Posted On: Nov 29, 2021

We’re pleased to announce that AWS Control Tower now offers new guardrails to provide more control over the physical location where customer data is stored and processed, a concept known as data residency. Control Tower data residency guardrails help ensure customer data, the personal data you upload to the AWS services under your AWS account, is not stored or processed outside a specific AWS Region or Regions.

A lot of companies have workloads and applications that operate globally, and increasingly, data residency requirements mean they need to plan for the geographical location of their customer data. If you’re a public sector organization, or if you operate in a regulated industry like finance, government, or healthcare, data residency is often a necessary part of your modern data strategy.

With Control Tower’s new data residency guardrails, you can specify the AWS Region or Regions your customer data is stored and processed in. If you need even more granular control, you can choose from 17 new guardrails that are purpose-built to enable data residency controls, such as “Disallow Amazon Virtual Private Network (VPN) connections” or “Disallow internet access for an Amazon VPC instance”. You can see the compliance status of the guardrails and whether your data residency requirements are being met in the AWS Control Tower console. For a full list of available guardrails, see the documentation on Control Tower guardrails.

AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Customers can automate the creation of new AWS accounts using AWS Control Tower’s account factory and enable governance features such as guardrails, centralized logging, and monitoring in supported AWS Regions. To learn more, visit the AWS Control Tower homepage or see the AWS Control Tower User Guide. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.