The correct answer is Cloud Service Customer (CSC). Cloud Service Customer (CSC) bears the larger security obligation when operating an IaaS deployment and bears the smaller obligation when using a SaaS deployment.

In an IaaS model the customer is responsible for everything they install and manage on the virtual machines and networks. This includes the guest operating system, middleware, runtimes, applications, data, and identity and access configurations. Because those layers are controlled by the customer the Cloud Service Customer (CSC) holds the larger security obligation in IaaS.

In a SaaS model the provider delivers and secures the application and the underlying infrastructure while the customer typically manages only their data and user access. That means the Cloud Service Customer (CSC) has a much smaller operational security burden when using SaaS.

Managed Service Partner is incorrect because a managed service partner is an external operator or vendor that may perform tasks on behalf of the customer or provider and does not define the baseline shared responsibility boundary between provider and customer.

Cloud Intermediation Broker is incorrect because a broker is an intermediary that facilitates or enhances cloud services and does not inherently assume the primary security obligations that the shared responsibility model assigns to the customer.

Cloud Infrastructure Provider (CIP) is incorrect because the infrastructure provider is responsible for the physical hosts, network, and hypervisor. The provider does not take on the customer duties for guest OS and application security in IaaS and so it is not the party that bears the larger obligation in that model.

Full AWS Practitioner Certification Question