If the code is shipped on any of these platforms in any way, including docker, how much concern is needed about security? Penetration testing, DOS and DDOS attacks mitigation and things like these?
Security concern is necessary for any application whether you ship on your own datacenter or on one of the cloud vendor's platforms.
Many of the same concerns you mentioned needs to be address in either case. But at least with cloud vendors, you don't have to worry about physical security for example, but then, you are putting a lot of trust in them (like they don't share your data with others). But it is reasonable to assume that Google will do a better job at Physical security than you can for example.
The same amount is needed as on any other non-cloud platform.
The first things which come to mind are roles/permissions, AV, database injection, ddos, resource monitoring (limiting server costs), private ssh keys, https vs http, VPN / NAT / routing, etc.
The cloud platforms often have tools to help mitigate these things but they aren't necessarily on by default and you still have to monitor and build a secure app.
It's pretty easy for a burglar to enter your house if you leave the door open.
YES. Security is ALWAYS a concern, ESPECIALLY in web development. There are so many moving parts and pieces that it is super easy to have solid code but outdated crypto, or modern crypto but unsanitized user input, or sanitized user input but using a plugin which is vulnerable, etc... Remember there are a ton of layers to security... Your question asks "applications that run on AWS." Well, the thing is, if the application itself is vulnerable, it really doesn't matter which platform it is running on. So the platform itself has its own security conerns and then the software has separate ones... If either has vulnerabilities or improper setup, the system can be breached.
If I were ever deploying anything "For real" I would ALWAYS get a security audit/pentest done. I am not just saying that either... I've spent many hours testing my web applications and servers and had them peer-reviewed as well by pentesters.
Take a look at OWASP Top 10 to get an idea of where to start but also look up "hardening a Ubuntu Server" or something like this for whatever type of server you are running on.
As other already replied, as soon as your code is connected to the internet, security is a thing, no matter if it's in a public cloud or elsewhere.
That said, how to do it, and what to focus on, might change a little bit, since some security aspects are covered by the cloud vendor (obvious example: physical access to your servers and disks). When you start using managed services (ie PaaS os SaaS, and no longer only IaaS), some responsibilities ownership move. An obvious example would be: if you provision EC2 hosts to deploy your own MongoDB onto it, your responsible of applying security patches on this host and software (plus all the usual network and access security). On the other hand, if you use a managed database (like RDS), you're now responsible for setting up correctly all the accesses, but the vendor takes care of security patches for you.
These are examples, to show that:
On the AWS side, there are many resources, but one I like to share frequently with my teams is this talk which does a great job covering many aspects and should remove all uncertainty (then you need to get the job done!):
AWS Security Roadshow - The AWS Shared Security Responsibility Model in Practice