Cloud Infrastructure Built for Saudi Data Sovereignty

Production-grade cloud infrastructure on AWS Middle East (Riyadh) — designed with Terraform, built for Saudi NCA data residency requirements, SDAIA data governance, and PDPL compliance. AWS Bahrain for disaster recovery.

Duration: 4-12 weeks
Team: 1 Cloud Infrastructure Lead + 1 IaC Engineer

You might be experiencing...

PDPL requires personal data of Saudi residents to remain in the Kingdom — your current multi-region AWS setup has data flowing through eu-west and us-east regions with no residency controls.
NCA Essential Cybersecurity Controls (ECC) mandate specific cloud security controls — encrypted storage, audit logging, network segmentation — but your infrastructure was built before NCA requirements existed.
Your cloud infrastructure was built manually in the AWS console — no Terraform, no IaC, no reproducibility. Every environment is a snowflake and nobody knows the full state.
Saudization (Nitaqat) requirements make hiring cloud infrastructure engineers directly difficult and expensive — you need capability now, not in 8-12 weeks when an Iqama is processed.

The cloud infrastructure Saudi Arabian organisations need is defined by one word: sovereignty. The Saudi Personal Data Protection Law (PDPL), NCA Essential Cybersecurity Controls (ECC), and SDAIA data governance requirements create a regulatory environment where cloud infrastructure design is inseparable from compliance design.

AWS Middle East (Riyadh): The Default Choice

AWS launched its Middle East (Riyadh) region in 2022 with three availability zones. For Saudi workloads handling personal data, this region is effectively mandatory — PDPL data residency requirements mean personal data of Saudi residents must be processed and stored in-Kingdom. Terraform is the tool Saudi infrastructure teams use to make this repeatable, auditable, and version-controlled.

At devopssaudi.com, we design and implement cloud infrastructure on AWS Riyadh as the primary region, with AWS Bahrain (me-south-1) as the disaster recovery target. For organisations with specific requirements, we also support Azure UAE North and multi-cloud architectures.

NCA ECC Compliance as Code

The NCA Essential Cybersecurity Controls specify mandatory security requirements for Saudi organisations — encryption at rest, audit logging, network segmentation, access control, and threat detection. Most organisations treat these as a compliance checklist. We treat them as Terraform code.

Every IaC consulting engagement we deliver in Riyadh includes NCA ECC controls implemented as infrastructure modules: KMS encryption for all storage (S3, EBS, RDS), CloudTrail logging for all API calls, VPC design with proper network segmentation, IAM policies following least-privilege principles, and GuardDuty for continuous threat detection.

PDPL Data Residency Architecture

PDPL compliance starts with data classification. Not all data needs to stay in Saudi Arabia — but personal data of Saudi residents does. We design infrastructure with this distinction built in: personal data workloads run exclusively in AWS Riyadh with no cross-region replication to non-Saudi regions, while non-personal data workloads can leverage global AWS regions for cost optimisation and latency.

This classification-driven approach avoids the common mistake of either over-constraining all workloads to a single region (costly and high-latency) or ignoring residency requirements entirely (non-compliant).
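A minimal Terraform expression of the classification-driven approach described above, as an added example and not devopssaudi.com's own module code. The region codes are AWS's own: me-central-1 is Middle East (Riyadh) and me-south-1 is Bahrain. The variable names and the Organizations OU id are assumptions made for the illustration. For a personal-data workload the guardrail admits Bahrain only once the cross-border transfer conditions the PDPL sets for the DR copy have been confirmed; that confirmation is recorded by the classification review, not decided by the code.

```hcl
# Added example, not devopssaudi.com's module code. Variable names and the
# OU id are assumptions; region codes are AWS's (Riyadh = me-central-1,
# Bahrain = me-south-1).
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

# Personal-data workloads use the default provider (Riyadh). The aliased
# provider exists only for the resources the DR design places in Bahrain.
provider "aws" {
  region = "me-central-1"
}

provider "aws" {
  alias  = "dr"
  region = "me-south-1"
}

variable "data_classification" {
  description = "Result of the data classification: personal (PDPL-scoped) or non_personal"
  type        = string
  validation {
    condition     = contains(["personal", "non_personal"], var.data_classification)
    error_message = "data_classification must be \"personal\" or \"non_personal\"."
  }
}

variable "dr_transfer_approved" {
  description = "True only when the PDPL cross-border transfer conditions for the Bahrain DR copy are met"
  type        = bool
  default     = false
}

variable "target_ou_id" {
  description = "Organizations OU holding this workload's accounts (assumed id, e.g. ou-xxxx-xxxxxxxx)"
  type        = string
}

locals {
  # Personal data stays in Riyadh; Bahrain is added only with an approved transfer.
  allowed_regions = concat(["me-central-1"], var.dr_transfer_approved ? ["me-south-1"] : [])
}

# Service control policy: deny any API call aimed at a region outside the list.
# Global services that are only served from us-east-1 are excluded so that IAM,
# Organizations and STS keep working in the member accounts.
data "aws_iam_policy_document" "region_guardrail" {
  statement {
    sid    = "DenyOutsideAllowedRegions"
    effect = "Deny"
    not_actions = [
      "iam:*", "organizations:*", "sts:*", "support:*",
      "cloudfront:*", "route53:*", "budgets:*", "health:*",
    ]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = local.allowed_regions
    }
  }
}

# Only personal-data workloads get the guardrail; non-personal workloads may
# use any region. SCPs are created and attached from the management account.
resource "aws_organizations_policy" "region_guardrail" {
  count   = var.data_classification == "personal" ? 1 : 0
  name    = "pdpl-region-guardrail"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.region_guardrail.json
}

resource "aws_organizations_policy_attachment" "region_guardrail" {
  count     = var.data_classification == "personal" ? 1 : 0
  policy_id = aws_organizations_policy.region_guardrail[0].id
  target_id = var.target_ou_id
}
```

Because the statement is an explicit Deny, it binds administrators in the member accounts as well, which is what turns the residency rule from a convention into a control. Review the not_actions exclusion list against the global services actually in use before attaching the policy, since anything missing from it is blocked account-wide.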

SDAIA Data Governance Overlay

For organisations working with AI and data-intensive workloads, SDAIA’s National Data Management Office adds additional governance requirements. We integrate SDAIA data governance into the infrastructure layer — data cataloguing, lineage tracking, and access controls that satisfy both PDPL and SDAIA requirements.

Book a free 30-minute cloud infrastructure consultation — we’ll review your current setup against NCA ECC controls and identify the gaps. Contact us.

Engagement Phases

Weeks 1-2

Cloud Audit & Design

Audit existing cloud infrastructure against NCA ECC controls and PDPL data residency requirements. Map data flows to identify residency violations. Design target architecture on AWS Middle East (Riyadh) with Bahrain DR.

Weeks 3-6

IaC Foundation

Implement Terraform or Pulumi modules for core infrastructure: VPC design, security groups, IAM policies, encrypted storage (S3, EBS, RDS), CloudTrail audit logging, and GuardDuty threat detection. All NCA ECC-aligned.

Weeks 7-10

Environment Provisioning

Build development, staging, and production environments using the IaC modules. Implement environment parity, secrets management (Vault or AWS Secrets Manager), and automated environment teardown for cost control.

Weeks 11-12

DR & Handover

Configure disaster recovery to AWS Bahrain. Test failover procedures. Produce infrastructure runbooks, architecture diagrams, and IaC documentation. Train team on Terraform workflows.

Deliverables

Cloud architecture document with NCA ECC compliance mapping
Terraform/Pulumi modules for core infrastructure
VPC design with NCA-compliant network segmentation
Encrypted storage configuration (at-rest and in-transit)
CloudTrail audit logging and GuardDuty integration
Multi-environment provisioning (dev, staging, production)
DR configuration (AWS Riyadh primary + Bahrain secondary)

Before & After

Metric | Before | After
Infrastructure Provisioning | Days to weeks: manual console clicking, undocumented steps | < 30 minutes: Terraform apply with full audit trail
NCA Compliance | Unknown compliance state — no mapping to ECC controls | Documented compliance with automated drift detection
Disaster Recovery | No DR plan — single region, single point of failure | Automated failover to AWS Bahrain with tested RTO/RPO

Tools We Use

Terraform / Pulumi
AWS Middle East (Riyadh)
AWS CloudTrail
HashiCorp Vault
AWS GuardDuty

Frequently Asked Questions

Why AWS Middle East (Riyadh) instead of other cloud providers?

AWS opened its Middle East (Riyadh) region in 2022 with three availability zones, making it the primary choice for Saudi workloads requiring data residency. PDPL and NCA data residency requirements mean personal data of Saudi residents must remain in-Kingdom — AWS Riyadh satisfies this requirement. Azure UAE North (Dubai) is an alternative for specific workloads, and we support multi-cloud architectures where required.

What does PDPL data residency actually require?

The Saudi Personal Data Protection Law (PDPL, effective September 2023) requires that personal data of Saudi residents be processed and stored within the Kingdom unless specific conditions are met for cross-border transfer. In practice, this means your primary data stores, backups, and processing infrastructure for personal data should be in AWS Riyadh or equivalent Saudi-hosted infrastructure. We design infrastructure with data classification built in — separating personal data workloads (Saudi-resident) from non-personal data workloads that can run in any region.

How do you handle NCA ECC cloud controls?

NCA Essential Cybersecurity Controls (ECC) specify requirements across 5 domains including cybersecurity governance, defence, resilience, and cloud computing. We map each ECC control to specific Terraform configurations — encryption at rest (KMS), audit logging (CloudTrail), network segmentation (VPC design), access control (IAM policies), and threat detection (GuardDuty). The result is infrastructure where NCA compliance is code, not a spreadsheet.
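The control-to-Terraform mapping described in this answer and in "NCA ECC Compliance as Code" above, carried through for three of the listed controls: encryption at rest (KMS), audit logging (CloudTrail) and threat detection (GuardDuty). This is an added example, not devopssaudi.com's own module code; the resource names such as "ecc-audit" are assumptions, and me-central-1 is the AWS region code for Middle East (Riyadh). VPC segmentation and IAM policies are left out to keep the block short.

```hcl
# Added example, not devopssaudi.com's module code. Names such as "ecc-audit"
# are assumptions; me-central-1 is the AWS region code for Middle East (Riyadh).
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

provider "aws" {
  region = "me-central-1"
}

data "aws_caller_identity" "current" {}

# Encryption at rest: customer-managed KMS key with rotation; the policy keeps the account in control and lets CloudTrail encrypt logs.
data "aws_iam_policy_document" "kms" {
  statement {
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    actions   = ["kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "ecc" {
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.kms.json
}

# Audit log store, encrypted with the key above (SSE-KMS as the bucket default).
resource "aws_s3_bucket" "audit" {
  bucket = "ecc-audit-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "audit" {
  bucket = aws_s3_bucket.audit.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.ecc.arn
    }
  }
}

# CloudTrail must be granted write access to the bucket explicitly, or it rejects the trail.
data "aws_iam_policy_document" "trail_bucket" {
  statement {
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.audit.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.audit.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "audit" {
  bucket = aws_s3_bucket.audit.id
  policy = data.aws_iam_policy_document.trail_bucket.json
}

# Audit logging: every API call in every region, with log-file integrity validation.
resource "aws_cloudtrail" "ecc" {
  name                       = "ecc-audit-trail"
  s3_bucket_name             = aws_s3_bucket.audit.id
  is_multi_region_trail      = true
  enable_log_file_validation = true
  kms_key_id                 = aws_kms_key.ecc.arn
  depends_on                 = [aws_s3_bucket_policy.audit]
}

# Threat detection: enable GuardDuty in the region.
resource "aws_guardduty_detector" "ecc" {
  enable = true
}
```

A production module would also attach an aws_s3_bucket_public_access_block and enable aws_s3_bucket_versioning on the audit bucket. Running terraform plan -detailed-exitcode on a schedule against this configuration is what gives the automated drift detection mentioned in the Before & After table: exit code 0 means the account matches the code, 2 means something has changed outside Terraform and needs investigation.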

Get Started for Free

Schedule a free consultation. 30-minute call, actionable results in days.

Talk to an Expert