In an on-premise data center, as an owner, you are responsible for end-to-end security whereas in cloud, security is a shared responsibility between the cloud provider and the customer.
Below is a diagram from AWS website depicting the shared responsibility model.
Shared responsibility model changes depending on the service but can be broadly categorized as , security OF the cloud which the AWS is responsible for and Security IN the cloud which is a customer’s responsibility.
SECURITY OF THE CLOUD
AWS is responsible for protecting the global infrastructure which includes regions, availability zones, edge locations, regional edge caches, global network of metro fibers, and transit centers. All the services offered by AWS run in their global infrastructure. All AWS data centers are secured at various layers including Perimeter layer, Infrastructure layer, Data layer and Environmental layer
As a customer you cannot physically visit the datacenter and look at the security measures implemented by AWS. However, several auditors have verified and confirmed AWS’s security and compliance and issued security certifications.
Apart from the global infrastructure, AWS manages and controls the host OS and virtualization layer for all the services offered and for managed services such as RDS, Redshift and DynamoDB, AWS is also responsible for guest OS security patches, database patches and firewall configuration.
SECURITY IN THE CLOUD
AWS customers maintain complete control over their content and are responsible for everything they put in the cloud. They are responsible for choosing which AWS services to use and who to grant access to, to their AWS account. They choose the region for storing data in the cloud and whether to encrypt the data or not. Customers are in complete control of managing access rights granted to individual IAM users and protecting account credentials.
IaaS services offered by AWS such as Amazon VPC, Amazon EC2 and Amazon S3 are under customer’s control where you, as a customer, are responsible for all security configuration and management including guest OS management, patching and security, configuring security groups, as well as application software.
Shared responsibility model changes depending on the service. In case of managed services, customers are only responsible for configuration of logical access control whereas Guest OS patching and security configuration is taken care of by AWS. Customer maintains complete control of personal data stored in managed services.