AWS has a Shared Responsibility Model. They are responsible for the Cloud, and you are responsible for what you do in the Cloud.
They protect the infrastructure; you need to protect the software and data that run on it, including security configurations (VPNs, security groups, IAM roles), OS/software upgrades, and data encryption.
You and your team are responsible for all the tasks that you are allowed to do in the cloud service. For example, if you use RDS, you are not responsible for upgrading the operating system, but you are responsible for the data you save.
The more control you have, the more security effort you need to perform.
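
The RDS case above, as an added example that is not part of the original page: a Python check over a constructed response shaped like `aws rds describe-db-instances` output, flagging settings that stay on the customer's side even though AWS patches the operating system. The three settings checked are this example's choice, and the instance names and values are made up.

```python
# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
         "PubliclyAccessible": False, "BackupRetentionPeriod": 7},
        {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False,
         "PubliclyAccessible": True, "BackupRetentionPeriod": 0},
        # Field missing on purpose: an absent setting is treated as a finding.
        {"DBInstanceIdentifier": "reports-db",
         "PubliclyAccessible": False, "BackupRetentionPeriod": 1},
    ]
}

# Customer-side settings (assumed policy): field, pass condition, finding text.
CHECKS = [
    ("StorageEncrypted", lambda v: v is True,
     "storage is not encrypted at rest"),
    ("PubliclyAccessible", lambda v: v is False,
     "instance is publicly accessible"),
    # A retention period of 0 means automated backups are turned off.
    ("BackupRetentionPeriod", lambda v: isinstance(v, int) and v > 0,
     "automated backups are disabled"),
]


def audit(response):
    """Return {instance id: [findings]} for instances failing any check."""
    findings = {}
    for db in response.get("DBInstances", []):
        problems = [msg for field, ok, msg in CHECKS if not ok(db.get(field))]
        if problems:
            findings[db["DBInstanceIdentifier"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        for problem in problems:
            print(f"{name}: {problem}")
```
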