AWS Identity and Access Management - AWS GovCloud (US)

AWS Identity and Access Management

AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access.

How IAM Differs for AWS GovCloud (US)

  • You created your AWS GovCloud (US) account using your standard AWS account root user credentials. To sign in as that root user, you must use the standard AWS endpoint. When you created your account, AWS provided you with the credentials for your GovCloud administrator IAM user; to sign in with those credentials, use the AWS GovCloud (US) endpoint. Note: There is no root user that you can sign in as in AWS GovCloud (US); the only root credentials are the root user access keys that AWS Support can issue, described below. Keep in mind that you cannot access the AWS GovCloud (US) console using your standard AWS account root user credentials.

  • IAM users that you create in AWS GovCloud (US) are specific to AWS GovCloud (US) and do not exist in other standard AWS Regions.

  • AWS GovCloud (US) supports the MFA devices listed in the Compatibility with AWS GovCloud (US) row of the table on the AWS Multi-Factor Authentication page. You can use these MFA devices with your AWS GovCloud (US) administrator IAM user or with any other IAM user in your account.

  • You cannot create a role to delegate access between an AWS GovCloud (US) account and a standard AWS account.

  • Customers with export-controlled data (for example, export-controlled technical data) in their environment may consider using IAM roles as part of their export control compliance program. It is the customer's responsibility to properly architect its AWS GovCloud (US) account, if there will be export-controlled data in its environment, in order to comply with export control laws.

  • When you create policies, use the AWS GovCloud (US) resource ARN prefix (arn:aws-us-gov:) rather than the standard arn:aws: prefix. A policy copied from a standard Region that still names arn:aws: resources does not match any resource in AWS GovCloud (US). For more information, see Amazon Resource Names (ARNs) in GovCloud (US) Regions.

  • Use SSL (HTTPS) when you make calls to the service in AWS GovCloud (US) Regions.

  • When you use a SAML provider in AWS GovCloud (US) Regions, use the following URL for the XML document that contains relying party information and certificates: https://signin.amazonaws-us-gov.com/static/saml-metadata.xml. For more information, see Configuring a Relying Party and Adding Claims in IAM User Guide.

  • SSH public keys are used only in conjunction with CodeCommit, which is currently not available in AWS GovCloud (US-East).

  • The credential report includes information about your AWS GovCloud (US) account root user. Root user access key activity appears in the report whenever someone uses your root user access keys. These keys are created by AWS Support: if a user in your AWS GovCloud (US) account contacts AWS Support because they cannot sign in, AWS Support verifies their identity and notifies the AWS GovCloud (US) account owner. AWS Support then creates an AWS GovCloud (US) root user access key and secret key in your account, delivers these credentials to the verified user, and works with them to reset their credentials. That user can then run AWS API operations or CLI commands using those access keys, and that activity is recorded against the root user. If you see root user activity in your credential report that you do not recognize, do one of the following:

    • Use the AWS GovCloud (US) root user access keys to call AWS API operations or CLI commands that manage your root user access keys. You can make any root user access key inactive, or delete it entirely.

    • If you do not have access to any AWS GovCloud (US) root user access keys, contact AWS Support. After you prove your account ownership, AWS Support delivers new AWS GovCloud (US) root user access keys to you. You can then delete any (or all) root user access keys as described above.

  • You can attach or replace an IAM role on your existing Amazon EC2 instances in AWS GovCloud (US). To enable IAM roles for your existing Amazon EC2 instances, follow the example described in this AWS Security Blog post.

  • You can establish a private connection between your Amazon VPC and AWS STS in the AWS GovCloud (US-West) Region. For more information, see Using AWS STS Interface VPC Endpoints in the IAM User Guide.

  • Information about when a role was last used is not available. For more information, see View Role Access.

  • Policy generation is not supported in AWS GovCloud (US). To learn more, see Generate policies based on access activity in the IAM User Guide.
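
The ARN-prefix bullet above is the one most often tripped over when a policy is copied from a standard account into AWS GovCloud (US). The following is an added example, not code from the AWS documentation, that walks a parsed policy document, reports every ARN whose partition is not aws-us-gov, and produces a copy with the partition rewritten. The sample policy, the bucket name and the account ID in it are constructed for the example.

```python
import json
import re

# The partition is the second colon-separated field of an ARN: arn:<partition>:<service>:...
ARN_RE = re.compile(r"^arn:(?P<partition>[^:]*):")


def _walk_strings(node):
    """Yield every string anywhere in a parsed policy (Resource, Principal, Condition values, ...)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, list):
        for item in node:
            yield from _walk_strings(item)
    elif isinstance(node, dict):
        for value in node.values():
            yield from _walk_strings(value)


def wrong_partition_arns(policy, expected="aws-us-gov"):
    """Return the ARNs in a policy whose partition is not `expected`.

    Strings that are not ARNs (actions, the "*" wildcard, condition values) are ignored.
    """
    bad = []
    for s in _walk_strings(policy):
        m = ARN_RE.match(s)
        if m and m.group("partition") != expected:
            bad.append(s)
    return bad


def rewrite_partition(policy, src="aws", dst="aws-us-gov"):
    """Return a deep copy of `policy` with every arn:<src>: prefix rewritten to arn:<dst>:.

    Only the partition field is changed. The region and account-ID fields are left alone on
    purpose: a GovCloud account has its own account ID and only the us-gov-* Regions, so
    those must be reviewed by hand rather than rewritten mechanically.
    """
    def fix(node):
        if isinstance(node, str):
            return re.sub(rf"^arn:{re.escape(src)}:", f"arn:{dst}:", node)
        if isinstance(node, list):
            return [fix(x) for x in node]
        if isinstance(node, dict):
            return {k: fix(v) for k, v in node.items()}
        return node
    return fix(policy)


# Constructed sample: a policy copied from a standard-Region account. Two of its ARNs
# still carry the standard "aws" partition; one has already been corrected by hand.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws-us-gov:s3:::example-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::123456789012:role/ReadOnly"
    }
  ]
}
""")

if __name__ == "__main__":
    for arn in wrong_partition_arns(SAMPLE_POLICY):
        print("wrong partition:", arn)
    print(json.dumps(rewrite_partition(SAMPLE_POLICY), indent=2))
```

Run the check against every policy document before attaching it in AWS GovCloud (US); the second statement in the sample is the dangerous case, because an sts:AssumeRole permission on an arn:aws: role silently grants nothing in the GovCloud partition and the mistake only surfaces as an AccessDenied at run time.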

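The credential-report bullet above tells you to look for root user activity you do not recognize, but not how. The following is an added example, not code from the AWS documentation, that reads a credential report and reports every root access key slot that is active or has ever been used, optionally limited to use at or after a given instant. The report excerpt is constructed for the example and cut down to the columns the code reads (the real report has more columns; csv.DictReader does not care about order or extras); the account ID and user name in it are made up.

```python
import csv
import io
from datetime import datetime

ROOT_USER = "<root_account>"   # the name the credential report gives the account root user

# Constructed sample of a GovCloud credential report, reduced to the columns used below.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws-us-gov:iam::123456789012:root,true,2024-03-02T14:07:11+00:00,us-gov-west-1,s3,false,N/A,N/A,N/A
govcloud-admin,arn:aws-us-gov:iam::123456789012:user/govcloud-admin,true,2024-03-01T09:30:00+00:00,us-gov-west-1,iam,false,N/A,N/A,N/A
"""


def root_key_findings(report_csv, since=None):
    """Return one finding per root access key slot that is active or has ever been used.

    `since` is an ISO 8601 timestamp with a UTC offset (or an aware datetime); when given,
    keys whose last use is older than it are dropped. An active key that has never been
    used is always reported, because it is a standing credential nobody is watching.
    """
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return []
    findings = []
    for slot in ("1", "2"):
        active = root[f"access_key_{slot}_active"] == "true"
        raw = root[f"access_key_{slot}_last_used_date"]
        used_at = None if raw == "N/A" else datetime.fromisoformat(raw)
        if not active and used_at is None:
            continue                      # empty slot, nothing to report
        if since is not None and used_at is not None and used_at < since:
            continue                      # last use is older than the window asked for
        findings.append({
            "slot": int(slot),
            "active": active,
            "last_used": used_at,
            "region": root[f"access_key_{slot}_last_used_region"],
            "service": root[f"access_key_{slot}_last_used_service"],
        })
    return findings


if __name__ == "__main__":
    for f in root_key_findings(SAMPLE_REPORT):
        state = "ACTIVE" if f["active"] else "inactive"
        print(f"root access key {f['slot']} ({state}) last used {f['last_used']} "
              f"by {f['service']} in {f['region']}")
```

To run it on a real account, generate and fetch the report with the GovCloud endpoint (aws iam generate-credential-report, then aws iam get-credential-report --query Content --output text | base64 -d) and pass the decoded CSV in. An inactive key that still shows a last-used date is reported on purpose: deactivation stops future use but says nothing about whether the earlier use was expected. If the finding is unrecognized, the remediation the bullet describes is aws iam update-access-key --access-key-id ... --status Inactive or aws iam delete-access-key, signed with the root keys themselves (with no --user-name, IAM acts on the keys of the caller).
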
Documentation for AWS Identity and Access Management

AWS IAM documentation.

Export-Controlled Content

For AWS Services architected within the AWS GovCloud (US) Regions, the table below explains how certain components of data may leave the Regions in the normal course of the Service Offerings. The table can be used as a guide to help meet applicable customer compliance obligations.

Data in the following service attributes will not leave the AWS GovCloud (US) Regions in the normal course of the Service Offerings:

  • IAM passwords are protected as export-controlled data.

  • Secret access keys are protected as export-controlled data.

  • Virtual MFA seeds are protected as export-controlled data.

Data in the following service attributes may leave the AWS GovCloud (US) Regions in the normal course of the Service Offerings:

  • IAM metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your IAM entities.

  • Do not enter export-controlled data in the following fields:

    • Authentication codes, which are clear-text memcached

    • User names

    • Group names

    • Password policies

    • Policy names

    • Roles and role names

    • Policy documents