Affected sites included:
The outage was primarily limited to CloudFront VPC Origin configurations, but because many major sites use the common "secure-by-default" architecture of CloudFront with internal Application Load Balancers (ALBs) behind VPC Origins, the blast radius was substantial. Some systems experienced a "partial outage" pattern where static assets (served from S3) remained accessible while dynamic API calls (routed through VPC Origins) returned 504 errors .
This incident is the latest in a string of high-profile AWS failures that have fueled growing concern about over-concentration of internet infrastructure on a small number of hyperscale cloud providers.
Why this keeps happening: The internet has consolidated around AWS, Azure, and Google Cloud for compute, storage, networking, DNS, authentication, CDN, and security. AWS alone commands roughly 30% of the global cloud services market, while Azure and Google hold 20% and 13% respectively . Researchers at Iowa State University note that four core internet services — DNS, authentication, email, and security infrastructure — are now concentrated in a small number of global platforms, meaning a single provider failure cascades instantly across industries
. A July 2026 analysis of cloud concentration risk points out that "a service can run in three Availability Zones and still fail because it depends on one regional control plane or one network intermediary"
.
The July 2026 CloudFront outage is a textbook example of this phenomenon: it was not a broad infrastructure collapse but a single feature's control-plane capacity limit that took down dozens of unrelated services across finance, AI, gaming, and government — precisely because they all shared the same underlying AWS path for private origin delivery. As one analysis put it, "Two AWS outages in three months just validated what most CTOs were afraid to admit: single-cloud dependency is an existential risk" .