Security in the Amazon EC2 environment is a responsibility shared by both the end user and Amazon. Within this environment there are specific parts that Amazon has control of and parts that are controlled by the user. Huge operational efficiencies can be gained in a shared security model, however this comes at the cost of the flexibility to have total control over an environment. The ability to utilize tried and true controls, like IDS and vulnerability scanners, becomes limited when there is a shared responsibility for the network layer. In EC2, Amazon holds the responsibly of network routing and segmentation between customers.
Source: https://thehackernews.com/2015/05/shared-security-aws.html