AWS European Sovereign Cloud

59 pointsposted 11 hours ago
by kristianpaul
(aws.eu)

60 Comments

boramalper

10 hours ago

Microsoft admitted that it 'cannot guarantee' data sovereignty [0] "on June 18 before a [French] Senate inquiry into public procurement and the role it plays in European digital sovereignty" as the CLOUD Act "gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil."

It'd be great if they could clarify in their FAQ [1] if and how the CLOUD Act affects them.

[0] https://www.theregister.com/2025/07/25/microsoft_admits_it_c...

[1] https://aws.eu/faq/

crazygringo

9 hours ago

It seems like the entire point is precisely to get around the CLOUD Act.

By setting it up with a European governance structure, Amazon can tell the US government "hey we told them give us the data, but they refused because that would send them to jail under EU law, and they're a legally separate entity so there's nothing we can do."

This is very intentionally not just a regular foreign subsidiary owned by the parent company.

ignoramous

9 hours ago

> as the CLOUD Act "gives the US government authority to obtain digital data

AWS maintains a similar stance, too [0]?

  The CLOUD Act clarified that if a service provider is compelled to produce data under one of the limited exceptions, such as a search warrant for content data, the data to be produced can include data stored in the U.S. or outside the U.S.
> Microsoft admitted that it 'cannot guarantee' data sovereignty

Hm. As for AWS, they say that if the customer sets up proper security boundaries [0], they'll ensure will keep their end of the bargain [2][3]:

  As part of the technical design, access to the AWS European Sovereign Cloud physical infrastructure and logical system is managed by Qualified AWS European Sovereign Cloud Staff and can only be granted to Qualified AWS European Sovereign Cloud Staff located in the EU. AWS European Sovereign Cloud-restricted data will not be accessible, including to AWS employees, from outside the EU.

  All computing on Amazon Elastic Compute Cloud (Amazon EC2) in the AWS European Sovereign Cloud will run on the Nitro System, which eliminates any mechanisms for AWS employees to access customer data on EC2. An independent third party (the UK-based NCC Group) completed a design review confirming the security controls of the Nitro System (“As a matter of design, NCC Group found no gaps in the Nitro System that would compromise these security claims”), and AWS updated its service terms to assure customers “there are no technical means or APIs available to AWS personnel to read, copy, extract, modify, or otherwise access” customer content on the EC2 Nitro System.

  Customers also have additional mechanisms to prevent access to their data using cryptography. AWS provides advanced encryption, key management services, and hardware security modules that customers can use to protect their content further. Customers have a range of options to encrypt data in transit and at rest, including options to bring their own keys and use external key stores. Encrypted content is rendered useless without the applicable decryption keys.

  The AWS European Sovereign Cloud will also benefit from AWS transparency protections over data movement. We commit in the AWS Service Terms that access to the EC2 Nitro System APIs is "always logged, and always requires authentication and authorization." The AWS European Sovereign Cloud also offers immutable, validated logs that make it impossible to modify, delete, or forge AWS CloudTrail log files without detection.
[0] https://aws.amazon.com/compliance/cloud-act/

[1] https://aws.amazon.com/compliance/shared-responsibility-mode...

[2] https://d1.awsstatic.com/onedam/marketing-channels/website/a...

[3] https://aws.eu/esca/

colechristensen

9 hours ago

It would seem like the problem is one of the business layout and technical layout.

Organize your business and your tech correctly and you can have an owned foreign subsidiary that can comply with local laws. But things would have to be quite separate.

KK7NIL

9 hours ago

> Organize your business and your tech correctly and you can have an owned foreign subsidiary that can comply with local laws.

I doubt it, a majority owned subsidiary is usually passed through for many legal purposes.

to11mtm

9 hours ago

Yep, to the extent that short (at best, cause they are potentially fallible) of a warrant canary getting snuffled it is very possible that a company could set up a subsidiary for appearances.

Or, just buy bits of control interest outright (CryptoAG?)

colechristensen

5 hours ago

If there's one thing I believe in, it's the ability of the rich to fabricate creative corporate structures to evade the laws of a particular jurisdiction, especially with the aid of a second jurisdiction with interest in that evasion.

Just make it complex enough to confuse juries beyond a prosecutors famously low appetite for losing and you'll be absolutely fine.

blibble

10 hours ago

> The AWS European Sovereign Cloud is the only fully-featured, independently operated sovereign cloud, backed by strong technical controls, sovereign assurances and legal protections.

independently OPERATED, not independently owned

therefore: still under the jurisdiction of the US regime

bee_rider

9 hours ago

Wait, how does this work? If it is owned by a US company but operated by people inside the EU, I would expect the actual laws in effect to be the EU ones. I mean, that’s who can actually send police to stomp around and physically take the hard drives if they really want to.

