Maintaining U.S. International Traffic in Arms Regulations (ITAR) Compliance
If you store and process ITAR-regulated data in the AWS GovCloud (US) Region, you must conform to the following ITAR requirements, in addition to any other ITAR or export control restrictions that may be applicable to you:
You are an individual or entity that qualifies as a U.S. Person under the applicable regulations.
You have and will maintain a valid Directorate of Defense Trade Controls (DDTC) registration.
You have full export privileges under U.S. export control laws and regulations and are not a denied or debarred party or otherwise subject to sanctions.
If your export control privileges are revoked, suspended, or terminated, or you otherwise become subject to sanctions or are barred from maintaining export-controlled data, you will immediately remove ITAR and other export-controlled data from the AWS services.
You must maintain an effective compliance program to ensure compliance with applicable U.S. export control laws and regulations, including ITAR, if applicable.
Even if you don't process any ITAR-regulated data, the owner of the AWS GovCloud (US) account must be a U.S. person. AWS doesn't require IAM users or users of applications that run in the AWS GovCloud (US) Region to be U.S. persons. As part of the shared responsibility model, you are responsible for restricting access to your IAM users and to your application in accordance with regulations that apply to you.
ITAR Boundary for AWS GovCloud (US) Services
If you maintain ITAR-regulated data in the AWS GovCloud (US) Region, you must comply with the ITAR restrictions for each AWS services in the AWS GovCloud (US) Region. For more information about the ITAR boundaries for each service, see the service-specific information in Services in the AWS GovCloud (US) Region.