AWS GovCloud (US)
User Guide

AWS Identity and Access Management (IAM)

The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS regions:

  • IAM users that you create in the AWS GovCloud (US) Region are specific to the AWS GovCloud (US) Region and do not exist in other AWS regions.

  • Due to the separate authentication stack, the hardware MFA tokens used with standard AWS regions are not compatible with AWS GovCloud (US) accounts. AWS GovCloud (US) only supports MFA devices listed under the “Compatibility with AWS GovCloud (US)” row on the Multi-Factor Authentication page.

  • You can't create a role to delegate access between an AWS GovCloud (US) account and an AWS account.

  • IAM roles can be used to protect ITAR data, but you cannot enter ITAR-regulated data into the roles and role names, and you cannot assign a non-US person to a role that can access ITAR data.

  • If you create policies, use the correct AWS GovCloud (US) ARN prefix. For more information, see Amazon Resource Names (ARNs) in AWS GovCloud (US).

  • Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region.

  • When you use a SAML provider in the AWS GovCloud (US) Region, use the following URL for the XML document that contains relying party information and certificates: For more information, see Configuring a Relying Party and Adding Claims in IAM User Guide.

  • SSH public keys are used only in conjunction with AWS CodeCommit, which is currently not available in the AWS GovCloud (US) Region.

  • The AWS GovCloud (US) Region does not report the last time, last service, or last region in which an access key was used. The IAM console does not display the Last Used column and you can't use the aws iam get-access-key-last-used command.

  • The credential report will not include data for when an access key was last used and which service was most recently accessed with an access key.

  • You can attach or replace an IAM role on your existing Amazon EC2 instances in the AWS GovCloud (US) Region. To enable IAM roles for your existing EC2 instances, follow the example described in this AWS Security Blog post.

For more information about IAM, see the IAM documentation.

ITAR Boundary

The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted ITAR-Regulated Data Not Permitted
  • IAM passwords are protected as ITAR-regulated data.

  • Secret access keys are protected as ITAR-regulated data.

  • Virtual MFA seeds are protected as ITAR-regulated data.

  • IAM metadata is not permitted to contain ITAR-regulated data. This metadata includes all configuration data that you enter when creating and maintaining your IAM entities.

  • Do not enter ITAR-regulated data in the following fields:

    • Authentication codes, which are clear text memcached

    • User names

    • Group names

    • Password policies

    • Policy names

    • Roles and role names

    • Policy documents

On this page: