Remember the dream of the cloud? Infinite scale, instant agility, unparalleled innovation. It’s a dream that has revolutionized businesses globally. But in the relentless race for digital supremacy, a new, critical question has emerged from the shadows: who truly controls your data?

In an era of shifting global alliances, escalating cyber threats, and a tidal wave of new data regulations sweeping across nations – like India’s pivotal Digital Personal Data Protection (DPDP) Act of 2023 – true cloud freedom isn't about limitless access; it’s about unwavering control. This isn't just a technical upgrade; it's a strategic awakening, and its name is Sovereign Cloud.

At Ankercloud, we’re witnessing this paradigm shift firsthand. Businesses are no longer just asking "Where is my data stored?" They're demanding, "Who can touch my data? What laws govern it? And how can I be absolutely sure of my digital autonomy?" As your trusted partner in cloud solutions and services, we're here to tell you: Sovereign Cloud is the definitive answer, and it’s fast becoming the bedrock of future-proof enterprises.

Digital Borders: Unpacking Sovereign Cloud, Data Residency, and Digital Autonomy

To truly grasp this new frontier, let’s demystify the terms that define it:

• Data Residency: This is the foundational layer. It's the absolute guarantee that your data physically resides and is processed within the geographical boundaries of a specific country. For Indian enterprises, this means your sensitive customer records, intellectual property, and financial data stay firmly on Indian soil.
• Data Sovereignty: This concept elevates residency into the legal realm. It means your data is not only physically located in a specific country but is also exclusively subject to the laws and governance structures of that nation. No backdoor access, no extraterritorial legal claims from foreign powers. Your data dances to your nation’s tune.
• Digital Autonomy: This is the ultimate aspiration. It’s the profound ability for an organization – and by extension, a nation – to chart its own digital course, free from undue external influence. It’s about owning your technology stack, controlling operational workflows, safeguarding critical intellectual property, and ensuring that no foreign entity, however powerful, can dictate the terms of your digital existence.
• Sovereign Cloud: This isn’t just a server in a specific country. It’s a meticulously engineered cloud ecosystem where every layer – infrastructure, operations, administrative access, and legal frameworks – is purpose-built to ensure your data, applications, and operations are unconditionally subject to the laws and jurisdiction of a specific nation. It's your fortress in the cloud.

The Unstoppable Momentum: Why Sovereign Cloud is a 2025 Imperative

The drive towards Sovereign Cloud isn't a fleeting trend; it's an economic and geopolitical force reshaping the global digital landscape.

1. The Regulatory Hammer Falls: From Europe’s GDPR and upcoming AI Act to India’s landmark DPDP Act (2023), governments worldwide are legislating stringent data protection, cross-border transfer rules, and even data localization. The penalties for non-compliance are no longer just abstract; they're substantial and real.
2. Geopolitical Chessboard: In an increasingly complex global arena, the specter of foreign government data access requests (like those under the US CLOUD Act) looms large. Businesses cannot afford to have their critical data exposed to such vulnerabilities, risking competitive advantage or even national security.
3. Fortifying Critical Infrastructure: For vital sectors like energy, finance, defense, and healthcare, compromising data integrity or availability isn't an option. Sovereign Cloud offers the ironclad assurance needed to protect national assets.
4. Supply Chain Due Diligence: Who builds your cloud? Who manages it? The origin and operational control of cloud infrastructure and personnel are under unprecedented scrutiny. Sovereign Cloud provides transparency and control over your digital supply chain.
5. Earning and Keeping Trust: For many sectors, or those handling vast amounts of personal data, visibly committing to data sovereignty is a powerful statement of integrity. It builds and maintains invaluable public trust, a currency more precious than ever.

Where Trust Meets Technology: Top Sovereign Cloud Use Cases

Sovereign Cloud is becoming indispensable across a variety of sectors that simply cannot compromise on control:

• Government & Public Sector: Mandated by law in many countries for highly sensitive citizen data, national security information, and critical government applications.
• Financial Services: Banks, insurance companies, and fintech firms handling vast amounts of sensitive customer financial data and adhering to strict industry-specific regulations (e.g., RBI guidelines in India).
• Healthcare: Protecting patient health records (PHR/EHR) and complying with stringent privacy regulations (e.g., HIPAA in the US, similar acts globally).
• Defense & Aerospace: Critical for classified information, R&D, and operational data where national security is paramount.
• Telecommunications: Managing subscriber data and critical network infrastructure, often subject to national communication laws.
• Manufacturing & Industrial IoT: Protecting intellectual property, operational technology (OT) data, and ensuring supply chain resilience, especially for data generated at the edge.
• Research & Development: Safeguarding proprietary algorithms, research data, and intellectual property.

