Newsletter · Edition #9 · Cloud · 3 min read
Why “we use AWS” isn’t a compliance answer
The cloud provider secures the cloud. Securing what you put in it is still your job.
“We’re on AWS, so we’re secure” is one of the most expensive misconceptions in cloud compliance. The shared responsibility model is explicit about where the provider’s job ends and yours begins.
Their half vs your half
The provider secures the physical infrastructure, hypervisor and managed-service backend. You own identity and access, network configuration, encryption choices, data classification, logging and everything you deploy. Most breaches happen on your half.
The evidence auditors want
A compliant AWS environment produces evidence: least-privilege IAM, enforced MFA, encrypted storage, restrictive security groups, and centralised logging you actually review. “We use a certified cloud” proves the provider’s controls, not yours.
The bottom line
Inherit the provider’s certifications for their layer — and prove your own controls for yours. Auditors assess the second half.
Get the next edition in your inbox
Practical PCI DSS, ISO 27001, SOC 2 and DPDP insight from CERT-In empanelled auditors — a few times a month, no spam.
