Evaluating ITAR workloads in US commercial AWS Regions
Public Sector Blog
This article explains how a defense and aerospace customer determined that U.S. commercial AWS Regions can support ITAR-controlled export workloads when properly configured with encryption.
- ITAR permits unclassified technical data outside the U.S. if end-to-end encrypted with FIPS 140-2 compliant cryptography
- Customer limited deployments to U.S. commercial AWS Regions, with features that store data outside the U.S. disabled
- Data must remain encrypted at rest and in transit; decryption occurs only during processing
- AWS KMS uses FIPS 140-3 Security Level 3 HSMs; operators cannot access plaintext key material
- Physical layer: inter-Region traffic automatically encrypted with AES-256
- Network layer: AWS PrivateLink and Nitro System provide transparent AES-256 GCM encryption
- Application layer: TLS 1.2/1.3 with AES-256 or AES-128 ciphers required
- EC2, Lambda, and EKS feature zero operator access design preventing data disclosure
Organizations should consult legal and compliance teams before deploying ITAR workloads on AWS commercial Regions.
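The application-layer requirement above (TLS 1.2/1.3 with AES-256 or AES-128 ciphers) can be enforced and verified on the client side. The following is an added example, not code from the AWS article; the function names, the choice of ECDHE with AES-GCM for TLS 1.2, and the sample sessions are assumptions made for illustration.

```python
import ssl

ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
ALLOWED_KEY_BITS = {128, 256}


def build_client_context() -> ssl.SSLContext:
    """Client context limited to TLS 1.2+ and, for TLS 1.2, ECDHE with AES-GCM."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumption: ECDHE with AES-GCM is chosen here; the page only says AES-256 or AES-128.
    # set_ciphers() governs TLS 1.2 suites only. TLS 1.3 suites, including
    # ChaCha20-Poly1305, are unaffected, so the session is checked after the handshake.
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx


def tls12_suites(ctx: ssl.SSLContext) -> list:
    """Names of the TLS 1.2 suites the context offers (TLS 1.3 names start with TLS_)."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def session_meets_policy(version: str, cipher: tuple) -> bool:
    """version is SSLSocket.version(); cipher is the tuple from SSLSocket.cipher().

    Checks protocol and cipher only. Whether the crypto module is FIPS-validated
    depends on the OpenSSL build and is not checked here.
    """
    name, _defined_in, bits = cipher
    return version in ALLOWED_VERSIONS and "AES" in name and bits in ALLOWED_KEY_BITS


# Constructed sample sessions, not captured from a real connection.
SAMPLE_SESSIONS = [
    ("TLSv1.3", ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256)),
    ("TLSv1.2", ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)),
    ("TLSv1.3", ("TLS_CHACHA20_POLY1305_SHA256", "TLSv1.3", 256)),
    ("TLSv1.1", ("ECDHE-RSA-AES256-SHA", "TLSv1.0", 256)),
]

if __name__ == "__main__":
    print("TLS 1.2 suites offered:", tls12_suites(build_client_context()))
    for version, cipher in SAMPLE_SESSIONS:
        verdict = "ok" if session_meets_policy(version, cipher) else "REJECT"
        print(f"{verdict:6} {version:8} {cipher[0]}")
```

In a real client, call `session_meets_policy(sock.version(), sock.cipher())` right after the handshake and close the connection if it returns False.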