jasonbutz.info

Demystifying AWS Partitions

AWS, Cloud, Security

Amazon Web Services (AWS) is a widely adopted cloud computing platform offering a broad range of services to businesses and individuals. Behind the scenes, AWS isolates its infrastructure in layers to protect the security, availability, and performance of its services. One of the coarsest layers of that isolation is the partition, which separates whole groups of regions from one another. In this blog post, we'll explore the five AWS partitions.

What is a partition?

You are likely used to thinking of regions as the main divisions within AWS. Each AWS region is an autonomous entity with its own isolated set of resources. A region consists of multiple availability zones (AZs), each made up of one or more physically distinct data centers within a geographic area.

An AWS partition is a group of regions. Each partition is distinct, with isolated resources, its own accounts and credentials, and a different purpose. Most of us are used to operating in the standard AWS partition. There are two others you may have heard of and two you probably didn't know about!

Standard AWS Partition

The standard AWS partition had 27 regions at the time of writing, plus numerous edge locations, local zones, and regional edge caches. This is where most new services and features roll out first.

If you're not sure which partition you're in, look at your ARNs. The value after arn: is the partition; if it says aws, you're in the standard partition. Because the partition is part of every ARN, IAM policies, CloudFormation templates, and scripts that hard-code arn:aws: will not match anything in the other partitions.
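The following is an added example, not code from the original post: it parses ARNs to read the partition and then audits an IAM policy for ARNs hard-coded to a different partition than the one it is about to be deployed into. The policy document is constructed for illustration, and the partition list is the set of partition names that appear in the AWS SDKs' endpoint metadata.

```python
# Added example (not from the original post): parse ARNs to read the
# partition, then audit an IAM policy for ARNs hard-coded to the wrong
# partition. SAMPLE_POLICY below is constructed for illustration.
import json
from dataclasses import dataclass
from typing import Iterator, List

# Partition names that appear in the AWS SDKs' endpoint metadata.
KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov", "aws-iso", "aws-iso-b"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str      # empty for global services such as IAM
    account: str     # empty for some services (S3, for example)
    resource: str    # may itself contain ':' (Lambda, ECS, ...)


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account:resource.

    The resource field is allowed to contain colons, so split at most
    five times and keep the remainder intact.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {arn!r}")
    return Arn(partition, service, region, account, resource)


def rewrite_partition(arn: str, partition: str) -> str:
    """Return the same ARN with its partition field replaced."""
    a = parse_arn(arn)
    return f"arn:{partition}:{a.service}:{a.region}:{a.account}:{a.resource}"


def _statements(policy: dict) -> List[dict]:
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def policy_arns(policy: dict) -> Iterator[str]:
    """Yield every ARN found in Resource, NotResource and Principal.AWS."""
    for stmt in _statements(policy):
        for key in ("Resource", "NotResource"):
            values = stmt.get(key, [])
            for v in [values] if isinstance(values, str) else values:
                if v.startswith("arn:"):
                    yield v
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            for v in [aws] if isinstance(aws, str) else aws:
                if v.startswith("arn:"):
                    yield v


def foreign_arns(policy: dict, target_partition: str) -> List[str]:
    """ARNs whose partition differs from the one the policy is deployed to.

    Such entries never match a real resource in the target partition: an
    Allow grants nothing, and, worse, a Deny restricts nothing.
    """
    return [a for a in policy_arns(policy)
            if parse_arn(a).partition != target_partition]


# Constructed sample: a policy written for the standard partition that
# someone is about to deploy into GovCloud.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "logs:DeleteLogGroup",
     "Resource": ["arn:aws:logs:us-gov-west-1:123456789012:log-group:*"]},
    {"Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws-us-gov:lambda:us-gov-west-1:123456789012:function:audit"}
  ]
}""")

if __name__ == "__main__":
    for arn in foreign_arns(SAMPLE_POLICY, "aws-us-gov"):
        print(f"{arn}\n  -> {rewrite_partition(arn, 'aws-us-gov')}")
```

Run against the sample, the audit flags the S3 and CloudWatch Logs ARNs and leaves the Lambda one alone. The Deny statement is the one to worry about: it looks like a guardrail, but in GovCloud it matches nothing. In CloudFormation the fix is to build ARNs with the AWS::Partition pseudo parameter instead of a literal aws.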

AWS China Partition

The China partition operates in mainland China and consists of two regions, Beijing (cn-north-1) and Ningxia (cn-northwest-1), each with three availability zones. The AWS edge locations in mainland China are part of this partition as well.

To comply with Chinese regulations, the regions are operated by locally licensed partners rather than by AWS itself: Beijing by Sinnet and Ningxia by NWCD. Each region has a different operator, but the two are interconnected like any other pair of AWS regions. They are entirely separate from the standard partition: you need a distinct AWS China account, and credentials from one partition do not work in the other.

The Amazon Web Services China website provides additional information and the AWS documentation for the partition, and the Amazon Web Services China Guide whitepaper covers it in more depth.

If you look at your ARNs and see aws-cn, you’re using the China partition.

AWS GovCloud (US) Partition

A separate partition, AWS GovCloud (US), has been built for US government and other highly regulated workloads. You might think, "This must be where all the top-secret stuff is!" You'd be wrong. GovCloud is accredited for Controlled Unclassified Information (CUI), not for Secret or Top Secret data. Besides CUI, the GovCloud partition is appropriate for unclassified data with strict compliance requirements, such as protected health information covered by HIPAA, ITAR export-controlled data, and workloads that need FedRAMP High or one of a wide range of other US government authorizations.

AWS GovCloud (US) has two regions, us-gov-west-1 and us-gov-east-1, each with three AZs. Every GovCloud account has a 1:1 relationship with a standard-partition AWS account. The standard account handles billing and support but is otherwise isolated from the GovCloud account, and credentials for one cannot be used in the other. This leads to unique challenges when building a landing zone, and AWS has prescriptive guidance documents devoted to that subject.

AWS GovCloud (US) is operated by US citizens on US soil, and the AWS support personnel who access it must meet the same requirement. To register for a GovCloud account, you must:

  • Be a US citizen or an active green card holder
  • Represent a US business entity that is based on US soil
  • Be able to handle International Traffic in Arms Regulations (ITAR) export-controlled data

You can learn more about AWS GovCloud (US) in AWS's user guide.

Secret and Top Secret Partitions

Public information about these partitions is limited, as the names imply. AWS's website has a product page and a few blog articles; beyond that, I couldn't find much. Before sharing this information, I checked that the blog articles were accessible from potentially restricted countries. Thank goodness for VPNs.

Currently there are two Top Secret regions and one Secret region. Based on what I can find, these are two separate AWS partitions; in the SDKs' endpoint metadata they appear under the names aws-iso and aws-iso-b. These partitions are air-gapped from the public internet and reachable only over private networks. The AWS personnel supporting these regions must hold US security clearances. If you want more information than that, you'll need a job with the US government or AWS.

More Partitions to Come?

With some searching, you can sometimes get an idea of what's to come. AWS's SDKs are meant to work with every AWS partition, so they ship a table describing all partitions and their regions. By examining the Python SDK (boto3 and its botocore library) code, we can infer that two more partitions may be in progress.
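To show what that SDK table looks like and how it is used, here is an added example, not code from the original post or from the SDK itself. ENDPOINT_DATA is a constructed, simplified subset that mirrors the shape of botocore's bundled data/endpoints.json (the real file keeps regions as a nested object and carries much more per-service data); the regexes are written to match the documented region naming and should be treated as illustrative. The installed_sdk_partitions function reads the real list from botocore when it is installed and returns None otherwise.

```python
# Added example (not from the original post): resolve regions to partitions
# the way the AWS SDKs do, from a 'partitions' table with a regionRegex per
# partition. ENDPOINT_DATA is a constructed, simplified subset that mirrors
# the shape of botocore's data/endpoints.json; read the real file from your
# installed SDK for the authoritative list.
import re
from typing import List, Optional

ENDPOINT_DATA = {
    "partitions": [
        {"partition": "aws", "partitionName": "AWS Standard",
         "dnsSuffix": "amazonaws.com",
         "regionRegex": r"^(us|eu|ap|sa|ca|me|af|il)-\w+-\d+$",
         "regions": ["us-east-1", "eu-west-1"]},
        {"partition": "aws-cn", "partitionName": "AWS China",
         "dnsSuffix": "amazonaws.com.cn",
         "regionRegex": r"^cn-\w+-\d+$",
         "regions": ["cn-north-1", "cn-northwest-1"]},
        {"partition": "aws-us-gov", "partitionName": "AWS GovCloud (US)",
         "dnsSuffix": "amazonaws.com",
         "regionRegex": r"^us-gov-\w+-\d+$",
         "regions": ["us-gov-west-1", "us-gov-east-1"]},
        {"partition": "aws-iso", "partitionName": "AWS ISO (US)",
         "dnsSuffix": "c2s.ic.gov",
         "regionRegex": r"^us-iso-\w+-\d+$",
         "regions": ["us-iso-east-1", "us-iso-west-1"]},
        {"partition": "aws-iso-b", "partitionName": "AWS ISOB (US)",
         "dnsSuffix": "sc2s.sgov.gov",
         "regionRegex": r"^us-isob-\w+-\d+$",
         "regions": ["us-isob-east-1"]},
    ]
}


def available_partitions(data: dict = ENDPOINT_DATA) -> List[str]:
    """Partition identifiers in table order."""
    return [p["partition"] for p in data["partitions"]]


def partition_for_region(region: str, data: dict = ENDPOINT_DATA) -> Optional[str]:
    """Look the region up explicitly first, then fall back to regionRegex.

    The regex fallback is what lets an SDK build endpoints for a region
    that launched after the SDK was released. Returns None if nothing matches.
    """
    for p in data["partitions"]:
        if region in p["regions"]:
            return p["partition"]
    for p in data["partitions"]:
        if re.match(p["regionRegex"], region):
            return p["partition"]
    return None


def endpoint_hostname(service: str, region: str, data: dict = ENDPOINT_DATA) -> str:
    """Regional endpoint hostname; the DNS suffix is a per-partition property."""
    part = partition_for_region(region, data)
    if part is None:
        raise ValueError(f"region {region!r} belongs to no known partition")
    suffix = next(p["dnsSuffix"] for p in data["partitions"] if p["partition"] == part)
    return f"{service}.{region}.{suffix}"


def installed_sdk_partitions() -> Optional[List[str]]:
    """Partitions known to the locally installed botocore, or None if absent.

    Comparing this list with public documentation is how you notice a
    partition the SDK knows about before AWS has said much about it.
    """
    try:
        import botocore.session
    except ImportError:
        return None
    return botocore.session.get_session().get_available_partitions()


if __name__ == "__main__":
    print("constructed subset:", available_partitions())
    print("installed SDK:     ", installed_sdk_partitions())
    for r in ("us-east-1", "cn-north-1", "us-gov-east-1", "us-isob-east-1", "eu-central-2"):
        print(f"{r:16} -> {partition_for_region(r)}  {endpoint_hostname('sts', r)}")
```

Two things are worth noticing. First, eu-central-2 is not in the constructed region list but still resolves to aws through the regex, which is exactly the mechanism that keeps older SDK releases working after a new region launches. Second, the air-gapped partitions carry their own DNS suffixes, so an SDK that only knew amazonaws.com could never reach them even over the private network; that is why partition metadata, and not just region names, has to ship with the SDK.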