Newsletter · Edition #9 · Cloud · 3 min read

Why “we use AWS” isn’t a compliance answer

The cloud provider secures the cloud. Securing what you put in it is still your job.

“We’re on AWS, so we’re secure” is one of the most expensive misconceptions in cloud compliance. The shared responsibility model is explicit about where the provider’s job ends and yours begins.

Their half vs your half

The provider secures the physical infrastructure, hypervisor and managed-service backend. You own identity and access, network configuration, encryption choices, data classification, logging and everything you deploy. Most breaches happen on your half.

The evidence auditors want

A compliant AWS environment produces evidence: least-privilege IAM, enforced MFA, encrypted storage, restrictive security groups, and centralised logging you actually review. “We use a certified cloud” proves the provider’s controls, not yours.

The bottom line

Inherit the provider’s certifications for their layer — and prove your own controls for yours. Auditors assess the second half.

Get the next edition in your inbox

Practical PCI DSS, ISO 27001, SOC 2 and DPDP insight from CERT-In empanelled auditors — a few times a month, no spam.

Compliance insights, no spam. Unsubscribe anytime.

← Browse all editions

Free tool
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →