Virtual service provider zones

US9286491B2 · US · B2

Patent metadata
Publication number: US-9286491-B2
Application number: US-201313932824-A
Country: US
Kind code: B2
Filing date: Jul 1, 2013
Priority date: Jun 7, 2012
Publication date: Mar 15, 2016
Grant date: Mar 15, 2016

Abstract

Official abstract text for this publication.

A service proxy services as an application programming interface proxy to a service, which may involve data storage. When a request to store data is received by the service proxy, the service proxy encrypts the data and stores the data in encrypted form at the service. Similarly, when a request to retrieve data is received by the service proxy, the service proxy obtains encrypted data from the service and decrypts the data. The data may be encrypted using a key that is kept inaccessible to the service.

First claim

Opening claim text (preview).

What is claimed is:

1. A system, comprising: a first data storage service comprising a plurality of data storage devices and a first web service interface configured to receive web service requests transmitted to the first web service interface, the first data storage service being configured to process the web service requests transmitted to the first web service interface using the plurality of data storage devices; and a second data storage service, where first data storage service is implemented with computing resources in a first set of one or more facilities operated by a computing resource service provider and the second data storage service is implemented with computing resources in a second set of one or more facilities that is geographically distinct from the first set of one or more facilities and operated by the computing resource service provider and the first data storage service is configured in accordance with a first set of regulations associated with a first legal jurisdiction and the second data storage service is configured in accordance with a second set of regulations that is different from the first set of regulations and associated with a second legal jurisdiction, the second data storage service comprising a second web service interface, the second data storage service configured to operate as a proxy to the first data storage service by at least: receiving, at the second web service interface, a request from a requestor to store data, the request originating from a network not operated by the service provider; encrypting the data using a cryptographic key inaccessible to the first data storage service; transmitting the encrypted data to the first data storage service for persistent storage on behalf of the requestor; and maintaining access to the cryptographic key while preventing access to the cryptographic key by the first data storage service.

2. The system of claim 1, wherein both the first web service interface and the second web service interface are each publicly addressable interfaces in a public communications network.

3. The system of claim 1, wherein the second data storage service is configured to encrypt the data without requiring the requestor to specify that the data should be encrypted.

4. The system of claim 1, wherein the second data storage service is further configured to: receive, to the second web service interface, a request to retrieve the data; obtain the encrypted data from the first data storage service; use the key to decrypt the encrypted data; and provide the decrypted data.

5. The system of claim 1, wherein the first data storage service and second data storage service are implemented in different legal jurisdictions.

6. A system, comprising: one or more processors; and memory comprising computer executable instructions that, when executed by the one or more processors, cause the system to: operate, by a service provider, an application programming interface to which requests are submittable over a network, the request originating from a network not operated by the service provider; and for each first request of at least a plurality of requests submitted to the application programming interface, process the first request by at least: using a key to perform one or more cryptographic operations on data involved in processing the first request; and transmitting, across a network, a second request to a service utilizing separate computing resources than the application programming interface that causes the service to perform one or more operations on the data in encrypted form wherein the separate computing resources are located in a first location governed by different regulations than a second location where the application programming interface is located, the service lacking access to the key and being configured to be independently configured to process the first request.

7. The system of claim 6, wherein: the system is operated as part of a first instance of a service type provided by the service provider; and the service is operated as part of a second instance of the service type provided by the service provider.

8. The system of claim 6, wherein the application programming interface is a web service interface.

9. The system of claim 6, wherein: at least some of the plurality of requests are transmitted by different entities; and each different entity corresponds to an account of the service.

10. The system of claim 6, wherein: the executable instructions further cause the system to selectively determine whether to perform the one or more cryptographic operations when processing requests; and the plurality of requests are a subset of a set of requests processed by the system, the subset consisting of requests for which the system has selectively determined to perform the one or more cryptographic operations.

11. The system of claim 6, wherein the executable instructions further cause the system to select the service from a plurality of services configured to process the first request.

12. The system of claim 6, wherein: the second request to the service causes the service to perform one or more operations on unencrypted data and provide, to the system, a result of performing the one or more operations and the data in encrypted form; wherein using the key to perform the one or more cryptographic operations includes decrypting the data in encrypted form; and the executable instructions further cause the system to perform one or more operations on a collection of data comprising the unencrypted data and the decrypted data.

13. The system of claim 6, wherein the service is operated by a first organizational entity that is different from the service provider that operates the system.

14. The system of claim 6, wherein the memory further includes instructions that, when executed by the one or more processors cause the system to analyze the request to determine whether to restrict access by the first data storage service to a subset of the data in encrypted form.

15. A computer-implemented method, comprising: under the control of one or more computer systems configured with executable instructions, receiving, from a requestor at a network address of the one or more computer systems, an application programming interface request to perform one or more operations, where the network address originates from a network that is not operated by a service provider wherein the network is located in a first location governed by different regulations than a second location where the application programming interface is located; and processing the application programming interface request by at least: transmitting, over the network, a request to a service operated by the service provider that is configured to be independently configured to perform the one or more operations, the request being configured to causes the service to perform one or more service operations on encrypted data, the encrypted data being encrypted under a key that is inaccessible to the service; and using the key to perform one or more cryptographic operations in connection with the encrypted data.

16. The computer-implemented method of claim 15, wherein: the one or more cryptographic operations include encryption of data to obtain the encrypted data; and the one or more service operations include persistent storage of the encrypted data.

17. The computer-implemented method of claim 15, wherein the network address is a public Internet protocol address.

18. The computer-implemented metho

Classifications

  • G06F21/602 · Primary

    Providing cryptographic facilities or services · CPC title

  • by anonymising data, e.g. decorrelating personal data from the owner's identification · CPC title

  • to a system of files or objects, e.g. local or distributed file system or database · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/602. Mapped technology areas include Physics.
When was this patent published?
Publication date Mar 15, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).