By Pierre Brun-Murol, Cloud & Application Security Global Product Director – Eviden
By Serge Moro, Sr. Partner Solutions Architect – AWS


Many European public sector and regulated industry customers face incredible complexity with a moving geopolitical and regulatory landscape, raising sovereignty challenges.

They have concerns about the extraterritorial application of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and want to fully control data critical to their business. They also have concerns about their ability to easily comply with new European regulations such as the European Cyber Resilience Act (EU-CRA), European Common Criteria for Cybersecurity (EUCC), and the General Data Protection Regulation (GDPR), especially since the Schrems II ruling.

Customers want to adopt cloud technologies but must meet increasing regulatory requirements over data location, European operational autonomy, and resilience. In this post, we will delve into how Eviden’s data sovereignty solution can be leveraged to migrate and run digital assets on Amazon Web Services (AWS) while meeting the sovereignty requirements.

AWS has from day one allowed customers to control the location and movement of their data and provides “Sovereignty of the Cloud” as defined by the AWS Digital Sovereignty Pledge. Through this, AWS commits to investing in an ambitious roadmap of capabilities focused on data residency, granular access restriction, encryption, and cloud resilience. This resulted in the announcement of a new independent sovereign cloud in Europe by AWS.

Eviden is an AWS Premier Tier Services Partner with many AWS Competencies including Security and Level 1 Managed Security Services Provider (MSSP) Consulting. It offers a comprehensive approach to data sovereignty with advisory services, controls implementation, and run services to answer customer challenges and protect customer data throughout their AWS journey. Eviden is also part of the Authority To Operate partner program.

Eviden’s Risk-Based Assessment Advisory Services

Eviden’s digital sovereignty assessment methodology will help you:

  • Find the right balance between data sovereignty risks and business needs. This includes assessing the risks specific to your industry and technological setup and investments required to mitigate those risks, while maximizing the benefits of the AWS cloud for your business needs.
  • Define your own framework tailored to your unique sovereignty requirements. This includes relevant cloud architecture and appropriate operating model, as well as processes to govern and maintain your sovereignty posture.


Figure 1 – Eviden risk-based assessment methodology.

Once your sovereignty framework is defined, Eviden can help you implement it end-to-end with:

  • Operations compliance: Delivery aligned with your sovereignty framework on all dimensions (regulation, teams’ location, background checks, office security, access controls).
  • Enforcement and monitoring of technical compliance: Eviden proposes several automated security control enforcements, ranging from data encryption with External Key Storage for AWS (XKS) by Eviden to advanced threat detection with AIsaac Cyber Mesh. Eviden maintains ongoing compliance with your sovereignty framework by diligently monitoring the controls implemented and promptly remedying any deviations.
  • Organizational compliance: Eviden helps you set up the processes and policies you need internally to be compliant with your specific sovereignty framework.


Figure 2 – Eviden end-to-end sovereignty services.

Eviden services are delivered in accordance with the AWS Migration Acceleration Program (MAP) and encompass your entire cloud migration journey from initial assessment to the run phase. They can be delivered through Eviden’s dedicated EU-compliant Cloud SecOps center in Romania.

Eviden Controls to Strengthen Sovereignty and Privacy Posture

During the digital sovereignty assessment, Eviden will help you define the right controls you need. First, ensure your cloud environment complies with your data location requirement. AWS provides several options to host your data: in an AWS region, AWS Dedicated Local Zones, on AWS Outpost server(s) installed on your premises, or in the recently announced European Sovereign Cloud.

Once the right location is identified, AWS Control Tower sovereignty controls will help you meet your sovereignty goals.

Eviden Digital Cloud Services (DCS) guides you through the options and enforcement to ensure compliance. DCS allows deploying pre-packaged solutions based on AWS best practices that are the basis for enforcing your cloud security posture, including your data location requirements. Refer to this Eviden DCS blog post for details on the solution.

Eviden also advises you on leveraging the AWS Resilience Hub to meet your cyber resilience needs supporting your digital sovereignty goals.

One area that requires specific attention is data encryption. Encryption is a key component of data protection, and Eviden’s digital sovereignty assessment helps you find a solution that best meets your specific requirements.

Those solutions are typically:

  • Built-in AWS encryption and key management.
  • External key management with either bring-your-own-key or hold-your-own-key mechanisms.
  • External encryption and key management with either bring-your-own-encryption, gateway or client-side encryption mechanisms.

AWS has extensive guidance on its built-in offers, and Eviden provides the ability to use the XKS key store in lieu of AWS Key Management Service (AWS KMS). You can find more details in this announcement post from the AWS KMS team.

The third option, external encryption and key management, is an approach that lets you control and manage your encryption outside of AWS. It doesn’t natively integrate with AWS services, so you should consider this level of encryption only when mandated by your sovereignty framework.

XKS by Eviden protects your sensitive and critical data by allowing you to maintain control of your encryption keys. Integrated with AWS KMS external key store, additional keys generated in your dedicated Trustway Proteccio vHSM are used to further encrypt your data using envelope encryption. Your key never leaves your dedicated Trustway vHSM.

This solution allows you to encrypt data with your own external keys for the vast majority of AWS services that support AWS KMS customer managed keys. There is no change required to your existing AWS services’ configuration parameters or code.

Deeper Look into Eviden XKS Solution

XKS by Eviden is an end-to-end service: Eviden deploys, manages, and operates all the software, hardware, and networking required to provide you this service. Eviden provides support and 24/7 operations, with a service-level agreement (SLA) of 99.9% for XKS by Eviden. The service is available in all current AWS European regions (Frankfurt, Ireland, London, Milan, Paris, Spain, Stockholm, and Zurich).

As an initial step, Eviden will deploy the Eviden frontend for you. The first step for you is to declare your external key store for AWS KMS.


Figure 3 – Eviden XKS service overview.

To start using the service, you need to create keys in the external key store (2). The Eviden xKMgr component will request your dedicated Trustway Proteccio virtual HSM to generate a new key (2.1). An identifier for this key is returned and used to declare the key in AWS KMS.

Finally, you associate the AWS KMS key mapped to your external key with your AWS services. Whenever server-side encryption is required by your AWS service (3), AWS KMS will securely forward API calls to the HSM through the XKS proxy (3.1). The Data Encryption Key is decrypted and sent back to AWS KMS, while the Key Encryption Key material never leaves the HSM (3.2).

When the Data Encryption Key is retrieved, it’s protected by an internal AWS KMS key and transits through a secure link. The communication between AWS KMS and the external key store is managed by a dedicated XKS proxy.
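The key flow described above, as an added example that is not Eviden or AWS code: a small Python model in which the Key Encryption Key stays inside a simulated HSM and the Data Encryption Key is wrapped twice, first with KMS-side key material and then by the external key. The class names, the `demo-` key identifiers and the SHA-256/HMAC stand-in cipher are assumptions made for illustration; a real deployment uses the HSM's own cryptography.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # SHA-256 in counter mode as a keystream: a stand-in cipher for this demo only
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, data):
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

class ExternalHsm:
    """Hypothetical model of the vHSM: KEKs are created inside and never returned."""
    def __init__(self):
        self._keks, self.reachable = {}, True
    def generate_key(self):                      # step 2.1: only an identifier leaves
        key_id = "demo-" + secrets.token_hex(4)
        self._keks[key_id] = secrets.token_bytes(32)
        return key_id
    def _kek(self, key_id):
        if not self.reachable:
            raise ConnectionError("external key store unavailable")
        return self._keks[key_id]
    def encrypt(self, key_id, data):
        return seal(self._kek(key_id), data)
    def decrypt(self, key_id, blob):             # steps 3.1 and 3.2
        return unseal(self._kek(key_id), blob)

class Kms:
    """Hypothetical model of a KMS key mapped to an external key."""
    def __init__(self, hsm, xks_key_id):
        self._hsm, self._xks_key_id = hsm, xks_key_id
        self._internal = secrets.token_bytes(32)  # KMS-side key material
    def generate_data_key(self):
        dek = secrets.token_bytes(32)
        # Double wrap: KMS key material first, then the external KEK in the HSM
        return dek, self._hsm.encrypt(self._xks_key_id, seal(self._internal, dek))
    def decrypt(self, wrapped_dek):
        return unseal(self._internal, self._hsm.decrypt(self._xks_key_id, wrapped_dek))
```

Setting `reachable = False` on the simulated HSM makes every `Kms.decrypt` call fail, which is the control the external key gives its owner: without the HSM, stored wrapped keys cannot be opened.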

Your AWS environment communicates with XKS by Eviden frontend through AWS PrivateLink to ensure confidentiality. Eviden will authenticate the AWS KMS virtual private cloud (VPC) in your account to ensure only this VPC can access and use your own instance of the XKS proxy and vHSM external key store.

The communication between the XKS proxy and the vHSM is secured with a transport layer security (TLS) connection and provided over AWS Direct Connect to meet latency required by AWS KMS. This provides you with an easy and secure way to raise your level of control on sensitive data. Your external keys never leave your vHSMs, which are highly certified (CC EAL4+, ANSSI reinforced qualification, NATO Secret, EU Restricted).
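A compliance check for the setup described above, as an added example that is not part of the original post or of Eviden's tooling: it reads output shaped like the AWS KMS `DescribeCustomKeyStores` and `DescribeKey` responses and flags external key stores that are not connected through a VPC endpoint service, and customer managed keys not backed by a compliant store. The baseline (every customer managed key must be external) is an assumption about the sovereignty framework, and the sample records are constructed.

```python
# Constructed sample data shaped like kms:DescribeCustomKeyStores / kms:DescribeKey output
SAMPLE_STORES = [
    {"CustomKeyStoreId": "cks-example0001", "CustomKeyStoreType": "EXTERNAL_KEY_STORE",
     "ConnectionState": "CONNECTED",
     "XksProxyConfiguration": {"Connectivity": "VPC_ENDPOINT_SERVICE"}},
    {"CustomKeyStoreId": "cks-example0002", "CustomKeyStoreType": "EXTERNAL_KEY_STORE",
     "ConnectionState": "DISCONNECTED",
     "XksProxyConfiguration": {"Connectivity": "PUBLIC_ENDPOINT"}},
]
SAMPLE_KEYS = [
    {"KeyId": "key-a", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL_KEY_STORE",
     "CustomKeyStoreId": "cks-example0001", "XksKeyConfiguration": {"Id": "demo-xks-key"}},
    {"KeyId": "key-b", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS"},
    {"KeyId": "key-c", "KeyManager": "AWS", "Origin": "AWS_KMS"},
]

def audit_xks(key_stores, keys):
    """Return (resource id, finding) pairs for deviations from the assumed baseline."""
    findings = []
    healthy = set()
    for store in key_stores:
        sid = store["CustomKeyStoreId"]
        if store.get("CustomKeyStoreType") != "EXTERNAL_KEY_STORE":
            continue  # CloudHSM-backed stores are not external key stores
        problems = []
        if store.get("XksProxyConfiguration", {}).get("Connectivity") != "VPC_ENDPOINT_SERVICE":
            problems.append("XKS proxy is not reached through a VPC endpoint service")
        if store.get("ConnectionState") != "CONNECTED":
            problems.append("key store is " + store.get("ConnectionState", "UNKNOWN"))
        findings += [(sid, p) for p in problems]
        if not problems:
            healthy.add(sid)
    for key in keys:
        if key.get("KeyManager") != "CUSTOMER":
            continue  # AWS managed keys are out of scope for this check
        if key.get("Origin") != "EXTERNAL_KEY_STORE":
            findings.append((key["KeyId"], "key material origin is " + key.get("Origin", "UNKNOWN")))
        elif key.get("CustomKeyStoreId") not in healthy:
            findings.append((key["KeyId"], "backing key store is missing or non-compliant"))
    return findings
```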

In addition to data protection, monitoring threats is a security best practice that also applies for sovereignty risks. AIsaac Cyber Mesh is a next-generation managed detection and remediation (MDR) solution, reinforced by Amazon Security Lake and powered by generative AI. You can define which sovereignty issues to monitor, the detection rules, and the data/log collection policy in order to provide 24/7 detection and response capabilities for the scenarios identified by the Digital Sovereignty assessment.


In this post, we provided an overview of how AWS and Eviden help customers meet data sovereignty needs. We shared how Eviden risk-based assessment advisory services help define the right sovereignty framework based on customers’ unique requirements. Based on this assessment, Eviden data sovereignty services help customers implement and run their sovereignty framework.

To support this effort, Eviden provides controls to strengthen customers’ data sovereignty and privacy posture with Eviden’s Digital Cloud Services and External Key Storage offerings, both available on AWS Marketplace. To learn more, reach out to the team at Eviden.


Eviden – AWS Partner Spotlight

Eviden is an AWS Premier Tier Services Partner and MSP with many AWS Competencies including Security and Level 1 Managed Security Services Provider (MSSP) Consulting.
