The following list details the differences for using Amazon Virtual Private Cloud (Amazon VPC) in the AWS GovCloud (US) Region compared to other AWS regions:

  • The Amazon Virtual Private Cloud VPN endpoints in AWS GovCloud (US) operate using FIPS 140-2 validated cryptographic modules. For more information about FIPS 140-2, see "Cryptographic Module Validation Program" on the NIST Computer Security Resource Center website.

  • You must launch Amazon EC2 instances, Amazon RDS instances, or Amazon EMR instances in an Amazon VPC. In some cases, your account might have a default VPC. For more information, see Determining if Your Account Has a Default Amazon VPC.

  • Amazon VPC Flow Logs can be delivered to Amazon CloudWatch Logs only. They cannot be directly delivered to Amazon Simple Storage Service (S3) in the AWS GovCloud (US) Region.

  • Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other regions, you can use HTTP or HTTPS.

  • Inter-region Amazon VPC peering connections are not supported.

For more information, see the Amazon Virtual Private Cloud documentation.

ITAR Boundary

The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • All data entered, stored, and processed in Amazon VPC can contain ITAR-regulated data.

  • You can transmit ITAR-regulated data in clear text across the network within your Amazon VPC.

  • You can transmit ITAR-regulated data in clear text across your Amazon VPC VPN tunnels, assuming the destination endpoint is ITAR compliant.

ITAR-Regulated Data Not Permitted

  • Amazon VPC metadata is not permitted to contain ITAR-regulated data. This metadata includes all of the configuration data that you enter when setting up and maintaining your VPCs.

  • If you are using VPC Flow Logs, the following field is not permitted to contain ITAR-regulated data:

    • Destination log group name
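As an added example (not code from the AWS documentation), the following Python audit applies the GovCloud (US) constraints from this page to flow-log and peering records shaped like the EC2 API responses: flow logs must deliver to CloudWatch Logs only, inter-region peering is unsupported, and the destination log group name is held to an opaque naming convention so that nothing sensitive (ITAR-regulated data included) can end up in it. The naming pattern, the function names and the sample records are assumptions constructed for the example.

```python
from __future__ import annotations
import re

# GovCloud (US) accepts VPC Flow Logs only into CloudWatch Logs (no direct S3 delivery).
ALLOWED_DESTINATION_TYPES = {"cloud-watch-logs"}

# Assumed organisational convention: log group names are opaque identifiers, so no
# descriptive (potentially ITAR-regulated) text can be typed into the field.
# The pattern is a constructed example, not an AWS requirement.
SAFE_LOG_GROUP = re.compile(r"^/vpc/flowlogs/[a-z0-9-]{1,32}$")


def audit_flow_logs(flow_logs: list[dict]) -> list[str]:
    """Return findings for records shaped like describe_flow_logs()['FlowLogs']."""
    findings = []
    for fl in flow_logs:
        fid = fl.get("FlowLogId", "<unknown>")
        dest = fl.get("LogDestinationType")
        if dest not in ALLOWED_DESTINATION_TYPES:
            findings.append(f"{fid}: destination type {dest!r} is not deliverable in GovCloud (US)")
        name = fl.get("LogGroupName", "")
        if dest == "cloud-watch-logs" and not SAFE_LOG_GROUP.match(name):
            findings.append(f"{fid}: log group name {name!r} breaks the opaque-name convention")
    return findings


def audit_peering(peerings: list[dict]) -> list[str]:
    """Flag peering connections (describe_vpc_peering_connections() shape) that span two regions."""
    findings = []
    for pc in peerings:
        req = pc.get("RequesterVpcInfo", {}).get("Region")
        acc = pc.get("AccepterVpcInfo", {}).get("Region")
        if req and acc and req != acc:
            findings.append(f"{pc.get('VpcPeeringConnectionId')}: inter-region peering {req} -> {acc} is unsupported")
    return findings


# Constructed sample records mirroring the shape of the EC2 API responses.
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-0aaa", "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/flowlogs/prod-east"},
    {"FlowLogId": "fl-0bbb", "LogDestinationType": "s3", "LogDestination": "arn:aws-us-gov:s3:::example-bucket"},
    {"FlowLogId": "fl-0ccc", "LogDestinationType": "cloud-watch-logs", "LogGroupName": "/vpc/flowlogs/project-EXAMPLE-contract"},
]
SAMPLE_PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-0111", "RequesterVpcInfo": {"Region": "us-gov-west-1"}, "AccepterVpcInfo": {"Region": "us-gov-west-1"}},
    {"VpcPeeringConnectionId": "pcx-0222", "RequesterVpcInfo": {"Region": "us-gov-west-1"}, "AccepterVpcInfo": {"Region": "us-gov-east-1"}},
]

if __name__ == "__main__":
    for line in audit_flow_logs(SAMPLE_FLOW_LOGS) + audit_peering(SAMPLE_PEERINGS):
        print(line)
```

Against a live account, feed the functions the `FlowLogs` and `VpcPeeringConnections` lists returned by the EC2 `describe_flow_logs` and `describe_vpc_peering_connections` calls; boto3 uses HTTPS endpoints by default, which satisfies the SSL requirement for GovCloud (US) calls.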

