
Demystifying sovereignty with AWS: A deliciously layered approach.

16 April 2026 4 min read Blog Post

As a Swede, I like explaining complex topics with something familiar. And in Sweden, that often means a prinsesstårta (princess cake).

When I talk to customers in regulated industries about AWS sovereignty, I often use the princess cake as a metaphor. Sovereignty isn't one-size-fits-all. Just like a cake, you choose the layers you need based on your risk profile, regulatory requirements and business priorities. Each layer adds more control, protection and peace of mind.

Sponge base: AWS security foundations

Every good princess cake starts with a solid sponge base. In AWS, that base is the security foundation.

AWS is built with security in mind. It starts with the Nitro System, which provides a physical and logical boundary that ensures no one can access your workloads. On top, you can control and restrict your (meta)data’s location and encrypt data at rest, in transit and in use; you remain in control of who can access what.

AWS services like Organizations, Service Control Policies (SCPs), Identity and Access Management (IAM), Key Management Service (KMS), Config, CloudTrail and CloudWatch give you the tools you need for access control, auditing and monitoring.
For many organisations, this base layer is enough when combined with a well-designed landing zone and the right guardrails.

Cream: Secure enclaves for sensitive data

The next layer is the cream – rich, protective and used when a workload needs something extra.

For highly sensitive data, AWS Nitro Enclaves can help create isolated compute environments inside your instances. These enclaves have no persistent storage, no direct admin access and no network connectivity unless you explicitly allow it. That makes them well suited for workloads where reducing attack surface is critical. You can also ensure decryption keys are only available to trusted enclaves, which adds another strong layer of protection.
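Restricting decryption keys to trusted enclaves is typically done in the KMS key policy, by allowing kms:Decrypt only when the request carries an enclave attestation that matches an expected measurement. The audit check below is an added example, not code from this post or from AWS; the policies, account ID, role name and measurement value are constructed placeholders.

```python
# Added example: flag KMS key-policy statements that allow kms:Decrypt
# without requiring a Nitro Enclaves attestation condition.
# Policies, account ID and measurement value are constructed placeholders.
from fnmatch import fnmatchcase

ATTESTATION_PREFIX = "kms:recipientattestation:"  # ImageSha384, PCR0, PCR1, ...
EQUALITY_OPERATORS = {"stringequals", "stringequalsignorecase"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_attestation_gated(statement):
    """True if an equality condition pins an attestation measurement."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() in EQUALITY_OPERATORS and any(
            key.lower().startswith(ATTESTATION_PREFIX) for key in keys
        ):
            return True
    return False


def ungated_decrypt_statements(policy):
    """Return identifiers of Allow statements that permit ungated decrypt."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Action may be a string or list and may contain IAM wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants_decrypt = any(fnmatchcase("kms:decrypt", p) for p in patterns)
        if grants_decrypt and not is_attestation_gated(stmt):
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


_ROLE = "arn:aws:iam::111122223333:role/enclave-parent-instance"  # constructed
WEAK = {"Statement": [{"Sid": "ParentCanDecrypt", "Effect": "Allow",
                       "Principal": {"AWS": _ROLE}, "Action": "kms:Decrypt",
                       "Resource": "*"}]}
HARDENED = {"Statement": [{**WEAK["Statement"][0], "Condition": {
    "StringEqualsIgnoreCase": {
        "kms:RecipientAttestation:ImageSha384": "<EXPECTED_IMAGE_SHA384>"}}}]}

if __name__ == "__main__":
    print("weak:", ungated_decrypt_statements(WEAK))
    print("hardened:", ungated_decrypt_statements(HARDENED))
```

Run against a real key policy, a default statement granting kms:* to the account root is reported as well, because it lets IAM policies authorise decryption without any attestation.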

Custard: European Sovereign Cloud

If your organisation has strict European regulatory requirements, the next layer is the custard: AWS European Sovereign Cloud (ESC).

ESC is designed for customers who need stronger guarantees around data residency, operational control and regional compliance. It gives you another option when workloads must stay within a European regulatory framework. In practice, that means you can choose environments that align with your sovereignty and compliance requirements – while still benefiting from AWS services and capabilities.

Marzipan: AWS Outposts

Sometimes the requirement goes even further – and data can’t leave your own site. This is where AWS Outposts comes in. Outposts brings AWS infrastructure and services into your own data centre or colocation facility. You get the same AWS experience, but the hardware sits locally – which can help with latency, control and compliance.

This is especially useful when you want cloud-like operations but need the physical infrastructure to remain at hand.

Decorations: Hybrid with local providers

Then we come to the decorations on top: hybrid with local providers. If you need sovereignty but don't want to run your own facilities, you can combine AWS with trusted local hosting or telecom partners. This gives you flexibility while still meeting local operational or regulatory requirements.

For some customers, this is the most practical model because you get AWS for scale and innovation, and a local partner for the parts that must stay close to home.

More options: Extra security and sovereignty options

And if the cake still isn’t complete, there’s another useful layer: AWS Marketplace.
AWS Marketplace gives you access to a large ecosystem of third-party software and security solutions that can support various sovereignty, compliance and governance needs. This includes tools for network security, identity management, endpoint protection, data protection, monitoring and more.

For customers in regulated industries, this is often where the architecture becomes even more practical. Instead of building everything from scratch, you can quickly find vetted solutions that extend your AWS environment and help you meet specific business or regulatory requirements.

A flexible model with AWS sovereignty solutions

The main point is that AWS sovereignty is layered. You don't need every layer for every workload. Some customers only need the foundation. Others need secure enclaves, EU-based controls, Outposts, hybrid infrastructure or Marketplace solutions to fill specific gaps.

That flexibility is what makes the model so powerful. You choose the level of control that fits the workload, the regulation and the business case.
