AWS GovCloud (US)
User Guide

AWS Key Management Service (AWS KMS)

The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS regions:

  • At this time, the service endpoint does not support FIPS 140-2.

For more information about AWS KMS, see the AWS Key Management Service Developer Guide.

ITAR Boundary

The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • All data encrypted with an AWS KMS key contains ITAR-regulated data

ITAR-Regulated Data Not Permitted

  • AWS KMS metadata is not permitted to contain ITAR-regulated data. Do not enter ITAR-regulated data in the following fields:

    • Alias

    • Descriptions

    • Key policy documents, including key administrators and key users

  • The Encryption Context is outside the ITAR boundary.

  • AWS KMS-generated metadata will not contain ITAR-regulated data:

    • Key ID

    • Key ARN
