AWS GovCloud (US)
User Guide

AWS GovCloud (US) Region Compared to Standard AWS Regions

AWS GovCloud (US) is a gated community for workloads with direct or indirect ties to U.S. government functions or services. As a result, AWS GovCloud (US) offers the following features that are not available in the standard AWS regions:

  • The AWS GovCloud (US) Region uses FIPS 140-2 approved cryptographic modules for all AWS service API endpoints, unless otherwise indicated in the AWS GovCloud (US) Endpoints section.

  • The AWS GovCloud (US) Region maintains an ITAR-compliant infrastructure and is appropriate for all types of Controlled Unclassified Information (CUI) and unclassified data. For more details, see Maintaining U.S. International Traffic in Arms Regulations (ITAR) Compliance.

  • The AWS GovCloud (US) Region is physically isolated and has logical network isolation from all other regions.

  • For administrative purposes, AWS restricts all physical and logical access to the AWS GovCloud (US) Region and all potential access to restricted customer data. AWS allows only vetted U.S. citizens with distinct access controls separate from other AWS regions to administer the AWS GovCloud (US) Region. Any customer data fields that are defined as outside of the ITAR boundary (such as S3 bucket names) are explicitly documented in the service-specific section as not permitted to contain ITAR-regulated data.

  • The AWS GovCloud (US) Region authentication is completely isolated from Amazon.com.

The AWS GovCloud (US) Region also has high-level differences compared to the standard AWS regions. These differences are important when you evaluate and use the AWS GovCloud (US) Region. The following list outlines the differences:

Sign up

During the signup process, each customer is vetted to ensure that it is a U.S. entity (such as a government body, contracting company, or educational organization) and that it is not prohibited or restricted by the U.S. government from exporting or providing services.

Endpoints

The AWS GovCloud (US) Region uses endpoints that are specific to the AWS GovCloud (US) Region and that are accessible only to AWS GovCloud (US) customers. For a list of these endpoints, see AWS GovCloud (US) Endpoints.

Credentials

You can access the AWS GovCloud (US) Region only with AWS GovCloud (US) credentials (AWS GovCloud (US) account access key and AWS GovCloud (US) IAM user credentials). You cannot access the AWS GovCloud (US) Region with standard AWS credentials. Likewise, you cannot access standard AWS regions using AWS GovCloud (US) credentials. Access credentials for the AWS GovCloud (US) Region are isolated from the standard AWS regions.
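The Endpoints and Credentials items above both come down to one operational rule: a GovCloud workload must be pointed only at GovCloud endpoints and GovCloud resources, because nothing in the standard regions will accept its credentials and, more importantly, nothing outside the region is inside the ITAR boundary. The following script is an added example (not part of this guide or of any AWS tooling) of a pre-deployment configuration check that enforces that rule. The region codes us-gov-west-1 and us-gov-east-1 and the ARN partition name aws-us-gov are real AWS identifiers; every hostname, ARN and account number below is a constructed sample, and the function names are this example's own.

```python
"""Added example: a GovCloud boundary check for a deployment configuration.

Assumptions (hypothetical, not AWS code): we receive a region name, an optional
custom endpoint URL, and a list of resource ARNs, and we want to fail fast if
any of them would reach outside the aws-us-gov partition.
"""
import re
from typing import List, Optional
from urllib.parse import urlparse

# Real identifiers: the two AWS GovCloud (US) region codes and the ARN partition.
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
GOVCLOUD_PARTITION = "aws-us-gov"

# ARN layout: arn:<partition>:<service>:<region>:<account>:<resource>
_ARN_RE = re.compile(r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*):")
# Standard-region label such as us-east-1 or eu-west-2.
_STD_REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d$")


def arn_partition(arn: str) -> Optional[str]:
    """Return the partition field of an ARN, or None if the string is not an ARN."""
    m = _ARN_RE.match(arn)
    return m.group("partition") if m else None


def endpoint_region(endpoint_url: str) -> Optional[str]:
    """Return the region label embedded in an AWS-style endpoint hostname.

    Returns None for hostnames without a region label (e.g. global endpoints),
    so the caller can decide how strict to be about those.
    """
    host = urlparse(endpoint_url).hostname or ""
    for label in host.split("."):
        if label in GOVCLOUD_REGIONS or _STD_REGION_RE.match(label):
            return label
    return None


def check_config(region: str, endpoint_url: Optional[str], arns: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the config stays in GovCloud."""
    findings: List[str] = []
    if region not in GOVCLOUD_REGIONS:
        findings.append(f"region {region!r} is not an AWS GovCloud (US) region")

    if endpoint_url:
        parsed = urlparse(endpoint_url)
        if parsed.scheme != "https":
            findings.append(f"endpoint {endpoint_url!r} does not use https")
        host = parsed.hostname or ""
        if not host.endswith(".amazonaws.com"):
            findings.append(f"endpoint host {host!r} is not an amazonaws.com endpoint")
        ep_region = endpoint_region(endpoint_url)
        if ep_region is not None and ep_region != region:
            findings.append(f"endpoint region {ep_region!r} does not match region {region!r}")

    for arn in arns:
        partition = arn_partition(arn)
        if partition != GOVCLOUD_PARTITION:
            findings.append(f"ARN {arn!r} is in partition {partition!r}, not {GOVCLOUD_PARTITION!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a clean GovCloud config, then one that mixes in a
    # standard-partition bucket ARN and a standard-region endpoint.
    print(check_config("us-gov-west-1", "https://ec2.us-gov-west-1.amazonaws.com",
                       ["arn:aws-us-gov:s3:::example-govcloud-bucket"]))
    print(check_config("us-gov-west-1", "https://ec2.us-east-1.amazonaws.com",
                       ["arn:aws:s3:::example-standard-bucket"]))
```

Run the check as a CI step against the same configuration file the deployment reads; a non-empty result should fail the pipeline rather than be logged, since a GovCloud credential presented to a standard-region endpoint fails only at runtime and an ARN in the wrong partition may silently reference the wrong resource.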

AWS Management Console for the AWS GovCloud (US) Region

You sign in to the AWS GovCloud (US) console by using an IAM user name and password. This requirement is different from the standard AWS Management Console, where you can sign in by using your account credentials (email address and password). You cannot use your AWS GovCloud (US) account access keys to sign in to the AWS GovCloud (US) console. For more information about creating an IAM user, see Getting Started with AWS GovCloud (US).

Billing, account activity, and usage reports

An AWS GovCloud (US) account is always associated with a single standard AWS account for billing and payment purposes. All AWS GovCloud (US) usage is billed or invoiced to the associated standard AWS account. You can view AWS GovCloud (US) account activity and usage reports only through the associated standard AWS account.

Services

The AWS GovCloud (US) Region currently supports only the services that are listed in Supported Services. As additional services are deployed to the AWS GovCloud (US) Region, this list will be updated.

Services in the AWS GovCloud (US) Region might have different capabilities compared to services in standard AWS regions. For example, in AWS GovCloud (US), you must launch all Amazon EC2 instances in an Amazon Virtual Private Cloud (Amazon VPC). For detailed information about each service in the AWS GovCloud (US) Region, see Using AWS GovCloud (US).

For all AWS GovCloud (US) accounts created after December 15, 2014, AWS CloudTrail is automatically enabled with logging turned on. Amazon SNS notifications, however, must be set up independently. If you prefer not to have CloudTrail enabled, you can use the CloudTrail console in the AWS Management Console for the AWS GovCloud (US) Region to disable it or turn off logging.
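Because CloudTrail is enabled by default but can be disabled from the console, and because SNS notifications are not set up for you, a periodic audit of the trail configuration is worth automating. The script below is an added example (not part of this guide or of AWS) that evaluates the kind of data the CloudTrail DescribeTrails and GetTrailStatus API calls return. The field names (trailList, Name, HomeRegion, SnsTopicARN, LogFileValidationEnabled, IsLogging) are assumed from the CloudTrail API; the trail records and account number are constructed samples, and the audit function is this example's own.

```python
"""Added example: audit CloudTrail trail records for a GovCloud account.

Assumptions (hypothetical): the caller has already fetched DescribeTrails output
and a GetTrailStatus result per trail (for example with the AWS CLI against the
GovCloud endpoint) and passes the parsed JSON in; this script has no network access.
"""
from typing import Dict, List

GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}

# Constructed sample in the shape of DescribeTrails output: one well-configured
# trail and one that has drifted from the default-on state.
SAMPLE_DESCRIBE = {
    "trailList": [
        {
            "Name": "management-events",
            "HomeRegion": "us-gov-west-1",
            "S3BucketName": "example-trail-bucket",
            "SnsTopicARN": "arn:aws-us-gov:sns:us-gov-west-1:123456789012:trail-alerts",
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
        },
        {
            "Name": "legacy-trail",
            "HomeRegion": "us-gov-west-1",
            "S3BucketName": "example-legacy-bucket",
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": False,
        },
    ]
}

# Constructed sample in the shape of GetTrailStatus output, keyed by trail name.
SAMPLE_STATUS = {
    "management-events": {"IsLogging": True},
    "legacy-trail": {"IsLogging": False},
}


def audit_trails(describe_output: Dict, status_by_trail: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Return findings per trail; an empty list means the trail passed every check.

    The special key "__account__" carries findings that apply to the whole account.
    """
    findings: Dict[str, List[str]] = {}
    trails = describe_output.get("trailList", [])
    if not trails:
        # Someone has disabled CloudTrail entirely; there is nothing to log to.
        findings["__account__"] = ["no CloudTrail trail is configured"]
        return findings

    for trail in trails:
        name = trail.get("Name", "<unnamed>")
        issues: List[str] = []
        status = status_by_trail.get(name, {})
        if not status.get("IsLogging", False):
            issues.append("logging is turned off")
        if not trail.get("SnsTopicARN"):
            # The page notes SNS notifications are never configured automatically.
            issues.append("no SNS topic configured for log delivery notifications")
        if not trail.get("LogFileValidationEnabled", False):
            issues.append("log file validation is disabled")
        if trail.get("HomeRegion") not in GOVCLOUD_REGIONS:
            issues.append(f"home region {trail.get('HomeRegion')!r} is not a GovCloud region")
        findings[name] = issues
    return findings


def trails_needing_attention(findings: Dict[str, List[str]]) -> List[str]:
    """Names of trails (or the account marker) with at least one finding."""
    return sorted(name for name, issues in findings.items() if issues)


if __name__ == "__main__":
    result = audit_trails(SAMPLE_DESCRIBE, SAMPLE_STATUS)
    for name in trails_needing_attention(result):
        for issue in result[name]:
            print(f"{name}: {issue}")
```

The three per-trail checks map to the three ways the default posture described above erodes: logging switched off in the console, notifications never configured, and integrity validation left off so that tampered log files are not detectable. Wire the output into the same alerting channel as other configuration-drift findings.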

Multi-factor authentication

Due to the separate authentication stack, the hardware MFA tokens used with standard AWS accounts are not compatible with AWS GovCloud (US) accounts. AWS GovCloud (US) only supports MFA devices listed on the Multi-Factor Authentication page.