2

In the documentation of the AWS Key Management Service (KMS) I found this interesting sentence:

Asymmetric CMKs and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports except for China (Beijing) and China (Ningxia).

There are a total of three AWS regions in China: The two mentioned above, plus one in Hong Kong.

Does somebody know the reason for this restriction? Is it for legal purposes?

keithRozario
mat

1 Answer

4

Asymmetric encryption was only introduced to AWS KMS in 2019. Prior to that, only symmetric encryption was available regardless of which region you were using. Even when AWS made the official announcement for asymmetric keys on KMS, many regions did not get the functionality on day 1.

Also, the two regions in China are somewhat special, in that they're operated by local companies:

The service operator and provider for AWS China (Beijing) Region based out of Beijing and adjacent areas is Beijing Sinnet Technology Co., Ltd. (Sinnet). And the service operator and provider for AWS (Ningxia) Region based out of Ningxia is Ningxia Western Cloud Data Technology Co., Ltd. (NWCD).

While I'm not sure of the exact reason, it might be legal (might not!), but there are a lot of services within AWS that aren't fully available in all regions, and this is common even for 'core' AWS regions. It could simply be that the feature hasn't been rolled out yet in China -- or it's just that the technical complexity of rolling out the feature makes it difficult for companies other than AWS to onboard quickly.

keithRozario