AWS GovCloud (US)
User Guide

Onboarding to AWS GovCloud (US) (Direct Customers)

If you are a direct customer, there are few things you should do to make it easier to sign in and use the AWS GovCloud (US) console. We automatically enable AWS CloudTrail for AWS GovCloud (US) accounts, but you should also verify that CloudTrail is enabled to store logs.

Configuring Your Account

The steps in this section describe how to sign in and create an account alias and access keys.

To sign in to the AWS GovCloud (US) console

  1. Open the AWS GovCloud (US) console.

  2. Sign in using your account number and administrator credentials. For your user name, type Administrator. You will need to specify your account number.


    If you did not save your AWS GovCloud (US) sign-in link, which includes your account number, you can retrieve your account number by signing in to the standard AWS Management Console with your root credentials, opening the Accounts page, and choosing the Sign up for AWS GovCloud (US) button. You will be directed to a page that indicates you already have access and displays your account number.

To create an account alias

Creating an account alias is optional, but strongly recommended. If you do not create an account alias, be sure to save your AWS GovCloud (US) sign-in link because your AWS GovCloud (US) account number is different from your AWS account number.

  1. Sign in to the AWS GovCloud (US) console and open the IAM console at

  2. Next to the IAM users sign-in link, choose Customize.

  3. Type an alias for your account.

    IAM users can now use either the account alias or account number when signing in to the AWS GovCloud (US) console.

To create and download access keys

The password for your AWS GovCloud (US) administrator IAM user cannot be reset by the root user of your AWS account. Creating access keys for your AWS GovCloud (US) administrator user is helpful because they can be used to reset your administrator password from the command line.

  1. Sign in to the AWS GovCloud (US) console and open the IAM console at

  2. In the navigation pane, choose Users, and select the IAM user account for which you would like to generate access keys.

  3. On the Security Credentials tab, choose Create Access Key.

  4. To download the access key, choose Download Credentials and save them locally.

Verifying AWS CloudTrail Is Enabled

As part of the automated AWS GovCloud (US) activation process, the CloudTrail service should be enabled for each account and an Amazon S3 bucket should be created to store CloudTrail logs. In the event of any interruptions in the automation process, you can manually enable CloudTrail.

To verify the S3 bucket was created for CloudTrail log storage

  1. Sign in to the AWS GovCloud (US) console and open the Amazon S3 console at

  2. If a bucket already exists, skip to the next procedure to ensure CloudTrail is enabled.

  3. Choose Create Bucket.

  4. Type a name for your bucket.

    Bucket names must be unique. S3 buckets created during the automated process follow the naming convention "cloudtrail-xxxxxxxxxxxx" where xxxxxxxxxxxx is replaced by the AWS GovCloud (US) account number. If you want to use a different bucket name, you can delete this bucket, create a new bucket, and then follow the steps in the next section to enable CloudTrail.

To verify CloudTrail is enabled

  1. Sign in to the AWS GovCloud (US) console and open the CloudTrail console at

  2. Choose Get Started Now.

  3. On the Turn on CloudTrail page next to Create a new S3 bucket, choose No.

  4. From the S3 bucket drop-down list, choose the S3 bucket you created in the previous procedure.

  5. Choose Turn On.

    This will set a bucket policy that allows the CloudTrail service to store logs in the S3 bucket. If the automated process created an S3 bucket and enabled CloudTrail, the following policy was applied:

    { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws-us-gov:iam::608710470296:root" }, "Action": "s3:GetBucketAcl", "Resource": "arn:aws-us-gov:s3:::s3_bucket_name" }, { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws-us-gov:iam::608710470296:root" }, "Action": "s3:PutObject", "Resource": "arn:aws-us-gov:s3:::s3_bucket_name/AWSLogs/account_id/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] }