Who is responsible for patching a security vulnerability contained in the code of a customer application that runs on an Amazon EC2 instance?

Correct answer: C

Explanation

A question asking, in the shared responsibility model, who is responsible for patching customer application code on EC2.

  • Amazon EC2 instance: A virtual machine the customer launches and configures (an environment under the customer's control)
  • Customer application: Software (code and logic) developed and owned by the customer
  • Patching: Updating the code and redeploying it to fix a vulnerability

A (Incorrect)

AWS is responsible.

AWS handles the security of the EC2 physical hardware, hypervisor, and network infrastructure (security OF the cloud).

The content of application code written by the customer, and any vulnerabilities in it, are outside AWS's scope of management, so assigning this responsibility to AWS is incorrect.

B (Incorrect)

Shared controls

Shared controls refer to areas such as patch management where both parties are involved across layers.

Application code is entirely the customer's software asset and AWS is not involved at all, so it is not a shared control, and this answer is incorrect.

C (Correct)

The customer is responsible.

This is correct. The code of an application that runs on EC2 is a software asset created and owned by the customer. Finding and fixing vulnerabilities and redeploying the code are all part of security IN the cloud, which the customer performs; AWS is not involved in the content of the code.

D (Incorrect)

If an automatic scan detects it, AWS fixes it.

Scanning tools such as Amazon Inspector help detect vulnerabilities, but they do not fix the code.

The customer must perform the fix and the deployment after detection, so the premise that AWS fixes the code is incorrect.

Key Takeaway

With EC2 (IaaS) the customer's scope is broad: the guest OS, middleware, and application code are all the customer's responsibility. AWS handles everything up to and including the hardware, hypervisor, and facilities.