Who is responsible for applying security patches to the hypervisor and the virtualization infrastructure itself?

Correct answer: B

Explanation

A question about responsibility for patching the foundation layer (hypervisor) under the shared responsibility model.

  • 1. hypervisor: The foundational virtualization software that runs EC2 (virtual machines). Below the guest OS.
  • 2. virtualization infrastructure: The AWS infrastructure layer that isolates and protects multiple tenants.

A. Incorrect

The customer is responsible.

The customer's scope of responsibility is the layers above the guest OS (OS, middleware, application, and data).

The hypervisor is infrastructure below the guest OS that customers cannot access, so treating it as a customer responsibility is wrong and this is incorrect.

B. Correct

AWS is responsible.

Correct. The hypervisor and virtualization infrastructure are AWS's foundational infrastructure that isolates multiple tenants (security OF the cloud). Customers cannot access this layer, and only AWS performs maintenance and patching.

C. Incorrect

Shared controls

Shared controls refer to areas where both parties are involved layer by layer.

The hypervisor is a foundational layer that customers cannot touch, so it is AWS's sole responsibility rather than shared, and this is incorrect.

D. Incorrect

It depends on the service type; for IaaS it is the customer.

The division of responsibility that changes by service type (IaaS / PaaS / SaaS) applies to the layers the customer can configure, such as the guest OS and middleware.

The hypervisor and virtualization infrastructure are the foundation that AWS manages in every service, so it is not the customer's responsibility even for IaaS, and this is incorrect.

Key Takeaway

Below the boundary line (hypervisor, facilities, foundational network) is AWS; above it (guest OS, middleware, application) is the customer. The contrast "guest OS patches are the customer's / hypervisor patches are AWS's" appears frequently.