The US can of course command the US owners to instruct their EU based employees to do something illegal in the EU, but if your boss tells you do do something illegal, you are still breaking the law if you do it…

eCa

10 hours ago

> still under the jurisdiction of the US regime

Exactly, this seem pointless for people serious about staying away from US owned data stores. I know first hand of EU based businesses that left AWS (and all other US owned services) before 2020 due to customer (B2B) demand which in turn was due to the Cloud Act[1], and for whom it today would be completely untenable to return.

[1] https://en.wikipedia.org/wiki/CLOUD_Act

embedding-shape

10 hours ago

Also "legal protections" provided by the US regime, for what that exactly entails anymore I'm not sure, probably depends on the situation.

colechristensen

9 hours ago

Congress as it is are cowards incapable of protecting the law, it is merely a regime based law until Congress can prove and rebuild trust that it has a backbone.

elchananHaas

10 hours ago

I worked on a team deploying a service to European Sovereign Cloud (ESC). Disclaimer - I am a low level SDE and all opinions are my own.

AWS has set up proper boundaries between ESC and global AWS. Since I'm based out of the US I can't see anything going on in ECS even in the service we develop. To fix an issue there we have to play telephone with an engineer in ESC where they give us a summary of the issue or debug it on their own. All data is really 100% staying within ESC.

My guess is that ESC will be less reliable than other regions, at least for about a year. The isolation really slows down debugging issues. Problems that would be fixed in a day or two can take a month. The engineers in ESC don't have the same level of knowledge about systems as the teams owning them. The teething issues will eventually resolve, but new features will be delayed within the region.

JacoboJacobi

9 hours ago

Still it sounds like it would be the optimal choice for a redundancy zone in some senses since its probably not going to have any accidental dependency on us-east-1.

donavanm

8 hours ago

If youre a current AMZN employee you may want to delete or heavily edit this post. Go check your employers “social media policy.” Historically commenting on operational or internal aspects without PR approval was prohibited.

jojobas

9 hours ago

Sure, but what really prevents

>To fix an issue there we have to play telephone with an engineer in ESC where they give us a all the data we need or get fired.

?

voidfunc

10 hours ago

Sovereign-by-design but still runs a software stack that is largely written and maintained by a US staff...

All of these isolation sovereignty iniatives are window dressing to the bigger problem that the EU and other countries are massively dependent on proprietaey US-centric software stacks.

cperciva

10 hours ago

Sovereign-by-design but still runs a software stack that is largely written and maintained by a US staff...

Not as much as you might think. The most important component -- Nitro -- basically runs out of Germany.

petcat

9 hours ago

The AWS EC2 virtualization team invented and maintains the Nitro system. And that team is overwhelmingly based in Seattle, WA USA.

cperciva

9 hours ago

You sure about that? Maybe it's just a coincidence but the low-level people I've talked to are almost never based in Seattle.

my123

8 hours ago

The Nitro Hypervisor team is (mostly) in Berlin :)

The Nitro _card_ teams are elsewhere

cperciva

6 hours ago

Fair enough. The comment was about software, and to me the Nitro hypervisor is software while the Nitro card is hardware and firmware. ;-)

mike_d

9 hours ago

You mean the same Germany that uses its domestic access to the bargain basement cloud providers like Hetzner and Contabo to de-anonymize Tor users for international law enforcement?

Or the Germany that bought Crypto AG along with the CIA to backdoor encryption hardware?

aforwardslash

10 hours ago

> Sovereign-by-design but still runs a software stack that is largely written and maintained by a US staff...

Id argue that very few software components are written (let alone maintained) by US staff. This is basically another major player (there are other sovereign clouds) reading the writing on the wall and doing what is necessary to avoid losing business or being irradiated from the market.

CloudFlare CEO, take notice. Look how the big boys do business and maybe learn a thing or two.

zmgsabst

7 hours ago

CloudFlare already does business that way — eg, enforcing local laws inside the country.

CloudFlare’s objection to Italy’s demands were that Italy demanded CloudFlare censor websites outside of Italy for everyone, globally. CloudFlare refused to do so and said they’d stop providing services to Italy.

Do you realize what you’re asking for in ClodFlare listening to Italy? The US will get total say over what content can be hosted anywhere in Europe (by CloudFlare), due to that precedent being set (and their greater ability to coerce ClodFlare).

