Here are some notes I took during the AWS transformation day 2018
Customers interact with AWS via API, even when using AWS CLI.
 Forms the outer application access ring which is accessed by 
Amazon mangages security of the cloud Customer manages security in the cloud
Findings were that AWS "[..] was protected against unauthorized access, use, or modification to meet AWS' commitments and system requirements [..]"
AWS only protects it's own path against cyberrisk, but not the customer's application/data path.
Get IAM right. This can work in conjunction with AWS CloudTrail and AWS Config. CloudTrail and ElasticSearch can for example prove that no other regions except for the allowed ones were used. This might be neccessary for compliance with privacy laws in Germany.
All data passing through these services is "washed", so that for example invalid HTTP requests or DDoS attacks are dropped.
Optional AWS Shield can further protect data.
— Betram Dorn AWS Security and Compliance Specialist