Understanding AWS Shared Responsibility Model

AWS Shared Responsibility Model

AWS follows a shared responsibility model: AWS is responsible for some parts of the stack, and the customer is responsible for the rest.

AWS's responsibility is mainly at the data center level (hardware, software) plus physical security. Everything else is the customer's responsibility. If you opt for managed services, AWS takes on some additional responsibilities for you, such as managing the OS.

AWS is responsible for security of the cloud and the customer is responsible for security in the cloud.

Data is the customer's responsibility. The customer owns the data 100%. AWS does not own any customer data.

What about IT controls?

IT controls also have a shared responsibility model.

If you're wondering what IT controls are: they are policies and procedures that ensure the IT used by an organization operates as intended and that data is reliable and compliant.

IT controls - Wiki

Below are some examples of IT controls that have shared responsibility:

  • Inherited Controls: Inherited controls are those that the customer fully inherits from AWS. These are physical and environmental controls.

  • Shared Controls: Shared controls are those which apply to both infrastructure and customer layers but in separate contexts.

    • Patch Management: AWS patches the infrastructure software, etc. Patch management of the guest OS and apps is the customer's responsibility.

    • Configuration Management: AWS handles config management of infra devices. The customer is responsible for DB and app config management.

    • Awareness and training: AWS trains AWS employees; the customer trains theirs.

  • Customer Specific: controls that are the customer's responsibility based on the app they're deploying in AWS. E.g.:

    • Service and communications security or zone security which may require a customer to route or zone data within specific security requirements.

More References:

AWS Shared Responsibility Model

Support Manoj Chandrabhanu by becoming a sponsor. Any amount is appreciated!