Sort each item — physical data centers, IAM permissions, network exposure, data encryption, patching, secrets — into 'cloud provider' or 'you'. The provider secures the cloud; you secure what's in it. The most-confused cloud idea, made clear.
For each item, decide who's responsible: the cloud provider or you. You'll get instant feedback. The provider is responsible for security of the cloud; you are responsible for security in the cloud.
Physical data centers & hardware
Hypervisor & core infrastructure
Patching the managed-service platform (e.g. RDS engine)
IAM permissions & policies
Network exposure (security groups, public access)
Encrypting your data & managing key usage
Application & API security
Secrets management & rotation
Guest OS patching on your VMs
Classifying & protecting your data
What just happened
▹ The cloud provider secures the cloud — physical sites, hardware, hypervisor, and the platform of managed services. That part you inherit for free.
▹ You secure what's IN the cloud — IAM, network exposure, data encryption, app & API security, secrets, and (for VMs) the guest OS. Most breaches live in this column.
▹ Almost every cloud incident is a YOUR-side configuration mistake: a public bucket, an open security group, an over-permissive role. Knowing where the line sits is the first step to not crossing it.