The bottom line here is this: the idea that a CSP takes care of everything for you is a fallacy that really needs to die.
Thompson, Graham. All-in-One CCSK Certificate of Cloud Security Knowledge Exam Guide. Page 3. McGraw Hill. New York: 2020.
I was dealing with a situation lately where a group was looking at licensing a cloud-based resource, but no one had checked the cloud service provider’s (CSP) shared responsibility model. The group assumed the vendor’s model was similar to the bigger vendors. Turns out they were wrong.
One of the “must dos” when looking to on-board a new service offering from a CSP is to check the shared responsibility model. In some cases, a vendor may have a single model for all offerings, but that is not always the case. For example, with the CSP the group was looking at, there were two different service offerings and they had different shared responsibility models.
If you aren’t familiar with the concept of a shared responsibility model, here is the one for Microsoft Azure. Every CSP should have this, though you may have to ask for it. Never assume the CSP is going to take care of something for you. Verify what they will and will not handle with the appropriate shared responsibility model document.