AWS Identity and Access Management - AWS GovCloud (US)

AWS Identity and Access Management

AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access.

How IAM Differs for AWS GovCloud (US)

  • You must have an existing standard AWS account to create an AWS GovCloud (US) account. See AWS GovCloud (US) Sign Up to learn more. If you have AWS GovCloud (US) sign up issues, contact AWS Customer Support.

  • When your AWS GovCloud (US) account is created, you are provided initial access to the AWS Management Console for AWS GovCloud (US) by an Administrator IAM user or an OrganizationAccountAccessRole IAM role, depending on the method used.

    You cannot access the AWS Management Console for AWS GovCloud (US) using the associated standard AWS account root user credentials.

  • The AWS GovCloud (US) account root user is created at the same time the AWS GovCloud (US) account is created, but access to this user is not provided by default to AWS GovCloud (US) customers.

  • Access issues for IAM users that are administrators in your AWS GovCloud (US) account can be resolved by another administrator in the account.

    If all administrators have forgotten or lost access to the AWS GovCloud (US) account, request AWS GovCloud (US) account root user access keys to restore IAM administrator access to the AWS Management Console for AWS GovCloud (US). See Requesting root access keys for an AWS GovCloud (US) account to get started.

  • There is one IAM control plane for all AWS GovCloud (US) Regions, which is located in the AWS GovCloud (US-West) Region. Each AWS Region has a completely independent instance of the IAM data plane. For more information, see Resilience in AWS Identity and Access Management.

  • When you use IAM or AWS STS in AWS GovCloud (US), you must call the AWS GovCloud (US) IAM and AWS STS endpoints (for example, iam.us-gov.amazonaws.com for IAM, and sts.us-gov-west-1.amazonaws.com or sts.us-gov-east-1.amazonaws.com for AWS STS). Credentials issued in an AWS GovCloud (US) account are not valid against the standard-partition endpoints. Use TLS (HTTPS) for every call to IAM or AWS STS in AWS GovCloud (US) Regions.

  • IAM users that you create in AWS GovCloud (US) are specific to AWS GovCloud (US) and do not exist in other standard AWS Regions.

  • AWS GovCloud (US) supports MFA devices listed in the Multi-Factor Authentication (MFA) in AWS GovCloud (US) page.

    • You can use these MFA devices with your AWS GovCloud (US) administrator user or any IAM user in your account.

    • You cannot use these MFA devices with your AWS GovCloud (US) account root user.

  • You cannot create a role to delegate access between an AWS GovCloud (US) account and a standard AWS account. A role trust policy in an AWS GovCloud (US) account therefore cannot name a standard-partition principal (arn:aws:iam::...), and a standard account cannot trust a GovCloud (US) principal.

  • Customers with export-controlled data (for example, export-controlled technical data) in their environment may consider using IAM roles as part of their export control compliance program. It is the customer's responsibility to architect its AWS GovCloud (US) account appropriately if export-controlled data will be present in its environment, in order to comply with export control laws.

  • When you create policies, use the AWS GovCloud (US) resource ARN prefix, arn:aws-us-gov:, rather than the standard arn:aws: prefix. An ARN written with the standard partition never matches a resource in an AWS GovCloud (US) Region, so a statement that uses it grants nothing. For more information, see Amazon Resource Names (ARNs) in GovCloud (US) Regions.

  • When you use a SAML provider in AWS GovCloud (US) Regions, use the following URL for the XML document that contains relying party information and certificates: https://signin.amazonaws-us-gov.com/static/saml-metadata.xml. For more information, see Configuring a Relying Party and Adding Claims in IAM User Guide.

  • IAM Access Analyzer unused access findings and policy generation are not supported in AWS GovCloud (US). To learn more, see IAM Access Analyzer in the IAM User Guide.

  • IAM Roles Anywhere is supported in AWS GovCloud (US). To learn more, see Providing access for non-AWS workloads in the IAM User Guide.

  • When configuring SAML applications for single sign-on in AWS GovCloud (US), the SAML Audience (urn:amazon:webservices:govcloud) and the Assertion Consumer Service (ACS) URL (https://signin.amazonaws-us-gov.com/saml) differ from those used in the standard Regions (urn:amazon:webservices and https://signin.aws.amazon.com/saml). Identity provider configurations copied from a standard account must be updated to these values.
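The two partition pitfalls in the list above (a standard-partition ARN in a permissions policy that silently matches nothing, and a standard-partition principal in a trust policy that GovCloud (US) cannot delegate to) are easy to catch before a policy is ever attached. The following checker is an added example written for this page, not AWS code or tooling: it walks a policy document, pulls out every ARN (Resource, NotResource, Principal and Condition values such as aws:SourceArn), and reports any whose partition is not aws-us-gov or whose Region is not one of the two GovCloud (US) Regions. The sample policies are constructed for the example; the account ID in them is a placeholder.

```python
import json
import re

# Every ARN in a GovCloud (US) account uses this partition (see the ARN page linked above).
GOVCLOUD_PARTITION = "aws-us-gov"
# The two AWS GovCloud (US) Regions.
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}

# arn:partition:service:region:account-id:resource  (region and account-id may be empty,
# e.g. IAM and S3 ARNs; the resource part may itself contain colons).
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*):(?P<account>[^:]*):(?P<resource>.+)$"
)


def iter_arns(node):
    """Yield every ARN-looking string anywhere in a policy document, so Resource,
    NotResource, Principal and Condition values are all covered."""
    if isinstance(node, str):
        if node.startswith("arn:"):
            yield node
    elif isinstance(node, dict):
        for child in node.values():
            yield from iter_arns(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_arns(child)


def check_policy(policy_json):
    """Return a list of findings for ARNs that can never match in a GovCloud (US) account.

    A standard-partition ARN in a permissions policy grants nothing; in a role trust
    policy it names a principal in the other partition, which GovCloud (US) cannot
    delegate to. A GovCloud partition ARN with a non-GovCloud Region is equally dead."""
    findings = []
    for arn in iter_arns(json.loads(policy_json)):
        match = ARN_RE.match(arn)
        if match is None:
            findings.append(f"malformed ARN: {arn}")
            continue
        partition, region = match.group("partition"), match.group("region")
        if partition != GOVCLOUD_PARTITION:
            findings.append(f"wrong partition '{partition}', expected '{GOVCLOUD_PARTITION}': {arn}")
        elif region and region not in GOVCLOUD_REGIONS:
            findings.append(f"region '{region}' is not a GovCloud (US) Region: {arn}")
    return findings


def rewrite_partition(policy_json):
    """Rewrite arn:aws: prefixes to arn:aws-us-gov: when porting a policy from a standard
    account. Regions and account IDs are deliberately left alone: a standard account ID is
    not a GovCloud (US) account, and a Region such as us-east-1 has no GovCloud equivalent,
    so those still have to be reviewed by a person (check_policy flags the Region case)."""
    policy = json.loads(policy_json)
    ported = json.loads(json.dumps(policy).replace("arn:aws:", f"arn:{GOVCLOUD_PARTITION}:"))
    return json.dumps(ported, indent=2)


# Constructed sample: a trust policy copied verbatim from a standard-partition account.
TRUST_POLICY_FROM_STANDARD_ACCOUNT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account ID
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: a permissions policy written correctly for GovCloud (US).
GOVCLOUD_PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws-us-gov:s3:::example-bucket/*",
        "Condition": {"ArnLike": {
            "aws:SourceArn": "arn:aws-us-gov:sqs:us-gov-west-1:111122223333:example-queue"
        }},
    }],
})

# Constructed sample: right partition, but a Region that does not exist in GovCloud (US).
WRONG_REGION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws-us-gov:sqs:us-east-1:111122223333:example-queue",
    }],
})


if __name__ == "__main__":
    for name, doc in [("trust policy", TRUST_POLICY_FROM_STANDARD_ACCOUNT),
                      ("permissions policy", GOVCLOUD_PERMISSIONS_POLICY),
                      ("wrong-region policy", WRONG_REGION_POLICY)]:
        print(name, "->", check_policy(doc) or "OK")
    print("ported trust policy ->", check_policy(rewrite_partition(TRUST_POLICY_FROM_STANDARD_ACCOUNT)) or "OK")
```

Run it as a pre-commit or CI step over every policy document in the repository that manages the GovCloud (US) account. The rewrite helper only fixes the partition string; it is not a substitute for the review of Regions and account IDs that the Region finding is there to force.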

Documentation for AWS Identity and Access Management

AWS IAM documentation.

Export-Controlled Content

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.

  • IAM metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your IAM entities.

  • Do not enter export-controlled data in the following fields:

    • Authentication codes, which are clear-text memcached

    • User names

    • Group names

    • Password policies

    • Policy names

    • Roles and role names

    • Policy documents