Amazon Unveils New ‘Secret Region’ Cloud for Spies

AWS couldn’t be worse at keeping secrets than the US government, right?
November 21, 2017, 12:00pm

It’d be hard to overstate how much power Amazon has over the web circa 2017 via its Amazon Web Services shadow empire. According to a recent McAfee report, 80 percent of IT budgets are now dedicated to cloud infrastructure (“infrastructure as a service,” or IaaS, in the jargon), while 93 percent of businesses use the cloud in some form. And, of that cloud infrastructure, Amazon now controls just under half, obliterating competitors like Microsoft and Google.


If Amazon has its way, the next industry to join the party is secrecy. On Monday, the giant announced the unveiling of a new AWS “region.” (Most AWS services are segregated according to geographic region, with the idea being that users are better served by data centers that are actually close to them, at least in terms of latency.) Where is the new region? It’s a secret!

Or, rather, it’s not really a geographical region in the same sense as, say, good old us-east-1 (Virginia). The new region is the AWS Secret Region. It’s meant for classified data and services and is part of an existing US government contract. If some entity within the government has existing “appropriate Secret-level network access,” it can use the Secret Region to put all of its secret stuff. Amazon couldn’t be worse than the US government at keeping secrets, right?

“Today we mark an important milestone as we launch the AWS Secret Region,” offered Teresa Carlson, Vice President, Amazon Web Services Worldwide Public Sector, in a statement. “AWS now provides the U.S. Intelligence Community a commercial cloud capability across all classification levels: Unclassified, Sensitive, Secret, and Top Secret. The U.S. Intelligence Community can now execute their missions with a common set of tools, a constant flow of the latest technology and the flexibility to rapidly scale with the mission.”

AWS here is basically expanding an existing secure region that it had developed with the CIA. That service has the key property of being air gapped from the rest of the internet. It’s the same cloud idea of a big pool of shared computing resources, but it’s really only shared among other spies (in the same way that a normal AWS region limits who users are actually sharing with). So, a hacker would basically have to be sitting at a CIA machine in order to gain access to the secret region.