AWS outage highlights risks from overreliance on cloud giants

A major outage at Amazon Web Services has caused widespread disruption to hundreds of websites, applications and digital platforms in the UK and globally, with users experiencing difficulties accessing services such as Amazon, Snapchat, Fortnite, and several banking and government platforms.

Amazon has stated it has located and fixed the underlying issue, but noted that full recovery across all impacted systems would require additional time. The outage has highlighted the increasing dependency of modern life and critical infrastructure on large cloud service providers.

Impact spreads

HMRC, multiple national banks, and various public services in the UK were among those affected, leaving both private individuals and business users unable to access vital online tools and transactions. The interruptions also reached gov.uk digital services and gaming platforms, underlining how a fault in a single data centre could have far-reaching consequences.

Service monitoring indicated the root of the problem lay in the AWS US-East region, which is widely used as a central hub for several global platforms. The incident's effects radiated well beyond its primary location because some core functions, such as authentication, are centralised in this region.

Dependency on a few providers

Mona Schroedel, Specialist Data Protection Lawyer at Freeths, drew attention to a growing issue: rapid digital adoption has increased exposure to risks associated with technical failures. She outlined a shifting landscape where, unlike in the past, modern cashless and connected lifestyles leave individuals more vulnerable to outages.

"This is of course not the first major outage we have experienced in recent memory. Only a little over a year ago a Microsoft outage caused airports and banks to grind to a halt. Modern life especially after the pandemic has become dependent on virtual connectivity and systems. It isn't that long ago that most people carried cash and would have been perfectly able to bridge a banking issue without complications. However, nowadays cashless payments are the norm and most of us don't habitually carry cash anymore."

Schroedel added that legal frameworks and practical reviews have struggled to keep pace with technological advances, stating that backup systems and better regulation for essential services are necessary to protect end users.

Vulnerabilities and resilience

Rob Demain, Chief Executive of e2e-assure, noted that relying on a small number of cloud providers makes global infrastructure vulnerable to single points of failure, presenting persistent risks for organisations and public bodies.

"Today's widespread internet disruption appears to be linked to an error in the US-East AWS region, which is impacting not only services hosted there, but also other services that depend on that region. Key AWS functions such as authentication are centralised in this region, meaning outages can have a global ripple effect. This incident underlines our growing dependency on a small number of global cloud providers and how cloud is not always as resilient as we expect it to be. When key services rely on the availability of individual regions, any single-point failure can have far-reaching consequences."

Demain said that while the incident appeared to stem from a technical issue, potentially a configuration error, routing fault, or DNS problem, the investigation was ongoing. He advised that there was no current Evidence of a cyberattack, but did not entirely rule out the possibility. Demain highlighted the necessity for organisations to develop resilience strategies to maintain operations during outages, drawing attention to recent guidance from the National Cyber Security Centre that equates cyber resilience with business resilience. He referenced a 50% rise in significant cyberattacks reported by the NCSC over the past year, reinforcing the importance of preparation for both technical faults and malicious activity.

Calls for sovereign options

The incident has reignited debate about digital sovereignty and the concentration of control over critical infrastructure. Mark Boost, Chief Executive of UK cloud provider Civo, criticised the extent to which UK institutions depend on infrastructure controlled by overseas companies. He noted that outsourcing so many key services to data centres outside national borders increased fragility and reduced the UK's ability to respond independently to outages.

"We should be asking the obvious question: why are so many critical UK institutions, from HMRC to major banks, dependent on a data centre on the east coast of the US? Sovereignty means having control when incidents like this happen - but too much of ours is currently outsourced to foreign cloud providers. The AWS outage is yet another reminder that when you put all your eggs in one basket, you're gambling with critical infrastructure. When a single point of failure can take down HMRC, it becomes clear that our reliance on a handful of US tech giants has left core public services dangerously exposed."

Boost called for governments and regulators to promote greater competition, fund sovereign alternatives, and establish resilience as a basic procurement criterion for public services. He pointed to current discussions in Brussels as an opportunity to push for change and reduce Europe's reliance on a concentrated pool of technology suppliers.

As service restoration continues, attention has focused on how both public and private sectors will address these issues of resilience, sovereignty, and contingency planning in the longer term.