[takeda]

I don't think moving things to AWS makes things more secure by default. It is actually easier to create services in AWS or GCP (never used azure) that are publicly open than implement proper security (I remember specifically RDS defaulting to public IP unless you set up private subnets, same with GCP SQL (although they blocked all access but default, though once again it is easier to unblock it for all than e.g. using their proxy), GCP VMs automatically get public address unless you explicitly disable it, don't remember EC2 but I think it was similar.. So the argument of not needing to have someone who knows about security is a good one. You need that person as much (if not more) with public cloud.