Amazon looks after the underlying infrastructure. Customer looks after what they put into it.

• Platform, applications, user access (IAM).
• OS, networking, firewall.
• Client/server side encryption, network protection.

You're responsible for the OS up.

• Compute, storage, DBs, networking
• AWS infrastructure.

Master user. Ya know, like root on Linux and such.

A user

Group of permissions in json of what a user or role can or can't do.

Groups of users. Policies can be applied to groups which effects all users of said group.

Think, Groups but tempoary.

No username/password, but tempoary access to permissions. Can be used for

• Users
• External identities
• Applications
• Other AWS services.

When an IAM user gets a role, it loses it's previous permissions and only has the ones of the role.

Manage all of the above but over several AWS accounts, billing, etc.

Think, IAM policies above. Can be attached to OUs or an individual member account.

Think, IAM groups above.

Machine learning, proactive defence.

Provided to all customers at no cost.

Paid, provides detailed information on attacks. Intergrates with CloudFront, Route 53 and ELB.

Key management, like SSL certs.

Web application firewall.

Checks your application for deviations in security best practices.

Threat detection for AWS resources and infrastructure. Watches network and account activity.