address and password means you are operating as the root user, with full control over billing, data, infrastructure, and security settings in Amazon Web Services.
Why the root user must be protected
- Unlimited permissions
The root user can create, modify, or delete any resource in the account.
- High-impact risk if compromised
If an attacker gains access, they could delete data, shut down services, or launch expensive workloads such as cryptocurrency mining—leaving you with the bill.
- Single-factor authentication is not enough
A strong password helps, but password-only access means anyone who cracks or steals it can log in.
Multi-Factor Authentication (MFA) is mandatory
To reduce this risk, AWS strongly recommends enabling Multi-Factor Authentication (MFA) on the root user immediately after account creation.
- What MFA adds
An additional verification factor beyond the password, usually a one-time numeric code.
- How it works
After entering your email and password, you must also provide a temporary code generated by a physical or virtual MFA device.
- Common MFA option
A virtual MFA app on your phone that generates time-based, one-time passwords.
AWS supports a variety of MFA mechanisms, such as virtual MFA devices, hardware devices, and Universal 2nd Factor (U2F) security keys.
| Device | Description | Supported Devices |
|---|---|---|
| Virtual MFA | A software app that runs on a phone or other device that provides a one-time passcode. Keep in mind that these applications can run on unsecured mobile devices, and because of that, may not provide the same level of security as hardware or U2F devices. | Authy, Duo Mobile, LastPass Authenticator, Microsoft Authenticator, Google Authenticator |
| Hardware | A dedicated hardware device, generally a key fob or display card, that generates a one-time six-digit numeric code. | Key fob, display card |
| U2F | A hardware security key that you plug into a USB port on your computer. | YubiKey |
Even if an attacker discovers your password, they cannot access the account without the MFA code. This single step dramatically improves account security.
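To make the "time-based, one-time password" a virtual MFA app produces concrete, here is an added example (not code from the original page or from AWS) implementing RFC 4226 HOTP and RFC 6238 TOTP in Python, checked against the RFCs' published test vectors. The secret, the verification window and the function names are this example's own choices.

```python
import hmac
import hashlib
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real virtual MFA device holds a per-device secret provisioned via the QR code.
TEST_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP where the counter is the 30-second time step."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept a code for the current step or `window` steps either side (clock drift).
    compare_digest keeps the comparison constant-time; the verifier, not the app,
    is where an attacker without the secret is stopped."""
    candidates = (totp(secret, unix_time + d * 30) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)

if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 8-digit SHA-1 TOTP is 94287082
    print(totp(TEST_SECRET, 59, digits=8))
    print(verify_totp(TEST_SECRET, "287082", 59))
```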
Best practices for using the root user
- Enable MFA on the root user immediately
- Never use the root user for daily work, including administrative tasks
- Reserve root access only for critical actions, such as account-level configuration or billing changes
- Use IAM users or roles instead for normal operations
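As an added example (not code from the original page or from AWS), the following Python checks the root-user practices above against data you can pull with the AWS CLI: the SummaryMap from `aws iam get-account-summary` and the CSV from `aws iam get-credential-report`. The field names are the real IAM ones; the sample values, the account id and the function name are constructed for this example.

```python
import csv
import io

# Constructed sample of the SummaryMap returned by `aws iam get-account-summary`.
# A value of 1 for AccountMFAEnabled means the root user has an MFA device attached.
SAMPLE_SUMMARY = {
    "AccountMFAEnabled": 0,
    "AccountAccessKeysPresent": 1,
    "AccountSigningCertificatesPresent": 0,
}

# Constructed excerpt of the IAM credential report (base64-decoded CSV); only the
# columns used below are kept. Root appears as the literal user "<root_account>".
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active,password_last_used
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false,2024-05-01T09:12:00+00:00
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false,2024-05-02T10:00:00+00:00
"""

def root_findings(summary: dict, credential_report_csv: str) -> list:
    """Return findings about the root user; an empty list means the posture is good."""
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device enabled")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user has long-lived access keys; delete them and use IAM roles")
    if summary.get("AccountSigningCertificatesPresent", 0) != 0:
        findings.append("root user has X.509 signing certificates attached")

    rows = csv.DictReader(io.StringIO(credential_report_csv))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is not None:
        if root["mfa_active"] != "true":
            findings.append("credential report shows mfa_active=false for root")
        if root["password_last_used"] not in ("no_information", "N/A", ""):
            findings.append("root password was used at " + root["password_last_used"]
                            + "; root should be reserved for account-level tasks")
    return findings

if __name__ == "__main__":
    for finding in root_findings(SAMPLE_SUMMARY, SAMPLE_CREDENTIAL_REPORT):
        print("FINDING:", finding)
```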
Resources:
- _External Site:_ AWS: Enabling a Hardware MFA Device (Console)
- _External Site:_ AWS: Enabling a U2F Security Key (Console)
- _External Site:_ AWS: Enabling a Virtual Multi-Factor Authentication (MFA) Device (Console)
- _External Site:_ AWS: Table of Supported MFA Devices
- _External Site:_ Tasks that require the use of root user credentials