EU-only alternatives to AWS.
Amazon Web Services is the original public cloud, and the original Schrems II problem. The same EU regions that make AWS technically usable for European workloads do not change the parent jurisdiction: Amazon Web Services, Inc. is a Delaware corporation, AWS EMEA SARL is a Luxembourg subsidiary fully controlled by it, and the CLOUD Act reaches both. For audited workloads, regulated industries and any business that has had a customer ask "is your provider US-subpoenable?", the honest answer on AWS is yes. Below is the engineering-grade map for getting off it.
An "EU region" is not sovereignty. Four questions decide everything.
Data residency tells you where the data is. Sovereignty tells you which legal system can compel access to it. All four answers must hold; otherwise the stack is not sovereign.
Where is the data physically stored?
Not "in the cloud": which data centre, in which country, under which jurisdiction.
Who else is in your data path?
Every vendor that touches the data: CDN, mail relay, error tracking, analytics pipeline.
Which laws can compel disclosure?
US-headquartered vendors are subject to FISA Section 702 and the CLOUD Act, even when the data sits in Frankfurt.
Who actually holds the encryption keys?
If the cloud provider holds both the data and the keys, it can read the data, whatever the DPA says.
AWS as typically deployed: fails on jurisdiction and key custody.
EU data, US parent, US sub-processors in the default path, provider-managed keys.
The target stack: passes all four.
Hosted in the EU, on infrastructure from EU-headquartered providers. Zero US sub-processors in the default path. Customer-held or EU-KMS keys. Every processor named in your Article 28 DPA.
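The four questions are a decision procedure, and the point the page keeps returning to is that question three turns on the ownership chain rather than the contracting entity. The following is an added example, not the consultancy's tooling: it walks the parent chain of every processor in a data path and applies the key-custody and hybrid carve-out rules. The AWS ownership chain is as the page describes it; the Hetzner entity, the inventory rows, the jurisdiction set and the custody labels are constructed assumptions to replace with your own sub-processor list.

```python
"""Four-question sovereignty check over a data-path inventory (added example)."""
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Jurisdictions whose law can compel a provider to hand over data held abroad.
# The page names the US (CLOUD Act, FISA 702); extend this set per your own analysis.
COMPELLING_JURISDICTIONS = {"US"}


@dataclass
class Entity:
    name: str
    jurisdiction: str                   # country of incorporation
    parent: Optional["Entity"] = None   # controlling owner, if any

    def ownership_chain(self) -> Iterator["Entity"]:
        """Yield this entity, then each controlling parent up to the top of the group."""
        node: Optional["Entity"] = self
        while node is not None:
            yield node
            node = node.parent


@dataclass
class Processor:
    role: str                           # what it does in the path: compute, cdn, mail ...
    entity: Entity                      # the contracting legal entity
    data_location: str                  # country where the data physically sits (Q1)
    key_custody: str                    # "customer", "eu_kms" or "provider" (Q4)
    handles_personal_data: bool = True  # False only for a documented hybrid carve-out


def check_processor(p: Processor) -> List[str]:
    """Questions 1, 3 and 4 for one vendor in the path."""
    findings = []
    if p.data_location in COMPELLING_JURISDICTIONS:
        findings.append(f"{p.role}: data physically stored in {p.data_location}")
    # Q3 turns on the ownership chain, not the local contracting entity:
    # an EU subsidiary fully controlled by a US parent still fails.
    for owner in p.entity.ownership_chain():
        if owner.jurisdiction in COMPELLING_JURISDICTIONS:
            findings.append(f"{p.role}: {p.entity.name} is controlled by "
                            f"{owner.name} ({owner.jurisdiction})")
            break
    if p.key_custody == "provider":
        findings.append(f"{p.role}: provider holds both the data and the keys")
    return findings


def audit(data_path: List[Processor]) -> dict:
    """Question 2: every vendor in the path is checked, not just the primary cloud."""
    findings, exemptions = [], []
    for p in data_path:
        if not p.handles_personal_data:
            exemptions.append(f"{p.role}: {p.entity.name} kept for non-personal data; "
                              "document this boundary in the DPA")
            continue
        findings.extend(check_processor(p))
    return {"sovereign": not findings, "findings": findings, "exemptions": exemptions}


# Constructed sample inventory: AWS chain as the page describes it, the rest illustrative.
AWS_INC = Entity("Amazon Web Services, Inc.", "US")
AWS_EMEA = Entity("AWS EMEA SARL", "LU", parent=AWS_INC)
HETZNER = Entity("Hetzner Online GmbH", "DE")

BEFORE = [
    Processor("compute", AWS_EMEA, "DE", "provider"),
    Processor("object-storage", AWS_EMEA, "DE", "provider"),
]
AFTER = [
    Processor("compute", HETZNER, "DE", "customer"),
    Processor("ml-training", AWS_EMEA, "IE", "provider", handles_personal_data=False),
]

if __name__ == "__main__":
    for label, path in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(path))
```

The `BEFORE` path fails twice per processor (US parent in the chain, provider-held keys) even though every byte sits in Germany; the `AFTER` path passes, with the non-personal ML workload recorded as an exemption to be written into the DPA rather than silently ignored.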
Why teams are leaving AWS
The drivers we hear in scoping calls are consistent: a procurement gate that now demands "no third-country data processor" (NIS2, DORA, public sector), a customer audit (typically B2B enterprise or healthcare) that flagged the AWS relationship, escalating egress and bandwidth costs that look worse every quarter, or a leadership-level concern after the 2024–2025 round of EU-US transfer mechanism uncertainty. The technical lift to leave AWS is rarely the blocker it appears to be. The real friction is choreography: zero-downtime database migrations, DNS cutover, observability continuity. That is where a managed-infrastructure partner saves months.
AWS services and their EU-only equivalents
A migration is not "swap one box for another". The mapping below is the one we run for clients leaving AWS on Schrems II grounds: full EU jurisdiction, no US parent company in the data path.
| AWS 服务 | 仅欧盟替代方案 | 工程说明 |
|---|---|---|
| EC2 (compute) | Hetzner Cloud, OVH Public Cloud, IONOS Compute, Scaleway Instances, Leaseweb VMs | Per-vCPU and per-GB pricing on EU providers is dramatically lower; bare-metal options exist on Hetzner and OVH for reserved workloads. |
| S3 (object storage) | OVH Object Storage, Wasabi EU regions (note: US parent), Bunny Storage, self-hosted Ceph or MinIO on EU compute | S3-compatible APIs are near-universal; most application code needs only a new endpoint, region and (often) path-style addressing. Egress is free or far cheaper on most EU providers. |
| RDS / Aurora (managed DB) | OVH Managed Databases, Scaleway Managed PostgreSQL, Aiven (FI), or self-managed PostgreSQL/MySQL with replication on EU compute | Logical replication (native publication/subscription) enables a near-zero-downtime cutover; RDS does not expose physical streaming replication to external replicas, so the EU target is seeded from a dump and then kept current as a subscriber. Managed EU PostgreSQL pricing is typically 30–50% lower than equivalent RDS. |
| CloudFront (CDN) | Bunny.net, KeyCDN | Bunny.net offers comparable POP density in EU and Middle East; cheaper per-GB; no US-default edge. |
| Route 53 (DNS) | Hetzner DNS, Bunny DNS, deSEC (DE non-profit) | For zone-only management, Hetzner DNS is free with hosting; deSEC is privacy-first and DNSSEC-by-default. |
| Lambda (serverless) | Scaleway Serverless Functions, Cloudflare Workers (note: US parent), or self-hosted OpenFaaS / Knative on EU Kubernetes | For sovereign deployments, self-hosted Knative on EU compute is the cleanest. Most Lambda workloads fit a small Kubernetes cluster. |
| SES (email) | Self-hosted Postfix on EU infra, MailPace (UK; adequacy decision, not EU), Tuta business (DE), Brevo (FR) | For transactional volume under 1M/month, a properly-configured Postfix relay is operationally simpler and cheaper than SES, provided you own SPF, DKIM, DMARC and the sending IPs' reputation. |
| SQS / SNS | Self-hosted RabbitMQ, NATS, or Redis Streams on EU compute | Managed message brokers are rare in the EU sovereign space. Self-managed is the standard pattern; we operate it for clients. |
| EKS (managed Kubernetes) | Scaleway Kapsule, OVH Managed Kubernetes, IONOS Managed K8s, or self-managed K3s/Talos on Hetzner | Managed K8s on EU providers has feature parity for 95% of workloads. We typically run Talos Linux on Hetzner bare metal for high-trust workloads. |
| CloudWatch / X-Ray | Self-hosted Prometheus + Grafana + Loki + Tempo on EU compute, or Grafana Cloud EU region (note: US parent) | The OpenTelemetry standard makes the migration trivial; the operational gain is consolidated dashboards and zero per-metric pricing. |
| IAM | HashiCorp Vault on EU infra, plus per-platform IAM equivalents | No 1:1 replacement; cross-platform identity is rebuilt with Vault, an OIDC provider (Keycloak), and per-tool roles. |
| WAF / Shield | Bunny.net WAF, ModSecurity / Coraza on EU edge, OVH Anti-DDoS | OVH includes large-scale anti-DDoS at no extra cost on most plans; Bunny WAF is rule-based and competitive. |
| KMS | HashiCorp Vault Transit on EU infra, an EU provider's managed KMS, or HSM-backed keys | For HYOK the key stays in a customer-controlled HSM and services call out to it; BYOK (importing your key into the provider's KMS) still leaves the provider able to use the key, so it does not pass question four on its own. |
| Secrets Manager / SSM Parameter Store | HashiCorp Vault, Bitwarden Secrets Manager (note: US parent), Infisical (self-hosted) | Vault on EU infra is the production-grade answer. We deploy and operate it. |
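The S3 row above calls the move "a single endpoint change", and the phase-2 step later on the page relies on dual-writing during the cutover. The block below is an added example, not the consultancy's tooling, that shows both: the boto3 client configuration for an S3-compatible EU endpoint (endpoint and region values are placeholders for your provider's), and a dual-write wrapper with a content-hash verification gate. `MemoryStore` is a constructed in-memory stand-in for a bucket so the example runs offline.

```python
"""S3 endpoint swap plus dual-write during cutover (added example)."""
import hashlib
from typing import Dict, List, Protocol


class ObjectStore(Protocol):
    def put(self, key: str, body: bytes) -> str: ...   # returns the ETag
    def get(self, key: str) -> bytes: ...
    def exists(self, key: str) -> bool: ...


class MemoryStore:
    """Stand-in for one S3-compatible bucket (constructed for the offline demo)."""
    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}

    def put(self, key: str, body: bytes) -> str:
        self.objects[key] = body
        # Single-part uploads get the MD5 of the body as ETag on S3 and most compatibles;
        # multipart uploads do not, so verify_backfill hashes content instead of trusting ETags.
        return hashlib.md5(body, usedforsecurity=False).hexdigest()

    def get(self, key: str) -> bytes:
        return self.objects[key]

    def exists(self, key: str) -> bool:
        return key in self.objects


def make_eu_s3_client(endpoint_url: str, region: str):
    """The 'single endpoint change': point boto3 at an S3-compatible EU provider.
    boto3 is imported lazily so the offline demo does not need it installed."""
    import boto3
    from botocore.config import Config
    return boto3.client(
        "s3",
        endpoint_url=endpoint_url,                    # placeholder: your provider's endpoint
        region_name=region,                           # placeholder: your provider's region
        config=Config(signature_version="s3v4",
                      s3={"addressing_style": "path"}),  # many compatibles want path-style
    )


class DualWriter:
    """Phase-2 pattern: AWS stays the source of truth, every write also lands in the EU
    bucket, reads prefer the EU copy and lazily backfill anything not yet copied."""
    def __init__(self, old: ObjectStore, new: ObjectStore) -> None:
        self.old, self.new = old, new
        self.mismatches: List[str] = []

    def put(self, key: str, body: bytes) -> str:
        old_tag = self.old.put(key, body)
        new_tag = self.new.put(key, body)
        if new_tag != old_tag:               # record for the verification pass; do not fail the write
            self.mismatches.append(key)
        return old_tag

    def get(self, key: str) -> bytes:
        if self.new.exists(key):
            return self.new.get(key)
        body = self.old.get(key)
        self.new.put(key, body)              # lazy backfill on read
        return body


def verify_backfill(old: ObjectStore, new: ObjectStore, keys: List[str]) -> List[str]:
    """Cutover gate: keys still missing from, or differing in, the EU bucket."""
    def digest(store: ObjectStore, key: str) -> bytes:
        return hashlib.sha256(store.get(key)).digest()
    return [k for k in keys if not new.exists(k) or digest(new, k) != digest(old, k)]


if __name__ == "__main__":
    aws, eu = MemoryStore(), MemoryStore()
    aws.put("legacy/report.pdf", b"written before the migration started")  # constructed
    writer = DualWriter(aws, eu)
    writer.put("uploads/new.txt", b"hello")
    print("pending:", verify_backfill(aws, eu, list(aws.objects)))   # legacy key still pending
    writer.get("legacy/report.pdf")                                   # read triggers backfill
    print("pending:", verify_backfill(aws, eu, list(aws.objects)))   # now empty
```

Run the bulk copy of cold objects in the background, keep the dual-writer in front of the application for the whole window, and only flip the read path to EU-only when `verify_backfill` over the full AWS key listing returns an empty list and `mismatches` is empty.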
How we migrate off AWS
A typical mid-market migration runs in three phases. The figures below assume a 6–10 person engineering team and a moderately complex application stack.
Audit & dependency map
Inventory every AWS service in use, every IAM role, every Lambda, every cross-service call. Tag personal data flows. Output: a remediation plan with risk-ranked findings and an effort estimate per service.
Soft dependencies & egress prep
Replace CloudFront, Route 53, SES and CloudWatch first; for most stacks this needs no application code changes. Put S3 buckets behind S3-compatible EU storage with dual-write for the whole cutover window. Pre-stage the EU database as a logical-replication subscriber of RDS.
Core compute & DB cutover
Blue-green compute migration with a DNS-level traffic shift (TTLs lowered in advance). Database cutover over logical replication during a low-traffic window: stop writes, confirm the subscriber has acknowledged the final WAL position, resync sequences (logical replication does not carry them), disable the subscription and repoint the application. EKS workloads move to managed EU Kubernetes or self-managed Talos. Decommission the AWS account once the new stack is verified.
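The database step of phase 3 comes down to one go/no-go decision after writes are stopped. The block below is an added example, not the consultancy's runbook: it parses PostgreSQL LSNs and gates the cutover on the publisher's `pg_replication_slots.confirmed_flush_lsn` catching up to `pg_current_wal_lsn()`, plus the DNS-TTL and sequence-resync preconditions from the phase description. It assumes native logical replication from RDS (the publisher) to the EU host (the subscriber); the slot name, LSN readings and thresholds are constructed.

```python
"""Cutover gate for the phase-3 database switch (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

LSN_RE = re.compile(r"^([0-9A-Fa-f]{1,8})/([0-9A-Fa-f]{1,8})$")


def lsn_to_bytes(lsn: str) -> int:
    """PostgreSQL prints WAL positions as 'hi/lo': two hex halves of a 64-bit byte offset."""
    m = LSN_RE.match(lsn)
    if not m:
        raise ValueError(f"not an LSN: {lsn!r}")
    return (int(m.group(1), 16) << 32) | int(m.group(2), 16)


@dataclass
class SlotStatus:
    """One row of pg_replication_slots on the publisher (real columns, constructed values)."""
    slot_name: str
    active: bool                 # a subscriber is currently connected
    confirmed_flush_lsn: str     # last position the subscriber acknowledged


def lag_bytes(publisher_lsn: str, slot: SlotStatus) -> int:
    return lsn_to_bytes(publisher_lsn) - lsn_to_bytes(slot.confirmed_flush_lsn)


def cutover_ready(publisher_lsn: str, slot: SlotStatus, dns_ttl_seconds: int,
                  sequences_synced: bool, max_lag_bytes: int = 0,
                  max_ttl: int = 60) -> Tuple[bool, List[str]]:
    """Go/no-go, evaluated only after application writes are stopped on the publisher."""
    reasons = []
    if not slot.active:
        reasons.append(f"slot {slot.slot_name} has no connected subscriber")
    lag = lag_bytes(publisher_lsn, slot)
    if lag < 0:
        reasons.append("subscriber ahead of publisher: wrong host or stale reading")
    elif lag > max_lag_bytes:
        reasons.append(f"{lag} bytes of WAL not yet acknowledged by subscriber")
    if dns_ttl_seconds > max_ttl:
        reasons.append(f"DNS TTL {dns_ttl_seconds}s not yet lowered for the traffic shift")
    if not sequences_synced:
        reasons.append("sequences not resynced: logical replication does not carry them")
    return not reasons, reasons


# The operator steps this gate sits between (queries are real; run them by hand or in your tooling).
RUNBOOK = [
    "-- 1. application: stop writes (maintenance mode or a read-only role)",
    "-- 2. publisher:   SELECT pg_current_wal_lsn();",
    "-- 3. publisher:   SELECT slot_name, active, confirmed_flush_lsn FROM pg_replication_slots;",
    "-- 4. subscriber:  SELECT setval(...) per sequence from the publisher's last values",
    "-- 5. gate:        cutover_ready(...) must return (True, [])",
    "-- 6. subscriber:  ALTER SUBSCRIPTION <name> DISABLE; then repoint the app and DNS",
]

if __name__ == "__main__":
    slot = SlotStatus("eu_sub", True, "1A/3F000000")          # constructed reading
    print(cutover_ready("1A/3F000000", slot, 60, True))
    print(cutover_ready("1A/3F000000", SlotStatus("eu_sub", True, "1A/3EFFFF00"), 300, False))
```

Poll steps 2 and 3 until the gate returns `(True, [])`; a negative lag means you are comparing the wrong hosts and should stop rather than proceed.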
5-year TCO modelling on workloads we have actually migrated: typically 30–55% cheaper on EU sovereign infrastructure for predictable workloads, neutral to slightly higher for highly bursty workloads that benefit from sub-second autoscaling. Egress savings alone are often the difference between a positive and negative ROI.
FAQ
Does using an AWS EU region (Frankfurt, Ireland, Stockholm) solve the Schrems II problem?
No. The data is resident in the EU, but the infrastructure is operated by entities controlled by Amazon Web Services, Inc., a US company subject to US law. The CLOUD Act lets US authorities compel a provider under US jurisdiction to disclose data in its possession, custody or control regardless of where that data is stored. The EDPB's post-Schrems II guidance on supplementary measures treats this kind of third-country access as the problem, independent of server location. AWS EMEA SARL is a Luxembourg subsidiary fully owned by AWS Inc.; that ownership chain is what the analysis turns on.
How long does an AWS exit take in practice?
For a mid-market application (10–50 EC2 instances, a couple of RDS databases, S3, CloudFront, SES) with a 6–10 person engineering team and competent operational support: 10–16 weeks elapsed time. With a managed-infrastructure partner driving the choreography (which is most of the actual work), 6–10 weeks.
What about AWS GovCloud or AWS Sovereign Cloud Europe?
AWS GovCloud is for US federal workloads and is not relevant to EU buyers. The AWS European Sovereign Cloud (announced in 2023, with its first region in Brandenburg, Germany) is run through EU-incorporated entities with EU-resident staff, but the ultimate parent remains Amazon Web Services Inc. Whether it is "sovereign enough" depends on your specific compliance regime; for many Schrems II analyses it is not sufficient because the parent jurisdiction is unchanged.
Will we lose features by leaving AWS?
Specific managed services (DynamoDB single-digit-ms, Aurora Serverless v2, Bedrock model access, SageMaker training on H100s) have no clean EU sovereign equivalents. For 90% of mid-market workloads — web applications, APIs, e-commerce, B2B SaaS, analytics on warehouses — the EU sovereign stack covers it. We tell you upfront if your workload sits in the 10% category.
Can we keep some AWS services and migrate the rest?
Yes — a hybrid is sometimes the right answer. The discipline is to keep AWS only for clearly non-personal workloads, and document the boundary in your DPA. We have run hybrids where AWS handles ML training (no personal data, batch-only) and the EU sovereign stack handles all customer-facing infrastructure.
What does a managed exit cost?
Project-based pricing, scoped after the audit. Typical mid-market AWS exit: €25–80k for the project, plus the ongoing managed-infrastructure retainer for the new EU stack. The first-year savings on AWS spend usually exceed the project cost.