CLF-C02 Shared Responsibility and Protection Boundaries Guide

Study CLF-C02 Shared Responsibility and Protection Boundaries: key concepts, common traps, and exam decision cues.

The shared responsibility model is one of the most frequently tested ideas on CLF-C02 because it exposes a weak assumption: that moving to the cloud hands all security work to AWS. AWS secures the cloud infrastructure it operates. Customers still secure what they put in the cloud, how they configure it, and who can access it.

Shared responsibility model: Security split where AWS is responsible for security of the cloud and the customer is responsible for security in the cloud.

What AWS is really testing

The exam usually wants you to classify whether the responsibility belongs to:

  • AWS
  • the customer
  • or a shared area where AWS manages more of the platform but the customer still owns data, access, and configuration choices

If the stem asks who patches the guest operating system on an EC2 instance, that is not the same question as who protects the physical datacenter.

The baseline split

AWS typically handles                                     | Customer typically handles
----------------------------------------------------------|----------------------------------------------------------------------
physical datacenters and hardware                         | data classification and protection choices
the foundational networking and host infrastructure       | identities, users, roles, and permissions
managed service platform operation                        | workload configuration
managed hypervisor layers and core service availability   | guest OS and application controls when using customer-managed compute

Managed services change the customer boundary, not the customer duty

One reason this topic matters is that the customer boundary shifts depending on the service model:

    flowchart LR
      A["EC2"] --> B["Customer manages guest OS, patching, and application layer"]
      C["RDS"] --> D["AWS manages more of the database platform layer"]
      E["Lambda"] --> F["AWS manages even more of the runtime platform"]

What stays true:

  • AWS never becomes responsible for your least-privilege decisions
  • AWS never decides who should access your data
  • AWS does not remove the need to configure services securely

A practical comparison

Scenario                                   | Strongest interpretation
-------------------------------------------|-----------------------------------------------------------------------
Broken disk in the AWS datacenter          | AWS responsibility
IAM users have overly broad permissions    | Customer responsibility
Security group allows traffic too broadly  | Customer responsibility
Hardware redundancy inside the Region      | AWS responsibility
Encrypting sensitive application data      | Customer responsibility, even if AWS supplies the encryption tooling
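Two of the customer-lane rows in the table above, overly broad IAM permissions and an overly broad security group, are things a customer can check in their own account configuration. The following is an added example, not code from the original guide: a small offline checker that flags Allow statements with a bare "*" Action or Resource and inbound rules open to the whole internet on ports other than the public web ports. The IAM policy document and the security group entry are constructed sample data in the shape AWS uses for them; the set of ports treated as "intentionally public" (80 and 443) is an assumption for the example, and nothing here calls AWS.

```python
"""Added example (not from the CLF-C02 guide): offline checks for two
customer-side configuration mistakes, wildcard IAM permissions and a
security group open to the world. Sample inputs are constructed inline."""
import ipaddress
import json

# Constructed sample IAM policy document (the JSON shape AWS policies use).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample security group, shaped like a describe-security-groups entry.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

# Assumption for this example: ports where "open to the world" is usually
# intentional (a public web tier). Anything else open to 0.0.0.0/0 is flagged.
PUBLIC_SERVICE_PORTS = {80, 443}


def _as_list(value):
    """IAM allows Action/Resource/Statement as a string, dict or list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcard_statements(policy_json):
    """Return (statement index, message) for Allow statements with a bare '*' Action or Resource."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append((idx, "Allow */* grants full access; scope Action and Resource"))
        elif "*" in actions:
            findings.append((idx, "Action '*' allows every API call; list needed actions"))
        elif "*" in resources:
            findings.append((idx, "Resource '*' applies to every resource; name the ARNs"))
    return findings


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. the entire address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_open_ingress(security_group):
    """Return (port, cidr) pairs reachable from anywhere on non-public-service ports."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not _is_world(cidr):
                continue
            port = perm.get("FromPort")
            # IpProtocol "-1" means all traffic, so there is no port to exempt.
            if perm.get("IpProtocol") == "-1" or port not in PUBLIC_SERVICE_PORTS:
                findings.append((port, cidr))
    return findings


if __name__ == "__main__":
    for idx, msg in find_wildcard_statements(SAMPLE_POLICY):
        print(f"IAM statement {idx}: {msg}")
    for port, cidr in find_open_ingress(SAMPLE_SECURITY_GROUP):
        print(f"{SAMPLE_SECURITY_GROUP['GroupId']}: port {port} open to {cidr}")
```

On the sample data the checker reports the second IAM statement (Allow on every action and every resource) and the SSH rule open to 0.0.0.0/0, while the HTTPS rule and the private-range database rule pass. Both findings are in the customer's lane regardless of how much of the platform AWS operates.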

Why this gets tricky on CLF-C02

Answer choices often mix one AWS-owned infrastructure responsibility with one customer-owned configuration responsibility. The wrong answer is usually the one that assumes "moving to the cloud means AWS secures everything for me."

Managed service does not mean zero customer responsibility. It usually means AWS manages more of the platform, while the customer still owns access, data, and policy decisions.

Decision order that usually wins

When this topic appears, classify the item in this order:

  1. Is the stem about physical infrastructure, platform operation, configuration, identity, or data?
  2. If it is about datacenters, hardware, or core managed-service infrastructure, lean toward AWS responsibility.
  3. If it is about permissions, encryption choices, network rules, or data handling, lean toward customer responsibility.
  4. If the workload uses a more managed service, remember that the boundary shifts, but data and access control still stay with the customer.
  5. Reject any answer that treats “managed service” as “AWS now secures everything automatically.”

Common traps

  • assuming AWS patches guest operating systems on EC2
  • assuming AWS classifies or governs customer data automatically
  • treating a managed database service as if the customer has no security work left
  • forgetting that configuration mistakes are usually the customer’s lane

Harder scenario question

A company stores sensitive customer records in AWS and uses IAM users with overly broad permissions. Which statement is strongest?

  • A. AWS is responsible because the data is in the AWS Cloud
  • B. AWS is responsible only if the workload uses a managed service
  • C. The customer is responsible for access configuration and protection choices, even though AWS secures the underlying infrastructure
  • D. No one is responsible if encryption is enabled

Correct answer: C. This is exactly the type of question CLF-C02 asks. AWS secures the underlying cloud platform, but the customer still owns identities, permissions, and data protection choices.

Revised on Sunday, May 10, 2026