AWS re:Invent 2025 - Building Sovereign Cloud Environments (COP409)
Building Sovereign Cloud Environments
Overview
Presentation by Bo Leoner (Principal Engineer) and Randy Domingo (Senior Software Delivery Manager) at AWS re:Invent 2025
Discussed the concept of "digital sovereignty" and how AWS is addressing the need for customers to have more control and choice over their cloud environments, especially in highly regulated industries.
Introduced the AWS Landing Zone Accelerator (LZA) - an open-source solution built on AWS CDK to help customers rapidly deploy secure, compliant, and extensible cloud environments.
Digital Sovereignty
Customers are facing increasing regulatory and compliance requirements, especially in regions like Europe, that are evolving rapidly.
They need control and visibility over their digital assets and the ability to apply prescriptive security controls to safeguard data.
AWS is committed to the "digital sovereignty pledge" - continuing to innovate and expand its service offerings to give customers more choices and flexibility in how they secure and manage their cloud environments.
Challenges include managing security, compliance, and governance across global, multi-region deployments, as well as emerging threats like generative AI.
The AWS Landing Zone Accelerator (LZA)
LZA is an open-source solution built on AWS CDK to help customers rapidly deploy secure, compliant, and extensible cloud environments.
Key design goals:
Extensibility: Modular design allows customers to customize and extend the solution
Visibility: Provides centralized visibility and control over security posture
Modularity: Leverages YAML configuration files for easy customization
Integrates closely with AWS Control Tower, but can also be used independently in regions where Control Tower is not available.
Provides prescriptive guidance and security workbooks mapped to common compliance frameworks (e.g. NIST 853, C5, NIS 853).
Supports various networking patterns and security profiles to accommodate diverse customer requirements.
Technical Deep Dive
LZA is an open-source TypeScript project that utilizes the AWS CDK.
Consists of four main modules:
Accelerator project: Top-level CDK application and stack definitions
Config package: Shared configuration library
Constructs library: Custom constructs for LZA-specific resources
Modules library: Reusable modules that encapsulate API calls and service integrations
Deployment pipeline handles the orchestration and dependencies between different stacks (e.g., organization setup, security resources, networking).
Example: Setting up AWS Security Hub across the environment
Requires enabling Organizations, delegating admin to a security account, and configuring all workload accounts.
LZA automates this process, handling the dependencies and orchestration.
Provides a YAML configuration to define the desired Security Hub setup, including frameworks, metrics, and alarms.
The CDK code then translates this configuration into the necessary CloudFormation resources.
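To make the orchestration concrete, here is an added example (not LZA's own code) that takes the parsed form of an LZA-style Security Hub configuration and turns it into the ordered steps the talk describes: enable Organizations trusted access, delegate admin to the security account, then configure every workload account in every enabled region. The key names follow the layout of LZA's security-config.yaml as an assumption, and the account list, regions and values are constructed for this example.

```python
# Constructed sample: the parsed form of an LZA-style security-config.yaml
# fragment. Key layout is assumed to mirror LZA; all values are made up.
SAMPLE_CONFIG = {
    "centralSecurityServices": {
        "delegatedAdminAccount": "Audit",
        "securityHub": {
            "enable": True,
            "regionAggregation": True,
            "standards": [
                {"name": "AWS Foundational Security Best Practices v1.0.0",
                 "enable": True, "controlsToDisable": ["IAM.1"]},
                {"name": "CIS AWS Foundations Benchmark v1.2.0", "enable": False},
            ],
        },
    },
}
ACCOUNTS = ["Management", "Audit", "LogArchive", "Workload-A"]   # constructed
ENABLED_REGIONS = ["eu-central-1", "eu-west-1"]                   # constructed


def build_plan(config, accounts, regions):
    """Return the dependency-ordered steps needed to roll out Security Hub.

    Order matters: trusted access before delegation, delegation before any
    member-account configuration, and aggregation only once members exist.
    """
    svc = config["centralSecurityServices"]
    hub = svc["securityHub"]
    admin = svc["delegatedAdminAccount"]
    if not hub.get("enable"):
        return []
    # Guardrail: the delegated admin must be a dedicated member account, not
    # the management account, and it must actually exist in the organization.
    if admin == "Management":
        raise ValueError("delegated admin must not be the management account")
    if admin not in accounts:
        raise ValueError(f"delegated admin {admin!r} is not a known account")
    plan = ["organizations: enable trusted access for securityhub.amazonaws.com"]
    for region in regions:
        plan.append(f"{region}: delegate Security Hub admin to {admin}")
    enabled = [s for s in hub["standards"] if s.get("enable")]
    for region in regions:
        for acct in accounts:
            if acct == "Management":   # managed through the delegated admin
                continue
            plan.append(f"{region}/{acct}: enable Security Hub")
            for std in enabled:
                off = ",".join(std.get("controlsToDisable", [])) or "none"
                plan.append(f"{region}/{acct}: enable '{std['name']}' (disabled: {off})")
    if hub.get("regionAggregation") and regions:
        plan.append(f"{regions[0]}/{admin}: set finding aggregation region")
    return plan
```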
Business Impact and Use Cases
LZA has been widely adopted by customers in highly regulated industries, such as government, defense, and finance, across various regions (e.g., US, Europe, Asia-Pacific).
Helps customers rapidly deploy secure, compliant, and extensible cloud environments, reducing the time and effort required compared to manual setup.
Provides a prescriptive, well-architected approach to security and governance, aligned with industry standards and regulatory frameworks.
Enables customers to maintain control and visibility over their cloud environments, while still leveraging the full breadth of AWS services and capabilities.
Supports customers' digital sovereignty requirements by offering flexibility, customization, and the ability to operate in specialized cloud partitions (e.g., GovCloud).