How to overcome dependency on us-east-1 region to ensure compliance


Hi, On behalf of a partner asking:

How do AWS SaaS ISVs/solutions manage region sovereignty demands from customers? It seems like us-east-1 is a hard dependency. Currently, we always need to create resources for cost reporting and visibility in the us-east-1 region of the customer's account because of the following limitations:

  1. CUR can only be created in the us-east-1 region
  2. Global resources like IAM roles only publish events from us-east-1, so we need to create the CloudTrail/CloudWatch rule there only
  3. For getting AWS Organizations related details, we also need to use the us-east-1 region
  4. BillingConductor related resources can also only be created/accessed from us-east-1

Because of this, we always need access to the us-east-1 region of the customer's account even if they don't have their infra hosted in that region, which also raises GDPR compliance concerns.

Could you please give your insight on whether this is going to stay as is in the near future, or whether we can expect any update on this?

AWS
Asked a year ago, 284 views
1 answer
Accepted answer

To manage region sovereignty demands while dealing with AWS services that have dependencies on the us-east-1 region, SaaS ISVs can adopt a hybrid approach. This involves centralizing certain management activities and resource creation in the us-east-1 region while ensuring compliance with regional data sovereignty requirements in other regions. Implement strict access controls, encryption, and data handling policies to protect data and maintain compliance. Regularly monitor AWS updates for changes in service dependencies and adjust strategies accordingly. For GDPR concerns, ensure data processing and storage comply with regional regulations, even if management activities occur in us-east-1.

Expert
Answered a year ago
  • Thanks. I should have been clearer in my question. This partner was asking with respect to how its platform should deal with features it offers that depend on global services with control planes only in one region, such as us-east-1. As they mentioned GDPR, I surmised part of their question may have been based on not having a full understanding of how most AWS services have regional data planes vs. a control plane in fewer or one region. I focused my response to them on clarifying how control vs. data planes for the services they noted are handled, referred them to our AWS Fault Isolation Boundaries whitepaper (https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/appendix-a---partitional-service-guidance.html), and suggested they look at how they handle degrading their features when control plane CRUDL capabilities are impacted during an incident. I also suggested some potential workarounds, such as having their customer use EventBridge cross-region routing to copy IAM events from us-east-1 to another region.

  • Thanks for sharing your explanation. It sounds like you provided a clear response on managing features dependent on global services in us-east-1. If there are any follow-up questions, feel free to reach out. Well done!
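The EventBridge cross-region routing workaround mentioned in the comments above, as an added CloudFormation example (not from the original post or from AWS documentation): deployed in us-east-1, it copies IAM API-call events recorded by CloudTrail to an event bus in the customer's home region, so the tooling that consumes them can live outside us-east-1. The home-region bus ARN and account ID are placeholders, and the template assumes a CloudTrail trail with management events enabled already exists.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Deploy in us-east-1. Forwards IAM (global-service) CloudTrail events to an
  EventBridge bus in the customer's home region. Assumes a trail with
  management events enabled exists; without it no "AWS API Call via
  CloudTrail" events reach EventBridge.
Parameters:
  DestinationEventBusArn:
    Type: String
    # Placeholder home-region bus; replace with the real ARN.
    Default: arn:aws:events:eu-central-1:111122223333:event-bus/default
    Description: ARN of the event bus in the home region that receives the copies
Resources:
  # Least-privilege role EventBridge assumes to put events on the remote bus.
  # For a cross-account destination the remote bus also needs a resource policy
  # that allows events:PutEvents from this account; same-account needs only this.
  ForwardRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PutEventsToHomeRegionBus
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: events:PutEvents
                Resource: !Ref DestinationEventBusArn
  # Matches only IAM control-plane calls, which are emitted in us-east-1,
  # and ships them to the home-region bus as a cross-region target.
  IamEventsForwardRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Copy IAM API calls from us-east-1 to the home-region event bus
      State: ENABLED
      EventPattern:
        source:
          - aws.iam
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - iam.amazonaws.com
      Targets:
        - Id: HomeRegionBus
          Arn: !Ref DestinationEventBusArn
          RoleArn: !GetAtt ForwardRole.Arn
```

Rules and consumers in the home region can then be attached to the destination bus, leaving only this forwarding rule and its role in us-east-1.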
