Well-Architected Framework
Document shared responsibilities
Clear documentation of shared responsibilities prevents security gaps and compliance failures. When multiple teams or cloud providers share infrastructure ownership, undocumented boundaries create vulnerabilities and audit risks. This practice ensures everyone understands their security obligations and compliance requirements.
Shared responsibility models vary by cloud provider, deployment model, and organizational structure. Your documentation must reflect your specific environment while maintaining clarity for auditors and security teams.
Define responsibility boundaries
Mapping your infrastructure components to ownership areas helps clarify who is responsible for what. In cloud environments, you need to distinguish between provider-managed services and customer-managed resources. Your documentation should cover who owns security for each layer, from physical infrastructure to application code.
Responsibility matrices work well for showing ownership of security controls, compliance requirements, and operational tasks. These matrices typically include specific team names, roles, and contact information for each responsibility area. You also want to define escalation paths for when responsibilities overlap or conflict.
Clear handoff points between teams and providers prevent gaps in security coverage. Your documentation should cover the specific security controls each party implements and how they coordinate during incidents or compliance audits. This includes defining who validates security configurations and who responds to security events.
Implement accountability mechanisms
Regular review processes help validate that your documented responsibilities align with actual practices. Quarterly reviews with all stakeholders work well for updating responsibility matrices based on organizational changes or new compliance requirements.
Automated checks can verify that teams are fulfilling their documented responsibilities. Terraform Cloud's policy as code features help enforce security controls and record an audit trail showing that each documented responsibility was met. Dashboards that show compliance status across all responsibility areas become more effective when you integrate Vault's audit logging and Boundary's session tracking capabilities.
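One automated check that follows from the two practices above (a responsibility matrix with owners, contacts and escalation paths, and a recurring check that it has no gaps) is a validator run over the matrix itself. This is an added example, not code from the Well-Architected Framework; the row format, the required layer list and the sample matrix are assumptions constructed for the demonstration.

```python
from collections import defaultdict

# Layers every matrix must assign, from physical infrastructure up to the
# data an application handles (assumed set for this example).
REQUIRED_LAYERS = ("physical", "network", "platform", "application", "data")

# Constructed sample matrix. Each row maps one security control at one layer
# to a responsible party, a contact, and an escalation path for conflicts.
SAMPLE_MATRIX = [
    {"layer": "physical", "control": "datacenter access", "owner": "cloud-provider",
     "contact": "provider-support", "escalation": "cloud-vendor-manager"},
    {"layer": "network", "control": "security groups", "owner": "platform-team",
     "contact": "platform-oncall@example.com", "escalation": "ciso"},
    {"layer": "network", "control": "security groups", "owner": "app-team",
     "contact": "app-oncall@example.com", "escalation": ""},
    {"layer": "platform", "control": "os patching", "owner": "platform-team",
     "contact": "platform-oncall@example.com", "escalation": "ciso"},
    {"layer": "application", "control": "dependency scanning", "owner": "",
     "contact": "", "escalation": ""},
]


def find_gaps(matrix, required_layers=REQUIRED_LAYERS):
    """Return required layers with no named, reachable owner: an undocumented
    boundary that nobody will validate or respond for."""
    owned = {row["layer"] for row in matrix if row["owner"] and row["contact"]}
    return [layer for layer in required_layers if layer not in owned]


def find_conflicts(matrix):
    """Return (layer, control) pairs claimed by more than one owner where at
    least one claiming row has no escalation path to resolve the overlap."""
    claims = defaultdict(list)
    for row in matrix:
        if row["owner"]:
            claims[(row["layer"], row["control"])].append(row)
    return [key for key, rows in claims.items()
            if len({r["owner"] for r in rows}) > 1
            and not all(r["escalation"] for r in rows)]


def validate(matrix):
    """Summarise findings; empty lists mean the matrix has no gaps or
    unresolved overlaps and can be signed off at the quarterly review."""
    return {"gaps": find_gaps(matrix), "conflicts": find_conflicts(matrix)}


if __name__ == "__main__":
    print(validate(SAMPLE_MATRIX))
```

Against the sample, the validator reports the application and data layers as gaps and the doubly claimed network security-group control as an unresolved overlap; running it in CI against the real matrix turns the quarterly review into a continuous check.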
Clear communication channels for responsibility-related issues prevent confusion during critical moments. Your process should cover how teams coordinate during security incidents, compliance audits, or infrastructure changes. This includes documenting how to resolve responsibility conflicts or gaps when they arise.
Next steps
In this overview, you learned about documenting shared responsibilities to establish clear accountability and prevent security gaps.
Refer to the following documents to learn more about compliance and governance practices:
- Policy as code to enforce security policies through infrastructure as code
- Audit trails to maintain comprehensive logs for compliance and security monitoring
If you are interested in learning more about shared responsibility models and compliance frameworks, you can check out the following resources:
- Terraform Cloud Policy as Code - Enforce security policies and compliance requirements
- Vault Audit Devices - Track access and changes for compliance monitoring
- Boundary Session Management - Monitor privileged access and session activity
- AWS Shared Responsibility Model - Understand cloud provider and customer security responsibilities
- Azure Shared Responsibility - Learn about Microsoft's shared responsibility approach
- Google Cloud Shared Responsibility - Explore Google Cloud's security responsibility model