Understanding the security responsibilities

AWS security operates on a shared responsibility model: some parts are managed by you and other parts are managed by AWS. The model can be viewed as three parts: infrastructure security, application security, and services security:

  • Infrastructure security: AWS holds a whole host of industry-recognized compliance certifications against various security-centric standards such as Payment Card Industry (PCI), NIST, SSAE, and ISO, as well as PCI DSS 2.0 Level 1, ISO 9001, 27001, 27017, 27018, and so on.
  • Application security: Services that support security implementation in applications, such as IAM policies, origin protection, ACM integration, key/certificate rotation, and so on, make those applications more secure without sacrificing performance.
  • Services security: This covers the protections Amazon provides by default and what you can do with them to make your applications more secure. For example, the security options and features available on CloudFront are implemented in a standardized way across a growing number of edge locations and regions spanning cities, countries, and continents, so you get a consistent security footprint with CloudFront everywhere. Additionally, AWS provides features and options such as SSL/TLS options, private content protection mechanisms, origin access identities to protect the origin, a Web Application Firewall (WAF) to protect against malicious bots, CloudTrail to track the usage of AWS services, and so on.
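The "origin access identities to protect the origin" item above is one of the controls that falls on your side of the model: CloudFront can present an OAI, but it is your S3 bucket policy that must grant read access to that OAI and to nobody else. The following is an added example, not code from the book, that builds such a bucket policy and checks an arbitrary policy document for the common mistake of also leaving the bucket readable by anonymous principals. The bucket name and OAI id are constructed placeholders; the principal ARN format is the one CloudFront uses for an OAI.

```python
"""Added example (not from the book): build an S3 bucket policy that lets only a
CloudFront Origin Access Identity (OAI) read objects, and check a policy for
anonymous ('*') Allow statements that would bypass CloudFront entirely."""
import json

# Constructed placeholders, not real identifiers.
BUCKET = "example-origin-bucket"
OAI_ID = "EXAMPLEOAIID1234"


def oai_principal_arn(oai_id: str) -> str:
    # IAM principal form CloudFront uses for an Origin Access Identity.
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def build_oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Least-privilege origin policy: only the OAI may GetObject, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal_arn(oai_id)},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principals(stmt: dict) -> list:
    """Flatten the Principal element: '*' and {'AWS': '*'} both mean anonymous."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(_as_list(v))
        return out
    return []


def find_public_statements(policy: dict) -> list:
    """Return the Sids of unconditional Allow statements granted to '*'.
    An OAI-protected origin should have none: every read must go via CloudFront."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt) and "Condition" not in stmt:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def is_oai_only(policy: dict, oai_id: str) -> bool:
    """True when every Allow statement is granted solely to the given OAI."""
    want = oai_principal_arn(oai_id)
    allows = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    return bool(allows) and all(_principals(s) == [want] for s in allows)


# Constructed weak policy for comparison: the bucket is readable by anyone,
# so CloudFront (and any WAF or signed-URL control in front of it) is bypassable.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

if __name__ == "__main__":
    good = build_oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(good, indent=2))
    print("public statements in OAI policy:", find_public_statements(good))
    print("public statements in public policy:", find_public_statements(PUBLIC_POLICY))
```

The checker deliberately treats only unconditional `Allow` statements for `*` as public; a statement that carries a `Condition` block needs case-by-case review rather than an automatic verdict. Statements referencing other IAM users or roles are reported by `is_oai_only` returning `False`, since an origin bucket should normally have no readers other than the distribution.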

Essentially, AWS is responsible for managing the security of the virtualization layer; the compute, storage, and network infrastructure; the global infrastructure (regions, AZs, and endpoints); and physical security. In addition, for AWS container services (Amazon RDS, Amazon EMR, and so on), AWS is responsible for the operating system or platform layer of the EC2 or other infrastructure instances underneath them. AWS also manages the underlying service components and the operating system for AWS abstracted services (Amazon S3, DynamoDB, SQS, SES, and so on).

AWS engineers, operations staff, and others follow strict controls and procedures governing who can access the edge infrastructure or systems. For maintenance activity, bastion hosts act as a centralized point that the engineers log in to, and they are the only point from which the edge hosts can be accessed. Additionally, two-factor authentication is required to access these bastion hosts, and end-to-end encryption is implemented. Constant testing and probing are carried out to ensure that security best practices are being followed.

In subsequent sections, we will present some practical ways to make your content more secure. Hence, we will keep our focus on your responsibilities rather than Amazon's. This includes implementing security controls for users and roles, policies and configuration, applications and data (storage, in transit, and at rest), firewalls, network configuration, and the operating system.

In the next section, we will discuss the basics and best practices of a minimally viable approach—a good starting point to implement some of the security controls that can mature into a comprehensive security strategy over time.
