What is the AWS Shared Responsibility Model?
The Shared Responsibility Model defines who secures what between AWS and the customer.
AWS — Security of the cloud: physical data centers, hardware, hypervisor, networking infrastructure, and managed-service software.
Customer — Security in the cloud: OS patching (for EC2), IAM users and roles, network ACLs and security groups, encryption keys, application code, and data classification.
Shifts with the service — for EC2 (IaaS) the customer patches the OS; for Lambda or DynamoDB (managed), AWS handles the OS and runtime, customer handles IAM and data.
One-liner: AWS protects the cloud; you protect what you put in it. Misconfigured S3 buckets and leaked IAM keys are your problem, not AWS's.
Memorize 'AWS secures the cloud, you secure what's in it.' Add that responsibility shifts by service (more to customer in EC2, less in Lambda) to show maturity.