The Anatomy of Control: What Defines a True Sovereign Cloud

A truly sovereign cloud environment isn't just about putting a server in a specific country. It's a holistic commitment to control:

1. Unbreakable Jurisdictional Control: Every byte, every process, every application lives and breathes under the legal authority of the designated nation.
2. Operational Independence, Local Hands: The people managing, maintaining, and supporting your cloud environment must reside in the local jurisdiction, subjected to its laws. No "follow-the-sun" support models that cross sensitive borders.
3. Glass Box Transparency & Compliance: Clear, auditable proof of adherence to local laws and regulations. Robust processes for rejecting, challenging, or disclosing any external data access requests.
4. Fort Knox Data Segregation & Encryption: Your data is not just stored; it’s encrypted with state-of-the-art methods, and critically, the cryptographic keys are managed exclusively under local control.
5. Scrutinized Supply Chain: Full visibility and control over the origin of hardware, software, and services. Knowing the nationality of every vendor and sub-processor.
6. Resilience Within Borders: Disaster recovery and business continuity plans are designed to ensure data resilience and availability without compromising residency or sovereignty requirements.

Navigating the Sovereignty Labyrinth: Challenges We Help You Conquer

Embracing digital sovereignty is a powerful move, but it's not without its complexities. Ankercloud helps you navigate:

• Cost vs. Control: While dedicated sovereign environments can seem pricier than global hyperscalers, we help you optimize costs by right-sizing solutions and focusing on critical workloads that genuinely require sovereignty.
• Integration Puzzles: Seamlessly integrating a sovereign cloud with your existing hybrid or multi-cloud landscape demands expert architectural design to prevent data silos or operational friction.
• Avoiding Vendor Lock-in: We prioritize solutions with open standards and strong data portability, ensuring you maintain flexibility even within a dedicated sovereign environment.
• The Regulatory Tightrope: Data sovereignty laws are dynamic. Our compliance experts provide continuous monitoring and strategic guidance to ensure you always stay ahead of evolving regulations.
• Talent Scarcity: Building and managing truly sovereign clouds requires niche expertise. Ankercloud brings that specialized talent to your doorstep, filling skill gaps and accelerating your journey.

Ankercloud: Your Architects of Digital Sovereignty

At Ankercloud, we don't just provide cloud services; we architect your digital future with an unwavering commitment to your control and compliance. For businesses across India and around the world seeking to fortify their data defenses and secure their digital autonomy, we are your trusted partner.

Here’s how Ankercloud empowers your journey to true digital sovereignty:

• Strategic Blueprinting: We begin with a deep dive into your unique data landscape, regulatory obligations, and risk appetite. Our experts then craft a bespoke cloud strategy that perfectly balances sovereignty needs with your performance and budget goals.
• Precision Data Localization: Leveraging our deep understanding of regulatory landscapes and partnerships with cloud providers offering local regions (like AWS regions in India), we engineer solutions that guarantee your data’s absolute residency, strictly compliant with local acts like the DPDP Act.
• Ironclad Compliance & Security: We don't just promise compliance; we embed it.
  
  • Rigorous Security Assessments: Proactive evaluations covering everything from physical security to advanced threat modeling, penetration testing, and continuous vulnerability management.
  • Regulatory Acceleration: We simplify the daunting task of achieving certifications like ISO 27001, SOC 2, HIPAA, GDPR, and custom regional frameworks, providing a clear roadmap to auditable compliance.
  • Uncompromised Encryption: Implementing cutting-edge encryption for data at rest and in transit, with advanced key management solutions that keep the keys to your kingdom firmly in your hands.
• Operational Autonomy & Transparency: We help you implement granular access controls, robust Identity and Access Management (IAM), and transparent operational procedures, ensuring your cloud environment is managed by authorized personnel within the required jurisdiction.
• Seamless Hybrid & Multi-Cloud Harmony: For enterprises navigating complex IT landscapes, we design and implement integrated solutions that extend data sovereignty and compliance seamlessly across your hybrid and multi-cloud environments.
• Resilience Engineered for Sovereignty: Our disaster recovery and business continuity plans are meticulously designed to ensure your data is always available and protected, without ever compromising its residency or sovereignty requirements.
• Continuous Governance & Advisory: The digital landscape is always moving. Ankercloud offers ongoing monitoring, auditing, and expert advisory to ensure your sovereign cloud strategy remains robust, compliant, and ahead of the curve.

