AWS Identity and Access Management in AWS GovCloud (US)
AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access.
How IAM differs for AWS GovCloud (US)
- You must have an existing standard AWS account to create an AWS GovCloud (US) account. See AWS GovCloud (US) Sign Up to learn more. If you have AWS GovCloud (US) sign-up issues, contact AWS Customer Support.
- When your AWS GovCloud (US) account is created, you are provided initial access to the AWS Management Console for AWS GovCloud (US) by an Administrator IAM user or an OrganizationAccountAccessRole IAM role, depending on the method used. You cannot access the AWS Management Console for AWS GovCloud (US) using the associated standard AWS account root user credentials.
  - The AWS GovCloud (US) account root user is created at the same time as the AWS GovCloud (US) account, but access to this user is not provided to AWS GovCloud (US) customers by default.
  - Signing in to the AWS Management Console for AWS GovCloud (US) as the AWS GovCloud (US) account root user is not supported.
  - AWS GovCloud (US) account root user access keys can be provided at the request of the associated standard AWS account root user by contacting AWS Customer Support. See Requesting root access keys for an AWS GovCloud (US) account to get started.
  - Tasks that require the root user in AWS GovCloud (US) are limited. See Tasks in AWS GovCloud (US) Regions that require root user access keys.
  - Since there is no access to the root user, there is no ability to centrally manage such credentials in AWS Organizations. However, you can perform privileged tasks for member accounts in your organization. To learn more about performing some root user tasks using short-term credentials, see Perform a privileged task on an AWS Organizations member account.
  - Solution Providers reselling in AWS GovCloud (US) may receive AWS GovCloud (US) account root user access keys from an AWS business representative, to be used for initial access to their account.
  - For more information, see AWS GovCloud (US) account root user.
- Access issues for IAM users that are administrators in your AWS GovCloud (US) account can be resolved by another administrator in the account. If all administrators have forgotten or lost access to the AWS GovCloud (US) account, request AWS GovCloud (US) account root user access keys to Restore IAM Administrator access to the AWS Management Console for AWS GovCloud (US). See Requesting root access keys for an AWS GovCloud (US) account to get started.
- There is one IAM control plane for all AWS GovCloud (US) Regions, located in the AWS GovCloud (US-West) Region. Each AWS Region has a completely independent instance of the IAM data plane. For more information, see Resilience in AWS Identity and Access Management.
- When using the IAM or AWS STS service in AWS GovCloud (US), you must use the AWS GovCloud (US) IAM and AWS STS endpoints. Use SSL (HTTPS) when you make calls to the IAM or AWS STS service in AWS GovCloud (US) Regions.
- IAM users that you create in AWS GovCloud (US) are specific to AWS GovCloud (US) and do not exist in other standard AWS Regions.
- AWS GovCloud (US) supports the MFA devices listed on the Multi-Factor Authentication (MFA) in AWS GovCloud (US) page.
  - You can use these MFA devices with your AWS GovCloud (US) administrator user or any IAM user in your account.
  - You cannot use these MFA devices with your AWS GovCloud (US) account root user.
- You cannot create a role to delegate access between an AWS GovCloud (US) account and a standard AWS account.
- Customers with export-controlled data (e.g. export-controlled technical data) in their environment may consider using IAM roles as part of their export control compliance program. It is the customer’s responsibility to properly architect its AWS GovCloud (US) account, if there will be export-controlled data in its environment, in order to comply with export control laws.
- When you create policies, use the AWS GovCloud (US) resource ARN prefix. For more information, see Amazon Resource Names (ARNs) in GovCloud (US) Regions.
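As an added example (not code from the AWS documentation), the following Python script checks the Resource ARNs in a policy document for the GovCloud (US) partition and Region codes, so that a policy copied from a standard Region is caught before it is attached; it assumes the partition prefix arn:aws-us-gov, the Region codes us-gov-west-1 and us-gov-east-1, and a constructed sample policy.

```python
# Added example, not from the AWS documentation: flag Resource ARNs in an IAM
# policy that do not use the GovCloud (US) partition or Region codes. Assumes
# the partition prefix arn:aws-us-gov and the Regions us-gov-west-1/us-gov-east-1.
import json
GOVCLOUD_PARTITION = "aws-us-gov"
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}

def check_arn(arn):
    """Return problems with one ARN; an empty list means it is acceptable."""
    if arn == "*":
        return []  # a bare wildcard is not partition-specific
    # Format is arn:partition:service:region:account-id:resource; the resource
    # part may itself contain colons, so split at most five times.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return [f"{arn}: not a well-formed ARN"]
    partition, region = parts[1], parts[3]
    problems = []
    if partition != GOVCLOUD_PARTITION:
        problems.append(f"{arn}: partition '{partition}' is not '{GOVCLOUD_PARTITION}'")
    # Global services (IAM, S3) leave region empty; otherwise it must be GovCloud.
    if region and region not in GOVCLOUD_REGIONS:
        problems.append(f"{arn}: region '{region}' is not a GovCloud (US) Region")
    return problems

def check_policy(policy_json):
    """Collect problems from every Resource and NotResource ARN in a policy."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    problems = []
    for stmt in statements:
        for key in ("Resource", "NotResource"):
            arns = stmt.get(key, [])
            for arn in [arns] if isinstance(arns, str) else arns:
                problems.extend(check_arn(arn))
    return problems

# Constructed sample: one correct GovCloud ARN, one wrong partition, one wrong Region.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws-us-gov:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::123456789012:role/Auditor"},
    {"Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": "arn:aws-us-gov:sqs:us-east-1:123456789012:queue1"}]})

if __name__ == "__main__":
    for problem in check_policy(SAMPLE_POLICY):
        print(problem)
```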
- When you use a SAML provider in AWS GovCloud (US) Regions, use the following URL for the XML document that contains relying party information and certificates: https://signin.amazonaws-us-gov.com/static/saml-metadata.xml. For more information, see Configuring a Relying Party and Adding Claims in the IAM User Guide.
- In the AWS GovCloud (US) Regions, there is no AWS STS global endpoint. AWS provides Regional AWS STS endpoints.
  - In the AWS GovCloud (US-West) Region, the AWS STS endpoint supports only request Signature Version 4 (SigV4) by default and can be updated to support both SigV4 and Signature Version 4A (SigV4A). Session tokens supporting the SigV4A algorithm are larger than those supporting SigV4 and match the size of tokens issued by the AWS STS endpoint in the AWS GovCloud (US-East) Region, which already supports SigV4A. Changing this setting might affect existing systems where you temporarily store tokens. For more information, see Managing AWS STS in an AWS Region.
  - Documentation that mentions "Valid only in AWS Regions enabled by default" refers to "Support only SigV4-based signatures on AWS requests" for the AWS STS endpoint in the AWS GovCloud (US-West) Region.
  - Documentation that mentions "All AWS Regions" refers to "Both the SigV4 and SigV4A algorithms" for the AWS STS endpoint in the AWS GovCloud (US-West) Region.
- IAM Access Analyzer unused access findings and policy generation are not supported in AWS GovCloud (US). To learn more, see IAM Access Analyzer in the IAM User Guide.
- IAM Roles Anywhere is now supported in AWS GovCloud (US). To learn more, see Providing access for non AWS workloads in the IAM User Guide.
- When configuring SAML applications for single sign-on in AWS GovCloud (US), the SAML audience and ACS links differ from those used in the standard Regions.
  - Application ACS URL: https://signin.amazonaws-us-gov.com/saml
  - Application SAML audience: urn:amazon:webservices:govcloud
Documentation for AWS Identity and Access Management
Export-controlled content
For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
- IAM metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your IAM entities.
- Do not enter export-controlled data in the following fields:
  - Authentication codes, which are clear-text memcached
  - User names
  - Group names
  - Password policies
  - Policy names
  - Roles and role names
  - Policy documents