The shared responsibility model

In this model of shared responsibility, AWS is responsible for the security of the cloud and you, as an AWS user, are responsible for security in the cloud. In other words, AWS secures the data centers, the physical infrastructure, the physical network, the virtualization layer, and the host operating systems. In turn, you are responsible for everything that sits on top of that: managing and operating the guest operating systems, applying security patches, and configuring IAM permissions, security groups, and access policies.

AWS also provides many managed services, which can make it harder to see exactly where the boundary of responsibility lies for a given service. From a security standpoint, those services can be broken into three categories:

  • Infrastructure services: These services require the most work on your side because they sit at the lowest level. They are typically virtualized resources such as virtual machines (EC2), network components (VPC), and block storage such as Amazon Elastic Block Store (EBS). Everything from the guest operating system upward is yours to secure.
  • Container services: Despite the name, this category is not about Docker-style containers. These services usually sit just on top of the infrastructure services; the difference is that Amazon administers the operating system and most of the service's functionality. They include RDS, ElastiCache, and more generally the services you consume by creating instances of them. You still control who can reach them (security groups), who can manage them (IAM), and the data they hold.
  • Abstracted services: This last category abstracts away the notion of a server or instance completely. You use these services through an API layer, which puts most of the burden of securing them on AWS's shoulders; what remains for you is mainly access control (IAM and resource policies) and the data itself. Services we saw earlier that fall into this category include S3 and DynamoDB.

Refer to the following diagram to understand better what's required to secure a given service and who is responsible for each layer:

You can read more on the topic of shared responsibility at http://amzn.to/2l6irFV. In addition, AWS publishes detailed documentation with best practices for securing each service it offers. One of the best ways to audit the layers you are responsible for is to rely on tools that run the inspection for you.
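As an added example (not code from this book or from AWS), the following script shows the kind of check such a tool runs over the two layers that fall on your side of the model in every category: security group ingress rules and IAM policy statements. The inputs are constructed samples shaped like the boto3 `describe_security_groups()` response and an IAM policy document; the group IDs, names, and policy are invented for illustration, and nothing here calls AWS, so it runs offline.

```python
"""Audit constructed AWS-shaped data for the misconfigurations that are the
customer's responsibility: world-open security group rules and wildcard IAM
grants. Sample data below is constructed; no AWS API is called."""

# Ports where a rule open to the whole internet is almost always a mistake.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}

# "Anywhere" in IPv4 and IPv6 form.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like describe_security_groups()["SecurityGroups"]:
# "web" is fine (443 public, 22 internal only); "bastion-bad" has two bad rules.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f6a7b8",  # hypothetical ID
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0f9e8d7c6b5a43210",  # hypothetical ID
        "GroupName": "bastion-bad",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # IpProtocol "-1" means every protocol and port; FromPort/ToPort are absent.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Constructed sample IAM policy: one over-broad Allow, one scoped Allow, one Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},  # a Deny is not a finding
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _rule_covers_port(rule, port):
    """True if an IpPermissions entry admits traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto not in ("tcp", "udp"):  # icmp etc. carry no port
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_world_open_ingress(security_groups, sensitive_ports=SENSITIVE_PORTS):
    """Return (group_id, port, cidr) for each sensitive port reachable from anywhere."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if c in WORLD_CIDRS]
            if not world:
                continue
            for port in sorted(sensitive_ports):
                if _rule_covers_port(rule, port):
                    findings.extend((sg["GroupId"], port, cidr) for cidr in world)
    return findings


def find_wildcard_allow_statements(policy):
    """Return indices of Allow statements granting every action on every resource."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            hits.append(i)
    return hits


if __name__ == "__main__":
    for group_id, port, cidr in find_world_open_ingress(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {SENSITIVE_PORTS[port]}/{port} open to {cidr}")
    for idx in find_wildcard_allow_statements(SAMPLE_POLICY):
        print(f"IAM statement {idx}: Allow * on *")
```

Against live data you would feed `find_world_open_ingress` the `SecurityGroups` list returned by boto3's `describe_security_groups()` and `find_wildcard_allow_statements` each policy document from `get_policy_version()`; the "-1" protocol case matters in practice because a rule that looks like "allow all traffic from ::/0" has no port fields at all and is silently skipped by checks that only compare `FromPort` and `ToPort`.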