AWS GovCloud (US) User Guide

AWS Directory Service

AWS Directory Service provides multiple ways to set up and run Amazon Cloud Directory, Amazon Cognito, and Microsoft AD with other AWS services. Amazon Cloud Directory provides a highly scalable directory store for your application’s multihierarchical data. Amazon Cognito helps you create a directory store that authenticates your users either through your own user pools or through federated identity providers. AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as Microsoft AD, enables your directory-aware workloads and AWS resources to use a managed Active Directory in the AWS Cloud.

How AWS Directory Service Differs for AWS GovCloud (US)

The following list details the differences for using this service in AWS GovCloud (US) Regions compared to other AWS Regions:

  • Only AWS Managed Microsoft AD and AD Connector directory types are supported by AWS Directory Service.

  • The following directory types are not supported:

    • Simple AD

    • Amazon Cloud Directory

  • The following AWS apps and services are not currently supported by AWS Directory Service:

    • RDS for SQL Server

    • Amazon WorkDocs

    • Amazon WorkMail

    • Amazon QuickSight

    • Amazon Chime

    • Amazon Connect

    • AWS Management Console

    • AWS Single Sign-On

  • Only signature version 4 signing is supported.

  • You can use the AWS Command Line Interface (AWS CLI) to interact with AWS Directory Service and other AWS services through the command line. For more information, see AWS CLI documentation.


    If you are using the Amazon Linux AMI, the AWS CLI is already installed and configured.

  • To connect to AWS Directory Service by using the command line or APIs, use the following endpoints:





For more information about AWS Directory Service, see the AWS Directory Service documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • AWS Directory Service passwords are protected as ITAR-regulated data.

  • All data stored and processed in AWS Directory Service directories can contain ITAR-regulated data.

ITAR-Regulated Data Not Permitted

AWS Directory Service metadata is not permitted to contain ITAR-regulated data. This metadata includes all configuration data that you enter when creating and maintaining your AWS Directory Service directory except passwords.

Do not enter ITAR-regulated data in the following console fields:

  • Directory aliases

  • Directory description

  • Directory DNS name

  • NetBIOS name

  • Manual snapshot name

  • Resource tags

  • Description of schema extensions