How to overcome dependency on us-east-1 region to ensure compliance


Hi, On behalf of a partner asking:

How do AWS SaaS ISVs/Solutions manage region sovereignty demands from customers? It seems like us-east-1 is a hard dependency. Currently, we always need to create resources for cost reporting and visibility in the us-east-1 region of the customer's account because of the following limitations:

  1. CUR can only be created in us-east-1 region
  2. Global resources like IAM Role only publish events from us-east-1 so we need to create CloudTrail/CloudWatch rule there only
  3. For getting AWS Organizations related detail also, we need to use ‘us-east-1’ region
  4. BillingConductor related resources also can be created/accessed from us-east-1

Because of this, we always need access to the us-east-1 region of the customer's account even if they don't have their infra hosted in that region, which also creates concerns regarding GDPR compliance.

Could you please give your insight on whether this is going to stay as is in the near future, or are we expecting any update on this?

AWS
asked a year ago, 267 views
1 Answer
Accepted Answer

To manage region sovereignty demands while dealing with AWS services that have dependencies on the us-east-1 region, SaaS ISVs can adopt a hybrid approach. This involves centralizing certain management activities and resource creation in the us-east-1 region while ensuring compliance with regional data sovereignty requirements in other regions. Implement strict access controls, encryption, and data handling policies to protect data and maintain compliance. Regularly monitor AWS updates for changes in service dependencies and adjust strategies accordingly. For GDPR concerns, ensure data processing and storage comply with regional regulations, even if management activities occur in us-east-1.

EXPERT
answered a year ago
  • Thanks. I should have been clearer in my question. This partner was asking with respect to how its platform should deal with features it offers that depend on global services with control planes only in one region such as us-east-1. As they mentioned GDPR, I surmised part of their question may have been based on not having a full understanding of how most AWS services have regional data planes vs. a control plane in fewer or one region. I focused my response to them on clarifying how control vs. data planes for the services they noted are handled, and referred them to our AWS Fault Isolation Boundaries whitepaper (https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/appendix-a---partitional-service-guidance.html) and suggested they look at how they handle degrading their features when control plane CRUDL capabilities are impacted during an incident. Also suggested some potential workarounds such as having their customer use EventBridge cross-region routing to copy IAM events from us-east-1 to another region.

  • Thanks for sharing your explanation. It sounds like you provided a clear response on managing features dependent on global services in us-east-1. If there are any follow-up questions, feel free to reach out. Well done!
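The EventBridge cross-region routing workaround mentioned in the comments above, as an added example that is not part of the original thread: a rule in us-east-1 that matches CloudTrail management events emitted by IAM (a global service whose events are recorded only in us-east-1) and forwards them to the default event bus in the customer's home region. The account id, home region and forwarding role name are placeholders, and the matcher implements only the exact-value subset of EventBridge pattern semantics.

```python
import json

SOURCE_REGION = "us-east-1"      # IAM CloudTrail events only surface here
TARGET_REGION = "eu-west-1"      # assumption: the customer's actual home region
ACCOUNT_ID = "111122223333"      # placeholder account id, not a real account
TARGET_BUS_ARN = f"arn:aws:events:{TARGET_REGION}:{ACCOUNT_ID}:event-bus/default"
# Hypothetical role; it needs events:PutEvents on TARGET_BUS_ARN for cross-region delivery.
FORWARD_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/EventBridgeCrossRegionForward"

# Rule pattern for the us-east-1 rule: CloudTrail management events from IAM.
# A list means "any of these exact values"; a nested dict is matched recursively.
IAM_EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"]},
}

def matches(pattern, event):
    """Exact-value subset of EventBridge matching: every pattern key must be
    present in the event, and its value must be one of the listed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def rule_definition():
    """The rule (deployed in us-east-1) with the home-region bus as its target."""
    return {
        "Name": "forward-iam-events-to-home-region",
        "EventPattern": json.dumps(IAM_EVENT_PATTERN),
        "Targets": [{"Id": "home-region-bus", "Arn": TARGET_BUS_ARN, "RoleArn": FORWARD_ROLE_ARN}],
    }

def forwarded(events):
    """Events the us-east-1 rule would route onward to the home-region bus."""
    return [e for e in events if e.get("region") == SOURCE_REGION and matches(IAM_EVENT_PATTERN, e)]

# Constructed sample events in the EventBridge envelope format (not real captures).
SAMPLE_EVENTS = [
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail", "region": "us-east-1",
     "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole"}},
    {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail", "region": "eu-west-1",
     "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"}},
]
```

Data-plane traffic stays in the home region; only the copied IAM management events cross the region boundary, which is the point to document for a GDPR review.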
