AWS re:Invent 2025 - Digital Sovereignty and Data Residency with AWS Hybrid and Edge Services (HMC310)

Digital Sovereignty and Regulatory Challenges

  • Digital sovereignty is an organization's ability to maintain complete control over its digital footprint, data operations, and technology stack.
  • Key aspects include:
    • Data sovereignty: Geographic control of data storage and processing, compliance with local data protection laws and regulations.
    • Operator access restrictions: Granular control over who can access data and systems, role-based access control, audit trails, and encryption.
    • Operational sovereignty: Resilient and redundant systems, disaster recovery solutions to avoid single points of failure.
    • Independence and transparency: Visibility into technology stack dependencies, ability to maintain and modify systems independently.
  • Regulatory challenges include:
    • Evolving data residency and cross-border data transfer restrictions (e.g. GDPR).
    • Industry-specific regulations in regulated sectors like telecom, healthcare, and finance.
    • Balancing robust security/access controls with usability.
    • Maintaining consistent management and operations across distributed IT environments.
    • Ensuring business continuity while preserving sovereignty.

AWS Hybrid and Edge Services

  • AWS offers a continuum of services to bring the cloud to where customers need it:
    • AWS Regions: Foundational cloud infrastructure.
    • AWS Local Zones: AWS-operated infrastructure in large metro areas, extending regional services.
    • Dedicated Local Zones: Dedicated cloud infrastructure in customer-specified locations, with multi-tenancy support.
    • AWS Outposts: Extension of AWS cloud services on-premises, in customer data centers or colocation facilities.
    • AWS IoT and EKS/ECS Anywhere: Edge computing services for remote and disconnected environments.
  • AWS recognized as a leader in distributed hybrid infrastructure by Gartner.

AWS Nitro System: Foundational Security and Performance

  • Nitro system reimagines cloud infrastructure delivery with unprecedented security, performance, and innovation.
  • Hardware layer offloads virtualization functions to dedicated custom chips, enabling near bare-metal performance.
  • Security features:
    • End-to-end encryption of all communication channels.
    • Secure boot process with cryptographic validation of security keys.
    • Ability to continuously patch security at runtime without disrupting workloads.
    • No remote access - AWS has no operator access to customer environments.
  • Independent security validation by NCC Group confirms no operator access to Nitro.

Customer Example: Jadwa and Payments Solutions in the Middle East

  • Jadwa, a payments solutions provider in Saudi Arabia, leverages AWS Outposts to meet strict data residency requirements.
    • 75% market share of POSOS business in Saudi Arabia, expanding to Egypt and UAE.
    • Serves over 150,000 merchants and 700,000 payment terminals.
  • Challenges include Saudi Arabia's strict financial regulations around data leaving the country.
  • Jadwa built a common stack across AWS Regions and Outposts in Saudi Arabia and Egypt to comply with local regulations.
  • Phased approach: moved backend systems first, then scaled out to cloud-native architectures.

Implementing Digital Sovereignty with AWS Control Tower

  • AWS Control Tower: Fully managed service to govern and establish multi-account AWS environments.
  • Implements a "data perimeter" through a combination of:
    • VPC endpoint policies
    • Resource control policies (RCPs)
    • Service control policies (SCPs)
  • Control Tower provides a catalog of over 1,000 pre-built governance controls, including:
    • Preventative controls that block non-compliant actions
    • Detective controls that identify non-compliant actions after the fact
    • Proactive controls that validate compliance during resource deployment
  • An example SCP was shown that prevents data copies from an Outpost to its parent AWS Region.
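A concrete form of that kind of SCP, added here as an illustration rather than the policy shown in the session: it denies writes to any regional S3 bucket by principals carrying a data-residency tag, so Outposts workloads can only write locally. The tag key `DataResidency`, its value `outpost-only`, and the `Sid` are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTaggedOutpostWorkloadsWritingToRegionalS3",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:ReplicateObject",
        "s3:CreateBucket"
      ],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/DataResidency": "outpost-only"
        }
      }
    }
  ]
}
```

Because S3 on Outposts uses the separate `s3-outposts:*` action and ARN namespace (the next section's point), this statement leaves local bucket writes untouched; attach it to the OU holding the Outposts accounts and verify with CloudTrail that denied `PutObject` calls show up as `AccessDenied` before relying on it.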

Building and Running Applications on AWS Outposts

  • Key services available on AWS Outposts:
    • Compute: Amazon EC2 instances, same as in AWS Regions.
    • Storage: Amazon EBS volumes, Amazon S3 on Outposts for local object storage.
    • Analytics: Amazon EMR for big data processing on Outposts.
  • S3 on Outposts:
    • Separate IAM namespace from regional S3, enabling modular policy management.
    • Encryption enabled by default, VPC-based access control.
    • Supports local replication for data redundancy and resilience.
  • Operational visibility and governance:
    • CloudTrail logging and Amazon CloudWatch metrics for all Outpost services.
    • AWS CloudFormation support for infrastructure-as-code deployment.
    • Unified AWS Management Console experience for on-premises and cloud assets.

Key Takeaways

  • AWS provides a continuum of hybrid and edge services to meet customers' digital sovereignty requirements.
  • The AWS Nitro system is the foundational security and performance layer enabling these hybrid solutions.
  • Customers like Jadwa are leveraging AWS Outposts to build compliant, cloud-powered solutions in regulated markets.
  • AWS Control Tower enables automated, scalable governance of hybrid environments through data perimeter controls.
  • Outposts deliver the same AWS services, APIs, and operational experience as the cloud, allowing customers to innovate at the edge without sacrificing sovereignty.
