Certified - CompTIA Cloud+

The shared responsibility model outlines how security, maintenance, and risk are divided between the cloud provider and the customer. In cloud environments, not all operational tasks fall under the provider’s control. Customers retain specific duties related to configuration, user management, and data protection. This model clarifies expectations and ensures that both parties understand their obligations. It is fundamental to designing secure cloud systems and is emphasized throughout the Cloud Plus exam.
On the Cloud Plus exam, questions involving shared responsibility appear in multiple domains. Candidates may be asked to distinguish between what the cloud provider controls versus what the customer must configure. These questions can involve scenarios in infrastructure, deployment, or incident response. Identifying the appropriate responsibility boundaries is essential to answering correctly. A common exam theme is recognizing that providers manage the platform, but customers control how they use it.
The shared responsibility model applies across all service types, including I A A S, P A A S, and S A A S. In every model, the provider owns and manages the underlying physical infrastructure. As abstraction increases, provider responsibilities expand upward through the stack. However, customers always retain control over data, user access, and system configurations. Knowing where the provider stops and where the customer begins is key to cloud risk management.
Provider responsibilities typically include securing the data center, managing physical access, and maintaining hardware availability. In most environments, the provider also manages the hypervisor and networking fabric. In P A A S and S A A S models, the provider may control the operating system and runtime environment as well. These layers are not visible to the customer and are maintained through provider automation and monitoring. The Cloud Plus exam may present a scenario and expect candidates to identify which layers are managed by the vendor.
Customer responsibilities are always present, even in fully managed S A A S models. Customers are accountable for data classification, identity and access control, and application configuration. In I A A S models, they must also manage the operating system, middleware, and patching. Failing to secure these elements results in vulnerabilities, regardless of provider protections. The exam often tests whether a misconfiguration falls under the customer’s scope or the provider’s.
Certain responsibilities are shared. These include encryption configuration, logging, monitoring, and I A M setup. The provider offers tools and infrastructure support, but the customer must configure them to meet policy goals. For example, encryption at rest may be enabled by default, but key rotation must be implemented by the customer. Cloud Plus frequently tests understanding of these shared boundaries, especially when control is not clearly defined in the scenario.
In the I A A S model, the provider delivers virtual compute, networking, and storage infrastructure. The customer must build everything on top of it, including installing and managing the operating system, applications, and access policies. Security controls must be implemented explicitly by the customer. This model offers the most flexibility and the greatest number of customer responsibilities. Exam questions may test which controls are not preconfigured and require user setup.
In the P A A S model, the provider manages the infrastructure, operating system, runtime, and backend services. The customer focuses on code deployment, data protection, and access control within the application. The trade-off in P A A S is less control in exchange for faster development and reduced administrative burden. Candidates are expected to understand that responsibility does not disappear in P A A S; it simply shifts to different layers.
In the S A A S model, the provider manages the application, hosting platform, and backend infrastructure. The customer is responsible only for managing user access, configuring security options, and controlling how data is entered and shared. Misunderstanding this model leads to misplaced expectations about who is accountable when issues arise. The exam may present a scenario involving exposed data in a S A A S environment and expect candidates to identify whether configuration or platform failure is responsible.
Service-level agreements define the guarantees the provider makes about system uptime, availability, and support. These agreements do not shift responsibility away from the customer. Even if the provider guarantees ninety-nine point nine percent uptime, the customer must still secure their data and manage user roles. Cloud Plus questions may test understanding of S L A language and its relationship to customer planning and incident readiness.
Many security breaches in cloud environments result from customer misconfiguration. Open ports, weak passwords, or public-facing storage buckets are frequent causes. These errors happen because customers assume the cloud is secure by default. In reality, the cloud provides tools and frameworks, but users must apply them correctly. Cloud Plus highlights this risk and includes questions that test knowledge of security defaults, configuration gaps, and common mistakes.
The division of responsibility also shifts depending on deployment model. Public clouds give customers access to shared infrastructure, which places more responsibility on the user to secure their application environment. In private or hybrid models, internal teams may manage parts of the infrastructure while relying on provider-managed components elsewhere. Cloud Plus may test whether candidates can identify who is accountable in a mixed deployment.
Understanding the shared responsibility model helps prevent overreliance on provider controls and ensures that systems are designed with appropriate risk mitigation. The exam does not expect memorization of provider terms but instead tests the reasoning behind who controls what in different architectures. Clear understanding of this model supports secure, resilient, and well-managed cloud implementations across all domains.
Many cloud-related breaches can be traced to misunderstanding shared responsibility boundaries. One common pitfall is assuming that the provider secures all aspects of the environment by default. When customers do not configure identity roles or secure public-facing storage buckets, vulnerabilities are introduced. The Cloud Plus exam may present these types of failures and expect the candidate to identify which security tasks were improperly delegated or overlooked by the customer.
Identity and access management responsibilities are often misunderstood. Providers offer I A M tools that allow users to define granular access policies. However, the customer is responsible for creating roles, assigning scopes, and verifying that only authorized users have access to sensitive data or systems. Misuse of permissions is a shared concern because the tools are supplied by the provider, but the logic and enforcement depend on the customer. Cloud Plus questions may focus on improperly assigned roles or missing policies.
Encryption responsibilities are another area where duties are split. The provider may offer encryption capabilities for data at rest and in transit, along with managed key storage services. However, the customer must choose to enable encryption, select key rotation policies, and control access to the encryption keys. Failing to activate these features leaves data unprotected even if the tools are available. Cloud Plus may test recognition of when encryption is present but not correctly configured.
Logging and monitoring services are available in most cloud platforms, but they are not always enabled by default. Providers supply the infrastructure to collect and store logs, but the customer must activate logging, assign retention policies, and review the data. If logs are not monitored, security incidents may go undetected. Cloud Plus scenarios often ask what failed in a breach response, and the correct answer may be failure to enable or analyze logs related to a service or system.
Data loss prevention is also a customer responsibility in most models. Providers may offer tools for backup, snapshotting, or replication, but the customer is responsible for configuring them and testing their effectiveness. Cloud Plus candidates should understand that recovery time objective, or R T O, and recovery point objective, or R P O, are determined by how the customer applies those tools. The exam may include a scenario involving data loss, asking which configuration was missing or misaligned.
Compliance obligations cannot be delegated entirely to the cloud provider. Although providers maintain certifications and offer services that support compliance, the customer is responsible for how their application handles sensitive data, who can access it, and where it is stored. This is especially important in industries such as healthcare, finance, or government. Cloud Plus may include a compliance scenario that tests understanding of encryption enforcement, access control, or data residency alignment.
Audit and verification tasks fall under the customer’s operational responsibilities. Providers may offer audit logs, access reports, and event traces, but it is the customer’s duty to analyze this information, detect anomalies, and document findings. Tenants are responsible for producing their own audit evidence when needed for investigations or compliance checks. Exam questions may reference gaps in audit trails and ask whether the customer or provider failed to maintain verification readiness.
Tenants must actively manage configuration hygiene across all their services. Even in highly abstracted models such as S A A S, customers configure access rules, data sharing settings, and integration permissions. Providers may set defaults, but customers must review and revise them to meet organizational needs. Many Cloud Plus questions involve errors caused by using defaults without understanding their implications. Candidates should be prepared to identify when responsibility rests with the customer due to lack of customization or review.
Responsibility boundaries shift not just between service models, but also during the service lifecycle. As new features are added to a cloud platform, customers must review the implications of these changes. A new authentication method, default logging change, or updated access scope may introduce new responsibilities or risks. Cloud Plus may ask about post-deployment scenarios that test whether configuration drift or platform updates have been accounted for properly.
Contracts and service-level agreements clarify provider obligations, but they do not replace due diligence. If a provider guarantees system uptime, it does not absolve the customer from maintaining backups or planning for failover. A service-level agreement may promise response time for outages, but it does not monitor customer configurations. Cloud Plus questions may use S L A descriptions to test whether the candidate understands the limitations of relying solely on contractual assurances.
Shared responsibility frameworks vary between providers, but the core concept remains consistent. The lower you are in the stack, such as in I A A S, the more responsibility you have. As you move toward S A A S, the provider takes on more control, but never all of it. Understanding this gradient helps candidates interpret diagrams, narratives, and deployment decisions in the exam. Cloud Plus tests the ability to assign correct responsibility at different levels of abstraction.
Security hardening must always be initiated by the customer. Providers may offer security baselines, templates, or best practices, but implementation requires customer action. This includes setting firewall rules, removing unused accounts, disabling open ports, and configuring two-factor authentication. The exam may test awareness of default vulnerability exposure, where an environment was launched with provider defaults but not reviewed or secured by the tenant.
The shared responsibility model is not static. As the service usage grows, changes to architecture, scaling, or integration expand the customer’s risk exposure. Continuous review of security, identity, compliance, and backup practices is necessary to maintain alignment with the model. Cloud Plus scenarios may simulate growth-related risk, where a small-scale deployment becomes more complex, and responsibility increases accordingly. Candidates must recognize that shared responsibility is a living process, not a one-time agreement.