AWS GovCloud (US) User Guide
AWS GovCloud (US) User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

AWS Identity and Access Management

AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access.

The following list details the differences for using this service in AWS GovCloud (US) Regions compared to other AWS Regions:

  • You created your AWS GovCloud (US) account using your standard AWS account root user credentials. To sign in as that root user, you must use the standard AWS endpoint. When you created your account, AWS provided you with the credentials for your GovCloud administrator IAM user or your AWS GovCloud (US) account root user. To sign in with these credentials, use the AWS GovCloud (US) endpoint. Keep in mind that you cannot access the AWS GovCloud (US) console using your root user credentials.

  • IAM users that you create in AWS GovCloud (US) are specific to AWS GovCloud (US) and do not exist in other standard AWS Regions.

  • AWS GovCloud (US) supports MFA devices listed in the Compatibility with AWS GovCloud (US) table row on the AWS Multi-Factor Authentication page. You can use these MFA devices with your AWS GovCloud (US) administrator IAM user or any IAM user in your account. You cannot enable an MFA device for your AWS GovCloud (US) account root user.

  • You cannot create a role to delegate access between an AWS GovCloud (US) account and a standard AWS account.

  • Customers with export-controlled data (e.g., ITAR-controlled technical data) in their environment may consider using IAM roles as part of their export control compliance program. It is the customer’s responsibility to properly architect its AWS GovCloud (US) account if there will be export controlled data in its environment in order to comply with export control laws.

  • If you create policies, use the correct AWS GovCloud (US) ARN prefix. For more information, see Amazon Resource Names (ARNs) in GovCloud (US) Regions.

  • Use SSL (HTTPS) when you make calls to the service in AWS GovCloud (US) Regions.

  • When you use a SAML provider in AWS GovCloud (US) Regions, use the following URL for the XML document that contains relying party information and certificates: For more information, see Configuring a Relying Party and Adding Claims in IAM User Guide.

  • SSH public keys are used only in conjunction with CodeCommit, which is currently not available in AWS GovCloud (US-East).

  • The credential report includes information about your AWS GovCloud (US) account root user. Root user access key activity can occur if someone uses your root user access keys. If a user in your AWS GovCloud (US) contacts AWS Support because they cannot sign in, AWS Support verifies their identity and notifies the AWS GovCloud (US) account owner. AWS Support then creates an AWS GovCloud (US) root user access key and secret key in your account. The AWS Support team delivers these credentials to the verified user, and works with them to reset their credentials. This user can then run AWS API operations or CLI commands using those access keys. If you see root user activity in your credential report that you do not recognize, you can do one of the following:

    • Use the AWS GovCloud (US) root user access keys to call AWS API operations or CLI commands and manage your root user access keys. You can then make any root user access keys inactive, or delete them entirely.

    • If you do not have access to any AWS GovCloud (US) root user access keys, you can contact AWS Support. After you prove your account ownership, AWS Support will deliver new AWS GovCloud (US) root user access keys to you. You can then delete any (or all) root user access keys as described above.

  • You can attach or replace an IAM role on your existing Amazon EC2 instances in AWS GovCloud (US). To enable IAM roles for your existing Amazon EC2 instances, follow the example described in this AWS Security Blog post.

  • You can now establish a private connection between your Amazon VPC and AWS STS in the AWS GovCloud (US-West) region. For more information, see the Using AWS STS Interface VPC Endpoints in the IAM User Guide.

For more information about IAM, see the IAM documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted ITAR-Regulated Data Not Permitted
  • IAM passwords are protected as ITAR-regulated data.

  • Secret access keys are protected as ITAR-regulated data.

  • Virtual MFA seeds are protected as ITAR-regulated data.

  • IAM metadata is not permitted to contain ITAR-regulated data. This metadata includes all configuration data that you enter when creating and maintaining your IAM entities.

  • Do not enter ITAR-regulated data in the following fields:

    • Authentication codes, which are clear text memcached

    • User names

    • Group names

    • Password policies

    • Policy names

    • Roles and role names

    • Policy documents

On this page: