AWS and the Myth of Regional Independence

For years, AWS has marketed its cloud as a model of resilience, a world of independent regions where no single failure can bring the system down. But history tells a different story.
Every few years, when us-east-1 (Northern Virginia) sneezes, the rest of AWS catches a cold.

From the outages of 2011, 2015, 2017, 2020, 2021, 2023, and now again in 2025, one pattern repeats: AWS’s global control plane still lives in us-east-1, and the ripple effects reach everywhere.


The Problem: Centralized Control Planes

Most engineers assume “multi-region” means “independent.” For AWS, that’s not entirely true.
AWS marketing often implies strong fault isolation between regions, which many interpret as full independence.
Services like IAM, STS, Route 53, CloudFormation, CloudFront, and Organizations all have their control planes rooted in us-east-1.

AWS documentation even admits it:

“In the aws partition, the IAM service’s control plane is in the us-east-1 Region, with isolated data planes in each Region of the partition.” (AWS Fault Isolation Boundaries Whitepaper)

That means while your data plane (EC2, S3, DNS resolution) might keep running, the control plane (creating roles, updating DNS records, refreshing credentials, etc.) can still choke if us-east-1 is degraded.

If IAM or STS becomes unavailable, no new credentials or role assumptions can occur, though existing sessions usually continue until expiration. That’s not “fault isolation.” That’s a global single point of failure.
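As an added example (not code from this post or from AWS), here is a client-side session cache built around the behaviour just described: it renews early, keeps serving the existing session while the issuer is unreachable, and fails only once that session has really expired. `SessionCache`, `IssuerUnavailable`, the `fetch` callable and the simulated outage are hypothetical names and constructed inputs; in practice `fetch` would wrap the real credential call.

```python
import time


class IssuerUnavailable(Exception):
    """Raised when the credential issuer (e.g. STS) cannot be reached."""


class SessionCache:
    """Renew early; on failure keep the current session until its real expiry."""

    def __init__(self, fetch, refresh_margin=900, retry_interval=30, clock=time.time):
        self._fetch = fetch            # hypothetical callable -> (credentials, expiry_epoch)
        self._margin = refresh_margin  # start renewing this many seconds before expiry
        self._retry = retry_interval   # minimum gap between failed renewal attempts
        self._clock = clock
        self._creds, self._expiry, self._next_try = None, 0.0, 0.0
        self.degraded = False          # True while serving a session we could not renew

    def get(self):
        now = self._clock()
        due = self._creds is None or now >= self._expiry - self._margin
        if due and now >= self._next_try:
            try:
                self._creds, self._expiry = self._fetch()
                self.degraded = False
            except IssuerUnavailable:
                self.degraded = True   # export this flag to monitoring and alert on it
                self._next_try = now + self._retry
        if self._creds is None or now >= self._expiry:
            raise IssuerUnavailable("no unexpired session and issuer unreachable")
        return self._creds


def simulate(outage_start, outage_end, ttl=3600, step=300, until=7200):
    """Constructed scenario: the issuer is down during [outage_start, outage_end)."""
    t = [0]

    def fetch():
        if outage_start <= t[0] < outage_end:
            raise IssuerUnavailable("simulated control-plane outage")
        return {"token": f"issued@{t[0]}"}, t[0] + ttl

    cache, timeline = SessionCache(fetch, clock=lambda: t[0]), {}
    for now in range(0, until + 1, step):
        t[0] = now
        try:
            cache.get()
            timeline[now] = "degraded" if cache.degraded else "ok"
        except IssuerUnavailable:
            timeline[now] = "FAILED"
    return timeline
```

The refresh margin is the outage budget: an issuer outage shorter than the margin never reaches callers, while a longer one turns into hard failures at the moment the last session expires.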


The Root Cause: Self-Imposed Consistency

AWS’s architecture choices are not accidental. They’ve chosen strong global consistency for key services like IAM and billing. Their control systems must always “know the truth” about your account, globally.

That’s a perfectly reasonable trade-off for billing accuracy and security, but it comes with a price: global coupling.

To truly decentralize IAM or STS, they’d need to run multiple independent control planes or adopt complex distributed consensus models such as Raft or CRDT-style replication. Both are expensive and complex.

So instead, AWS accepts a global dependency and calls it “regional independence.” The result is a platform that scales beautifully but at the cost of true autonomy between regions.


The Consequence: Shifting the Complexity to You

When AWS tells you to “architect for regional resilience,” what they really mean is:

“Assume our control plane might go down, so make your system survive that.”

They’ve offloaded the problem to customers. You can design so your data plane survives, but not your management plane. You can’t create new IAM roles, update Route 53, or modify ECS services during an outage, but you’re expected to handle that gracefully anyway.

That’s clever business design, but not honest marketing.


The Defense: “Not All Outages Are Equal”

AWS defenders will say:

“The data plane still works, it’s only the control plane that breaks.”

That’s true, and it’s exactly the problem. The control plane is where orchestration lives, where automation, scaling, and recovery are coordinated. When it’s fragile, the illusion of independence collapses.

It’s like saying, “your engine still runs, you just can’t shift gears.”


The Reality: It Works, Until It Doesn’t

AWS’s model works at global scale precisely because it centralizes. It hides distributed complexity behind APIs that feel local and independent.

But that same simplicity prevents true decentralization. They’ve optimized for control and cost, not autonomy.

And that’s fine as long as people understand it. But most don’t.
Most engineers think “multi-region” means “immune to us-east-1.”


The Takeaway

AWS is still the most advanced public cloud, but its architecture is not 100% what it claims.
Until the control planes of IAM, STS, Route 53, and other global services are truly region-agnostic, us-east-1 remains a single point of failure for the world’s largest cloud.

It’s not doomsaying, it’s just systems reality.

You can’t call something decentralized if every decision still goes through Northern Virginia.


Why It Still Matters

I don’t hate AWS. I just think it’s time to stop pretending this design is perfect.
Real decentralization means regional autonomy, the ability for a region to live, breathe, and recover without waiting on a control plane 1,000 miles away.

Until then, us-east-1 will keep being the heart that everything quietly depends on, and every few years, we’ll be reminded what happens when that heart skips a beat.