Your comment is contradictory: you phrased it as respecting sovereignty, but your actual demand is that CloudFlare allow the US to enforce edicts on the EU.

Havoc

10 hours ago

It's better than nothing but I'd say it's naive to believe this will hold if US gov genuinely leans on AWS US HQ.

bflesch

10 hours ago

If push comes to shove, these services can and will be weaponized against EU interests. They are bugged and backdoored to the brim. If we see a risk in chinese-made electrical buses which can potentially be remotely shut down by an integrated sim card, then using AWS should be a no go in the current political climate - no matter how much lipstick they put on that pig.

Last week, after receiving a fine in Italy, the Cloudflare CEO demonstrated that US tech leadership are extremely emotionally volatile and can lash out in all directions, threatening unrelated parties with shutdown of service. This is in line with Peter "anti christ" Thiel and Elon "nazi salute" Musk going off the rails. Maybe it is a drug-induced psychosis from their annual gathering in the desert where US tech workers consume illegal substances, I don't know.

What if someone scratches Bezos' yacht by accident and then he threatens to shut down the DC? Or he might get upset about a CO2 surcharge when refueling his private jet? Can we really take these risks?

zmgsabst

7 hours ago

Italy’s demand was completely unreasonable and CloudFlare threatened to end business in Italy, including informing impacted partners.

People talking about EU sovereignty and US hegemony then crying Italy isn’t allowed to dictate terms globally are showing they’re not people with principles — they’re just losers who would be every bit as hegemonic as the US, they just lack the power to be and are publicly crying about it.

janfoeh

9 hours ago

We cannot, no. A break break, as clean and hard as can be under the circumstances is required.

There will be gnashing of the teeth, doomsaying galore, a few actual minor catastrophes... but we will be okay.

Not just okay, but we will be better off for it. The Internet will be better off for it, because the inescapable side effect will be at least a bit of re-decentralization.

Any European equivalent replacing what is lost will be better. Not because we have better coders or are even better people, mind you - far from it. It will be better because we will have the gift of hindsight; any replacement for web-based productivity services, search engines or social media springing up will be the product of a society and legislative system which has caught up at least in some sense to technological progress and which has been there, done that. The actual web two point oh.

So let's pull out as many plugs as we can. It'll hurt for a bit, but not only is it without alternative - it'll be fresh, it'll be fun and it'll be good in the end.

Let's get to work.

margorczynski

10 hours ago

If I'm not mistaken the US (e.g. intelligence agencies) can still require them to provide client data and respect US sanctions?

AWS should be ditched altogether and something Europe based chosen even if it requires investment.

bflesch

10 hours ago

Yes, 100%. They are fully compromised and an extension of US dominance. They can and will be weaponized against us.

Same with Apple iCloud - one day Europeans will wake up and see that all their pictures have been deleted.

ignoramous

9 hours ago

> one day Europeans will wake up and see that all their pictures have been deleted

Possible this happens due to bugs in iCloud's GDPR implementation.

bflesch

9 hours ago

I think it's more likely to happen if Tim Apple is refused entry into Berghain.

electronsoup

11 hours ago

How effective would this setup be if the parent company in the US is ordered to order the EU subsidiary to do something not in the interests of the EU?

crazygringo

10 hours ago

If it breaks the law in the EU, then the European employees staffing the data center refuse, because they don't want to go to jail or pay fines.

That's the entire point of setting it up like this.

Think of it like fast-food franchises. They have to sell the same food and use the same branding and charge the same prices. But if McDonald's tells you to start selling cocaine on the side, you tell them nope, that's not in the contract and I don't feel like going to prison.

nikeee

10 hours ago

What if the software is developed and potentially backdoored in the US and deployed by the EU team in the sovereign region? Or did they rewrite the entire AWS stack?

trebligdivad

10 hours ago

If the EU employees can look around the code, it would then get quite interesting if they were to point out a backdoor. which they would of course raise with an EU based CERT. In a way that protects US customers as well having a set that can't be stopped from doing that.

jojobas

9 hours ago

Assuming EU employees get to see the sources, let alone own their building process.

trebligdivad

9 hours ago

True, and there's probably a lot of it; still I think they already have some EU devs, but I guess only on some things.

crazygringo

10 hours ago

I don't think there are any protections against that. On the other hand, you'd have to ask yourself how realistic it is that the US is forcing Amazon to secretly backdoor its own software for US spying abroad? I can't give an answer on that one, you'll have to form your own opinion.

