Account Security vs. Application and Service Security
An AWS account will draw unwanted attention because of the amount of raw data you will be working with, all of which is fairly accessible through the native application programming interface (API). AWS does provide a multitude of native tools to help you configure permissions for your users, and it keeps an active log of all actions taken, for review, monitoring, and auditing purposes.
Applications and services hosted in AWS can still be directly threatened by a variety of attacks. Cross-site scripting (XSS) and general brute-force attacks are aimed at user endpoints, while distributed denial-of-service (DDoS) attacks attempt to overwhelm your environment through a massive wave of simulated interactions with your applications. Even when such attacks are not aimed at stealing your information, they can harm your operations in other ways.
Both fronts are equally important, and minimizing the risk to you and your customers’ data is a constantly changing fight.