Digital Sovereignty at AWS

You have always controlled the location of your workloads on AWS. You have the choice to deploy your customer data into any of our Regions around the world. You can also use AWS Dedicated Local Zones, where we work with you to configure your own Local Zones with the services and capabilities you need to meet your regulatory requirements.

With AWS, you control your data by using powerful AWS services and tools to determine where your data is stored, how it is secured, and who has access to it. For example, AWS Control Tower provides preventative, detective and proactive controls to help you meet your data residency requirements and purpose-built controls aggregated in a digital sovereignty category grouping.

We have designed and delivered first-of-a-kind innovation to restrict access to customer data. The AWS Nitro System, which is the foundation of AWS computing services, uses specialized hardware and software to protect data from outside access during processing on Amazon EC2. By providing a strong physical and logical security boundary, Nitro is designed to enforce restrictions so that nobody, including anyone in AWS, can access customer workloads on EC2 without your authorization. The security design of the Nitro System has also been independently validated by the NCC Group in a public report.

We give you features and controls to encrypt data, whether in transit, at rest, or in memory. All AWS services already support encryption, with most also supporting encryption with customer managed keys that are inaccessible to AWS operators. We commit to continue to innovate and invest in additional controls and encryption features for our customers to encrypt everything everywhere with encryption keys managed inside or outside the AWS cloud. If you have a regulatory need to store and use your encryption keys outside the AWS Cloud, you can use AWS Key Management Service (AWS KMS) External Key Store. 

Control over workloads and high availability are essential in the case of events like supply chain disruption, network interruption, and natural disaster. At AWS, we’ve instilled resilience into our infrastructure, service design and deployment, operational model, and mechanisms to build more resilient cloud architectures. Each AWS Region is comprised of three or more Availability Zones (AZs), which are fully isolated infrastructure partitions. To achieve high availability, you can partition applications across multiple AZs in the same AWS Region.

AWS also makes it easier for you to design, build, and run highly available applications in the cloud. Our continuous resilience services, AWS Resilience Hub, AWS Fault Injection Service, AWS Backup, and AWS Elastic Disaster Recovery, can help you analyze, test, and quickly recover your applications to improve your resilience posture. For customers that are running workloads on-premises or in intermittently connected or remote use cases, we offer services, such as AWS Outposts and AWS Snow Family, that provide specific capabilities for compute and storage on premises, and in remote or disconnected locations.