I imagine that if a back door were ever discovered, AWS's reputation would tank so hard that a lot of companies would probably never do business with it again.

blibble

10 hours ago

> how realistic it is that the US is forcing Amazon to secretly backdoor its own software for US spying abroad?

probably 100%?

recursivecaveat

7 hours ago

Over 100%, in that I'm sure multiple independent groups are working on it all the time. The spooks regularly place actual agents in foreign governments (the Germans found a big nest of them and nothing much happened in the end). There's no way it would be challenging for them to find an employee willing to cash a giant cheque in exchange for quietly granting their own government access.

pu_pe

18 minutes ago

This move had a chance to work a couple of years ago, when European companies were seeking CYA compliance in regards to GDPR. The tone has now clearly shifted to a decoupling from American tech. My prediction is that American cloud providers will lag behind truly European alternatives this year.

brunkerhart

3 hours ago

This discussion presumes the laws would be obeyed, but we see the laws being openly bended by nations wanting to.

For a small/medium business in EU ESC is an overkill. Their data has no strategic value. Just use whatever infrastructure you want.

For any large company working at global level, owning cutting edge technology ESC is not a protection.

US just stolen a president of foreign country, do you really believe they would hesitate to do this with anybody else if they want?

Kwpolska

9 hours ago

EC2 pricing: https://aws.eu/ec2/pricing/on-demand/

The prices for the only region in Germany are very similar to the prices in eu-west-1 (Frankfurt), except in € instead of $, so that’s basically a 16% markup by today's exchange rate. Also, AMD CPUs appear to be completely missing.

sega_sai

9 hours ago

I was actually surprised to see this: "As we make this change, we will continue to work as a blended team of EU residents and EU citizens, with all personnel working from EU locations, before gradually completing our transition to EU citizen operations for the AWS European Sovereign Cloud." This looks like a more serious attempt to make it independent of US meddling. It will not protect it fully, but still.

rich_sasha

5 hours ago

In other news, wolves have set up a vegan restaurant for sheep. The chefs have been specially instructed not to eat their guests, the grass is 100% organic. Mint sauce is kept well out of sight. The heavy duty locks on the doors will definitely not be used and the red stains are from beetroot. Definitely beetroot.

Seriously though, what is stopping Europeans to "just build their own"? EU could provide some form of financing - cheap loans, tax breaks, favourable regulation etc. I know AWS is a million things, not just VMs, but is building a small cloud provider and scaling from there really that hard? Maybe I'm being super naive - ELI5 please?

snihalani

10 hours ago

Why is this valuable?

x86cherry

10 hours ago

Critical infrastructure. The US has a history of forcing their way into many parts of it [1] and we know they use it for leverage whenever it's suitable. Furthermore, if you control the information flow of a system, then decision making based on that information becomes dependent on those who control it.

[1] https://www.radiofrance.fr/franceculture/guerre-economique-c...

mike_d

9 hours ago

I would love to see a US specific version of this as well. Something similar to GovCloud with the same security controls and employee vetting but accessible to commercial customers.

auxiliarymoose

9 hours ago

AWS GovCloud is accessible to commercial customers.

t0lo

9 hours ago

This is about as grifty and mckinseyian as the AI Data Centres in space hype.

6r17

10 hours ago

Yeah.... no thx. Hard voice against it and anything that comes from the US. There is tons of stuff that is genuinely cool, we got tons of stuff it would be barbaric to spit in the soup.

However I'm pretty sure at this point that even the GAFAM are tired of this situation and that they don't care if giants their size show up in Europe. I'm genuinely thinking that what is also happening with AI (eg : free knowledge drop) is some kind of mechanism to allow those new giants to emerge in other places than US.

Being the bright star that takes all the broken stuff on the head is not always the smartest move - at some point if you are blocking everything from showing up just because you exist, you are just slowly creating conflict against you - which i'm pretty sure the GAFAM are not interested in.

I'm pretty sure there is a lot of power dynamic shift happening just now, AI bubble is just a tool that permit it -- the amount of startups that are allowed to launch on the simplest product are crazy --

tldr : creating incumbents then beating them is a display of power ; not caring is a display of power, having too much money is a display of power, being blocked due to political and social movement is weakening the velocity of these entities - i'm pretty sure atp that creating new giants in Europe would help them more than to continue in what appears like a colonialist endeavor - which they probably don't like either (they just want to market and win)

Idk I might be extrapolating like a mad man

wewewedxfgdf

9 hours ago

"AWS" and "European Sovereign" - that's a contradiction in terms.

Just stop using clouds run your own computers.