AWS Security ChangesHomeSearch

AWS wellarchitected documentation change

Service: wellarchitected · 2026-05-07 · Documentation medium

File: wellarchitected/latest/security-pillar/shared-responsibility.md

Summary

Clarified shared responsibilities for patch management in AWS managed services, distinguishing between single-tenant and multi-tenant architectures.

Security assessment

Expands documentation about security responsibilities (patch management) without referencing a specific vulnerability. This strengthens security guidance but doesn't address an incident.

Diff

diff --git a/wellarchitected/latest/security-pillar/shared-responsibility.md b/wellarchitected/latest/security-pillar/shared-responsibility.md
index 7d57e9202..178f42137 100644
--- a//wellarchitected/latest/security-pillar/shared-responsibility.md
+++ b//wellarchitected/latest/security-pillar/shared-responsibility.md
@@ -21 +21 @@ This customer/AWS shared responsibility model also extends to IT controls. Just
-**Inherited Controls** – Controls that a customer fully inherits from AWS.
+**Inherited controls:** Controls that a customer fully inherits from AWS.
@@ -23 +23 @@ This customer/AWS shared responsibility model also extends to IT controls. Just
-  * Physical and Environmental controls
+  * Physical and environmental controls
@@ -28 +28 @@ This customer/AWS shared responsibility model also extends to IT controls. Just
-**Shared Controls** – Controls that apply to both the infrastructure layer and customer layers, but in separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:
+**Shared controls:** Controls that apply to both the infrastructure layer and customer layers, but in separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:
@@ -30 +30 @@ This customer/AWS shared responsibility model also extends to IT controls. Just
-  * Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest operating system and applications.
+  * **Patch management:** AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest operating system and applications.
@@ -32 +32 @@ This customer/AWS shared responsibility model also extends to IT controls. Just
-  * Configuration Management – AWS maintains the configuration of its infrastructure devices, but customers are responsible for configuring their own guest operating systems, databases, and applications.
+    * For AWS managed services operating on single-tenant architectures (such as Amazon ElastiCache, Amazon RDS, and Amazon OpenSearch Service), patch management responsibility is shared as follows: 
@@ -34 +34 @@ This customer/AWS shared responsibility model also extends to IT controls. Just
-  * Awareness and Training – AWS trains AWS employees, but customers must train their own employees.
+      * **AWS responsibility:** Identify vulnerabilities, develop and validate patches, release patches within the service's patching SLA, and notify customers of available updates through the service's documented notification mechanism. 
@@ -35,0 +36 @@ This customer/AWS shared responsibility model also extends to IT controls. Just
+      * **Customer responsibility:** Review available updates and facilitate patching by selecting maintenance windows, applying service updates, or scheduling required restarts within the timeframes communicated by AWS. 
@@ -36,0 +38 @@ This customer/AWS shared responsibility model also extends to IT controls. Just
+    * For AWS managed services operating on multi-tenant architectures (such as Amazon ElastiCache Serverless, Amazon DynamoDB, and Amazon S3), patch management responsibility is shared as follows: 
@@ -37,0 +40 @@ This customer/AWS shared responsibility model also extends to IT controls. Just
+      * **AWS responsibility:** Apply patches without requiring customer action. 
@@ -39 +42,10 @@ This customer/AWS shared responsibility model also extends to IT controls. Just
-**Customer Specific** – Controls that are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include: 
+      * **Customer responsibility:** Consult patching and maintenance documentation for each AWS managed service they use to understand specific notification mechanisms, maintenance window options, and update application processes available to them. 
+
+  * **Configuration management:** AWS maintains the configuration of its infrastructure devices, but customers are responsible for configuring their own guest operating systems, databases, and applications.
+
+  * **Awareness and training:** AWS trains AWS employees, but customers must train their own employees.
+
+
+
+
+**Customer specific:** Controls that are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include: