WAF++

Responsibilities (Security)

The Shared Responsibility Model

Cloud security is a shared responsibility between cloud provider and customer. Misunderstanding this boundary is one of the most common causes of cloud security incidents.

Fundamental Principle

Cloud provider is responsible for: Security OF the Cloud
  ├── Physical security of the data centers
  ├── Hardware infrastructure (servers, network, storage)
  ├── Hypervisor security
  └── Global network infrastructure

Customer is responsible for: Security IN the Cloud
  ├── Operating system configuration and patches (EC2)
  ├── Network configuration (VPC, security groups, NACLs)
  ├── IAM and access controls
  ├── Data encryption
  ├── Application security
  └── Monitoring and incident response

Detailed Responsibility Matrix

Responsibility Area          | IaaS (EC2, VMs) | PaaS (RDS, Lambda)       | SaaS (Office 365, Salesforce)
-----------------------------|-----------------|--------------------------|------------------------------
Physical security            | Cloud provider  | Cloud provider           | Cloud provider
Hypervisor / Host OS         | Cloud provider  | Cloud provider           | Cloud provider
Network configuration        | Customer        | Shared                   | Cloud provider
Operating system (Guest OS)  | Customer        | Cloud provider           | Cloud provider
Middleware / Runtime         | Customer        | Cloud provider           | Cloud provider
Application data             | Customer        | Customer                 | Customer
IAM & access controls        | Customer        | Customer                 | Customer (user management)
Data encryption              | Customer        | Shared (CMK = customer)  | Shared
Monitoring & alerting        | Customer        | Customer                 | Shared
Patch management             | Customer        | Cloud provider (managed) | Cloud provider
Backup configuration         | Customer        | Customer (policy)        | Customer (policy)

"Managed service" means the cloud provider patches the platform. It does not mean that the provider protects your data, writes your IAM policies or sets up your monitoring. Even the patching has a customer side: on RDS, for example, the provider applies engine patches, but the customer chooses the maintenance window, decides whether minor versions are upgraded automatically and triggers major version upgrades.
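To make the customer-side share of a managed service concrete, here is an added example (not WAF++ code) that checks one RDS instance against the rows of the matrix above that stay with the customer. The attribute names are the real ones from the RDS DescribeDBInstances response; the two instance records, the approved-key list, the 7-day backup minimum and the choice of which attributes to check are assumptions for illustration.

```python
"""Customer-side configuration checks for a provider-managed (PaaS) database.

Added example, not part of WAF++. The input has the shape of one DBInstance
entry from the RDS DescribeDBInstances API (attribute names are the real ones);
the instance records, approved-key list and thresholds below are constructed.
"""

# Attribute -> (expected value, row of the responsibility matrix it belongs to)
CUSTOMER_SIDE_CHECKS = {
    "StorageEncrypted": (True, "data encryption"),
    "PubliclyAccessible": (False, "network configuration"),
    "DeletionProtection": (True, "backup configuration"),
    "IAMDatabaseAuthenticationEnabled": (True, "IAM & access controls"),
    "AutoMinorVersionUpgrade": (True, "patch management: provider applies, customer opts in"),
}
MIN_BACKUP_RETENTION_DAYS = 7  # assumed policy value; 0 disables automated backups entirely

# Keys the platform team issues for this data category (constructed ARNs).
APPROVED_KMS_KEYS = {
    "arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555",
}


def customer_side_findings(instance: dict, approved_keys: set) -> list[str]:
    """Return what the customer still has to fix on a provider-managed instance."""
    name = instance.get("DBInstanceIdentifier", "<unknown>")
    findings = []
    for attr, (expected, area) in CUSTOMER_SIDE_CHECKS.items():
        actual = instance.get(attr)
        if actual != expected:
            findings.append(f"{name}: {attr}={actual!r}, expected {expected!r} ({area})")
    # Encryption with the AWS-managed key is only "shared"; the matrix puts the
    # CMK on the customer side, so require one of the platform-issued keys.
    if instance.get("StorageEncrypted") and instance.get("KmsKeyId") not in approved_keys:
        findings.append(f"{name}: KmsKeyId is not a platform-approved CMK (data encryption)")
    retention = instance.get("BackupRetentionPeriod", 0)
    if retention < MIN_BACKUP_RETENTION_DAYS:
        findings.append(
            f"{name}: BackupRetentionPeriod={retention}, minimum "
            f"{MIN_BACKUP_RETENTION_DAYS} days (backup configuration)"
        )
    return findings


# Constructed: an instance created with console defaults and no further thought.
DEFAULT_RDS = {
    "DBInstanceIdentifier": "orders-db", "Engine": "postgres",
    "StorageEncrypted": False, "PubliclyAccessible": True,
    "BackupRetentionPeriod": 1, "DeletionProtection": False,
    "AutoMinorVersionUpgrade": True, "IAMDatabaseAuthenticationEnabled": False,
}

# Constructed: the same instance after the dev team used the platform module.
HARDENED_RDS = {
    "DBInstanceIdentifier": "orders-db", "Engine": "postgres",
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    "PubliclyAccessible": False, "BackupRetentionPeriod": 14,
    "DeletionProtection": True, "AutoMinorVersionUpgrade": True,
    "IAMDatabaseAuthenticationEnabled": True,
}

if __name__ == "__main__":
    for label, inst in (("default", DEFAULT_RDS), ("hardened", HARDENED_RDS)):
        for line in customer_side_findings(inst, APPROVED_KMS_KEYS) or [f"{label}: OK"]:
            print(line)
```

Every finding the default instance produces lands in a "Customer" or "Shared" row of the matrix; nothing the provider is responsible for appears, which is exactly the point of the note above.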

WAF++ Scope of Responsibility

The WAF-SEC controls cover the customer side of the Shared Responsibility Model.

WAF++ Control                      | What is covered                                                  | Customer side
-----------------------------------|------------------------------------------------------------------|--------------------------
WAF-SEC-010 IAM Baseline           | MFA configuration, root account protection, IAM password policy  | Fully customer
WAF-SEC-020 Least Privilege        | IAM policy design, role structure, wildcard avoidance            | Fully customer
WAF-SEC-030 Encryption at Rest     | CMK configuration, encryption policy, KMS rotation               | Key management = customer
WAF-SEC-040 TLS Enforcement        | ALB/NLB TLS policy, API Gateway, CloudFront security policy      | Configuration = customer
WAF-SEC-050 Network Segmentation   | VPC design, security groups, NACLs, VPC endpoints                | Fully customer
WAF-SEC-060 Secrets Management     | Secrets Manager configuration, CI/CD integration, rotation       | Fully customer
WAF-SEC-070 Vulnerability Management | Container scanning configuration, patch policy, SBOM           | Fully customer
WAF-SEC-080 Security Monitoring    | GuardDuty activation, CloudTrail configuration, alerting         | Fully customer
WAF-SEC-090 Policy-as-Code         | OPA/wafpass integration in CI/CD, SCP configuration              | Fully customer
WAF-SEC-100 Incident Response      | Playbooks, runbooks, response automation                         | Fully customer

Team Responsibilities

In modern cloud organizations with multiple teams, dividing security responsibility is crucial. WAF++ recommends the following role distribution:

Platform Team (Cloud Platform / Infrastructure)

The platform team is responsible for the security foundation:

  • Provision and maintain IaC base modules (VPC, IAM roles, KMS, security groups)

  • Operate the security monitoring stack (GuardDuty, Security Hub, SIEM integration)

  • Manage SCPs and org policies

  • Operate the secrets management system (Secrets Manager, Vault)

  • Maintain WAF++ checker integration in the CI/CD platform

Security decisions of the platform team:

  • Which regions are permitted?

  • Which KMS keys are used for which data categories?

  • How are VPCs and networks structured?

  • Which security guardrails apply organization-wide?

Dev Teams (Product Teams / Development Teams)

Dev teams are responsible for the security of their applications and services:

  • Correct use of security modules provided by the platform team

  • No wildcards in application-specific IAM policies

  • No hardcoded secrets in application code and IaC

  • Addressing security findings from vulnerability scans

  • Implementing security controls at the application level

Security decisions of dev teams:

  • What specific permissions does their application need?

  • How are application secrets obtained at runtime?

  • How are container images kept up to date?

Security Team (CISO / Cloud Security)

The security team is responsible for governance, oversight and risk management:

  • Definition of security policies and standards (Policy Owner)

  • Review and approval of exceptions to security standards

  • Operation of the Security Operations Center (SOC) or oversight of the SOC function

  • Conducting or commissioning penetration tests and red team exercises

  • Incident response coordination

  • Regulatory compliance monitoring (ISO 27001, GDPR, BSI C5)

Security decisions of the security team:

  • Which risks are acceptable? (Risk acceptance)

  • Which exceptions to controls are approved? (Exception process)

  • Which new threats require new controls?

Compliance Team

The compliance team is responsible for audit and evidence management:

  • Collection of audit evidence from the WAF++ framework

  • Coordination of external audits (ISO 27001 certification audit, SOC 2 audit)

  • Translation of regulatory requirements into technical control requirements

The "Security as Code" Principle

WAF++ follows the principle: Security decisions are code, not exceptions.

This means:

No Manual Bypass Without Documentation

Every deviation from a WAF-SEC control requires:

  1. Exception Request: Documented form with justification, risk assessment and time period

  2. Risk Acceptance: Approval by Security Team and CISO

  3. Compensating Controls: What replaces the missing control?

  4. Review Date: an exception runs for at most 90 days; at expiry it is reviewed and either closed or explicitly extended, never silently renewed

  5. Audit Trail: Exception is documented in the repository (not in email)

# exceptions/WAF-SEC-020-exception-001.yml
# One file per exception; it goes through the same PR review as any other change.
exception_id: "EXC-WAF-SEC-020-001"
control: "WAF-SEC-020"
# AWS account IDs are 12 digits; the sample account 123456789012 is used here.
resource: "arn:aws:iam::123456789012:role/legacy-batch-role"
reason: "Legacy system not yet migrated to least privilege. Migration planned Q2 2026."
risk_level: "medium"
approved_by: "CISO - Max Mustermann"
approved_date: "2025-12-01"
# 90 days after approval (the maximum); an extension is a new approval, not an edit of this date.
expiry_date: "2026-03-01"
compensating_controls:
  - "CloudTrail alerting on usage of this role"
  - "Manual quarterly review"
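Keeping exceptions in the repository only pays off if the five requirements above are enforced mechanically in CI rather than by eye. The following is an added example (not part of WAF++ or the wafpass checker the page mentions) of such a check. The field names are those of the exception record above; the flat YAML subset it parses, the ARN pattern, the risk-level scale and the fixed "today" date used for the demo are assumptions.

```python
"""Checker for WAF-SEC exception records kept in the repository.

Added example, not part of WAF++ or wafpass. Enforces the exception rules on
files shaped like exceptions/WAF-SEC-020-exception-001.yml. The ARN pattern,
risk-level scale and the sample records below are assumptions.
"""
import re
from datetime import date

MAX_EXCEPTION_DAYS = 90  # "Exception periods are maximum 90 days"
REQUIRED_FIELDS = (
    "exception_id", "control", "resource", "reason", "risk_level",
    "approved_by", "approved_date", "expiry_date", "compensating_controls",
)
RISK_LEVELS = {"low", "medium", "high", "critical"}  # assumed scale
CONTROL_RE = re.compile(r"^WAF-SEC-\d{3}$")
# arn:partition:service:region:account:resource, account is 12 digits when present
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_flat_yaml(text: str) -> dict:
    """Parse the flat key/value + list-of-strings subset used by exception
    records. Not a general YAML parser; in real CI use PyYAML's safe_load."""
    record: dict = {}
    list_key = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("- ") and list_key is not None:
            record[list_key].append(_unquote(stripped[2:].strip()))
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "":  # "key:" with nothing after it opens a list of "- item" lines
            record[key] = []
            list_key = key
        else:
            record[key] = _unquote(value)
            list_key = None
    return record


def validate_exception(record: dict, today: date) -> list[str]:
    """Return findings; an empty list means the exception record is acceptable."""
    findings = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in record]
    if findings:
        return findings
    control, exc_id = record["control"], record["exception_id"]
    if not CONTROL_RE.match(control):
        findings.append(f"control must look like WAF-SEC-NNN, got {control!r}")
    prefix = f"EXC-{control}-"
    if not (exc_id.startswith(prefix) and exc_id[len(prefix):].isdigit()):
        findings.append(f"exception_id must be {prefix}NNN, got {exc_id!r}")
    if not ARN_RE.match(record["resource"]):
        findings.append(f"resource is not a well-formed ARN: {record['resource']!r}")
    if record["risk_level"] not in RISK_LEVELS:
        findings.append(f"risk_level must be one of {sorted(RISK_LEVELS)}")
    try:
        approved = date.fromisoformat(record["approved_date"])
        expiry = date.fromisoformat(record["expiry_date"])
    except ValueError as err:
        findings.append(f"dates must be ISO YYYY-MM-DD: {err}")
        return findings
    period = (expiry - approved).days
    if period <= 0:
        findings.append("expiry_date must be after approved_date")
    elif period > MAX_EXCEPTION_DAYS:
        findings.append(f"exception period is {period} days, maximum is {MAX_EXCEPTION_DAYS}")
    if expiry < today:
        findings.append(f"exception expired on {expiry}; renew it or remove the bypass")
    controls = record["compensating_controls"]
    if not isinstance(controls, list) or not controls:
        findings.append("at least one compensating control is required")
    return findings


def audit_exception_file(text: str, today_iso: str) -> list[str]:
    """Parse one exception file and validate it as of the given ISO date."""
    return validate_exception(parse_flat_yaml(text), date.fromisoformat(today_iso))


# Constructed copy of the record on this page (12-digit sample account ID).
GOOD_EXCEPTION = """\
exception_id: "EXC-WAF-SEC-020-001"
control: "WAF-SEC-020"
resource: "arn:aws:iam::123456789012:role/legacy-batch-role"
reason: "Legacy system not yet migrated to least privilege. Migration planned Q2 2026."
risk_level: "medium"
approved_by: "CISO - Max Mustermann"
approved_date: "2025-12-01"
expiry_date: "2026-03-01"
compensating_controls:
  - "CloudTrail alerting on usage of this role"
  - "Manual quarterly review"
"""

# Constructed counter-example: 183-day period, already expired, no compensating controls.
BAD_EXCEPTION = """\
exception_id: "EXC-WAF-SEC-020-002"
control: "WAF-SEC-020"
resource: "arn:aws:iam::123456789012:role/old-etl-role"
reason: "Nobody remembers what this role does."
risk_level: "high"
approved_by: "Team lead"
approved_date: "2025-06-01"
expiry_date: "2025-12-01"
compensating_controls:
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_EXCEPTION), ("bad", BAD_EXCEPTION)):
        for finding in audit_exception_file(text, "2026-01-15") or ["OK"]:
            print(f"{name}: {finding}")
```

Run it as a CI job over `exceptions/*.yml` with the real current date and fail the pipeline on any finding; an exception that has expired then blocks the next deployment instead of quietly living on, which is the behaviour the 90-day rule is meant to produce.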

Security Reviews in the PR Process

Every change to security-relevant resources requires a security review in the pull request:

  • IAM policies: mandatory review by platform team or security team

  • Security group changes: review by platform team

  • KMS key policies: review by security team

  • New external integrations: review by security team

A CODEOWNERS file in the infrastructure repository makes sure these reviews are requested automatically. Note that CODEOWNERS only requests the review; it becomes a hard gate only when branch protection on the main branch requires an approving review from code owners before merge.

# CODEOWNERS
/modules/iam/           @platform-team @security-team
/modules/network/       @platform-team
/modules/kms/           @security-team
/modules/secrets/       @security-team
/.github/workflows/     @platform-team @security-team

Responsibility Matrix (RACI)

Security Task                    | Platform Team | Dev Team    | Security Team | Compliance
---------------------------------|---------------|-------------|---------------|------------
Implement WAF++ controls (IaC)   | Responsible   | Responsible | Consulted     | Informed
Define security policies         | Consulted     | Informed    | Responsible   | Accountable
Approve exceptions               | Consulted     | Requestor   | Responsible   | Accountable
Escalate security incidents      | Informed      | Informed    | Responsible   | Informed
Provide audit evidence           | Responsible   | Responsible | Accountable   | Responsible
Conduct penetration tests        | Informed      | Informed    | Accountable   | Informed
Create compliance reports        | Consulted     | Consulted   | Consulted     | Responsible