YES. Security is ALWAYS a concern, ESPECIALLY in web development. There are so many moving parts and pieces that it is super easy to have solid code but outdated crypto, or modern crypto but unsanitized user input, or sanitized user input but using a plugin which is vulnerable, etc... Remember there are a ton of layers to security... Your question asks "applications that run on AWS." Well, the thing is, if the application itself is vulnerable, it really doesn't matter which platform it is running on. So the platform itself has its own security conerns and then the software has separate ones... If either has vulnerabilities or improper setup, the system can be breached.
If I were ever deploying anything "For real" I would ALWAYS get a security audit/pentest done. I am not just saying that either... I've spent many hours testing my web applications and servers and had them peer-reviewed as well by pentesters.
Take a look at OWASP Top 10 to get an idea of where to start but also look up "hardening a Ubuntu Server" or something like this for whatever type of server you are running on.