Bridging AWS Islands

AWS European Sovereign Cloud is a separate partition, not just another region. That means separate everything. So what if your workloads need to live in both partitions: Standard and EUSC? Let's explore cross-partition serverless integration patterns using AWS CDK. We'll dive into making EventBridge, Lambda, and DynamoDB work across the partition boundary.

We'll also see how IAM Roles Anywhere replaces static credentials for cross-partition authentication, and how Lambda bridge functions relay events between EventBridge buses across partitions. All built as reusable CDK constructs.

Jakub Gaj

May 20, 2026

Transcript

  1. © 2026, Amazon Web Services, Inc. or its affiliates. All rights reserved. DEV301: Bridging AWS islands. Jakub Gaj (he/him), Cloud Solution Architect, Danske Bank, Copenhagen.
  2. Agenda
     • Digital sovereignty
     • Guardrails before workloads
     • Partition-aware Infra as Code
     • Cross-partition solution
     • Data migration patterns
     • Takeaways & resources
  3. New message from: CTO (Mon, 8:45)
     CTO: Morning! I was just thinking about...
     Presenter: Uh-oh, sounds dangerous. What's up, chief?
     CTO: So, I read about this new shiny AWS partition. What if we move some of our stuff there?
     Presenter: Another migration? We've just finished one!
     CTO: We could start with invoicing for EU customers.
     Presenter: Let me figure out if it's even feasible.
     CTO: That would be great, thanks!
  4. Section: Digital sovereignty
  5. Residency != Sovereignty. Data residency is a question of geography: WHERE you store your data. Data sovereignty is a question of control: WHO can access, operate, and disclose it.
  6. Region != Partition. Every region inside a partition shares the same trust boundary. Every partition is a separate root of trust: IAM, service endpoints, ARN namespace.
  7. AWS Standard (arn:aws) regions
     • North America: 4x United States, 2x Canada, Mexico
     • South America: Brazil, Chile
     • Europe: Sweden, Germany, Ireland, United Kingdom, Italy, France, Spain, Switzerland
     • Middle East: Bahrain, Saudi Arabia, Israel, UAE
     • Africa: South Africa
     • Asia Pacific: 2x India, 2x Japan, Thailand, [...]
     • Australia and New Zealand: 2x Australia, New Zealand
  8. Partitions (each with its own IAM)
     • AWS Standard (arn:aws): Stockholm, Frankfurt, London, [...]
     • AWS China (arn:aws-cn): Beijing (cn-north-1), Ningxia (cn-northwest-1)
     • AWS GovCloud (US) (arn:aws-us-gov): Gov East (us-gov-east-1), Gov West (us-gov-west-1)
     • AWS European Sovereign Cloud (arn:aws-eusc): Brandenburg (eusc-de-east-1)
  9. Section: Guardrails before workloads
 10. Landing Zone on EUSC: multi-account framework. Service parity: ✅ AWS Organizations, ✅ AWS Control Tower, ✅ AWS IAM Identity Center, ✅ AWS CloudFormation, ✅ AWS Service Catalog, ✅ AWS CloudTrail, ✅ AWS Config, ✅ AWS Trusted Advisor, ✅ AWS Backup, ✅ AWS Security Hub CSPM, ✅ Amazon GuardDuty, ✅ Amazon Route 53. Accounts: Management, Log Archive, Audit, Members. Components: Control Tower (LZ, Controls), Organizations (OU, SCP), CloudFormation (StackSets), IAM Identity Center (SSO), Service Catalog (Account Factory), Security Hub, GuardDuty, CloudTrail logs, Config logs, account baseline, IAM resources.
 11. Service parity: builder.aws.com/build/capabilities
 12. Section: Partition-aware Infra as Code
 13. Lift & Resynthesize: partition-aware IaC frameworks
     • AWS CloudFormation, AWS SAM, Serverless (YAML):
         !Ref AWS::Partition
         !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:vpc/vpc-0123456789abcdef0'
     • AWS CDK v2 (TypeScript):
         cdk.Aws.PARTITION;
         cdk.Stack.of(this).partition;
         cdk.Stack.of(this).formatArn({ partition: 'aws-eusc', region: 'eusc-de-east-1', });
     • Terraform, OpenTofu (HCL):
         data "aws_partition" "current" {}
         data.aws_partition.current.partition
     • Pulumi (TypeScript):
         aws.getPartition({}).partition;
 14. Lift & Resynthesize: cross-partition deployment with CDK Stages. The pattern: same codebase (CDK), two AWS partitions, two deployments.
     • App -> Stage #1 (partition aws, region eu-west-2) -> Stack(s) of L2 constructs (resources) -> Assembly #1 -> CloudFormation
     • App -> Stage #2 (partition aws-eusc, region eusc-de-east-1) -> Stack(s) of L2 constructs (resources) -> Assembly #2 -> CloudFormation
 15. Section: Cross-partition solution
 16. Connecting partitions: options for cross-partition authentication
     ❌ IAM users + X.509 signing: legacy request signing only, no temporary credentials, not a viable pattern.
     ✅ IAM Roles Anywhere + X.509 certs: short-lived credentials, external/private CA or self-signed, AWS-recommended approach.
     ❌ Assuming IAM roles with STS: separate STS instance per partition, cross-partition AssumeRole not supported.
     ⚠ IAM users + static credentials: works, but long-lived keys are not best practice and audit exceptions (SCP) are required.
 17. IAM Roles Anywhere (diagram). AWS account, London (eu-west-1): Lambda function with the credentials helper and an X.509 certificate held in Secrets Manager. AWS EUSC account, Berlin (eusc-de-east-1): IAM Roles Anywhere, STS, IAM role, custom event bus. Flow: the function presents the certificate to IAM Roles Anywhere, receives STS credentials for the IAM role, and publishes the custom event to the custom event bus.
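The EUSC-side role from slide 17, as an added TypeScript example that is not part of the deck or the demo codebase: it builds a trust policy for IAM Roles Anywhere pinned to one trust anchor and one certificate subject, and audits a policy for the two omissions that widen who can assume the role. The account id and trust anchor id are placeholders, and using rolesanywhere.amazonaws.com as the service principal inside the aws-eusc partition is an assumption.

```typescript
// Added example: trust policy for the EUSC-side role that the Standard-partition
// Lambda assumes through IAM Roles Anywhere, plus an audit of such a policy.
// Condition keys are the ones the Roles Anywhere user guide documents; account
// and trust anchor ids are placeholders.
interface Statement {
  Effect: string;
  Principal: { Service: string };
  Action: string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface TrustPolicy { Version: string; Statement: Statement[]; }
// Assumption: the service principal name is the same in the aws-eusc partition.
const ROLES_ANYWHERE_PRINCIPAL = "rolesanywhere.amazonaws.com";

function rolesAnywhereTrustPolicy(partition: string, region: string, account: string,
                                  trustAnchorId: string, subjectCn: string): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Service: ROLES_ANYWHERE_PRINCIPAL },
      Action: ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
      Condition: {
        // Only sessions created through this one trust anchor, in this partition ...
        ArnEquals: { "aws:SourceArn":
          `arn:${partition}:rolesanywhere:${region}:${account}:trust-anchor/${trustAnchorId}` },
        // ... and only for a certificate whose subject CN is the bridge function's.
        StringEquals: { "aws:PrincipalTag/x509Subject/CN": subjectCn },
      },
    }],
  };
}

// Findings for each Roles Anywhere statement that is not pinned to a trust anchor
// in the expected partition or to a certificate subject.
function auditTrustPolicy(policy: TrustPolicy, expectedPartition: string): string[] {
  const findings: string[] = [];
  for (const s of policy.Statement) {
    if (s.Principal.Service !== ROLES_ANYWHERE_PRINCIPAL) continue;
    const src = s.Condition?.ArnEquals?.["aws:SourceArn"];
    const anchors = src === undefined ? [] : Array.isArray(src) ? src : [src];
    if (anchors.length === 0) findings.push("no aws:SourceArn: role is not pinned to one trust anchor");
    for (const a of anchors) {
      const m = /^arn:([a-z-]+):rolesanywhere:/.exec(a);
      // A trust anchor ARN from another partition can never match: separate ARN namespace.
      if (m === null || m[1] !== expectedPartition) findings.push(`trust anchor ${a} is outside ${expectedPartition}`);
    }
    if (s.Condition?.StringEquals?.["aws:PrincipalTag/x509Subject/CN"] === undefined)
      findings.push("no x509Subject/CN condition: any certificate from the CA is accepted");
  }
  return findings;
}
```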
 18. Cross-partition backend (diagram). AWS account, London (eu-west-1), and AWS EUSC account, Berlin (eusc-de-east-1), each with an Invoicing Bus and rules. Lambda bridge functions: Events Fn, Streams Fn. DynamoDB tables: Global Documents (with stream) and Global Customers on the Standard side, EU Customers and EU Documents on the EUSC side. State machines: Save Documents, Save Customers.
 19. State machines: Save Documents, Save Customers.
 20. Section: Data migration patterns
 21. Migrating stateful resources between partitions
     • Managed services: DataSync for S3 + EFS, DMS for databases, AMS for applications
     • Pull / Push: Elastic Container Registry, Secrets Manager, SSM Parameter Store
     • Export / Import: DynamoDB PITR to S3, ImportTable from S3
     • Streaming: DynamoDB streams, Kinesis Data Streams, S3 Event Notifications
     Every pattern requires partition-aware credentials and endpoints.
 22. Service parity: builder.aws.com/build/capabilities
 23. Section: Key takeaways
 24. Key takeaways
     #1 Landing Zone: build guardrails first, then bring workloads: Organizations, Control Tower, IAM Identity Center (SSO).
     #2 Service Parity: check service availability before you commit to an architecture: parity gaps will surprise you.
     #3 Mind the Endpoints: same services, different API endpoints. Configure explicitly: *.amazonaws.eu. Default endpoints will fail you.
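Partition-aware ARN and endpoint handling from slides 6, 13 and 24, as an added TypeScript example that is not part of the deck or the demo codebase: the region-to-partition mapping follows the region prefixes on slide 8, the amazonaws.eu suffix comes from slide 24 and the other DNS suffixes are the public ones, and the linter flags the hard-coded arn:aws: values that a lift without a resynthesize would carry into EUSC. The sample ARN list is constructed.

```typescript
// Added example: region-to-partition mapping, per-partition endpoint suffix,
// partition-aware ARN formatting, and a linter for hard-coded partitions.
type Partition = "aws" | "aws-cn" | "aws-us-gov" | "aws-eusc";

// Region prefixes follow the regions listed on slide 8; anything else is Standard.
function partitionForRegion(region: string): Partition {
  if (region.startsWith("cn-")) return "aws-cn";
  if (region.startsWith("us-gov-")) return "aws-us-gov";
  if (region.startsWith("eusc-")) return "aws-eusc";
  return "aws";
}

// DNS suffix per partition: amazonaws.eu for EUSC comes from slide 24 ("Mind the
// Endpoints"); the China and Standard/GovCloud suffixes are the public ones.
function dnsSuffix(partition: Partition): string {
  if (partition === "aws-cn") return "amazonaws.com.cn";
  if (partition === "aws-eusc") return "amazonaws.eu";
  return "amazonaws.com";
}

// Regional endpoint for a service, e.g. the separate STS instance of the target
// partition (slide 16). Slide 24: default endpoints fail, so configure explicitly.
function endpoint(service: string, region: string): string {
  return `${service}.${region}.${dnsSuffix(partitionForRegion(region))}`;
}

// ARN built from the target region rather than a hard-coded "arn:aws:" prefix.
function formatArn(service: string, region: string, account: string, resource: string): string {
  return `arn:${partitionForRegion(region)}:${service}:${region}:${account}:${resource}`;
}

// Lint ARNs pulled from a synthesized template or config against the target region:
// returns those whose partition differs, the classic lift-without-resynthesize bug.
function findCrossPartitionArns(arns: string[], targetRegion: string): string[] {
  const want = partitionForRegion(targetRegion);
  return arns.filter((arn) => {
    const m = /^arn:([a-z-]+):/.exec(arn);
    return m !== null && m[1] !== want;
  });
}

// Constructed sample: ARNs lifted from eu-west-2 and deployed to eusc-de-east-1.
const LIFTED_ARNS = [
  "arn:aws:iam::123456789012:role/invoicing-events-fn",
  "arn:aws-eusc:events:eusc-de-east-1:123456789012:event-bus/invoicing",
  "arn:aws:sqs:eu-west-2:123456789012:invoicing-dlq",
];
```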
 25. Resources
     • AWS Capabilities: https://builder.aws.com/build/capabilities/explore
     • Demo CDK codebase: https://github.com/ServerlessNinja/aws-cross-partition-app
     • AWS Builder Center: https://builder.aws.com/community/@jakgaj
     • IAM RA docs: https://docs.aws.eu/rolesanywhere/latest/userguide
 26. Please complete the session survey. Thank you! GitHub, AWS Builder ID, Ask Me Anything.