Amazon Web Services (AWS) has spent much of today (Monday 20th October) recovering from a widespread outage that disrupted thousands of websites and popular apps, including Snapchat, Zoom, Duolingo, and Reddit, and left businesses across the globe scrambling to restore operations.
The incident, which lasted for around three hours, marked one of the most significant Internet disruptions since the CrowdStrike software malfunction of 2024, which paralysed IT systems in hospitals, banks, and airports worldwide. It once again underscored how dependent the modern economy has become on a handful of Cloud providers that underpin vast swathes of global digital infrastructure.
AWS reported that by 6:00am ET (10:00am GMT), it was seeing “significant signs of recovery” in several of its impacted services, adding: “Most requests should now be succeeding. We continue to work through a backlog of queued requests.”
AWS, the world’s largest provider of on-demand computing power and Cloud storage, supports a wide range of industries – from banking and retail to government operations and artificial intelligence platforms. When its servers falter, the effects cascade across the web, affecting millions of end users and disrupting everything from online payments to logistics tracking systems.
Systemic risks from Cloud concentration
Tim Wright, Tech Partner at law firm Fladgate, noted that the outage illustrated the growing systemic risk from over-reliance on a small number of hyperscale Cloud providers.
He explained: “Today’s widespread AWS outage underscored the growing systemic risk from heavy national and sectoral reliance on a small number of hyperscale Cloud providers. The disruption, which apparently originated in AWS’s US East 1 region, cascaded across global networks – affecting UK institutions from HMRC to major banks such as Barclays and Lloyds, along with financial, retail and AI-driven platforms that depend on AWS-hosted services.
“Today’s incident highlights the tension between Cloud convenience and concentration risk. For regulated entities, especially in financial services, the UK’s Critical Third Parties (CTP) regime – now in force under the Financial Services and Markets Act 2024 and applied through the PRA and FCA’s operational resilience framework – will inevitably come into sharper focus. Supervisors may require stress testing and post-incident audits to ensure that firms maintain visibility and contractual leverage over their Cloud dependencies.
“As AI adoption deepens, and vast model training and data governance systems increasingly run on a handful of platforms like AWS, today’s event is a reminder that resiliency is not purely a technical parameter but a regulatory and contractual one. Firms must reassess their agreements with specific focus on cloud exit, redundancy, and incident notification contractual clauses through that lens.”
The comments reflect growing concern among policymakers and regulators about the risks of digital concentration – where a small number of Cloud and AI providers, such as AWS, Microsoft Azure, and Google Cloud, host critical operations for governments and enterprises worldwide.
A technical fault with broad implications
According to Aras Nazarovas, Senior Security Researcher at Cybernews, the AWS disruption stemmed from an internal Domain Name System (DNS) failure in its US-East-1 region – an issue that has historically been a common source of large-scale Cloud outages.
He explained: “Today’s outages for multiple services was the result of internal DNS failures at Amazon Web Services in their US-EAST-1 region of AWS Cloud. Similar failures have been common causes for major outages in the past, and usually stem from incorrect, updated configurations, or due to poor monitoring of expiration timelines for configurations, certificates, etc.
“From initial reporting there are no indications of any security breach, however failing to keep information or resources available for clients can be classified as a cyber incident, even if there was no malicious outsider or malicious intent.
“Similar outages occur almost every year, and they can be a reminder of how extensive software supply chains have become, showing how a simple issue on a handful of Amazon data centres caused thousands of issues to their clients.”
Nazarovas added that affected clients experienced roughly four hours of downtime, and that while the impact varied depending on the industry, such failures could have serious consequences for organisations in critical infrastructure sectors.
He advised that businesses should have a clearly defined disaster recovery plan in place: “In the event of such disruptions users should immediately seek alternative solutions for communication – different apps, phone calls, SMS, or radio – to coordinate next steps towards recovering from such a disruption. It is a good practice to have a ‘Disaster Recovery Plan’ where alternative communication channels and other critical steps have been planned in advance.”
Lessons for resilience
The outage highlighted how a single technical fault can ripple through the global digital ecosystem, halting access to online banking, logistics platforms, e-commerce sites, and social media applications. For many businesses, the event was a stark reminder that Cloud dependence must be balanced with strategies for redundancy, contingency, and transparency.
While AWS has since restored most of its services, the incident is likely to prompt renewed scrutiny of operational resilience frameworks and encourage organisations to diversify their Cloud strategies – not just for performance, but for continuity in an increasingly interconnected digital world.
