AWS GovCloud (US)
User Guide

AWS Identity and Access Management

The following list details the differences for using AWS Identity and Access Management (IAM) in the AWS GovCloud (US) compared to other AWS regions:

  • You created your AWS GovCloud (US) account using your standard AWS account root user credentials. To sign in as that root user, you must use the standard AWS endpoint. When you created your account, AWS provided you with the credentials for your GovCloud administrator IAM user or your AWS GovCloud (US) account root user. To sign in with these credentials, use the AWS GovCloud (US) endpoint. Keep in mind that you cannot access the AWS GovCloud (US) console using your root user credentials.

  • IAM users that you create in the AWS GovCloud (US) Region are specific to the AWS GovCloud (US) Region and do not exist in other AWS regions.

  • AWS GovCloud (US) supports only the MFA devices listed in the Compatibility with AWS GovCloud (US) table row (see Compatibility with AWS GovCloud (US)). You can use these MFA devices with your GovCloud administrator IAM user or any IAM user in your account. You cannot enable an MFA device for your GovCloud account root user.

  • You can't create a role to delegate access between an AWS GovCloud (US) account and an AWS account.

  • IAM roles can be used to protect ITAR data, but you cannot enter ITAR-regulated data into the roles and role names, and you cannot assign a non-US person to a role that can access ITAR data.

  • If you create policies, use the correct AWS GovCloud (US) ARN prefix. For more information, see Amazon Resource Names (ARNs) in AWS GovCloud (US).
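The partition mismatch is easy to introduce when a policy is copied from a commercial-region account, where every ARN starts with `arn:aws:` instead of `arn:aws-us-gov:`. The following Python script is an added example, not code from this guide or from AWS: it walks a policy document, reports every ARN whose partition is not `aws-us-gov`, and produces a corrected copy. The sample policy, bucket name, account ID and role name are constructed for the example.

```python
import json
import re

# Partition prefix that every ARN in an AWS GovCloud (US) policy must use.
GOVCLOUD_PARTITION = "aws-us-gov"

# Matches the partition field of an ARN:
# arn:<partition>:<service>:<region>:<account>:<resource>
ARN_RE = re.compile(r"^arn:(?P<partition>[^:]*):")


def _walk_strings(node):
    """Yield every string value found anywhere in a JSON-like structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk_strings(value)


def find_wrong_partition_arns(policy_doc, expected=GOVCLOUD_PARTITION):
    """Return the ARNs in the policy whose partition is not `expected`.

    Every string in the document is inspected (Resource, Principal, condition
    values), so a policy pasted from a commercial-region account is caught
    before it is attached to anything.
    """
    bad = []
    for text in _walk_strings(policy_doc):
        match = ARN_RE.match(text)
        if match and match.group("partition") != expected:
            bad.append(text)
    return bad


def fix_partition(policy_doc, expected=GOVCLOUD_PARTITION):
    """Return a deep copy of the policy with every ARN partition set to `expected`."""
    def rewrite(node):
        if isinstance(node, str):
            match = ARN_RE.match(node)
            if match:
                # Keep everything after "arn:<partition>:" untouched.
                return "arn:%s:%s" % (expected, node[match.end():])
            return node
        if isinstance(node, dict):
            return {key: rewrite(value) for key, value in node.items()}
        if isinstance(node, list):
            return [rewrite(value) for value in node]
        return node
    return rewrite(policy_doc)


# Constructed sample policy (not a real one): the first statement was copied
# from a commercial-region account and still carries the "aws" partition.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws-us-gov:iam::123456789012:role/example-role"
    }
  ]
}
""")

if __name__ == "__main__":
    for arn in find_wrong_partition_arns(SAMPLE_POLICY):
        print("wrong partition:", arn)
    print(json.dumps(fix_partition(SAMPLE_POLICY), indent=2))
```

Run the check against any policy JSON before you call `create-policy` or `put-role-policy` in the GovCloud account; an `arn:aws:` resource in a GovCloud policy never matches a GovCloud resource, so the statement silently grants (or denies) nothing.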

  • Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region.

  • When you use a SAML provider in the AWS GovCloud (US) Region, use the following URL for the XML document that contains relying party information and certificates: https://signin.amazonaws-us-gov.com/static/saml-metadata.xml. For more information, see Configuring a Relying Party and Adding Claims in IAM User Guide.

  • SSH public keys are used only in conjunction with AWS CodeCommit, which is currently not available in the AWS GovCloud (US) Region.

  • The credential report includes some information about your AWS GovCloud (US) account root user. Root user access key activity appears in the report whenever anyone uses your root user access keys. Also, if a user in your AWS GovCloud (US) account contacts AWS Support because they can't sign in, Support legally verifies their identity and notifies the AWS GovCloud (US) account owner. Support then creates an AWS GovCloud (US) root user access key and secret key in your account, delivers these credentials to the verified user, and works with them to reset their credentials. That user can then run any number of AWS API operations or CLI commands using those access keys, if they choose. If you see root user activity in your credential report that you don't recognize, you can do one of the following:

    • Use the GovCloud root user access keys to call AWS API operations or CLI commands and manage your root user access keys. You can then make any root user access keys inactive, or delete them entirely.

    • If you don't have access to any GovCloud root user access keys, you can contact AWS Support. After you legally prove your account ownership, AWS Support will deliver new AWS GovCloud (US) root user access keys to you. You can then delete any (or all) root user access keys as described above.
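Because Support-issued root access keys show up in the credential report like any other root key use, the report is worth checking routinely rather than only after an incident. The following Python script is an added example, not part of this guide or of AWS tooling: it parses a credential report (the CSV returned by `aws iam get-credential-report`, after base64 decoding) and reports any root access key that is active or was used within a window. The two report rows, the account ID and the timestamps are constructed for the example; the column names follow the report's documented layout. The `<root_account>` user value is the one AWS uses for the root user row.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"  # user column value AWS uses for the root user row

# Constructed sample rows in the column layout of the IAM credential report
# (trailing cert_* columns omitted; DictReader does not need them).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws-us-gov:iam::123456789012:root,2019-01-10T12:00:00+00:00,not_supported,no_information,not_supported,not_supported,false,true,2021-03-01T09:15:00+00:00,2021-03-05T14:22:00+00:00,us-gov-west-1,iam,false,N/A,N/A,N/A,N/A
govcloud-admin,arn:aws-us-gov:iam::123456789012:user/govcloud-admin,2019-01-10T12:05:00+00:00,true,2021-03-04T08:00:00+00:00,2021-02-01T08:00:00+00:00,2021-05-02T08:00:00+00:00,true,true,2021-02-01T08:00:00+00:00,2021-03-05T10:00:00+00:00,us-gov-west-1,s3,false,N/A,N/A,N/A,N/A
"""


def _parse_ts(value):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    if not value or not value[0].isdigit():
        return None
    return datetime.fromisoformat(value)


def root_access_key_findings(report_csv, now=None, window=timedelta(days=90)):
    """Return findings for the root user's access keys.

    Each finding is a (key_slot, message) tuple. A key produces a finding if it
    is active at all (the guide's advice is to deactivate or delete unexpected
    root keys) and another if it was used within `window` of `now`.
    `now` may be a datetime or an ISO-8601 string; it defaults to the current time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)

    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != ROOT_USER:
            continue
        for slot in ("access_key_1", "access_key_2"):
            if row[slot + "_active"] == "true":
                findings.append((slot, "root access key is active; deactivate or delete it if not expected"))
            last_used = _parse_ts(row[slot + "_last_used_date"])
            if last_used is not None and now - last_used <= window:
                findings.append((slot, "root access key used on %s from %s via %s" % (
                    last_used.isoformat(),
                    row[slot + "_last_used_region"],
                    row[slot + "_last_used_service"])))
    return findings


if __name__ == "__main__":
    for slot, message in root_access_key_findings(SAMPLE_REPORT, now="2021-03-10T00:00:00+00:00"):
        print(slot, "-", message)
```

Feed it the decoded `Content` field from `get-credential-report`; any finding you cannot match to a known Support interaction is the trigger for the two options listed above (deactivate or delete the keys, or contact AWS Support to obtain fresh root keys and then delete them).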

  • You can attach or replace an IAM role on your existing Amazon EC2 instances in the AWS GovCloud (US) Region. To enable IAM roles for your existing EC2 instances, follow the example described in this AWS Security Blog post.

For more information about IAM, see the IAM documentation.