by gobdovan 18 days ago
Have you considered checking the actual AWS contract and the limited liability they explicitly stipulate in contracts and even linked docs from marketing materials?

If you read the fine print, you'll notice something funny. You are largely responsible for data loss, SLA claims require you to present concrete evidence, and the remediation you accepted is usually credits for future spend on specifically the same product you lost your data on.

And AWS fine print is actually quite reasonable compared with, say, GCP, where the SLA seems mostly useful so the enterprise acquisition team can say "they have SLA, I can't get fired for choosing them since I did my due diligence!", while GCP can say "you already accepted the proposed remedy when signing the contract, sue us and we'll just point you to it. Thanks for your trust." [0]

[0] https://docs.cloud.google.com/storage/docs/storage-classes

^ Standard multi-region or dual-region storage has a 99.95% availability SLA, regional Standard has 99.9%, and regional Nearline, Coldline, or Archive can be as low as 99.0%. The credits are 10%, 25%, or 50% of the monthly bill for the affected service tier, with 50% as the aggregate monthly cap, applied to future use. Google also says the customer must request the credit within 30 days or forfeit it.


They didn't mention anything about SLAs. This is about all the time, effort, paperwork and risk it takes to add yet another vendor. Having fewer vendors does actually reduce risk, as long as your chosen vendors are reasonably good. Though the bigger reason is certainly avoiding the additional bureaucracy, which is partly self-inflicted in larger companies but also not without merit.
Yeah, I understood the original point. And I'm tired of it.

I'm just tired of the 'everyone follows their immediate incentives while the system stays incoherent' as the de facto reality. I think shedding some light on the actual mechanics would maybe make someone consider 'perhaps we shouldn't allow our acquisition team to just turn off their brain and choose the default to cover their bottoms; maybe vendors are worth more decision investment via actual thinking instead of performatively ending up on the default choice after a little ritualistic game of "eeny, meeny, miny, AWS"'.

I think it's worth pointing out that Jeff Bezos would fight this tooth and nail from happening in his companies. He popularised 'process as proxy'. Yet AWS as sold to external enterprises is the exact proxy Bezos warned against internally. Do what Bezos does, and even what Bezos preaches, just don't do by default what Bezos sells.

Which vendor would you rather use in this context, with your sensitive customer data?
- vendor A's list of sub-processors is a mile long and includes providers of questionable repute;
- vendor B's list is short and includes AWS and GCP
We have a vendor with almost no subprocessors because they run their own hardware in a colo.

It is refreshing actually. They can accurately answer questions on how everything works and there are no subsubsubprocessors to worry about.

I think he's arguing about OpenAI vendoring specifically, where OpenAI has a lot of subprocessors, but AWS doesn't and there's not really a 3rd camp to choose from, yet. But even there you can't just choose AWS, as I tried to illustrate in the uncle comment.
Ah my mistake, I thought he was making a broader point that other providers always have deep subprocessor stacks.
Praise be the accountability sink. https://news.ycombinator.com/item?id=41891694
The politics of multimillion dollar contracts for public clouds go far, far, far beyond the preferences of an acquisition team, or what the engineers may think.
This is too vague to respond to meaningfully.
> This is about all the time, effort, paperwork and risk it takes to add yet another vendor.

This is stupid. This protects you from having a risk to have to do small things (very small things), and updates, by increasing the risk you have to redo everything all at once. It's eliminating a tiny effort by massively increasing systemic risk.

It would, by the way, be a very good business and SRE exercise to actually trip those small risks from time to time and fix it.

Otherwise: ask Iranians what happened to their AWS accounts when Trump decided to sanction them. Ask ICC judges what happened to their email and visa cards. Everything just stopped and died. Is that what you want for your company?

They're motivated not by the actual loss, but the checkmark of having attestation for a compliance framework.

So the fact that Microsoft let remote hands-on-keyboards in the PRC fix problems on GCC-High Azure nodes used by DoD contractors doesn't matter, since they're too big to censure in any meaningful way without impacting tens of thousands of businesses that rely on them to get a letter that satisfies a compliance assessor.

Actually knowing what you're doing, or being able to critically assess the risks of using a specific provider, doesn't matter.

Nobody ever got fired for buying I̵B̵M̵ AWS. Most corporations already use AWS, are used to its legal terms and have accepted the risk. Any new provider will be scrutinised by legal more than an existing one.
Models on Bedrock can have different and additional terms and conditions, there's even variety within the same provider for some of them. The Anthropic ones certainly have their own EULA. It's a bit frustrating because ideally it should be a known legal status, but in fact it still needs legal review if you're doing anything interesting.
This... it doesn't really matter what's on the contract, they all sell the same things. In enterprise, things just should not get you sacked :p then it works perfectly.
Our corporate lawyers have all reviewed these things. And like others mentioned, the SLAs are not the concern, it's related to data security and someone to blame if things go boom.
I mean, I'm not really senior management, just an EM trying to get through life under the rules somebody else made.

Also, this isn't about SLA at all.