The cloud promised freedom, and with the Sovereign Cloud, you can finally have it – true freedom that comes from absolute control. It's time to stop worrying about who might access your data and start focusing on what your data can do for you.

Don't just migrate to the cloud. Modernize with sovereignty. Partner with Ankercloud to build your secure, compliant, and truly autonomous digital future.

Contact us today to begin your journey to digital sovereignty.

Problem

DDoS attackers use the same IPs to send many HTTP requests once the AWS WAF rate limit rule removes the block. The default block lasts only for a definite time, so attacks repeat again. We need a solution that makes the block time for harmful IPs last indefinitely, keeping them blocked until the attack persists. 

Solution Workflow

1. CloudFormation: Use the predefined CFT template to set custom block time for harmful IPs. Adjust by how severe the attack is.
2. EventBridge & Lambda: Let EventBridge call a Lambda function every minute. The function checks AWS WAF’s rate rule for blocked IPs.
3. Store in S3: Save blocked IPs in an S3 bucket with timestamps for records.
4. Update WAF Custom IP Sets: Lambda revises WAF custom IP sets by keeping IPs within block time. It also drops IPs that passed the block period.
5. Regular Updates: Run the process every minute to keep only harmful IPs blocked and avoid an outdated, heavy block list.

Deploying the Solution

1. Download the CloudFormation Template:
   Download the customized AWS CloudFormation template (customized-block-period-template.yaml) from the solution’s GitHub repository.
2. Create a Stack in CloudFormation Console:
   Open the AWS CloudFormation console, then create a new stack with the downloaded template. Check the CloudFormation User Guide for detailed instructions for stack creation.

3. Specify Stack Details:
   On the Specify Stack Details page, type a unique stack name. Enter the required parameters, such as blocking duration and configuration settings listed in the prerequisites.

4. Provisioning Resources:
   
   

The template provisions several AWS resources, including:

• AWS WAF IP Sets, which store the blocked IPs.
• An Amazon EventBridge Rule that triggers the Lambda function at regular intervals.
• Amazon S3 Buckets to store the blocked IP addresses and their timestamps.
• AWS IAM Roles with permissions to allow Lambda functions to query AWS WAF and access other required resources.
• The AWS Lambda function itself, which performs the logic for tracking and updating the blocked IP addresses.

5. Deploy and Apply the WAF Rule:
   Deployment takes under 15 minutes. When the stack shows CREATE_COMPLETE, build a custom AWS WAF rule to apply custom IP sets and block the malicious IPs.

6. Reviewing IPs that are Blocked:

Go to the IP Sets section on the AWS WAF console. Choose the set named with the prefix "IPv4-IPset." You can check the list of IPs blocked by the rate limit rule in the set produced by the stack.

7. Whitelisting or Removing Specific IPs from the Blocked List

To remove an IP from the blocked list, merely deleting it from the IP set in the AWS WAF console does not work. This is because the IP set updates every minute with a JSON file stored in an S3 bucket (controlled by the CloudFormation template).

To remove an IP properly, delete it from the JSON file; then upload the revised file to the S3 bucket. You may use a Lambda script to automate this process. The script lets you choose the IP to remove; it completes each required step.

You can find the environment variable details and the Python code for the script here:

 https://rentry.co/ew84t8tu

Blocking Requests Originating from Referrer URLs

Problem Statement: 

Third-party websites might copy images or content from your site and use them on their platforms. These requests come via referrer URLs.

Solution:

To block such requests, follow these steps:

1. Identify the Referrer URL:

• Open the site suspected of scraping your content in a browser.
• Right-click on the page and select Inspect to open the developer tools.
• Navigate to the Network tab and reload the page.
• Look for requests made to your site. For example, if the site https://www.webpagetest.org/ is scraping your images, you might find requests to your domain in the list.
• Identify the image being used (e.g., twitter.svg), and click on the request.

2. Retrieve the Referrer URL:

• In the request details on the right panel, locate the Headers section.
• Scroll to find the Referer value. This will show the URL of the site making the request (e.g., https://www.webpagetest.org/).

3. Block the Referrer in AWS WAF:

• Open the AWS WAF console and create a new Custom Rule.
• Set the Inspect field to Single Header.
• Use Referer as the Header Field Name.
• Set Match Type to Exactly matches string.
• Enter the referrer URL (e.g., https://www.webpagetest.org/) in the String to Match field.
• Set the Action to Block. You can optionally configure a custom response code for blocked requests.

