The cloud vendor is correct because the vendor is accountable for deploying and maintaining physical security controls at the data centers they operate such as biometric gates mantraps and around the clock surveillance cameras.

The cloud vendor is responsible under the shared responsibility model for the physical security of the facility that houses the infrastructure. Protecting the building perimeter access controls environmental safeguards and onsite cameras is a provider obligation so tenants do not install those controls for provider managed infrastructure.

Both the cloud vendor and the tenant are incorrect because tenants do not control the provider data center perimeter or install facility level physical controls. Tenants manage their data identity and access and configuration but not the vendor owned facility hardware and entry systems.

The retailer using the cloud is incorrect because the customer cannot deploy physical access controls inside a provider owned data center. The retailer is responsible for security of its own premises and its use of cloud services but not for the vendor operated facility physical security.

The colocation facility operator is incorrect for a typical public cloud scenario because the question targets the cloud vendor responsibility. While a colocation operator would handle physical controls in a colocation arrangement the modern public cloud providers usually own and operate their data centers and therefore take on that responsibility.

Full AWS Practitioner Certification Question