The first realization you hit when designing cloud security is that "one line of defense is never enough." Back in the on-premises days of the 1990s, a single perimeter firewall dividing outside from inside was "almost all" of security. In the cloud, that boundary itself has blurred. An API Gateway is exposed to the outside world, but the Lambda behind it may live inside a VPC; S3 is a global service with no perimeter at all. In this environment, security has to be defense in depth — multiple layers each blocking a different kind of attack, so that when one layer is breached, the next one catches what got through.