Know what AWS secures vs what you must secure for each service pattern.
AWS operates the cloud; customers configure secure use of services in the cloud.
Each table below covers one service pattern. Lines are illustrative; always read the current AWS documentation.

| AWS | Customer |
|---|---|
| Host hardware, AZ resilience | Guest OS hardening, security groups, key pairs/IAM |
| EBS infrastructure | Encryption selection, snapshot policies |

| AWS | Customer |
|---|---|
| Durability/availability of object store | Bucket policies, ACLs/block public access, KMS keys |
| Managed encryption at rest options | Who can decrypt; lifecycle & logging to trusted account |

| AWS | Customer |
|---|---|
| Managed DB engine maintenance windows | Subnet groups, parameter groups, master cred rotation strategy |
| Automated backups infrastructure | Access to snapshots; app-level encryption decisions |

| AWS | Customer |
|---|---|
| Runtime execution environment | Function code, dependencies, env secrets, IAM role |
| Platform patching | VPC config, concurrency, dead-letter & observability |
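
The Customer column above can be turned into checks that run against your own account configuration. The following is an added example, not part of the original page or of any AWS tooling: it audits one Customer-column item per table over a constructed inventory. Field names follow the EC2, S3, RDS and Lambda API response shapes; the resource names, sample values and the choice of checks are assumptions.

```python
import re
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_?KEY", re.I)
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def check_security_group(sg):
    # First table, "security groups": SSH/RDP reachable from any address.
    out = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        if world and any(lo <= p <= hi for p in (22, 3389)):
            out.append(f"{sg['GroupId']}: SSH/RDP open to 0.0.0.0/0")
    return out

def check_bucket(name, pab):
    # Second table, "block public access"; pab is None when never configured.
    off = [k for k in PAB_KEYS if not (pab or {}).get(k)]
    return [f"{name}: public access block off: {', '.join(off)}"] if off else []

def check_snapshot(snap_id, attrs):
    # Third table, "access to snapshots": restore attribute "all" means public.
    public = any(a.get("AttributeName") == "restore" and "all" in a.get("AttributeValues", [])
                 for a in attrs)
    return [f"{snap_id}: snapshot restorable by any account"] if public else []

def check_function(fn):
    # Fourth table, "env secrets" and "dead-letter".
    out = [f"{fn['FunctionName']}: secret-like env var {k}"
           for k in fn.get("Environment", {}).get("Variables", {}) if SECRET_NAME.search(k)]
    if not fn.get("DeadLetterConfig", {}).get("TargetArn"):
        out.append(f"{fn['FunctionName']}: no dead-letter target")
    return out

# Constructed sample inventory (assumed values), shaped like AWS API responses.
INVENTORY = {
    "security_groups": [{"GroupId": "sg-example", "IpPermissions": [
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
    "buckets": {"example-logs": None, "example-data": dict.fromkeys(PAB_KEYS, True)},
    "snapshots": {"example-snap": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    "functions": [{"FunctionName": "example-fn",
                   "Environment": {"Variables": {"DB_PASSWORD": "x", "STAGE": "dev"}}}],
}

def audit(inv):
    found = [x for sg in inv["security_groups"] for x in check_security_group(sg)]
    found += [x for n, p in inv["buckets"].items() for x in check_bucket(n, p)]
    found += [x for s, a in inv["snapshots"].items() for x in check_snapshot(s, a)]
    found += [x for fn in inv["functions"] for x in check_function(fn)]
    return found
```

Calling `audit(INVENTORY)` returns one finding string per failed check; every finding is a customer-side setting, which is the point of the right-hand column.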