The cloud shared responsibility model sounds simple: cloud providers secure the infrastructure; customers secure their data and applications. In practice, the dividing line is more nuanced than that, it is frequently misunderstood, and misunderstandings of it lie behind the majority of cloud security incidents.
What Cloud Providers Actually Cover
AWS, Azure, and GCP are responsible for the physical security of data centers, the security of the hypervisor and host infrastructure, the availability and security of managed services at the infrastructure level, and network security at the provider boundary. They are remarkably good at this — cloud infrastructure security substantially exceeds what most organizations can achieve on-premises.
What You're Responsible For
Everything built on top of that foundation is your responsibility: identity and access management (including protecting credentials), network configuration (security groups, VPC design), encryption of data at rest and in transit, configuration of cloud services, application security, and security monitoring. The most common cloud breaches result from misconfiguration and compromised credentials — both of which fall entirely on the customer's side of the model.
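Two of the customer-side items above, security-group configuration and IAM, are also the easiest to check mechanically. The script below is an added example written for this article, not code from the article or from any cloud provider's tooling. It audits a security-group document for ingress rules open to the whole internet on sensitive ports and an IAM policy document for statements that grant every action on every resource. The sample data is constructed inline to mirror the JSON shape of `aws ec2 describe-security-groups` output and of an IAM policy document; the port list and the helper names are this example's own choices.

```python
"""Offline audit of two customer-side misconfiguration classes named in the
article: world-open security-group ingress and wildcard IAM policy statements.
All input documents here are constructed for the example; they are not real
account data."""
import json
from ipaddress import ip_network

# Ports whose exposure to 0.0.0.0/0 or ::/0 is almost always a finding.
# This list is the example's own choice; extend it to match your environment.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}


def _is_world(cidr):
    """True when a CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm):
    """Return (low, high) ports for one IpPermissions entry; '-1' means all."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(doc):
    """Return (group_id, port_or_ALL, message) for ingress rules reachable
    from the whole internet on sensitive ports or on all ports."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(_is_world(c) for c in cidrs):
                continue  # Only world-reachable rules are of interest here.
            lo, hi = _port_range(perm)
            if lo == 0 and hi == 65535:
                findings.append((sg["GroupId"], "ALL",
                                 "all ports open to 0.0.0.0/0 or ::/0"))
                continue
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port,
                                     f"{name} open to the world"))
    return findings


def audit_iam_policy(policy):
    """Return (sid, message) for Allow statements with Action '*' on Resource '*'.
    Action and Resource may be a string or a list in real policies."""
    def as_list(v):
        return v if isinstance(v, list) else [v]
    findings = []
    for idx, st in enumerate(as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "*" in as_list(st.get("Action", [])) and "*" in as_list(st.get("Resource", [])):
            findings.append((st.get("Sid", f"Statement[{idx}]"),
                             "full admin (Action * on Resource *)"))
    return findings


# Constructed sample: one web group and one database group.
SAMPLE_SGS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
    "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}""")

# Constructed sample policy with one scoped and one wildcard statement.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:GetLogEvents"], "Resource": "*"},
    {"Sid": "BreakGlass", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SGS) + audit_iam_policy(SAMPLE_POLICY):
        print("FINDING:", *f)
```

On the sample data the checks flag SSH on `sg-0aaa`, the all-traffic IPv6 rule on `sg-0bbb`, and the `BreakGlass` statement, while HTTPS to the world and PostgreSQL restricted to the VPC range pass. The same functions work unchanged on the JSON you export from a real account, which is the point: none of these findings are visible to the provider, and none would be caught by anything on the provider's side of the model.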