Outcome

By enforcing this rule, you can block requests from specific referrer URLs stopping site mirroring and web scraping by third-party sites.

Introduction

Automating cloud infrastructure and deployments is a crucial aspect of DevOps. AWS Amplify provides a powerful framework for developing and deploying full-stack applications. However, initializing and managing an Amplify app manually can be time-consuming, especially when integrating it into a CI/CD pipeline like Jenkins.

This blog explores how we automated the Amplify app creation process in headless mode using shell scripting and Expect scripts, eliminating interactive prompts to streamline our pipeline.

Setting Up AWS and Amplify CLI

1. Configure AWS Credentials

Before initializing an Amplify app, configure AWS CLI with your Access Key and Secret Key:

aws configure

2. Install and Configure Amplify CLI

To install Amplify CLI and configure it:

npm install -g @aws-amplify/cli

amplify configure

This will prompt you to create an IAM user and set up authentication.

Automating Amplify App Creation

1. Initialize the Amplify App Using a Script

We created a shell script amplify-init.sh to automate the initialization process.

amplify-init.sh

#!/bin/bash

set -e

IFS='|'

AMPLIFY_NAME=amplifyapp

API_FOLDER_NAME=amplifyapp

BACKEND_ENV_NAME=staging

AWS_PROFILE=default

REGION=us-east-1

AWSCLOUDFORMATIONCONFIG="{\

\"configLevel\":\"project\",\

\"useProfile\":true,\

\"profileName\":\"${AWS_PROFILE}\",\

\"region\":\"${REGION}\"\

}"

AMPLIFY="{\

\"projectName\":\"${AMPLIFY_NAME}\",\

\"envName\":\"${BACKEND_ENV_NAME}\",\

\"defaultEditor\":\"Visual Studio Code\"\

}"

amplify init --amplify $AMPLIFY --providers $AWSCLOUDFORMATIONCONFIG --yes

Run the script:

./amplify-init.sh

2. Automating API and Storage Integration

Since Amplify prompts users for inputs, we used Expect scripts to automate API and storage creation.

add-api-response.exp

#!/usr/bin/expect

spawn ./add-api.sh

expect "? Please select from one of the below mentioned services:\r"

send -- "GraphQL\r"

expect eof

add-storage-response.exp

#!/usr/bin/expect

spawn ./add-storage.sh

expect "? Select from one of the below mentioned services:\r"

send -- "Content\r"

expect eof

These scripts eliminate manual input, making Amplify API and storage additions fully automated.

Automating Schema Updates

One of the biggest challenges was automating schema.graphql updates without manual intervention. The usual approach required engineers to manually upload the file, leading to potential errors.

To solve this, we automated the process with an Amplify Pull script.

amplify-pull.sh

#!/bin/bash

set -e

IFS='|'

AMPLIFY_NAME=amp3

API_FOLDER_NAME=amp3

BACKEND_ENV_NAME=prod

AWS_PROFILE=default

REGION=us-east-1

APP_ID=dzvchzih477u2

AWSCLOUDFORMATIONCONFIG="{\

\"configLevel\":\"project\",\

\"useProfile\":true,\

\"profileName\":\"${AWS_PROFILE}\",\

\"region\":\"${REGION}\"\

}"

AMPLIFY="{\

\"projectName\":\"${AMPLIFY_NAME}\",\

\"appId\":\"${APP_ID}\",\

\"envName\":\"${BACKEND_ENV_NAME}\",\

\"defaultEditor\":\"code\"\

}"

amplify pull --amplify $AMPLIFY --providers $AWSCLOUDFORMATIONCONFIG --yes

This script ensures that the latest schema changes are pulled and updated in the pipeline automatically.

Integrating with Jenkins

Since this automation was integrated with a Jenkins pipeline, we enabled "This project is parameterized" to allow file uploads directly into the workspace.

1. Upload the schema.graphql file via Jenkins UI.
2. The script pulls the latest changes and updates Amplify automatically.

This method eliminates manual intervention, ensuring consistency in schema updates across multiple environments.

Conclusion

By automating AWS Amplify workflows with shell scripting and Expect scripts, we achieved:  Fully automated Amplify app creation
  Eliminated manual schema updates
  Seamless integration with Jenkins pipelines
  Faster deployments with reduced errors

This approach significantly minimized manual effort, ensuring that updates were streamlined and efficient. If you're using Amplify for your projects, automation like this can save countless hours and improve developer productivity.

Have questions or feedback? Drop a comment below!