AWS IoT Greengrass - AWS GovCloud (US)

AWS IoT Greengrass

This service is currently available in AWS GovCloud (US-West) only.

AWS IoT Greengrass seamlessly extends AWS to edge devices so they can act locally on the data they generate, while still using the cloud for management, analytics, and durable storage. With AWS IoT Greengrass, connected devices can run AWS Lambda functions, execute predictions based on machine learning models, keep device data in sync, and communicate with other devices securely even when not connected to the Internet.

How AWS IoT Greengrass Differs for AWS GovCloud (US)

  • AWS IoT Greengrass Core software v1.9.2 is the minimum supported version.

  • The following minimum versions of the AWS IoT Greengrass Core SDK are supported.

    Language or platform    Minimum version
    Python 3.7              1.4.0
    Java 8                  1.3.1
    Node.js 8.10            1.4.0
    C, C++                  1.1.0

  • Secret resource types (which integrate with AWS Secrets Manager) are not supported.

  • Only the following connectors are available:

    • Modbus-RTU Protocol Adapter v2

    • Raspberry Pi GPIO v2

    • Serial Stream v2

  • For over-the-air (OTA) updates, the IAM role used to presign the Amazon S3 URL (that links to the Greengrass software update) must allow access in the appropriate AWS Region. The following example policy includes the minimum required permissions that must be attached to the role for AWS GovCloud (US-West) Region support.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowsIotToAccessGreengrassOTAUpdateArtifacts",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws-us-gov:s3:::us-gov-west-1-greengrass-updates/*"
                ]
            }
        ]
    }

  • AWS IoT Greengrass operations use three endpoints that have different support for FIPS 140-2.

    • The endpoint for Greengrass control plane operations provides FIPS access only.

    • The endpoint for Greengrass discovery operations does not yet support FIPS. This endpoint provides non-FIPS access only.

    • The endpoint for AWS IoT device operations does not yet support FIPS. This endpoint provides non-FIPS access only.

    For a list of AWS GovCloud (US) endpoints, see Service Endpoints. Only Amazon Trust Services (ATS) server authentication is supported, so you must use ATS-signed root CA certificates and ATS endpoints. For more information, see Server Authentication in the AWS IoT Developer Guide.

  • The default limit for the maximum number of transactions per second (TPS) on the AWS IoT Greengrass API is 10 TPS. For more information, see AWS IoT Greengrass Limits in the Amazon Web Services General Reference.
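The OTA presigning role policy in the list above can be checked before it is attached. The following is an added example, not AWS code: it flags any Allow statement that grants more than s3:GetObject or whose resource is not a well-formed S3 ARN in the aws-us-gov partition for the update bucket named on this page. The function names and sample policies are constructed for illustration.

```python
import json

# The bucket name comes from the policy on this page; "aws-us-gov" is the
# ARN partition for AWS GovCloud (US).
EXPECTED_PARTITION = "aws-us-gov"
EXPECTED_BUCKET = "us-gov-west-1-greengrass-updates"
ALLOWED_ACTIONS = {"s3:GetObject"}

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_ota_policy(policy_json):
    """Return findings for an OTA presign-role policy; empty means minimal."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows by exclusion")
        for action in _as_list(stmt.get("Action")):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action!r} exceeds s3:GetObject")
        for arn in _as_list(stmt.get("Resource")):
            # S3 object ARN is arn:partition:s3:::bucket/key: 6 fields, two empty.
            parts = arn.split(":", 5)
            if (len(parts) != 6 or parts[0] != "arn" or parts[2] != "s3"
                    or parts[3] or parts[4]):
                findings.append(f"{sid}: {arn!r} is not a well-formed S3 ARN")
                continue
            if parts[1] != EXPECTED_PARTITION:
                findings.append(f"{sid}: partition {parts[1]!r} is not GovCloud")
            if parts[5].split("/", 1)[0] != EXPECTED_BUCKET:
                findings.append(f"{sid}: {arn!r} is outside the update bucket")
    return findings

def make_policy(action, resource):
    """Build a constructed one-statement sample policy for the demo below."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "Ota", "Effect": "Allow", "Action": action, "Resource": resource}]})

if __name__ == "__main__":
    good = "arn:aws-us-gov:s3:::us-gov-west-1-greengrass-updates/*"
    for action, res in [("s3:GetObject", good), ("s3:*", "arn:aws:s3:::*")]:
        print(action, res, "->", audit_ota_policy(make_policy(action, res)) or "OK")
```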

Documentation for AWS IoT Greengrass

AWS IoT Greengrass documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in the AWS GovCloud (US-West) Region. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in the AWS GovCloud (US-West) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • Message payloads

  • Device shadows (both keys and values)

  • Thing registry data (except thing names and thing attribute keys)

ITAR-Regulated Data Not Permitted

  • Message topics and topic filters

  • Customer-defined names and IDs of Greengrass resources:

    • Connectors

    • Cores

    • Devices

    • Functions

    • Groups

    • Loggers

    • Resources (local and machine learning)

    • Subscriptions