According to the AWS shared responsibility model, the customer is responsible for security in the cloud, which includes managing data encryption and granting least privilege access to IAM users. Data encryption transforms data into an unreadable form that can only be recovered with the corresponding key or password. The customer decides whether and how to encrypt data at rest (when it is stored on AWS) and in transit (when it moves between AWS and the customer or between AWS services), and chooses the encryption method, algorithm, and key management solution that best suit their needs. AWS provides services and features that support data encryption, such as AWS Key Management Service (AWS KMS), AWS Certificate Manager (ACM), and the AWS Encryption SDK.

IAM users are entities that represent the people or applications that interact with AWS resources and services. The customer must grant IAM users only the minimum permissions they need to perform their tasks and avoid giving them unnecessary or excessive access. This is the principle of least privilege, and it reduces the risk of unauthorized or malicious actions, including what an attacker can do with stolen credentials. The customer can use IAM policies, roles, groups, and permissions boundaries to manage what IAM users are allowed to do.
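The following is an added example (not part of the original explanation) that models how IAM combines an identity policy with a permissions boundary: explicit Deny wins, a boundary caps what any identity policy can grant, and everything else is denied by default. It compares a least-privilege policy against an over-broad `"Action": "*"` policy for the same requests. All ARNs, account IDs and bucket names are constructed for the example, and the evaluator is deliberately simplified (no Condition elements, no resource-based or SCP policies).

```python
import fnmatch

# Constructed sample ARNs used only for this example (assumed values).
APP_OBJECTS = "arn:aws:s3:::app-data-bucket/*"
KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Least-privilege identity policy: only the calls the workload actually makes,
# scoped to the one bucket and the one KMS key it uses.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": APP_OBJECTS},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KMS_KEY},
    ],
}

# Over-broad policy for contrast (the anti-pattern the text warns against).
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Permissions boundary: the ceiling on what any attached identity policy can grant.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; '*' matches any run of characters, including ':' and '/'.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy document."""
    decision = None
    for st in policy["Statement"]:
        if _action_matches(st["Action"], action) and _resource_matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, boundary=None):
    """Simplified IAM decision: default deny; explicit Deny anywhere wins;
    an Allow is needed from an identity policy AND from the boundary if one is set."""
    if boundary is not None and evaluate_policy(boundary, action, resource) != "Allow":
        return False  # boundary Deny, or boundary silent (implicit deny)
    decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in decisions:
        return False
    return "Allow" in decisions


def compare_policies():
    """Evaluate a set of requests under both policies with the same boundary.
    Returns {(action, resource): (allowed_under_least_privilege, allowed_under_broad)}."""
    requests = [
        ("s3:GetObject", "arn:aws:s3:::app-data-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/dump.sql"),
        ("kms:Decrypt", KMS_KEY),
        ("iam:CreateUser", "*"),
        ("s3:DeleteBucket", "arn:aws:s3:::app-data-bucket"),
    ]
    results = {}
    for action, resource in requests:
        results[(action, resource)] = (
            is_allowed(action, resource, [LEAST_PRIVILEGE_POLICY], BOUNDARY),
            is_allowed(action, resource, [OVERLY_BROAD_POLICY], BOUNDARY),
        )
    return results


if __name__ == "__main__":
    for (action, resource), (lp, broad) in compare_policies().items():
        print(f"{action:18} {resource:62} least-priv={lp!s:5} broad={broad}")
```

The run shows the two controls working together: the least-privilege policy already refuses reads from `other-bucket`, while the boundary is what stops the `"Action": "*"` policy from creating IAM users or deleting the bucket. In a real account the boundary is attached with `aws iam put-user-permissions-boundary` (or `put-role-permissions-boundary` for roles), and the same ceiling then applies to every policy later attached to that principal.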