
sovereignty and security

Presentation on digital sovereignty at JAWS PANKRATION, a 24-hour AWS global community event.

shogo matsumoto

August 25, 2024


  1. Agenda
     • What is Digital Sovereignty?
     • Control over the location of your data
     • Verifiable control over data access
     • The ability to encrypt everything everywhere
     • Resilience in the cloud
     • Transparency and assurance
     • Navigating change as a team
  2. What is Digital Sovereignty?
     © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
  3. Digital Sovereignty themes
     • Data residency
     • Operator access restriction
     • Resiliency, survivability, and independence
     (Related terms shown on the slide: data sovereignty, operational sovereignty, digital sovereignty)
  4. AWS Digital Sovereignty Pledge: Control without compromise
     https://aws.amazon.com/blogs/security/aws-digital-sovereignty-pledge-control-without-compromise/
  5. Delivering on our Digital Sovereignty Pledge
     Timeline (dates shown on the slide: Nov 2021, Nov 2022, April 2023, May 2023, Aug 2023, Oct 2023; each milestone is marked as either infrastructure or a service/feature):
     • Data residency controls in AWS Control Tower
     • AWS Digital Sovereignty Pledge
     • AWS KMS External Key Store launch
     • AWS Nitro System achieves independent third-party validation
     • New AWS Service Terms include commitments on Nitro
     • AWS Dedicated Local Zones launch
     • Announcement of AWS European Sovereign Cloud
     • AWS Services adhere to CISPE Code of Conduct (NEW!)
     • AWS Control Tower: releasing 65+ controls (NEW!)
  6. AWS European Sovereign Cloud
     • Will provide the same security, availability, and performance as existing AWS Regions
     • Gives customers additional choice to meet varying data residency, operational autonomy, and resiliency requirements
     • Will be powered by AWS Nitro System to ensure confidentiality and integrity of customer data
  7. Control without compromise: the full power of AWS without compromise
     • European operational autonomy & resilience: independent infrastructure operated by AWS employees who are EU residents and located in the EU
     • Further choice for data residency in the EU: customer content & customer-created metadata stay in the EU
     • Sovereign-by-design: strongest sovereignty controls, broadest and deepest portfolio of services
     • Industry-leading infrastructure: same security, availability and performance as existing AWS Regions
  8. Control over the location of your data
  9. AWS Global Infrastructure: Regions & AZs
     [Map slide: Regions by geography, marked as available or announced; the number in parentheses is the Availability Zone count shown next to each available Region. *Beijing and *Ningxia are marked with an asterisk on the slide.]
     • North America: Canada Central (3), GovCloud US-East (3), GovCloud US-West (3), Northern California (3), Northern Virginia (6), Ohio (3), Oregon (4); Canada West (announced)
     • South America: São Paulo (3)
     • Europe: Frankfurt (3), Ireland (3), London (3), Milan (3), Paris (3), Spain (3), Stockholm (3), Zurich (3); AWS European Sovereign Cloud (announced)
     • Africa: Cape Town (3)
     • Middle East: Bahrain (3), Tel Aviv (3), UAE (3)
     • Asia Pacific: *Beijing (3), *Ningxia (3), Hong Kong (3), Hyderabad (3), Jakarta (3), Mumbai (3), Osaka (3), Seoul (4), Singapore (3), Tokyo (4); Malaysia, Thailand (announced)
     • Australia & New Zealand: Melbourne (3), Sydney (3); Auckland (announced)
  10. AWS Global Infrastructure: Local Zones
     [Map slide: Local Zones by geography, each marked as available or announced.]
     • North America: Atlanta, Boston, Chicago, Dallas, Denver, Houston, Kansas City, Las Vegas, Los Angeles (2), Miami, Minneapolis, New York City, Philadelphia, Phoenix, Portland, Querétaro, Seattle, Toronto, Vancouver
     • South America: Buenos Aires, Lima, Santiago, Bogotá, Rio de Janeiro
     • Europe: Copenhagen, Hamburg, Helsinki, Warsaw, Amsterdam, Athens, Brussels, Lisbon, Munich, Oslo, Prague, Vienna
     • Africa: Lagos, Johannesburg, Nairobi
     • Middle East: Muscat
     • Asia Pacific: Bangkok, Delhi, Kolkata, Manila, Taipei, Bengaluru, Chennai, Hanoi
     • Australia & New Zealand: Auckland, Perth, Brisbane
  11. AWS Control Tower: guardrails to meet data residency requirements
     • Preventive controls: implemented as service control policies. They keep your accounts compliant by disallowing the actions that would lead to policy violations.
     • Detective controls: powered by AWS Security Hub. They detect non-compliance and security risks in existing resources, in line with the AWS Foundational Security Best Practices.
     • Proactive controls: policies are automatically enforced on all CloudFormation deployments.
  12. AWS Sovereignty Pledge: We will expand data residency controls for operational data, such as identity and billing information.
  13. AWS Dedicated Local Zones
     • Dedicated AWS infrastructure for public sector and regulated industries
     • Compute, storage, database, and other services in a customer-specified location
     • Elasticity, scalability, PAYG + added security and governance
  14. AWS Control Tower – new controls
     AWS Control Tower adds 65 new controls to help customers meet digital sovereignty requirements. Examples:
     • Encryption: require an EC2 instance to use an AWS Nitro instance type that supports encryption in transit between instances; require that an Amazon RDS database instance has encryption at rest configured to use an AWS KMS key that you specify, for supported engine types.
     • Operator access: require that an Amazon EC2 Dedicated Host uses an AWS Nitro instance type; require that an Amazon EBS snapshot cannot be publicly restorable.
     • Data residency: deny access to AWS based on the requested AWS Region for an organizational unit.
     • Resilience: require an AWS Network Firewall firewall to be deployed across multiple Availability Zones.
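The data-residency preventive control that slides 11 and 14 describe (a service control policy that denies access based on the requested AWS Region for an organizational unit), as an added example that is not part of this deck or of AWS Control Tower's own policy text: a constructed SCP using the aws:RequestedRegion condition key, plus a small evaluator that shows which sample requests it blocks and why global services must be exempted. The allowed Regions, the abbreviated NotAction list and the evaluator itself are assumptions for illustration.

```python
# Added example (not from the deck): a data-residency SCP of the kind the
# Control Tower "deny access based on the requested AWS Region" control
# attaches to an OU, plus a minimal evaluator showing how it decides requests.
# The evaluator is a teaching aid, not AWS's policy engine: it models only the
# Deny statement and assumes the usual FullAWSAccess allow is also attached.
import fnmatch

# Constructed policy: deny any action whose requested Region is outside the
# allowed EU Regions, except calls to global (non-regional) services, which are
# always signed for us-east-1 and would otherwise be blocked. The NotAction
# list is abbreviated and the allowed Regions are an assumption.
RESIDENCY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRequestsOutsideEURegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*",
                      "cloudfront:*", "route53:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": ["eu-central-1", "eu-west-3"]}},
    }],
}


def _matches(patterns, action):
    # IAM action patterns use '*' wildcards; action names match case-insensitively.
    if isinstance(patterns, str):
        patterns = [patterns]
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def is_denied(policy, action, region):
    """Return True if a Deny statement in `policy` matches (action, region)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt and not _matches(stmt["Action"], action):
            continue
        if "NotAction" in stmt and _matches(stmt["NotAction"], action):
            continue  # exempted global service, never blocked by this statement
        wanted = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed = wanted.get("aws:RequestedRegion")
        if allowed is not None and region in allowed:
            continue  # condition not met: the request stays in an allowed Region
        return True
    return False


if __name__ == "__main__":
    for action, region in [("s3:CreateBucket", "eu-central-1"),
                           ("s3:CreateBucket", "us-east-1"),
                           ("iam:CreateRole", "us-east-1")]:
        verdict = "DENIED" if is_denied(RESIDENCY_SCP, action, region) else "allowed"
        print(action, region, verdict)
```

Without the NotAction exemptions, every IAM or STS call from accounts in the OU would be denied, which is the usual way a Region-deny SCP locks an organization out of its own identity management.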
  15. Verifiable control over data access
  16. Tools and services to help monitor access
     • AWS Identity and Access Management (IAM)
     • IAM Access Analyzer
     • AWS CloudTrail
     • Amazon CloudWatch
  17. Confidential Computing with AWS Nitro System
     AWS Regions, AWS European Sovereign Cloud, and AWS Dedicated Local Zones are all powered by AWS Nitro System.
     • The Nitro System is the foundation for AWS
     • All EC2 instance types released since 2018 are powered by the Nitro System
     • There is no operator access mechanism in the Nitro System design
     • All Nitro operations are done via secure, authenticated, authorized, logged (& audited) administrative APIs
     [Figure: Nitro-based EC2 server]
  18. AWS Sovereignty Pledge: We commit to continue to build additional access restrictions that limit all access to customer data unless requested by the customer or a partner they trust.
  19. Third-party validation of AWS Nitro System
     https://research.nccgroup.com/2023/05/03/public-report-aws-nitro-system-api-security-claims/
     “As a matter of design, NCC Group found no gaps in the Nitro System that would compromise these security claims.”
  20. The ability to encrypt everything everywhere
  21. The power of AWS KMS and AWS CloudHSM
     • Ability to encrypt all your data, whether in transit, at rest, or in memory
     • All services support encryption with customer-managed keys that are inaccessible to AWS
     • SOC 1 – Control 4.5: AWS KMS keys used for cryptographic operations in AWS KMS are logically secure so that no single AWS employee can gain access to the key material
     (Services shown: AWS Key Management Service (AWS KMS), AWS CloudHSM)
  22. AWS Sovereignty Pledge: We commit to continue to innovate and invest in additional controls for sovereignty and encryption features so that our customers can encrypt everything everywhere with encryption keys managed inside or outside the AWS Cloud.
  23. More options to control the key: AWS KMS External Key Store (XKS)
     • Full removal of the root of trust from AWS KMS: the top of your key hierarchy can live outside of AWS
     • Transparent to AWS services and client apps
     • Flexibility on which keys you choose to store in the external key manager
     • Customer owns the key in meaningful ways
     • Serves as a “stop switch”: turn off XKS and AWS data becomes unreadable
  24. Vendor support for AWS KMS XKS (working with AWS Partners)
     This is not a complete list. To view all AWS Partners for this category, visit AWS Partner Solutions Finder. This list of partners is current as of May 17, 2023.
  25. Resilience in the cloud
  26. AWS Region design
     AWS Regions consist of multiple AZs for high availability, high scalability, and high fault tolerance. Applications and data are replicated in real time and kept consistent across the different AZs.
     A Region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
     [Diagram: Region → Availability Zones (AZ) → data centers 1, 2, ..., N]
  27. Availability Zones design for resiliency
     Distance ensures high availability; low latency ensures real-time data replication.
     • Isolated partition: fully isolated, with one or more data centers
     • Distance: physically separated by a meaningful distance – all within 60 miles (100 km) of each other
     • Interconnection: data centers connected via fully redundant and isolated metro fiber
     • Power: highly available, fault tolerant, and scalable
     • 100K+ servers at scale
     [Diagram: Region → Availability Zones (AZ) → data centers 1, 2, ..., N]
  28. AWS brings the Cloud to wherever customers need it
     Same infrastructure, services, APIs, and tools for a consistent experience across Regions, metro areas & telco networks, on-premises sites, remote & limited-connectivity locations, and smart devices.
     Services shown, from Region to edge: AWS Global Infrastructure, Amazon CloudFront, AWS Local Zones, AWS Dedicated Local Zones, AWS Wavelength, AWS Telco Network Builder, AWS Outposts, Amazon ECS Anywhere and Amazon EKS Anywhere, AWS Private 5G, Integrated Private Wireless on AWS, AWS Snow Family, AWS IoT.
  29. AWS Sovereignty Pledge: We commit to continue to enhance our range of sovereign and resilient options, allowing customers to sustain operations through disruption or disconnection.
  30. Transparency and assurance
  31. Inherit global security and compliance controls
     SOC 1, SOC 2, SOC 3, SEC Rule 17a-4(f), FERPA, ISMAP, CCCS, PIPEDA, HDS, MTCS, K-ISMS, OSPAR
  32. Earning trust through contractual commitments
     • AWS Customer Agreement: http://aws.amazon.com/agreement
     • Service Terms* (* updated 3 May 2023 to include a statement on Nitro controls to prevent operator access)
     • Service Level Agreements
     • Acceptable Use Policy
     • AWS Data Processing Addendum (DPA) and Supplementary Addendum to the AWS DPA
     • AWS challenges law enforcement requests that are overbroad, or where we have any appropriate grounds to do so.
     (Also on the slide: "Why Sign The Climate Pledge?")
  33. Earn trust through transparency
     • AWS publishes a bi-annual Information Request Report (IRR) describing the types and number of information requests AWS receives from law enforcement.
     • 0 requests have resulted in the disclosure to the U.S. government of enterprise content or government content data located outside the United States since we started to collect this data point in July 2020.
  34. Transparency in Privacy Features of AWS
     https://aws.amazon.com/compliance/privacy-features/
  35. Navigating change as a team
  36. Navigating change as a team
     Our trusted AWS Partners play a prominent role in bringing solutions to customers.
     • Build sovereign solutions
     • Help existing customers migrate to the cloud, including from existing AWS Regions
     • Provide capabilities to manage sovereignty on AWS
     • Grow your business with net-new customers and ISVs
     (Partner roles shown: Build, Consult, Grow)
  37. Further resources
  38. Learn more
     • AWS Digital Sovereignty Pledge: Control without compromise (blog post)
     • The Security Design of the AWS Nitro System (white paper)
     • Announcing AWS KMS External Key Store (XKS) (blog post)
     • AWS Control Tower data residency guardrails (announcement page)
     • Data Protection & Privacy at AWS (landing page)
     • Delivering on the AWS Digital Sovereignty Pledge: Control without compromise (blog post)
     • AWS Cloud services adhere to CISPE code (blog post)
     • AWS Digital Sovereignty Pledge: Announcing a new, independent sovereign cloud in Europe (blog post)
     • AWS Digital Sovereignty Pledge: Announcing new dedicated infrastructure options (blog post)
  39. AWS European Sovereign Cloud: European operational autonomy
     [Diagram: the AWS European Sovereign Cloud, with its announced first AWS Region (Germany) and its own IAM and usage metering, shown separately from existing AWS Regions such as Europe (Paris), Europe (Frankfurt) and Europe (Ireland), which share one IAM and usage metering.]
     • Will launch its first AWS Region in Germany, available to all European customers
     • Physically separate and independent from existing AWS Regions
     • Multiple Availability Zones architecture, powered by AWS Nitro System
     • Separate in-Region billing and usage metering systems
  40. AWS European Sovereign Cloud: Further choice for data residency in the EU
     • Already available in all existing AWS Regions: customer content stays within the AWS Region the customer selects (such as data that the customer uploads to an S3 bucket, an RDS database, etc.)
     • Enhanced data residency with the AWS European Sovereign Cloud: customer-created metadata stays in the EU (such as roles & permissions, resource labels, configurations)