Who is responsible for the physical security of AWS data centers (such as building access controls, surveillance cameras, and placement of security personnel)?

Correct: B

Explanation

A question about who is responsible for the physical security of data centers under the shared responsibility model.

  • 1. physical security: Building access controls, surveillance, guards, and other physical defenses of the facility itself—an infrastructure layer customers cannot touch.
  • 2. data centers: Facilities owned and operated by AWS that customers cannot access.

A: Incorrect

The customer's responsibility

The customer's scope of responsibility covers the resources the customer launches and configures (data, OS, applications, and network settings).

Customers cannot physically access the data center building or facilities, so implementing physical security is impossible, making this incorrect.

B: Correct

AWS's responsibility

Correct. AWS fully manages the physical security (buildings, surveillance, and personnel) of its owned and operated data centers. This is the security OF the cloud in the shared responsibility model—customers cannot access the facilities, so AWS bears sole responsibility.

C: Incorrect

A shared control (divided between AWS and the customer)

Shared controls refer to areas where both AWS and the customer each bear responsibility at their own layer, such as patch management and configuration management.

Customers have no involvement in physical security whatsoever, so it is not shared—it is AWS's sole responsibility, making this incorrect.

D: Incorrect

The building is AWS's responsibility, but operating the surveillance cameras is the customer's responsibility.

Although this split may appear plausible, AWS is responsible for all physical security, including physical access control, surveillance cameras, and placement of security personnel.

Customers cannot enter the data center and have no scope to operate any part of the physical security, so this is incorrect.

Key Takeaway

The baseline of the shared responsibility model is the boundary between security OF the cloud (AWS) and security IN the cloud (customer). Facilities, hardware, and the virtualization layer that customers cannot touch are AWS's sole responsibility; data, OS, and applications that customers configure are the customer's responsibility.