
AWS GovCloud (US) User Guide


Copyright © 2016 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner
that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not
owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by
Amazon.

Table of Contents

Welcome (p. 1)
What is AWS GovCloud (US)? (p. 2)
    Differences with Standard AWS Accounts (p. 3)
    Billing and Payment (p. 4)
    Supported Services (p. 5)
Getting Started (p. 7)
    Signing Up (p. 7)
    On-boarding (Direct Customers) (p. 8)
        Configuring Your Account (p. 9)
        Verifying AWS CloudTrail Is Enabled (p. 9)
    On-boarding (Resellers or Reseller Customers) (p. 11)
    Enabling Virtual MFA (p. 14)
        Setting Up a Virtual MFA Device for Your AWS GovCloud (US) IAM Users (p. 14)
    Importing Virtual Machines (p. 15)
        ITAR Best Practices (p. 15)
    Signing Up for Customer Support (p. 16)
Setting Up AWS GovCloud (US) (p. 17)
    CloudFront with Your Resources (p. 17)
        Credentials (p. 18)
        Tips for Setting Up CloudFront (p. 18)
        AWS WAF (p. 18)
    Amazon Route 53 with Your Resources (p. 19)
    Amazon Route 53 Zone Apex Support with a Load Balancer (p. 19)
        Step 1: Sign Up for AWS GovCloud (US) (p. 20)
        Step 2: Create Your Resources in the AWS GovCloud (US) Region (p. 20)
        Step 3: Create a CloudFront Custom Origin Web Distribution (p. 22)
        Step 4: Configure a New Amazon Route 53 Alias Resource Record Set (p. 24)
        Step 5: Test that Your Website is Accessible (p. 24)
    Amazon SES (p. 24)
Using AWS GovCloud (US) (p. 26)
    Amazon Resource Names (p. 26)
        ARN Format (p. 27)
        Example ARNs (p. 27)
        Paths in ARNs (p. 30)
    Endpoints (p. 31)
    Maintaining ITAR Compliance (p. 33)
    Accessing the AWS GovCloud (US) Region (p. 34)
    Controlling Access (p. 34)
    Command Line and API Access (p. 34)
    Resource Limits (p. 35)
    Penetration Testing (p. 35)
    Service Health Dashboard (p. 36)
Services in the AWS GovCloud (US) Region (p. 37)
    Auto Scaling (p. 38)
        ITAR Boundary (p. 38)
    AWS CloudFormation (p. 38)
        ITAR Boundary (p. 38)
    AWS CloudHSM (p. 39)
        ITAR Boundary (p. 39)
    AWS CloudTrail (p. 39)
        Services Supported within CloudTrail (p. 40)
        ITAR Boundary (p. 41)
    Amazon CloudWatch (p. 42)
        ITAR Boundary (p. 42)
    AWS Direct Connect (p. 42)
        ITAR Boundary (p. 43)
    DynamoDB (p. 43)
        ITAR Boundary (p. 43)
    Amazon EBS (p. 44)
        ITAR Boundary (p. 44)
    Amazon EC2 (p. 45)
        Determining if Your Account Has a Default Amazon VPC (p. 46)
        ITAR Boundary (p. 47)
    Elastic Load Balancing (p. 47)
        ITAR Boundary (p. 48)
    ElastiCache (p. 48)
        ITAR Boundary (p. 49)
    Amazon EMR (p. 50)
        ITAR Boundary (p. 50)
    Amazon Glacier (p. 50)
        ITAR Boundary (p. 51)
    AWS Identity and Access Management (p. 51)
        ITAR Boundary (p. 51)
    AWS Import/Export (p. 52)
        ITAR Boundary (p. 52)
    AWS KMS (p. 53)
        ITAR Boundary (p. 53)
    Amazon Redshift (p. 54)
        ITAR Boundary (p. 54)
    Amazon RDS (p. 56)
        ITAR Boundary (p. 56)
    Amazon S3 (p. 57)
        ITAR Boundary (p. 58)
    Amazon SNS (p. 58)
        ITAR Boundary (p. 58)
    Amazon SQS (p. 59)
        ITAR Boundary (p. 59)
    Amazon SWF (p. 60)
        ITAR Boundary (p. 60)
    Amazon VPC (p. 61)
        ITAR Boundary (p. 61)
    AWS Management Console (p. 62)
        ITAR Boundary (p. 62)
    AWS Trusted Advisor (p. 63)
        ITAR Boundary (p. 65)
Troubleshooting (p. 66)
    Client.UnsupportedOperation: Instances can only be launched within Amazon VPC in this region (p. 66)
Related Resources (p. 67)
    New to AWS (p. 67)
    Experienced with AWS (p. 68)
Document History (p. 69)
AWS Glossary (p. 74)


Welcome

The AWS GovCloud (US) User Guide provides details on setting up your AWS GovCloud (US) account,
identifies the differences between the AWS GovCloud (US) Region and other AWS regions, and defines
usage guidelines for processing ITAR-regulated data within the AWS GovCloud (US) Region. This guide
assumes that you are familiar with Amazon Web Services (AWS).

For more information about AWS GovCloud (US), see What is AWS GovCloud (US)? (p. 2).

For a list of AWS or AWS GovCloud (US) related resources, see Related Resources (p. 67).


What is AWS GovCloud (US)?

AWS GovCloud (US) is an isolated AWS region designed to allow U.S. government agencies and
customers to move sensitive workloads into the cloud by addressing their specific regulatory and
compliance requirements. The AWS GovCloud (US) Region adheres to U.S. International Traffic in Arms
Regulations (ITAR) requirements.

You can run workloads that contain all categories of Controlled Unclassified Information (CUI) data and
government-oriented, publicly available data in the AWS GovCloud (US) Region. The AWS GovCloud
(US) Region supports the management of regulated data by offering the following features:

• Restricting physical and logical administrative access to U.S. persons only.
• Providing FIPS 140-2 validated endpoints. (For details on each service, see the AWS GovCloud (US)
Endpoints (p. 31) section.)

Depending on your requirements, you can also run unclassified workloads in the AWS GovCloud (US)
Region and use the unique capabilities of this region.
Note
AWS manages physical and logical access controls for the AWS boundary. However, the overall
security of your workloads is a shared responsibility, where you are responsible for controlling
user access to content in your AWS GovCloud (US) account.

The AWS GovCloud (US) User Guide provides details on setting up your AWS GovCloud (US) account,
identifies the differences between the AWS GovCloud (US) Region and other AWS regions, and defines
usage guidelines for processing ITAR-regulated data within the AWS GovCloud (US) Region. This guide
assumes that you are familiar with Amazon Web Services (AWS).

Additional resources:

• For pricing information, see AWS GovCloud (US) Region Pricing.
• For information about the differences between the AWS GovCloud (US) Region and other AWS regions,
see AWS GovCloud (US) Region Compared to Standard AWS Regions (p. 3).
• For more information about ITAR compliance, see Maintaining U.S. International Traffic in Arms
Regulations (ITAR) Compliance (p. 33).
• For a list of AWS or AWS GovCloud (US)–related resources, see Related Resources (p. 67).


AWS GovCloud (US) Region Compared to Standard AWS Regions

AWS GovCloud (US) is a gated community for workloads with direct or indirect ties to U.S. government
functions or services. As a result, AWS GovCloud (US) offers the following features that are not available
in the standard AWS regions:

• The AWS GovCloud (US) Region uses FIPS 140-2 approved cryptographic modules for all AWS service
API endpoints, unless otherwise indicated in the AWS GovCloud (US) Endpoints (p. 31) section.
• The AWS GovCloud (US) Region maintains an ITAR-compliant infrastructure and is appropriate for all
types of Controlled Unclassified Information (CUI) and unclassified data. For more details, see
Maintaining U.S. International Traffic in Arms Regulations (ITAR) Compliance (p. 33).
• The AWS GovCloud (US) Region is physically isolated and has logical network isolation from all other
regions.
• For administrative purposes, AWS restricts all physical and logical access to the AWS GovCloud (US)
Region and all potential access to restricted customer data. AWS allows only vetted U.S. persons with
distinct access controls separate from other AWS regions to administer the AWS GovCloud (US)
Region. Any customer data fields that are defined as outside of the ITAR boundary (such as S3 bucket
names) are explicitly documented in the service-specific section as not permitted to contain
ITAR-regulated data.
• The AWS GovCloud (US) Region authentication is completely isolated from Amazon.com.

The AWS GovCloud (US) Region also has high-level differences compared to the standard AWS regions.
These differences are important when you evaluate and use the AWS GovCloud (US) Region. The
following list outlines the differences:

Sign up
During the signup process, each customer is vetted to ensure they are a U.S. entity (such as a
government body, contracting company, or educational organization) and cannot be prohibited or
restricted by the U.S. government from exporting or providing services.
Endpoints
The AWS GovCloud (US) Region uses endpoints that are specific to the AWS GovCloud (US) Region
and that are accessible only to AWS GovCloud (US) customers. For a list of these endpoints, see
AWS GovCloud (US) Endpoints (p. 31).
Credentials
You can access the AWS GovCloud (US) Region only with AWS GovCloud (US) credentials (AWS
GovCloud (US) account access key and AWS GovCloud (US) IAM user credentials). You cannot
access the AWS GovCloud (US) Region with standard AWS credentials; likewise, you cannot access
standard AWS regions using AWS GovCloud (US) credentials. Access credentials for the AWS
GovCloud (US) Region are isolated from the standard AWS regions.
AWS Management Console for the AWS GovCloud (US) Region
You sign in to the AWS GovCloud (US) console by using an IAM user name and password. This
requirement is different from the standard AWS Management Console, where you can sign in by
using your account credentials (email address and password). You cannot use your AWS GovCloud
(US) account access keys to sign in to the AWS GovCloud (US) console. For more information about
creating an IAM user, see Getting Started with AWS GovCloud (US) (p. 7).
Billing, account activity, and usage reports
An AWS GovCloud (US) account is always associated with a single standard AWS account for billing
and payment purposes. All AWS GovCloud (US) usage is billed or invoiced to the associated standard
AWS account. You can view the AWS GovCloud (US) account activity and usage reports only through
the associated standard AWS account.


Services
The AWS GovCloud (US) Region currently supports only the services that are listed in Supported
Services (p. 5). As additional services are deployed to the AWS GovCloud (US) Region, the list of
supported services will be updated.

Services in the AWS GovCloud (US) Region might have different capabilities compared to services
in standard AWS regions. For example, in AWS GovCloud (US), you must launch all Amazon EC2
instances in an Amazon Virtual Private Cloud (Amazon VPC). For detailed information about each
service in the AWS GovCloud (US) Region, see Using AWS GovCloud (US) (p. 26).

For all AWS GovCloud (US) accounts created after 12/15/2014, AWS CloudTrail is automatically
enabled with logging turned on. Amazon SNS notifications, however, must be set up separately.
If you prefer not to have CloudTrail enabled, you can disable it or turn off logging in the CloudTrail
console in the AWS Management Console for the AWS GovCloud (US) Region.
Multi-factor authentication
Hard token multi-factor authentication (MFA) devices are not available in the AWS GovCloud (US)
Region. You can still use virtual MFA. For more information, see Enabling Virtual Multi-Factor
Authentication (MFA) (p. 14).

AWS GovCloud (US) Billing and Payment

All AWS GovCloud (US) activity, usage, and payments are managed through a standard AWS account.
When you sign up for AWS GovCloud (US), your AWS GovCloud (US) account is associated with your
standard AWS account. You can associate only one AWS GovCloud (US) account to one standard AWS
account. If you require multiple AWS GovCloud (US) accounts, you must create a standard AWS account
for each AWS GovCloud (US) account.

To view account activity and usage reports for the AWS GovCloud (US) account, you must sign in to the
standard AWS account (using credentials from that account). You cannot view usage and activity from
the AWS Management Console for the AWS GovCloud (US) Region.

If you use AWS services in other regions with the standard AWS account, your account activity and usage
reports are combined. If you want to separate billing and usage between the two accounts, create a new
standard AWS account that you use only to associate with your AWS GovCloud (US) account.

The following diagram outlines the relationship between AWS GovCloud (US) and standard AWS accounts:

[Figure: AWS GovCloud (US) account relationship to standard AWS account]

Supported Services
The AWS GovCloud (US) Region currently supports AWS services in the following list. For more information
about requesting a service that is not currently supported, contact your AWS GovCloud (US) Region
business representative.

For a complete list of all regions and their supported services, see Products and Services by Region.

Compute
• Amazon Elastic Compute Cloud (Amazon EC2) (p. 45)
• Auto Scaling (p. 38)
• Elastic Load Balancing (p. 47)
Storage & Content Delivery
• Amazon Simple Storage Service (Amazon S3) (p. 57)
• Amazon Elastic Block Store (Amazon EBS) (p. 44)
• Amazon Glacier (p. 50)
• AWS Import/Export (p. 52)
Database
• Amazon Relational Database Service (Amazon RDS) (p. 56)
• Amazon DynamoDB (p. 43)
• Amazon ElastiCache (p. 48)
• Amazon Redshift (p. 54)
Networking
• Amazon Virtual Private Cloud (Amazon VPC) (p. 61)
• AWS Direct Connect (p. 42)
Management Tools
• Amazon CloudWatch (p. 42)


• AWS CloudFormation (p. 38)
• AWS CloudTrail (p. 39)
• AWS Management Console for the AWS GovCloud (US) Region (p. 62)
Security & Identity
• AWS Identity and Access Management (IAM) (p. 51)
• AWS CloudHSM (p. 39)
• AWS Key Management Service (AWS KMS) (p. 53)
Analytics
• Amazon Elastic MapReduce (Amazon EMR) (p. 50)
Application Services
• Amazon Simple Notification Service (Amazon SNS) (p. 58)
• Amazon Simple Queue Service (Amazon SQS) (p. 59)
• Amazon Simple Workflow Service (Amazon SWF) (p. 60)
Support
• Signing Up for AWS GovCloud (US) Customer Support (p. 16)
• Service Health Dashboard
• AWS Trusted Advisor (p. 63)

Getting Started with AWS GovCloud (US)

To sign up for AWS GovCloud (US) and to access the AWS Management Console for the AWS GovCloud
(US) Region, you follow procedures that are different from those for other AWS regions.

The following topics describe how to sign up and get set up with AWS GovCloud (US).

Topics
• Signing Up for AWS GovCloud (US) (p. 7)
• On-boarding to AWS GovCloud (US) (Direct Customers) (p. 8)
• On-boarding to AWS GovCloud (US) (Resellers or Reseller Customers) (p. 11)
• Enabling Virtual Multi-Factor Authentication (MFA) (p. 14)
• Importing Virtual Machines into the AWS GovCloud (US) Region (p. 15)
• Signing Up for AWS GovCloud (US) Customer Support (p. 16)

Signing Up for AWS GovCloud (US)

AWS GovCloud (US) follows specific U.S. regulatory requirements. You can only obtain AWS GovCloud
(US) accounts if you are an individual or entity that qualifies as a U.S. Person under applicable regulations.
In addition to the AWS Customer Agreement, you must also sign an AWS GovCloud (US) Region
Addendum.

In order to enable access to the AWS GovCloud (US) Region, you must first have a standard AWS account
for billing and customer support purposes.
Note
It is a best practice to create a new AWS account that you will use only for AWS GovCloud (US)
access. This allows you to do the following:

• Transfer the AWS GovCloud (US) account to another party.
• Ensure the root user of the standard AWS account, which is the parent account of the AWS
GovCloud (US) account, is a U.S. Person.
• Fully close the AWS GovCloud (US) account without affecting your other AWS workloads.


To sign up for AWS GovCloud (US)

1. Determine if you are a direct customer, reseller, or reseller customer.

You are a direct customer if your organization is paying or will pay your bills directly to AWS, and
you are not reselling AWS services to an end user. You can sign up for an AWS GovCloud (US)
account from your standard AWS account.

You are a reseller if your organization is reselling AWS services.

You are a reseller customer if you are paying a third party for AWS services.
2. If you are a direct customer or a reseller, create a standard AWS account by clicking Sign Up on
the AWS homepage, as shown in the following figure:

If you are a reseller customer, contact your reseller to open a standard account and request AWS
GovCloud (US) access.
3. If you are a direct customer:

1. Sign in to the standard AWS Management Console as root user for your AWS account.
2. Navigate to the Account Settings page.
3. Choose the Sign up for AWS GovCloud (US) button and then follow the instructions that appear.

If you do not see a Sign up for AWS GovCloud (US) button, your account does not meet the
criteria for self-enrollment. To request enrollment, follow the reseller steps in the next section.

If you are a reseller:

1. Go to the AWS GovCloud (US) Contact Us page.
2. Complete the form to start the sign-up process.

On-boarding to AWS GovCloud (US) (Direct Customers)

If you are a direct customer, there are a few things you should do to make it easier to sign in and use
the AWS GovCloud (US) console. We automatically enable AWS CloudTrail for AWS GovCloud (US)
accounts, but you should also verify that CloudTrail is enabled and is storing logs.


Configuring Your Account

The steps in this section describe how to sign in and create an account alias and access keys.

To sign in to the AWS GovCloud (US) console

1. Open the AWS GovCloud (US) console.
2. Sign in using your account number and administrator credentials. You will need to specify your
account number.
Note
If you did not save your AWS GovCloud (US) sign-in link, which includes your account
number, you can retrieve your account number by signing in to the standard AWS
Management Console with your root credentials, opening the Accounts page, and choosing
the Sign up for AWS GovCloud (US) button. You will be directed to a page that indicates
you already have access and displays your account number.

To create an account alias

Creating an account alias is optional but strongly recommended. If you do not create an account alias,
be sure to save your AWS GovCloud (US) sign-in link because your AWS GovCloud (US) account number
is different from your AWS account number.

1. Sign in to the AWS GovCloud (US) console and open the IAM console at
https://console.amazonaws-us-gov.com/iam.
2. Next to the IAM users sign-in link, choose Customize.
3. Type an alias for your account.

IAM users can now use either the account alias or account number when signing in to the AWS
GovCloud (US) console.

To create and download access keys

The password for your AWS GovCloud (US) administrator IAM user cannot be reset by the root user of
your AWS account. Creating access keys for your AWS GovCloud (US) administrator user is helpful
because they can be used to reset your administrator password from the command line.

1. Sign in to the AWS GovCloud (US) console and open the IAM console at
https://console.amazonaws-us-gov.com/iam.
2. In the navigation pane, choose Users, and then select the IAM user for which you want to
generate access keys.
3. On the Security Credentials tab, choose Create Access Key.
4. To download the access key, choose Download Credentials and save the file locally.

Verifying AWS CloudTrail Is Enabled

As part of the automated AWS GovCloud (US) activation process, the CloudTrail service should be
enabled for each account and an Amazon S3 bucket should be created to store CloudTrail logs. In the
event of any interruptions in the automation process, you can manually enable CloudTrail.

To verify the S3 bucket was created for CloudTrail log storage

1. Sign in to the AWS GovCloud (US) console and open the Amazon S3 console at
https://console.amazonaws-us-gov.com/s3.


2. If a bucket already exists, skip to the next procedure to ensure CloudTrail is enabled.
3. Choose Create Bucket.
4. Type a name for your bucket.

Bucket names must be unique. S3 buckets created during the automated process follow the naming
convention "cloudtrail-xxxxxxxxxxxx" where xxxxxxxxxxxx is replaced by the AWS GovCloud
(US) account number. If you want to use a different bucket name, you can delete this bucket, create
a new bucket, and then follow the steps in the next section to enable CloudTrail.

To verify CloudTrail is enabled

1. Sign in to the AWS GovCloud (US) console and open the CloudTrail console at
https://console.amazonaws-us-gov.com/cloudtrail.
2. Choose Get Started Now.
3. On the Turn on CloudTrail page next to Create a new S3 bucket, choose No.
4. From the S3 bucket drop-down list, choose the S3 bucket you created in the previous procedure.
5. Choose Turn On.

This will set a bucket policy that allows the CloudTrail service to store logs in the S3 bucket. If the
automated process created an S3 bucket and enabled CloudTrail, the following policy was applied:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-us-gov:iam::608710470296:root"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws-us-gov:s3:::s3_bucket_name"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-us-gov:iam::608710470296:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::s3_bucket_name/AWSLogs/account_id/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
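To check that a log bucket's policy still matches the one above (for example after it has been edited by hand), the following script is an added example, not code from this guide or from AWS. It parses a bucket policy offline and reports any deviation: a missing grant, an s3:PutObject grant wider than AWSLogs/<account_id>/, a dropped bucket-owner-full-control condition, a wildcard principal, or an ARN outside the aws-us-gov partition. The CloudTrail principal is the one printed in the policy above; the account ID 123456789012 and the bucket name in the sample are constructed for the example.

```python
"""Offline audit of a CloudTrail log-bucket policy in the AWS GovCloud (US) Region.
Added example, not AWS code: checks that the policy grants the CloudTrail principal
what the guide's policy grants and nothing wider, and that every ARN is aws-us-gov."""
import json

# CloudTrail principal as printed in the guide's policy (608710470296 is the
# account number shown in the guide, not one chosen here).
CLOUDTRAIL_PRINCIPAL = "arn:aws-us-gov:iam::608710470296:root"
GOVCLOUD_PARTITION = "aws-us-gov"
REQUIRED_ACL = "bucket-owner-full-control"


def _as_list(value):
    """Action, Resource and Principal.AWS may be a single string or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principals(stmt):
    """AWS principals of a statement; a bare "*" is returned as ["*"]."""
    principal = stmt.get("Principal", {})
    return [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))


def _partition(arn):
    """Second field of an ARN (e.g. 'aws-us-gov'), or None if it is not an ARN."""
    parts = arn.split(":")
    return parts[1] if len(parts) >= 6 and parts[0] == "arn" else None


def audit_cloudtrail_bucket_policy(policy_json, bucket_name, account_id,
                                   principal=CLOUDTRAIL_PRINCIPAL):
    """Return a list of findings; an empty list means the policy matches the guide."""
    findings = []
    bucket_arn = f"arn:{GOVCLOUD_PARTITION}:s3:::{bucket_name}"
    log_prefix_arn = f"{bucket_arn}/AWSLogs/{account_id}/*"
    acl_ok = put_ok = False

    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        principals = _principals(stmt)
        resources = _as_list(stmt.get("Resource"))
        actions = _as_list(stmt.get("Action"))

        # Every ARN must live in the aws-us-gov partition; an "arn:aws:" ARN
        # names the standard partition and never matches a GovCloud resource.
        for arn in resources + principals:
            if arn != "*" and _partition(arn) != GOVCLOUD_PARTITION:
                findings.append(f"statement {i}: ARN outside aws-us-gov partition: {arn}")
        if "*" in principals:
            findings.append(f"statement {i}: grants access to any principal")
        if stmt.get("Effect") != "Allow" or principal not in principals:
            continue

        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_ok = True

        if "s3:PutObject" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            has_cond = cond.get("s3:x-amz-acl") == REQUIRED_ACL
            if not has_cond:
                findings.append(f"statement {i}: s3:PutObject lacks the {REQUIRED_ACL} condition")
            if has_cond and log_prefix_arn in resources:
                put_ok = True
            # CloudTrail only needs AWSLogs/<account_id>/*; anything wider is drift.
            for res in resources:
                if res != log_prefix_arn and (res == bucket_arn or res.startswith(bucket_arn + "/")):
                    findings.append(f"statement {i}: s3:PutObject allowed beyond AWSLogs/{account_id}/: {res}")

    if not acl_ok:
        findings.append("missing s3:GetBucketAcl grant to the CloudTrail principal on the bucket")
    if not put_ok:
        findings.append(f"missing conditioned s3:PutObject grant on {log_prefix_arn}")
    return findings


# Constructed sample input: the guide's policy with its placeholders filled in.
# The account ID 123456789012 and the bucket name are made up for this example.
SAMPLE_ACCOUNT_ID = "123456789012"
SAMPLE_BUCKET = f"cloudtrail-{SAMPLE_ACCOUNT_ID}"


def build_policy(put_resource, with_condition=True):
    """Build a policy in the guide's shape with the given s3:PutObject resource."""
    acl = {"Sid": "", "Effect": "Allow", "Principal": {"AWS": CLOUDTRAIL_PRINCIPAL},
           "Action": "s3:GetBucketAcl", "Resource": f"arn:aws-us-gov:s3:::{SAMPLE_BUCKET}"}
    put = {"Sid": "", "Effect": "Allow", "Principal": {"AWS": CLOUDTRAIL_PRINCIPAL},
           "Action": "s3:PutObject", "Resource": put_resource}
    if with_condition:
        put["Condition"] = {"StringEquals": {"s3:x-amz-acl": REQUIRED_ACL}}
    return json.dumps({"Version": "2012-10-17", "Statement": [acl, put]})


# As applied by the automated process: no findings expected.
SAMPLE_POLICY = build_policy(f"arn:aws-us-gov:s3:::{SAMPLE_BUCKET}/AWSLogs/{SAMPLE_ACCOUNT_ID}/*")
# Drifted by hand: PutObject on the whole bucket and the ACL condition dropped.
DRIFTED_POLICY = build_policy(f"arn:aws-us-gov:s3:::{SAMPLE_BUCKET}/*", with_condition=False)

if __name__ == "__main__":
    for name, policy in (("guide policy", SAMPLE_POLICY), ("drifted policy", DRIFTED_POLICY)):
        print(name, "->", audit_cloudtrail_bucket_policy(policy, SAMPLE_BUCKET, SAMPLE_ACCOUNT_ID) or "OK")
```

To audit a live bucket, fetch the policy document with the GovCloud credentials and endpoint and pass its text to audit_cloudtrail_bucket_policy along with the bucket name and your AWS GovCloud (US) account number.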


On-boarding to AWS GovCloud (US) (Resellers or Reseller Customers)

If you are a reseller or a reseller customer, you must create an IAM user to sign in to the AWS Management
Console for the AWS GovCloud (US) Region.
Note
You cannot use the credentials that you received from your AWS GovCloud (US) Region business
representative to access the console.

To create your first administrative IAM user

1. Download and run the AWS GovCloud (US) console onboard tool.
2. Enter your access key ID and secret access key, and then click Next.

3. Enter a password for the administrator, and then click Next.

4. Optional: If you want to create an account alias, enter a name (all lowercase) for your account, and
then click Next.

An account alias provides an easy-to-remember link for signing in to the console. For more information
about account aliases, see Your AWS Account ID and Its Alias in IAM User Guide.
5. Review your information, and then click Complete.

You can click Back to edit any information.


6. Review your new AWS GovCloud (US) credentials. Your original keys have been deactivated.

7. Click Download New Keys to download your new keys and save them in a secure location. If you
do not download them, you will not be able to retrieve them in the future.
8. To access the AWS GovCloud (US) console, click the link to your account's sign-in URL.

You now have your first IAM user administrator, which you can use to sign in to the AWS GovCloud (US)
console. The administrator has full access to manage your AWS GovCloud (US) resources. For example,
as the administrator, you can create additional IAM users by using the AWS GovCloud (US) console.
You can then manage users and their permissions by assigning them to groups. For more information
about users, groups, and policies, see IAM Users and Groups in IAM User Guide.

Enabling Virtual Multi-Factor Authentication (MFA)
For increased security, we recommend that you protect your AWS resources by configuring AWS
multi-factor authentication (MFA). MFA adds extra security by requiring users to enter a unique
authentication code from their authentication device when accessing AWS websites or services. For MFA
to work in the AWS GovCloud (US), you must assign a virtual MFA device to each IAM user. Hardware
MFA devices are not available in the AWS GovCloud (US) Region.

Setting Up a Virtual MFA Device for Your AWS GovCloud (US) IAM Users
This section shows how to set up and enable a new MFA device. For answers to commonly asked
questions about AWS MFA, go to the AWS Multi-Factor Authentication FAQs.

The following high-level procedure describes how to set up and use an MFA device, and provides links
to related information.

1. Get an MFA device. The device must be a virtual MFA device. A virtual device can be a smartphone
or computer that has an MFA application installed on it. You can find information about where to
purchase the devices that AWS supports at http://aws.amazon.com/mfa/. The documentation topic
Using a Virtual MFA Device with AWS describes how to enable virtual MFA devices in all other regions.
Note
Each user must download their own virtual MFA device.
2. Enable virtual MFA for each of your AWS GovCloud (US) IAM users.
3. Each user must now use the virtual MFA device when logging on or accessing AWS resources in
the AWS GovCloud (US) Region.

Tip
In some cases, you can set up a desktop computer to work with virtual MFA. For more information,
see the AWS Discussion Forums.

To enable virtual MFA for an AWS GovCloud (US) IAM user

1. Sign in to the AWS GovCloud (US) console instead of the standard AWS console.
2. Follow the instructions at Enabling a Virtual Multi-factor Authentication (MFA) Device in the IAM User
Guide to enable a virtual MFA for your IAM user.

To sign in to the AWS GovCloud (US) Region using a virtual MFA device

1. Sign in to the AWS GovCloud (US) console.


2. Enter your MFA credentials. When MFA is enabled for an IAM user, the console will automatically
prompt you for your MFA credentials.

For more information about how to sign in using MFA, see Using MFA Devices With Your IAM Sign-in
Page.
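The "unique authentication code" a virtual MFA device produces is a time-based one-time password: the MFA app and AWS share a secret seed, and both derive the code from that seed and the current time step, so a code is only valid for a short window and cannot be reused. The following Python script is an added example, not code from this guide or from AWS. It implements RFC 6238 TOTP with the RFC's default parameters (HMAC-SHA-1, six digits, 30-second step), which is assumed here to be what virtual MFA applications use, verifies a submitted code with a one-step clock-skew window, and refuses to accept the same code twice. The seed is the RFC 6238 test-vector secret, not a real AWS seed, and the base32 seed form is the usual otpauth convention for entering a seed by hand.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at_time // step, digits)


def seed_from_base32(seed: str) -> bytes:
    """Decode a base32 seed as typed into an MFA app (spaces and padding tolerated)."""
    cleaned = seed.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)        # restore the padding apps usually strip
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check of submitted codes for one user.

    A code is accepted for the current step or one step either side (clock skew).
    The last accepted step is remembered, so a code that was already used, or any
    older one, is rejected even though it is still inside the skew window.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_accepted: Optional[int] = None  # counter of the last accepted code

    def verify(self, code: str, at_time: int) -> bool:
        counter = at_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if self.last_accepted is not None and candidate <= self.last_accepted:
                continue                         # replay or stale step: never accept
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted = candidate
                return True
        return False


def verify_twice(secret: bytes, code: str, first: int, second: int) -> Tuple[bool, bool]:
    """Submit the same code twice to one verifier; shows replay rejection."""
    verifier = TotpVerifier(secret)
    return verifier.verify(code, first), verifier.verify(code, second)


# RFC 6238 test-vector secret (ASCII "12345678901234567890"), NOT a real seed.
RFC6238_SECRET = b"12345678901234567890"
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    code = totp(RFC6238_SECRET, 59)              # RFC 6238 vector at T=59: 287082
    print("code:", code)
    print("first use, then replay:", verify_twice(RFC6238_SECRET, code, 59, 61))  # (True, False)
```

The RFC 6238 appendix vectors (for example 94287082 at T=59 with eight digits) make this easy to check against any other implementation; a verifier that skips the `last_accepted` bookkeeping would accept a captured code for up to 90 seconds, which is the failure mode the class guards against.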

Importing Virtual Machines into the AWS GovCloud (US) Region
With Amazon EC2 VM Import, you can import virtual machine images from your environment to Amazon
EC2 instances or as images. This capability is available at no charge beyond standard usage charges
for Amazon EC2 and Amazon S3. AWS GovCloud (US) supports all image types (RAW, VHD, VMDK,
and OVA) and operating systems specified in the Amazon EC2 VM Import documentation, with the
exception of Windows 10.

ITAR Best Practices


You should never enter ITAR-regulated data in CLI arguments or paths. As a best practice, ITAR-regulated
data should be encrypted and placed in partitions other than root and boot. If you have questions, contact
us.

The AWS Management Portal for vCenter, which enables you to manage your AWS resources using
VMware vCenter, is not compatible with the AWS GovCloud (US) Region.

Signing Up for AWS GovCloud (US) Customer Support
AWS Support is available for the AWS GovCloud (US) Region. As an AWS GovCloud (US) customer,
you can access the AWS Support engineers 24 hours per day by phone, email, and chat. In cases where
export controls are a concern, AWS routes cases to ITAR-vetted and trained support engineers who
understand the sensitivity around export controls. AWS GovCloud (US) protected resources are accessible
only by ITAR-vetted and trained support engineers. However, non-vetted personnel can assist with basic
support cases that do not contain protected resources. For more information see AWS GovCloud (US)
Region Support.

To sign up for AWS Customer Support for the AWS GovCloud (US) Region, go to the customer support
sign up page. You sign up for support by using the standard AWS root account credentials that are
associated with your AWS GovCloud (US) account. You can sign up for Business Level support or submit
a request for Enterprise Level support by completing the Enterprise Support form.
Note
Your premium support options are associated with your standard AWS account but also apply
to your AWS GovCloud (US) account. If you already have support on your standard AWS account,
you aren't required to sign up for support again.

To open a new case, sign in to the Support Center with your standard AWS root account credentials. If
you are opening a case for your AWS GovCloud (US) account, include a note that this case is for your
AWS GovCloud (US) account, and include your AWS GovCloud (US) account ID. Do not enter any
ITAR-regulated data in the case.

Customer Support Differences for the AWS GovCloud (US) Region

• The Customer Support Center is available only through the standard AWS account that is associated
with your AWS GovCloud (US) account.
• Select Premium Support features, such as some AWS Trusted Advisor (p. 63) checks, are not available
for your AWS GovCloud (US) account.
• The Service Health Dashboard for the AWS GovCloud (US) Region can be found at: http://
status.aws.amazon.com/govcloud.
• The AWS GovCloud (US) Region does not have a dedicated forum area.
• AWS accounts with an associated AWS GovCloud (US) account are prohibited from uploading
attachments in Support Center.

Setting Up AWS GovCloud (US) with AWS Services Outside of the AWS GovCloud (US) Region

The following sections describe how to set up different services as part of your AWS GovCloud (US)
architecture.

Topics
• Setting Up Amazon CloudFront with Your AWS GovCloud (US) Resources (p. 17)
• Setting Up Amazon Route 53 with Your AWS GovCloud (US) Resources (p. 19)
• Setting Up Amazon Route 53 Zone Apex Support with an AWS GovCloud (US) Elastic Load Balancing
Load Balancer (p. 19)
• Setting Up Amazon Simple Email Service in Your AWS GovCloud (US) Architecture (p. 24)

Setting Up Amazon CloudFront with Your AWS GovCloud (US) Resources
Amazon CloudFront is a web service that uses a global network of edge locations to deliver content to
end users with low latency and high data transfer speeds. CloudFront is an AWS global service that you
can leverage with your AWS GovCloud (US) resources. Requests for your content are routed to the
nearest edge location, so content is delivered with the best possible performance. CloudFront is optimized
to work with other Amazon Web Services, like Amazon Simple Storage Service (Amazon S3), Amazon
Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Amazon Route 53.

CloudFront also works seamlessly with any non-AWS origin server, which stores the original, definitive
versions of your files. Due to the isolation of the AWS GovCloud (US) Region, using CloudFront with your
AWS GovCloud (US) resources is analogous to using CloudFront with a non-AWS origin server.

Topics
• Credentials (p. 18)
• Tips for Setting Up CloudFront (p. 18)
• AWS WAF (p. 18)

Credentials
If you use CloudFront with AWS GovCloud (US), be sure that you use the correct credentials:

• To use CloudFront with your AWS GovCloud (US) resources, you must have an AWS GovCloud (US)
account. If you don't have an account, see Signing Up for AWS GovCloud (US) (p. 7) for more
information.
• To set up CloudFront, sign in to the CloudFront console by using your standard AWS credentials. You
cannot use your AWS GovCloud (US) account credentials to sign in to the standard AWS Management
Console.

Tips for Setting Up CloudFront

As you set up CloudFront to serve your AWS GovCloud (US) content, keep the following in mind:

• You will be setting up CloudFront to distribute content from a custom origin server.
• Because you will be using a custom origin server, you do not have the option to restrict bucket access
using a CloudFront Origin Access Identity.
• If you want to restrict viewer access and use signed URLs, you must:
• Use your standard AWS account and one of its CloudFront key pairs to create the signed URLs. As
with other AWS regions, you use the CloudFront key pair with your code or third-party console to
create the signed URLs.
• You can further restrict access to your content by blocking requests not originating from CloudFront
IP addresses. You can use bucket policies to accomplish this for original content stored in AWS
GovCloud (US) Amazon S3 buckets. A list of IP addresses is maintained on a best-effort basis at
https://forums.aws.amazon.com/ann.jspa?annID=910.
• If you want CloudFront to log all viewer requests for files in your distribution, select an Amazon S3
bucket in an AWS standard region as a destination for the log files.
• Since CloudFront is not within the AWS GovCloud (US) Region, CloudFront is not within the ITAR
boundary. If you want to use CloudFront to distribute your ITAR-regulated content, encrypt your content
in transit.
• Integrated support for CloudFront Live Streaming is not available for origins located in the AWS GovCloud
(US) Region.
• Streaming prerecorded media using Adobe’s Real-Time Messaging Protocol (RTMP) is not supported
with CloudFront for custom origins.
• For detailed information about CloudFront, see the CloudFront documentation.
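One way to apply the tip above about blocking requests that do not originate from CloudFront, for original content held in an AWS GovCloud (US) Amazon S3 bucket, is a bucket policy whose Allow statement is conditioned on the aws:SourceIp of the request. The following Python script is an added example, not from this guide or from AWS: it builds such a policy beside an unconditioned public-read policy and simulates the allow/deny outcome for a given source address, so the difference is visible before anything is deployed. The bucket name my_corporate_bucket is the guide's example name; the CIDR blocks are constructed placeholders from the IPv4 documentation ranges and must be replaced by the current CloudFront ranges from the list the guide links to.

```python
import ipaddress
from typing import Any, Dict, List

# Constructed placeholders (RFC 5737 documentation ranges), NOT CloudFront's
# real addresses: replace with the current list the guide links to.
CLOUDFRONT_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_read_policy(bucket: str) -> Dict[str, Any]:
    """The weak setting: anyone on the Internet can fetch objects straight from S3,
    bypassing CloudFront and whatever signed-URL or WAF controls sit in front of it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws-us-gov:s3:::{bucket}/*",
        }],
    }


def cloudfront_only_policy(bucket: str, ranges: List[str]) -> Dict[str, Any]:
    """Same grant, but only when the request's source address is inside `ranges`."""
    policy = public_read_policy(bucket)
    stmt = policy["Statement"][0]
    stmt["Sid"] = "ReadOnlyFromCloudFront"
    stmt["Condition"] = {"IpAddress": {"aws:SourceIp": list(ranges)}}
    return policy


def request_allowed(policy: Dict[str, Any], source_ip: str, action: str = "s3:GetObject") -> bool:
    """Evaluate an anonymous request for the parts of IAM modelled here:
    an explicit Deny wins, otherwise at least one matching Allow is required.
    Only the IpAddress/aws:SourceIp condition operator is understood."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt.get("Action")):
            continue
        cidrs = _as_list(stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp"))
        # A statement without a SourceIp condition matches every address.
        in_range = not cidrs or any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if not in_range:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    weak = public_read_policy("my_corporate_bucket")
    strict = cloudfront_only_policy("my_corporate_bucket", CLOUDFRONT_RANGES)
    for ip in ("203.0.113.7", "192.0.2.9"):
        print(ip, "public:", request_allowed(weak, ip),
              "cloudfront-only:", request_allowed(strict, ip))
```

Because CloudFront's address ranges change, the list in the policy has to be refreshed whenever the published list does, or edge locations outside the stale ranges will start receiving 403 responses from the origin; automating that refresh is part of deploying this control.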

AWS WAF
To help protect your websites and web applications from attacks, you can integrate CloudFront with AWS
WAF, a web application firewall. With AWS WAF, you can filter traffic based on conditions you specify,
such as the IP addresses from which requests originate or values that appear in headers or query strings.
CloudFront responds to HTTP and HTTPS requests with either the requested content or an HTTP 403
status code (Forbidden). You can also configure CloudFront to return a custom error page when a request
is blocked.

For more information about AWS WAF, see the AWS WAF Developer Guide. For information about how
to add the ID for an AWS WAF web access control list (web ACL) to a CloudFront distribution, see the
Values that You Specify When You Create or Update a Web Distribution topic in the Amazon CloudFront
Developer Guide.

Setting Up Amazon Route 53 with Your AWS GovCloud (US) Resources
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. It is
designed to give developers and businesses an extremely reliable and cost-effective way to route end
users to Internet applications by translating human readable names like www.example.com into the
numeric IP addresses like 192.168.0.1 that computers use to connect to each other.

Amazon Route 53's DNS implementation connects user requests to infrastructure running in Amazon
Web Services (AWS), such as an Amazon Elastic Compute Cloud (Amazon EC2) instance, an Elastic
Load Balancing balancer, an Amazon CloudFront distribution, or an Amazon Simple Storage Service
(Amazon S3) bucket.

Amazon Route 53 can also be used to route users to infrastructure outside of AWS or to resources in the
AWS GovCloud (US) Region.

To use Amazon Route 53 with your AWS GovCloud (US) resources, you must have an AWS GovCloud
(US) account. If you don't have an account, see Signing Up for AWS GovCloud (US) (p. 7) for more
information.

To set up Amazon Route 53, go to the Amazon Route 53 console by using your standard AWS credentials.
You cannot use your AWS GovCloud (US) account credentials to sign in to the standard AWS Management
Console.

As you set up Amazon Route 53 to serve your AWS GovCloud (US) content, keep the following in mind:

• You must log in to the Amazon Route 53 console using your standard AWS credentials. Do not use
your AWS GovCloud (US) credentials.
• You will set up Amazon Route 53 to route end users to your AWS GovCloud (US) resources.
• Amazon Route 53 is not within the AWS GovCloud (US) Region so Amazon Route 53 is not within the
ITAR boundary. Amazon Route 53 domain names, subdomain names, hostnames, aliases, cnames,
and other record data fields are not permitted to contain ITAR-regulated data.
• For detailed information about Amazon Route 53, see the Amazon Route 53 Developer Guide.

Setting Up Amazon Route 53 Zone Apex Support with an AWS GovCloud (US) Elastic Load Balancing Load Balancer
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. It is
designed to provide an extremely reliable and cost-effective way to route end users to Internet applications
by translating human readable names like www.example-company.com into numeric IP addresses like
192.168.0.1 that computers use to connect to each other.

Amazon Route 53's DNS implementation connects user requests to infrastructure running inside (and
outside) of Amazon Web Services (AWS). For example, if you have multiple web servers running on
Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer,
Amazon Route 53 will route all traffic addressed to your website (e.g. www.example.com) to the load
balancer DNS name (e.g. elb1234.elb.amazonaws.com).

Additionally, Amazon Route 53 supports the alias resource record set, which lets you map your zone
apex (e.g. example.com) DNS name to your load balancer DNS name. IP addresses associated with
Elastic Load Balancing can change at any time due to scaling or software updates. Amazon Route 53
responds to each request for an alias resource record set with one IP address for the load balancer. If a
load balancer has more than one IP address, Elastic Load Balancing selects one of the IP addresses in
a round-robin fashion and returns it to Amazon Route 53; Amazon Route 53 then responds to the request
with that IP address.

Alias resource record sets are virtual records that work like CNAME records. But they differ from CNAME
records in that they are not visible to resolvers. Resolvers only see the A record and the resulting IP
address of the target record. As such, unlike CNAME records, alias resource record sets are available
to configure a zone apex (also known as a root domain or naked domain) in a dynamic environment.

This section provides a solution for Amazon Route 53 zone apex alias support by setting up an Amazon
CloudFront distribution between Amazon Route 53 and an AWS GovCloud (US) Elastic Load Balancing
load balancer. The solution demonstrates how to configure Amazon Route 53 with a zone apex alias
resource record set that maps to a CloudFront web distribution DNS name. The CloudFront distribution
in turn points to the AWS GovCloud (US) load balancer DNS name as a custom origin.

An additional benefit of this approach is that CloudFront can help improve the performance of your website,
including both static and dynamic content. For more information about CloudFront, see the CloudFront
documentation.

The following figure shows the various AWS services used to demonstrate this solution:

Step 1: Sign Up for AWS GovCloud (US)


• To use AWS services in the AWS GovCloud (US) Region, you must have an AWS GovCloud (US)
account. If you don't have an account, see Signing Up for AWS GovCloud (US) (p. 7) for more
information.

Step 2: Create Your Resources in the AWS GovCloud (US) Region
1. Create two web application Amazon EC2 servers via the AWS GovCloud (US) console and confirm
that they are in a running state. Configuring the web servers on the Amazon EC2 instances is outside
of the scope of this section.

2. Create an Elastic Load Balancing load balancer and add the two instances created in the previous
step to the load balancer. Confirm that the instances are in service and note the DNS name of the
newly created load balancer.

3. Test access to your website by entering the load balancer DNS name in a web browser. You can
verify the load balancer is balancing traffic between the two instances by waiting at least one minute
between requests.

Step 3: Create a CloudFront Custom Origin Web Distribution
Since AWS GovCloud (US) is not currently integrated into the CloudFront service, you need to create a
CloudFront distribution using your standard AWS account.

1. Create a new CloudFront distribution by logging into the CloudFront console with your standard AWS
account and clicking the Create Distribution button.

2. Select the Web distribution delivery method and click Continue.

3. In the Origin Domain Name box, enter the AWS GovCloud (US) load balancer DNS name to create
a custom origin.

4. On the same screen, in the Alternate Domain Names (CNAMEs) box, add the zone apex name.

5. Click the Create Distribution button.

6. After the new distribution status changes to Deployed, note the domain name. You will use the
domain name when setting up Amazon Route 53 in the next step.

For information about how CloudFront processes and forwards requests to a custom origin server, such
as an AWS GovCloud (US) load balancer, see the CloudFront Documentation.

Step 4: Configure a New Amazon Route 53 Alias Resource Record Set
1. Using your standard AWS account from the previous step, sign in to the Amazon Route 53 console.
2. Create a new alias resource record set for your root domain name. Make sure to click Yes for Alias
and to select the CloudFront distribution name created earlier from the Alias Target drop-down list.

Step 5: Test that Your Website is Accessible


• Enter your root domain in a web browser to verify that your website is accessible.

Congratulations! You have successfully pointed your zone apex at your Elastic Load Balancing load
balancer in the AWS GovCloud (US) Region.

For more information about Amazon Route 53, see the Amazon Route 53 Documentation.

Setting Up Amazon Simple Email Service in Your AWS GovCloud (US) Architecture
Amazon Simple Email Service (Amazon SES) is a cost-effective outbound-only email-sending service
built on the reliable and scalable infrastructure originally developed to serve the Amazon.com customer
base. With Amazon SES, you can send transactional email, marketing messages, or any other type of
high-quality content, and you only pay for what you use.

Amazon SES offers a wide number of functions beyond simply sending email. Along with high deliverability,
Amazon SES provides easy, real-time access to your sending statistics and built-in notifications for
bounces and complaints to help you fine-tune your email-sending strategy.

To use Amazon SES in your AWS GovCloud (US) architecture, you must have both an AWS account
and an AWS GovCloud (US) account. If you do not have an AWS GovCloud (US) account, go to Signing
Up for AWS GovCloud (US) (p. 7) for more information.

To set up Amazon SES, go to the Amazon SES console using your standard AWS credentials. Note that
you cannot use your AWS GovCloud (US) account credentials to sign in to the standard AWS Management
Console.

As you set up Amazon SES to use within your AWS GovCloud (US) architecture, keep the following in
mind:

• Amazon SES is not within the ITAR boundary and ITAR data cannot be sent using Amazon SES.
• You must log into the Amazon SES console using your standard AWS credentials. Do not use your
AWS GovCloud (US) credentials.
• When making API calls to the Amazon SES endpoint from the AWS GovCloud (US) Region, you must
use your standard AWS account credentials. Do not use your AWS GovCloud (US) credentials.

Region name            Region     API (HTTPS) endpoint            SMTP endpoint
US East (N. Virginia)  us-east-1  email.us-east-1.amazonaws.com   email-smtp.us-east-1.amazonaws.com
US West (Oregon)       us-west-2  email.us-west-2.amazonaws.com   email-smtp.us-west-2.amazonaws.com

• Amazon SES access is "sandboxed" by default. With sandbox access you can only send email to the
Amazon SES mailbox simulator and to email addresses or domains that you have verified. After you
test your setup and want to go into production, you must request production access.

Using AWS GovCloud (US)

If you have used other AWS regions, you should be aware of specific differences in the AWS GovCloud
(US) Region. For example, Amazon Resource Names (ARNs) and endpoints are different in the AWS
GovCloud (US) Region.

In addition to the specific differences, the following topics describe how to maintain compliance with
International Traffic in Arms Regulations (ITAR), how to access AWS GovCloud (US), and how to control
access to your AWS GovCloud (US) account.

Topics
• Amazon Resource Names (ARNs) in AWS GovCloud (US) (p. 26)
• AWS GovCloud (US) Endpoints (p. 31)
• Maintaining U.S. International Traffic in Arms Regulations (ITAR) Compliance (p. 33)
• Accessing the AWS GovCloud (US) Region (p. 34)
• Controlling Access to Your AWS GovCloud (US) Account (p. 34)
• Command Line and API Access (p. 34)
• Resource Limits (p. 35)
• Penetration Testing (p. 35)
• Service Health Dashboard (p. 36)

Amazon Resource Names (ARNs) in AWS GovCloud (US)
Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need
to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon S3 bucket
names, and API calls. In the AWS GovCloud (US) Region, Amazon Resource Names (ARNs) have a
different identifier than in other AWS regions. For all other regions, ARNs begin with:

arn:aws

In the AWS GovCloud (US) Region, ARNs begin with:

arn:aws-us-gov

If an ARN requires a region, for the AWS GovCloud (US) Region, the region should be identified as
us-gov-west-1.

Topics
• ARN Format (p. 27)
• Example ARNs (p. 27)
• Paths in ARNs (p. 30)

ARN Format
Here are some example ARNs:

<!-- IAM user name -->
arn:aws-us-gov:iam::123456789012:David

<!-- Amazon EC2 instances -->
arn:aws-us-gov:ec2:us-gov-west-1:001234567890:instance/*

<!-- Amazon S3 bucket (and all objects in it) -->
arn:aws-us-gov:s3:::my_corporate_bucket/*

The following are the general formats for ARNs; the specific components and values used depend on
the AWS service.

arn:aws-us-gov:service:region:account:resource
arn:aws-us-gov:service:region:account:resourcetype/resource
arn:aws-us-gov:service:region:account:resourcetype:resource

service
The service namespace that identifies the AWS product (for example, Amazon S3, or IAM). For a
list of namespaces, see AWS Service Namespaces in the Amazon Web Services General Reference.
region
The region the resource resides in. Note that the ARNs for some resources do not require a region,
so this component might be omitted. For the AWS GovCloud (US) Region, the region is
us-gov-west-1.
account
The ID of the AWS account that owns the resource, without the hyphens. For example, 123456789012.
Note that the ARNs for some resources don't require an account number, so this component might
be omitted.
resource, resourcetype:resource, or resourcetype/resource
The content of this part of the ARN varies by service. It often includes an indicator of the type of
resource—for example, IAM user—followed by a slash (/) or a colon (:), followed by the resource
name itself. Some services allow paths for resource names, as described in Paths in ARNs (p. 30).

Example ARNs
The following sections provide syntax and examples of the ARNs for different services. For more information
about using ARNs in a specific AWS service, see the documentation for that service.

Topics
• Amazon DynamoDB (p. 28)

• Amazon Elastic Compute Cloud (Amazon EC2) (p. 28)
• Amazon Simple Notification Service (Amazon SNS) (p. 28)
• Amazon Simple Queue Service (Amazon SQS) (p. 28)
• Amazon Simple Storage Service (Amazon S3) (p. 29)
• Amazon Simple Workflow Service (Amazon SWF) (p. 29)
• Auto Scaling (p. 29)
• AWS Identity and Access Management (IAM) (p. 30)

Amazon DynamoDB
Syntax:

arn:aws-us-gov:dynamodb:region:account:table/tablename

Example:

arn:aws-us-gov:dynamodb:us-gov-west-1:123456789012:table/books_table

Amazon Elastic Compute Cloud (Amazon EC2)


Syntax:

arn:aws-us-gov:ec2:region:account:instance/instance-id
arn:aws-us-gov:ec2:region:account:placement-group/placement-group-name
arn:aws-us-gov:ec2:region::snapshot/snapshot-id
arn:aws-us-gov:ec2:region:account:volume/volume-id

Examples:

arn:aws-us-gov:ec2:us-gov-west-1:123456789012:instance/*
arn:aws-us-gov:ec2:us-gov-west-1:123456789012:volume/*
arn:aws-us-gov:ec2:us-gov-west-1:123456789012:volume/vol-1a2b3c4d

Amazon Simple Notification Service (Amazon SNS)


Syntax:

arn:aws-us-gov:sns:region:account:topicname
arn:aws-us-gov:sns:region:account:topicname:subscriptionid

Examples:

arn:aws-us-gov:sns:us-gov-west-1:123456789012:my_corporate_topic
arn:aws-us-gov:sns:us-gov-west-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce

Amazon Simple Queue Service (Amazon SQS)


Syntax:

arn:aws-us-gov:sqs:region:account:queuename

Example:

arn:aws-us-gov:sqs:us-gov-west-1:123456789012:queue1

Amazon Simple Storage Service (Amazon S3)


Syntax:

arn:aws-us-gov:s3:::bucketname
arn:aws-us-gov:s3:::bucketname/objectpath

Note that Amazon S3 does not require an account number or region in ARNs.

Examples:

arn:aws-us-gov:s3:::my_corporate_bucket
arn:aws-us-gov:s3:::my_corporate_bucket/*
arn:aws-us-gov:s3:::my_corporate_bucket/Development/*

Amazon Simple Workflow Service (Amazon SWF)


Syntax:

arn:aws-us-gov:swf:region:account:domain/domainname

Examples:

arn:aws-us-gov:swf:us-gov-west-1:123456789012:domain/department1
arn:aws-us-gov:swf:us-gov-west-1:123456789012:/domain/*

Auto Scaling
Syntax:

arn:aws-us-gov:autoscaling:region:account:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyname/policyfriendlyname
arn:aws-us-gov:autoscaling:region:account:autoScalingGroup:groupid:autoScalingGroupName/groupfriendlyname

Example:

arn:aws-us-gov:autoscaling:us-gov-west-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:autoScalingGroupName/my-test-asg1:policyName/my-scaleout-policy

AWS Identity and Access Management (IAM)


Syntax:

arn:aws-us-gov:iam::account:root
arn:aws-us-gov:iam::account:user/username
arn:aws-us-gov:iam::account:group/groupname
arn:aws-us-gov:iam::account:role/rolename
arn:aws-us-gov:iam::account:instance-profile/instanceprofilename
arn:aws-us-gov:sts::account:federated-user/username
arn:aws-us-gov:iam::account:mfa/virtualdevicename
arn:aws-us-gov:iam::account:server-certificate/certificatename

Examples:

arn:aws-us-gov:iam::123456789012:root
arn:aws-us-gov:iam::123456789012:user/Bob
arn:aws-us-gov:iam::123456789012:user/division_abc/subdivision_xyz/Bob
arn:aws-us-gov:iam::123456789012:group/Developers
arn:aws-us-gov:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
arn:aws-us-gov:iam::123456789012:role/S3Access
arn:aws-us-gov:iam::123456789012:role/application_abc/component_xyz/S3Access
arn:aws-us-gov:iam::123456789012:instance-profile/Webserver
arn:aws-us-gov:sts::123456789012:federated-user/Bob
arn:aws-us-gov:iam::123456789012:mfa/BobJonesMFA
arn:aws-us-gov:iam::123456789012:server-certificate/ProdServerCert
arn:aws-us-gov:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert

Paths in ARNs
Some services let you specify a path for the resource name. For example, in Amazon S3, the resource
identifier is an object name that can include slashes (/) to form a path. Similarly, IAM user names and
group names can include paths.

Paths can include wildcard characters such as an asterisk (*). For example, to specify all IAM users
whose user name includes the prefix product_1234, you can use a wildcard like this:

arn:aws-us-gov:iam::123456789012:user/Development/product_1234/*

To specify all IAM users or IAM groups in the AWS account, use a wildcard after the user/ or group/part
of the ARN, respectively.

arn:aws-us-gov:iam::123456789012:user/*
arn:aws-us-gov:iam::123456789012:group/*

The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a
path:

arn:aws-us-gov:s3:::my_corporate_bucket/*
arn:aws-us-gov:s3:::my_corporate_bucket/Development/*

You cannot use a wildcard in the resource type, such as the term user in an IAM ARN. The following is
not allowed:

arn:aws-us-gov:iam::123456789012:u*

For more information about ARNs and namespaces, see Amazon Resource Names (ARNs) and AWS
Service Namespaces.
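A small parser makes the ARN format and the path rules above concrete, and catches the two mistakes that most often break IAM policies written for the AWS GovCloud (US) Region: an arn:aws partition or a standard region copied from a policy in another account, and a wildcard placed in the resource type instead of the resource name. The following Python script is an added example, not from this guide or from AWS. It splits an ARN into the components defined in the ARN Format section (the resource portion is split at its first slash or colon, so for Amazon S3 the first segment is the bucket name and the rest is the object path) and reports findings for the GovCloud-specific constraints. The set of known IAM and STS resource types is taken from the IAM syntax list above; resource types of other services are not validated.

```python
import re
from dataclasses import dataclass
from typing import List

GOVCLOUD_PARTITION = "aws-us-gov"
GOVCLOUD_REGION = "us-gov-west-1"

# IAM/STS resource types from the syntax list in this guide ("root" has no type).
IAM_TYPES = {"user", "group", "role", "instance-profile", "federated-user",
             "mfa", "server-certificate"}


@dataclass
class Arn:
    partition: str
    service: str
    region: str          # "" when the service does not use a region (IAM, S3)
    account: str         # "" when the service does not use an account (S3, EC2 snapshots)
    resource_type: str   # "" for the plain "resource" form, e.g. iam ... :root
    resource: str        # may contain a path, e.g. division_abc/subdivision_xyz/Bob


def parse_arn(text: str) -> Arn:
    """Split an ARN into its six colon-separated fields; the last field is split
    once more at the first "/" or ":" into resourcetype and resource."""
    parts = text.split(":", 5)                   # the resource may itself contain ":"
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account, rest = parts
    m = re.match(r"([^/:]*)[/:](.*)", rest, re.S)
    if m:
        resource_type, resource = m.group(1), m.group(2)
    else:
        resource_type, resource = "", rest
    return Arn(partition, service, region, account, resource_type, resource)


def validate_govcloud_arn(text: str) -> List[str]:
    """Return findings for an ARN meant to name an AWS GovCloud (US) resource."""
    try:
        arn = parse_arn(text)
    except ValueError as exc:
        return [str(exc)]
    findings: List[str] = []
    if arn.partition != GOVCLOUD_PARTITION:
        findings.append(f"partition {arn.partition!r} is not {GOVCLOUD_PARTITION!r}; "
                        "the ARN cannot match a GovCloud resource")
    if arn.region and arn.region != GOVCLOUD_REGION:
        findings.append(f"region {arn.region!r} is not {GOVCLOUD_REGION!r}")
    if arn.account and not re.fullmatch(r"\d{12}", arn.account):
        findings.append("account must be the 12-digit account ID without hyphens")
    if "*" in arn.resource_type:
        findings.append("wildcards are not allowed in the resource type")
    if arn.service in ("iam", "sts"):
        if arn.resource_type == "" and arn.resource != "root":
            # Covers the disallowed form shown above, e.g. ...:u* in place of user/...
            findings.append("IAM/STS resources other than root must be <type>/<name>; "
                            "a wildcard cannot stand in for the type")
        elif arn.resource_type and arn.resource_type not in IAM_TYPES:
            findings.append(f"unknown IAM resource type {arn.resource_type!r}")
    return findings


if __name__ == "__main__":
    for sample in (
        "arn:aws-us-gov:iam::123456789012:user/Development/product_1234/*",
        "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:volume/vol-1a2b3c4d",
        "arn:aws:iam::123456789012:user/Bob",          # standard partition
        "arn:aws-us-gov:iam::123456789012:u*",         # wildcard in the type
    ):
        print(sample, "->", validate_govcloud_arn(sample) or ["OK"])
```

Feeding every Resource and Principal ARN from a policy document through `validate_govcloud_arn` before applying it is a cheap pre-deployment check; a policy whose ARNs sit in the wrong partition fails silently, in that it simply never matches the GovCloud resource it was meant to govern.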

AWS GovCloud (US) Endpoints


If you access AWS GovCloud (US) by using the command line interface (CLI) or programmatically by
using the APIs, you need the AWS GovCloud (US) Region endpoints. The following table lists each AWS
service available in GovCloud (US) and its corresponding endpoints.

AWS Service                                               AWS GovCloud (US) Endpoint                          Protocol
Auto Scaling                                              autoscaling.us-gov-west-1.amazonaws.com             HTTP and HTTPS
AWS CloudFormation                                        cloudformation.us-gov-west-1.amazonaws.com          HTTPS
AWS CloudHSM                                              cloudhsm.us-gov-west-1.amazonaws.com                HTTPS
AWS CloudTrail                                            cloudtrail.us-gov-west-1.amazonaws.com              HTTPS
Amazon CloudWatch                                         monitoring.us-gov-west-1.amazonaws.com              HTTPS
                                                          logs.us-gov-west-1.amazonaws.com                    HTTPS
AWS Direct Connect                                        directconnect.us-gov-west-1.amazonaws.com           HTTPS
Amazon DynamoDB                                           dynamodb.us-gov-west-1.amazonaws.com                HTTP and HTTPS
Amazon DynamoDB Streams                                   streams.dynamodb.us-gov-west-1.amazonaws.com        HTTP and HTTPS
Amazon Elastic Block Store (Amazon EBS)                   ec2.us-gov-west-1.amazonaws.com                     HTTPS
Amazon Elastic Compute Cloud (Amazon EC2)                 ec2.us-gov-west-1.amazonaws.com                     HTTPS
Elastic Load Balancing                                    elasticloadbalancing.us-gov-west-1.amazonaws.com    HTTP and HTTPS
Amazon ElastiCache                                        elasticache.us-gov-west-1.amazonaws.com             HTTPS
Amazon Elastic MapReduce (Amazon EMR)                     elasticmapreduce.us-gov-west-1.amazonaws.com        HTTP and HTTPS
Amazon Glacier                                            glacier.us-gov-west-1.amazonaws.com                 HTTPS
AWS Identity and Access Management (IAM)                  iam.us-gov.amazonaws.com                            HTTPS
AWS Key Management Service (AWS KMS)                      kms.us-gov-west-1.amazonaws.com **                  HTTPS
Amazon Redshift                                           redshift.us-gov-west-1.amazonaws.com                HTTPS
Amazon Relational Database Service (Amazon RDS)           rds.us-gov-west-1.amazonaws.com                     HTTPS
Amazon Simple Storage Service (Amazon S3)                 s3-us-gov-west-1.amazonaws.com **                   HTTP and HTTPS
Amazon Simple Storage Service (Amazon S3) (FIPS 140-2)    s3-fips-us-gov-west-1.amazonaws.com                 HTTPS
Amazon Simple Storage Service (Amazon S3) (website)       s3-website-us-gov-west-1.amazonaws.com              HTTP
Amazon Simple Notification Service (Amazon SNS)           sns.us-gov-west-1.amazonaws.com                     HTTP and HTTPS
Amazon Simple Queue Service (Amazon SQS)                  sqs.us-gov-west-1.amazonaws.com                     HTTP and HTTPS
Amazon Simple Workflow Service (Amazon SWF)               swf.us-gov-west-1.amazonaws.com                     HTTPS
AWS Security Token Service (AWS STS)                      sts.us-gov-west-1.amazonaws.com                     HTTPS
Amazon Virtual Private Cloud (Amazon VPC)                 ec2.us-gov-west-1.amazonaws.com                     HTTPS
AWS Management Console for the AWS GovCloud (US) Region   console.amazonaws-us-gov.com                        HTTPS
                                                          signin.amazonaws-us-gov.com
AWS Management Console with Federation                    signin.amazonaws-us-gov.com/federation              HTTPS

32
AWS GovCloud (US) User Guide
Maintaining ITAR Compliance

AWS Service AWS GovCloud (US) Endpoint Protocol

AWS Management signin.amazonaws-us-gov.com/saml HTTPS


Console with
SAML

Note
** All HTTPS endpoints are FIPS 140-2 validated except:

• The non-FIPS alternative for Amazon S3: s3-us-gov-west-1.amazonaws.com


• The AWS Key Management Service endpoint is not yet FIPS 140-2 validated:
kms.us-gov-west-1.amazonaws.com
• AWS Snowball has no endpoints.

For information about giving federated users single sign-on access to the AWS Management Console,
see Giving Federated Users Direct Access to the AWS Management Console.

You can also see a list of all AWS endpoints by viewing Regions and Endpoints in the AWS General
Reference.

Maintaining U.S. International Traffic in Arms Regulations (ITAR) Compliance

If you store and process ITAR-regulated data in the AWS GovCloud (US) Region, you must conform to
the following ITAR requirements, in addition to any other ITAR or export control restrictions that may be
applicable to you:

• You are an individual or entity that qualifies as a U.S. Person under the applicable regulations.
• You have and will maintain a valid Directorate of Defense Trade Controls (DDTC) registration.
• You have full export privileges under U.S. export control laws and regulations and are not a denied or
debarred party or otherwise subject to sanctions.
• If your export control privileges are revoked, suspended or terminated, or you otherwise become subject
to sanctions or are barred from maintaining export-controlled data, you will immediately remove ITAR
and other export controlled data from the AWS services.
• You must maintain an effective compliance program to ensure compliance with applicable U.S. export
control laws and regulations, including ITAR, if applicable.

Note
Even if you don't process any ITAR-regulated data, the owner of the AWS GovCloud (US) account
must be a U.S. person. AWS doesn't require IAM users or users of applications that run in the
AWS GovCloud (US) Region to be U.S. persons. As part of the shared responsibility model, you
are responsible for restricting access to your IAM users and to your application in accordance
with regulations that apply to you.

ITAR Boundary for AWS GovCloud (US) Services

If you maintain ITAR-regulated data in the AWS GovCloud (US) Region, you must comply with the ITAR
restrictions for each AWS service in the AWS GovCloud (US) Region. For more information about the
ITAR boundaries for each service, view the service-specific information in Services in the AWS GovCloud
(US) Region (p. 37).

Accessing the AWS GovCloud (US) Region


When you access the AWS GovCloud (US) Region, use your AWS GovCloud (US) credentials. Although
your AWS GovCloud (US) account is associated with your standard AWS account, each account has
distinct credentials, and users from one account cannot access AWS resources in the other account.
In other words, when you use the AWS GovCloud (US) Region, you must use credentials that were
created in that region. Similarly, when you use the standard AWS regions, you must use credentials that
were created in those regions.

You can access and manage resources in the AWS GovCloud (US) Region by using any of the following
methods:

• The AWS Management Console for the AWS GovCloud (US) Region provides an easy-to-use
graphical interface to manage your compute, storage, and other cloud resources. Most AWS products
can be used with the console, and the console supports the majority of functionality for each service.
You can sign in to the console only as an IAM user. For more information, see On-boarding to AWS
GovCloud (US) (Resellers or Reseller Customers) (p. 11).
• The AWS command line interface (CLI) allows you to control AWS services from a command line
and automate commands through scripts. For more information about accessing the CLI for each
service, go to AWS Command Line Tools in the AWS General Reference.
• AWS offers SDKs for Java, .NET, PHP, Android, iOS, and Ruby. The Sample Code & Libraries
Catalog also provides a listing of code, SDKs, sample applications, and other tools available for use.
• The Toolkits for developers provide programming libraries that help you quickly deploy your applications
to AWS for Java or .NET. For more information, see AWS Toolkit for Eclipse or AWS Toolkit for Visual
Studio.
• You can construct REST or Query API calls to AWS services. For API syntax and examples, see the
API references for each service at http://aws.amazon.com/documentation/.
• The AWS ElasticWolf Client Console can be used to manage AWS resources in all regions.

Controlling Access to Your AWS GovCloud (US) Account

Your AWS GovCloud (US) account credentials grant full access to your AWS GovCloud (US) account.
We recommend that you don't share your account credentials; instead, use AWS Identity and Access
Management (IAM) to grant users access to AWS GovCloud (US). With IAM, you can control who can
do which actions on a specific resource. Signing Up for AWS GovCloud (US) (p. 7) discusses how you
create your first IAM administrative user.

For more information about IAM, see What is IAM? in Using IAM.

Also, for additional suggestions on how to secure your account with IAM, see IAM Best Practices in Using
IAM.

Command Line and API Access


You can use the command line interface (CLI), Query API, or REST interfaces to access AWS GovCloud
(US) services. You can also use a language-specific software development kit (SDK). For more information
about the CLI and SDK tools, see Tools for Amazon Web Services.

For the CLI and APIs, you are required to use access and secret access keys. You can create keys for
each individual user by creating IAM users. For more information, see Working with Users and Groups
in Using IAM.

After you have installed your preferred tool, you can access AWS GovCloud (US) by specifying the AWS
GovCloud (US) endpoint for the AWS service that you want to access.

For information about setting regions using the AWS SDKs, go to Available Region Endpoints for the
AWS SDKs in the AWS Developer Center.

If you use the CLI, you can either specify the AWS GovCloud (US) endpoint every time you enter a
command or you can set an environment variable that specifies the endpoint. See the service's CLI
documentation for more information.

Resource Limits
By default, AWS maintains limits for certain resources in your AWS GovCloud (US) account. For example,
accounts have a limit on the number of Amazon EC2 instances that can be launched. You can see your
current limits and request limit increases by navigating to the Amazon EC2 console, Limits Page. When
you request a limit increase, specify your AWS GovCloud (US) account ID and select the AWS GovCloud
(US) Region from the region drop-down list.

For more information about the specific limits, see AWS Service Limits.

Penetration Testing
Penetration testing can be indistinguishable from activity that is prohibited by AWS, such as certain
security violations and network abuse. As a result, AWS has established a policy that you request
permission for penetration testing. In order to request permission to conduct penetration testing on your
AWS GovCloud (US) instances, submit a request.

You are required to sign in by using the standard AWS root account credentials that are associated with
your AWS GovCloud (US) account. You can request up to 3 months of penetration testing by specifying
the start and end times. The form also includes our testing terms and policies. After you submit the form,
AWS reviews your request and will respond in approximately 1 to 2 business days.

If you do not have standard AWS root account credentials, submit your request by sending an email to
[email protected] with the following information:

• Account name:
• Account number:
• Email address:
• Additional email address to cc:
• Account owner must be specified on cc.
• IPs to be scanned:
• Target or source:
• Instance IDs:
• Be aware that testing to or from m1.small or t1.micro instances is prohibited.
• These instances must be specified.
• Source IPs:
• Region:
• Timezone:
• Start date/time:
• End date/time:
• Additional comments:

For more information about AWS and penetration testing, see Penetration Testing.

Service Health Dashboard


AWS GovCloud (US) includes a dashboard that displays up-to-the-minute information on service availability
in the region. To get current status information, or subscribe to an RSS feed to be notified of interruptions
to each individual service, see the Service Health Dashboard.

Services in the AWS GovCloud (US) Region

The following sections describe the differences between the AWS GovCloud (US) Region and the standard
AWS regions. They include links to documentation and describe the ITAR boundaries (where you can
and can't enter or process ITAR-regulated data) for each service. ITAR-regulated data is permitted in
most configuration data fields. However, some of the data fields, such as Amazon S3 bucket names or
Amazon EC2 tags, cannot contain ITAR-regulated data. Also, some services cannot process
ITAR-regulated data at all, such as Amazon SNS.

Topics
• Auto Scaling (p. 38)
• AWS CloudFormation (p. 38)
• AWS CloudHSM (p. 39)
• AWS CloudTrail (p. 39)
• Amazon CloudWatch (p. 42)
• AWS Direct Connect (p. 42)
• Amazon DynamoDB (p. 43)
• Amazon Elastic Block Store (Amazon EBS) (p. 44)
• Amazon Elastic Compute Cloud (Amazon EC2) (p. 45)
• Elastic Load Balancing (p. 47)
• Amazon ElastiCache (p. 48)
• Amazon Elastic MapReduce (Amazon EMR) (p. 50)
• Amazon Glacier (p. 50)
• AWS Identity and Access Management (IAM) (p. 51)
• AWS Import/Export (p. 52)
• AWS Key Management Service (AWS KMS) (p. 53)
• Amazon Redshift (p. 54)
• Amazon Relational Database Service (Amazon RDS) (p. 56)
• Amazon Simple Storage Service (Amazon S3) (p. 57)
• Amazon Simple Notification Service (Amazon SNS) (p. 58)
• Amazon Simple Queue Service (Amazon SQS) (p. 59)
• Amazon Simple Workflow Service (Amazon SWF) (p. 60)
• Amazon Virtual Private Cloud (Amazon VPC) (p. 61)
• AWS Management Console for the AWS GovCloud (US) Region (p. 62)
• AWS Trusted Advisor (p. 63)

Auto Scaling
For more information about Auto Scaling, see the Auto Scaling documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted
• Not applicable

ITAR-Regulated Data Not Permitted
• Auto Scaling is not permitted to contain ITAR-regulated data.
• For example, do not enter ITAR-regulated data in the following fields:
  • Capacity group tag names
  • Capacity group tag name values
  • Capacity group names
  • Amazon EC2 Security Group names
  • Scaling policies
  • Launch notifications
  • Notification topics
  • Policy documents

AWS CloudFormation
The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other
regions, you can use HTTP or HTTPS.

For more information about AWS CloudFormation, see the AWS CloudFormation documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted
• The user data section of AWS CloudFormation templates can refer to scripts containing ITAR-regulated
data. The scripts containing ITAR-regulated data must be stored in an AWS GovCloud (US) Amazon S3
bucket.
• ITAR-regulated data may be stored and processed on the instances launched using AWS
CloudFormation.

ITAR-Regulated Data Not Permitted
• No ITAR-regulated data may be entered, stored, or processed by AWS CloudFormation. For example,
AWS CloudFormation metadata is not permitted to contain ITAR-regulated data. This metadata includes
all the configuration data that you enter when creating and maintaining your AWS CloudFormation
templates.

AWS CloudHSM
For more information about AWS CloudHSM, see the AWS CloudHSM documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted
• AWS CloudHSM secret access keys are protected as ITAR-regulated data.

ITAR-Regulated Data Not Permitted
• AWS CloudHSM metadata is not permitted to contain ITAR-regulated data. This includes all configuration
data that you enter when creating and maintaining your AWS CloudHSM config and partitions. Audit and
syslogs should not contain ITAR-regulated data.

AWS CloudTrail
The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• For all AWS GovCloud (US) accounts created after 12/15/2014, AWS CloudTrail is enabled automatically,
with logging turned on. However, you must set up Amazon SNS notifications. You can disable CloudTrail
or turn off logging through the CloudTrail console in the AWS Management Console for the AWS
GovCloud (US) Region.
• You can create up to five trails in the AWS GovCloud (US) Region. For more information, see Create
Multiple Trails.
• Since AWS GovCloud (US) operates as a single isolated region, the capability to receive CloudTrail
log files from multiple regions does not apply.
• If you are using AWS Direct Connect, you must enable CloudTrail in your AWS account (not your AWS
GovCloud (US) account) and enable logging.
• The Amazon S3 and Amazon SNS policy statements must refer to the ARN for the AWS GovCloud
(US) Region. For more information, see Amazon Resource Names (ARNs) in AWS GovCloud
(US) (p. 26).
• To enable CloudTrail to write log files to your bucket in the AWS GovCloud (US) Region, you can use
the following policy.
Caution
If the bucket already has one or more policies attached, add the statements for CloudTrail
access to that policy or policies. We recommend that you evaluate the resulting set of
permissions to be sure they are appropriate for the users who will be accessing the bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws-us-gov:s3:::myBucketName"
    },
    {
      "Sid": "AWSCloudTrailWrite20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::myBucketName/[optional] prefix/AWSLogs/myAccountID/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

For more information, see Amazon S3 Bucket Policy and Permissions for SNS Notifications.
Note
In the AWS GovCloud (US) Region, do not add CloudTrail account IDs of non-isolated regions
to your policy templates, or an "Invalid principal in policy" error will occur. Similarly, if you are
in a non-isolated region, do not add the CloudTrail account ID for AWS GovCloud (US) to your
policy templates.
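The following added example (not from the guide) checks a bucket policy for the requirements this section states before you attach it: aws-us-gov ARNs that refer to the trail bucket, the CloudTrail service principal rather than an account-ID principal, the GetBucketAcl grant, and the PutObject grant with its bucket-owner-full-control condition. The function name, the bucket name example-trail-bucket and the account ID in the sample policy are constructed.

```python
import json

GOVCLOUD_PARTITION = "aws-us-gov"
CLOUDTRAIL_SERVICE_PRINCIPAL = "cloudtrail.amazonaws.com"

# Constructed sample: the guide's policy with placeholder bucket and account values.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20131101",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_SERVICE_PRINCIPAL},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws-us-gov:s3:::example-trail-bucket",
        },
        {
            "Sid": "AWSCloudTrailWrite20131101",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_SERVICE_PRINCIPAL},
            "Action": "s3:PutObject",
            "Resource": "arn:aws-us-gov:s3:::example-trail-bucket/AWSLogs/123456789012/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
    ],
})


def _as_list(value):
    """Policy fields such as Action and Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def check_cloudtrail_bucket_policy(policy_json, bucket, account_id):
    """Return a list of problems; an empty list means the policy is acceptable.

    Checks drawn from the section above:
    - every Resource is an aws-us-gov ARN that refers to this bucket
    - an Allow statement grants s3:GetBucketAcl on the bucket to CloudTrail
    - an Allow statement grants s3:PutObject under .../AWSLogs/<account>/*
      with the bucket-owner-full-control ACL condition
    - CloudTrail is granted access through its service principal, not through
      an "AWS" account-ID principal (an account ID from a non-isolated region
      causes the "Invalid principal in policy" error the note describes)
    """
    problems = []
    bucket_arn = "arn:%s:s3:::%s" % (GOVCLOUD_PARTITION, bucket)
    acl_ok = write_ok = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and "AWS" in principal:
            problems.append("%s: grants an account-ID principal %r; use the "
                            "CloudTrail service principal" % (sid, principal["AWS"]))
        resources = _as_list(stmt.get("Resource", []))
        for resource in resources:
            if not resource.startswith("arn:%s:" % GOVCLOUD_PARTITION):
                problems.append("%s: resource %r is not in the %s partition"
                                % (sid, resource, GOVCLOUD_PARTITION))
            elif resource != bucket_arn and not resource.startswith(bucket_arn + "/"):
                problems.append("%s: resource %r does not refer to bucket %r"
                                % (sid, resource, bucket))
        from_cloudtrail = (isinstance(principal, dict) and
                           CLOUDTRAIL_SERVICE_PRINCIPAL in _as_list(principal.get("Service", [])))
        if stmt.get("Effect") != "Allow" or not from_cloudtrail:
            continue
        actions = _as_list(stmt.get("Action", []))
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_ok = True
        if "s3:PutObject" in actions:
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            log_suffix = "/AWSLogs/%s/*" % account_id
            for resource in resources:
                if resource.startswith(bucket_arn + "/") and resource.endswith(log_suffix):
                    if acl == "bucket-owner-full-control":
                        write_ok = True
                    else:
                        problems.append("%s: PutObject grant lacks the "
                                        "bucket-owner-full-control condition" % sid)
    if not acl_ok:
        problems.append("no Allow statement grants CloudTrail s3:GetBucketAcl on %s" % bucket_arn)
    if not write_ok:
        problems.append("no Allow statement lets CloudTrail PutObject under %s/.../AWSLogs/%s/"
                        % (bucket_arn, account_id))
    return problems


if __name__ == "__main__":
    for problem in check_cloudtrail_bucket_policy(SAMPLE_POLICY, "example-trail-bucket", "123456789012"):
        print(problem)
```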

For more information about CloudTrail, see the CloudTrail documentation.

Services Supported within CloudTrail


The following services are supported within CloudTrail in the AWS GovCloud (US) Region:

AWS Service | Support Start Date
AWS CloudFormation | 12/16/2014
AWS CloudHSM | 08/05/2015
AWS CloudTrail | 12/16/2014
Amazon CloudWatch | 12/16/2014
Amazon CloudWatch Logs | 11/19/2015
Amazon DynamoDB | 05/28/2015
Amazon Elastic Block Store (Amazon EBS) | 12/16/2014
Amazon Elastic Compute Cloud (Amazon EC2) | 12/16/2014
Elastic Load Balancing | 12/16/2014
ElastiCache | 01/29/2015
Amazon Elastic MapReduce (Amazon EMR) | 12/16/2014
Amazon Glacier | 12/30/2014
AWS Identity and Access Management (IAM) | 12/16/2014
AWS Key Management Service (AWS KMS) | 04/29/2015
Amazon Redshift | 12/16/2014
Amazon RDS | 01/22/2015
AWS Security Token Service (AWS STS) | 12/16/2014
Amazon Simple Storage Service (Amazon S3) | 10/01/2015
Amazon Simple Notification Service (Amazon SNS) | 12/16/2014
Amazon Simple Queue Service (Amazon SQS) | 12/16/2014
Amazon Simple Workflow Service (Amazon SWF) | 12/16/2014
Amazon Virtual Private Cloud (Amazon VPC) | 12/16/2014

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted
• Not applicable

ITAR-Regulated Data Not Permitted
• CloudTrail logs do not contain ITAR-regulated data.
• CloudTrail configuration data may not contain ITAR-regulated data.

Amazon CloudWatch
The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other
regions, you can use HTTP or HTTPS.
• CloudWatch Logs uses Amazon Kinesis to process the log data. Because Amazon Kinesis is not
available in the AWS GovCloud (US) Region, the data is first encrypted in AWS GovCloud (US) using
AES-256 encryption inside the ITAR boundary. The encrypted data is then sent to Amazon Kinesis in
the US West (Oregon) region to queue the encrypted data stream for processing in the AWS GovCloud
(US) Region. Only encrypted data is sent to Amazon Kinesis in US West (Oregon). The keys exist
within the ITAR boundary, so the data cannot be decrypted outside of the AWS GovCloud (US) Region.

For more information about CloudWatch, see the CloudWatch documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted
• Not applicable

ITAR-Regulated Data Not Permitted
• No ITAR-regulated data may be entered, stored, or processed by CloudWatch. For example, CloudWatch
metadata is not permitted to contain ITAR-regulated data. This metadata includes all the configuration
data that you enter when creating and maintaining your CloudWatch alarms.
• For example, do not enter ITAR-regulated data in the following fields:
  • Monitor configuration names
  • Descriptions
  • Trigger names
  • Metric names

AWS Direct Connect


The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• To set up an AWS Direct Connect connection to the AWS GovCloud (US) Region, you must use the
AWS GovCloud (US) console and the AWS GovCloud (US) credentials associated with your AWS
GovCloud (US) account. For instructions about how to provision and configure AWS Direct Connect,
see the AWS Direct Connect User Guide.
• When you create a public virtual interface on your AWS Direct Connect connection, a data path to AWS
GovCloud (US) is made available.
• To access your VPC without using the Amazon VPC service (for non-ITAR uses), create a private
virtual interface. You must create the AWS Direct Connect connection in the US West (N. California)
region only.
• Use the Amazon VPC section of the AWS GovCloud (US) console to set up hardware VPN access to
the AWS GovCloud (US) Region over a public virtual interface.
• If you are processing ITAR-regulated workloads, you must configure your AWS Direct Connect
connection with a VPN to encrypt data in transit. For detailed instructions about how to create your
VPC and VPN, see Adding a Hardware Virtual Private Gateway to Your VPC in the Amazon VPC User
Guide. For instructions about how to configure your on-premises VPN hardware, see the Amazon VPC
Network Administrator Guide.

For more information about AWS Direct Connect, see the AWS Direct Connect documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted
• If you are transferring any type of ITAR-regulated data through the AWS Direct Connect connection, you
must encrypt the data that is being transferred by using a VPN tunnel.

ITAR-Regulated Data Not Permitted
• AWS Direct Connect metadata is not permitted to contain ITAR-regulated data. This metadata includes
all of the configuration data that you enter when creating and maintaining AWS Direct Connect, such as
connection names.
• Do not enter ITAR-regulated data in the following console fields:
  • Connection Name
  • VIF Name

Amazon DynamoDB
The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• Import Table is not available in the DynamoDB console.
• Export Table is not available in the DynamoDB console.

For more information about DynamoDB, see the DynamoDB documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted
• All data entered, stored and processed in DynamoDB database tables can contain ITAR-regulated data.

ITAR-Regulated Data Not Permitted
• DynamoDB metadata is not permitted to contain ITAR-regulated data. This metadata includes all the
configuration data that you enter when creating and maintaining your DynamoDB tables, such as table
names, hash attribute names, and range attribute names.
• Do not enter ITAR-regulated data in the following fields:
  • Table names
  • Hash attribute names
  • Range attribute names
  • Resource tags

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain
ITAR compliance. For a list of endpoints, see AWS GovCloud (US) Endpoints (p. 31).

Amazon Elastic Block Store (Amazon EBS)


The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• The copy snapshot commands can be used, but only allow you to copy snapshots available to your
account within the AWS GovCloud (US) Region. If you specify a source or destination region to copy
to or from, the commands will return an error.
• Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other
regions, you can use HTTP or HTTPS.

For more information about Amazon EBS, see Amazon Elastic Block Store in the Amazon Elastic Compute
Cloud User Guide.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted
• All data entered, stored, and processed in Amazon EBS volumes can contain ITAR-regulated data.

ITAR-Regulated Data Not Permitted
• Amazon EBS metadata is not permitted to contain ITAR-regulated data. This metadata includes all
configuration data that you enter when creating and maintaining your Amazon EBS volumes.
• Do not enter ITAR-regulated data in the following fields:
  • Volume names
  • Snapshot names
  • Image names
  • Image descriptions

Amazon Elastic Compute Cloud (Amazon EC2)


The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• Spot instances and select Amazon EC2 instance types are not available in the AWS GovCloud (US)
Region.
• The public IP range for AWS GovCloud (US) Region Amazon EC2 instances is 96.127.0.0/18 and
96.127.64.0/18.
• Reserved Instance resale is not available in the AWS GovCloud (US) Region.
• AMI copy and snapshot copy are not available in the AWS GovCloud (US) Region. For information
about how to migrate your AMIs from another AWS region into the AWS GovCloud (US) Region, see
Importing Virtual Machines into the AWS GovCloud (US) Region (p. 15).
• When using the Amazon EC2 AMI tools, the AWS GovCloud (US) Region uses a non-default public
key certificate to encrypt AMI manifests. The ec2-bundle-image, ec2-bundle-vol, ec2-migrate-bundle,
and ec2-migrate-manifest commands require the --ec2cert
$EC2_AMITOOL_HOME/etc/ec2/amitools/cert-ec2-gov.pem option in the AWS GovCloud (US)
Region.
• By default, enhanced networking is not enabled on Windows Server 2012 R2 AMIs. For more information,
see Enabling Enhanced Networking on Windows Instances in a VPC.
• In the AWS GovCloud (US) Region, you must launch all Amazon EC2 instances in an Amazon Virtual
Private Cloud (Amazon VPC). In some cases, your account might have a default VPC; otherwise, you
must create a VPC before launching instances. For more information, see Determining if Your Account
Has a Default Amazon VPC (p. 46).
• When you launch an instance in the AWS GovCloud (US) Region using the CLI ec2-run-instances
command or API RunInstances action, you must specify the subnet parameter.
• Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other
regions, you can use HTTP or HTTPS.
• Use SSL (HTTPS) when generating key pairs using ec2-create-keypair and CreateKeyPair commands.
• To import your own set of key pairs, follow the directions in Importing Your Own Key Pair to Amazon
EC2.
• When using VM Import:
• If your account is set up as default VPC, then your default VPC will be the target for your import.
• If your account is not set up as default VPC, then you will need to specify an Availability Zone and
subnet. To specify a subnet to use when you create the import task, use the --subnet subnet_id
option and -z availability_zone option (specifying the Availability Zone corresponding to the
subnet ID) with the ec2-import-instance command.
• The AWS CLI commands, aws ec2 import-image and aws ec2 import-snapshot, and the ImportImage
API are not available in the AWS GovCloud (US) Region.
• When using VM Export:
• The Amazon EC2 instance must have been previously imported using VM Import.
• The Amazon S3 bucket for the destination image must exist and must have WRITE and READ_ACP
permissions granted to the AWS GovCloud (US) account with canonical ID:
af913ca13efe7a94b88392711f6cfc8aa07c9d1454d4f190a624b126733a5602.
• To export an instance, you can use the ec2-create-instance-export-task command. For more
information, see Exporting Amazon EC2 Instances.
• Microsoft System Center Virtual Machine Manager (SCVMM) is not yet supported in the AWS GovCloud
(US) Region.
• AWS Management Portal for vCenter is not compatible with the AWS GovCloud (US) Region.
• Automatic instance recovery is not supported.
• Dedicated hosts are not available.

For more information about Amazon EC2, see the Amazon Elastic Compute Cloud documentation.

Determining if Your Account Has a Default Amazon VPC
In the AWS GovCloud (US) Region, you must launch all Amazon EC2 instances in an Amazon Virtual
Private Cloud (Amazon VPC). In some cases, your account might have a default VPC, where you launch
all your Amazon EC2 instances. If your account doesn't have a default VPC, you must create a VPC
before you can launch Amazon EC2 instances. For more information, see What is Amazon VPC? in
Amazon VPC User Guide.

To determine if your account has a default VPC

1. Sign in to the AWS Management Console for the AWS GovCloud (US) Region.
2. Navigate to the dashboard of the Amazon EC2 console.
3. In the Account Attributes section, view the Supported Platforms.

• If you see only EC2-VPC, as shown in the following figure, your account has a default VPC.

• If you see both EC2-Classic and EC2-VPC, as shown in the following figure, your account doesn't
have a default VPC. You must create a VPC before you launch Amazon EC2 or Amazon RDS
instances.


If you don't want a default VPC for your AWS GovCloud (US) account, you can delete the default VPC
and default subnets. The default VPC and subnets will not be recreated. However, you still need to create
a VPC before launching instances.

If you deleted your default VPC but want to recreate it, you can submit a request by completing the AWS
GovCloud (US) Contact Us form. In the form, include your AWS GovCloud (US) account ID and indicate
that you want to reset your default VPC.

If your account doesn't have a default VPC but you want a default VPC, you can submit a request by
completing the AWS GovCloud (US) Contact Us form. In the form, include your AWS GovCloud (US)
account ID and indicate that you want to enable your account for a default VPC.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• All data entered, stored, and processed within an Amazon EC2 instance and ephemeral drives can
contain ITAR-regulated data.
• Key pairs created using HTTPS.
• Imported key pairs.

ITAR-Regulated Data Not Permitted

• Amazon EC2 metadata is not permitted to contain ITAR-regulated data. This metadata includes all
configuration data that you enter when creating and maintaining your instances.
• Do not enter ITAR-regulated data in the following fields:
  • Instance names
  • AMI descriptions
  • Resource tags
• Key pairs created using HTTP.
• When using VM Import, you may not enter any ITAR-regulated data as part of CLI arguments, paths,
or OS disk images. Any data that is ITAR-regulated should be encrypted and placed in partitions other
than root and boot.
• If importing ITAR-regulated images, do not use pre-signed URLs for the CLI argument --manifest-url.

Elastic Load Balancing


The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• Elastic Load Balancing must run in an Amazon VPC.
• Because Elastic Load Balancing must run in an Amazon VPC, it does not provide the IPv6 capability
that is offered in standard AWS regions when a load balancer runs outside of a VPC.
• You need to use encryption for Elastic Load Balancing with data that leaves the AWS GovCloud (US)
Region in order to maintain ITAR compliance. Because Elastic Load Balancing sends the data to DNS
servers outside of ITAR protection, you must use SSL certificates on your load balancers. For more
information, see Update an SSL Certificate for a Load Balancer in the Elastic Load Balancing Developer
Guide.
• Elastic Load Balancing uses the following account ID. For information about when it is used, see Attach
a Policy to Your Amazon S3 Bucket.

Region Elastic Load Balancing Account ID

us-gov-west-1 048591011584

For more information about Elastic Load Balancing, see the Elastic Load Balancing documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• All data transmitted through Elastic Load Balancing must be encrypted if it contains ITAR-regulated
data. Encryption must be used both between clients and the load balancer and between the load
balancer and registered instances. It is strongly recommended that Backend Authentication is enabled
to enforce public key authentication of the registered instances.

ITAR-Regulated Data Not Permitted

• All customer parameters provided as input to Elastic Load Balancing (via console, APIs, or other
mechanism) are not permitted to contain ITAR-regulated data. Examples include the names of load
balancers and the names of load balancer policies.
• Do not enter ITAR-regulated data in the following fields:
  • Resource tags

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain
ITAR compliance. For a list of endpoints, see AWS GovCloud (US) Endpoints (p. 31).

Amazon ElastiCache
The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• All ElastiCache instances must be launched in an Amazon VPC.


• ElastiCache clusters have a preferred weekly maintenance window. For information about the time
blocks, see Cache Engine Version Management.

For more information about ElastiCache, see the ElastiCache documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• You may store and process ITAR-regulated data in ElastiCache cache clusters only if the data is
encrypted on the client side.

ITAR-Regulated Data Not Permitted

• Unencrypted data stored in a cache cluster may not contain ITAR-regulated data.
• ElastiCache metadata is not permitted to contain ITAR-regulated data. This metadata includes all the
configuration data that you enter when creating and maintaining your ElastiCache clusters.
• Do not enter ITAR-regulated data in the following fields:
  • Cluster instance identifier
  • Cluster name
  • Cluster snapshot name
  • Cluster security group name
  • Cluster security group description
  • Cluster parameter group name
  • Cluster parameter group description
  • Cluster subnet group name
  • Cluster subnet group description
  • Replication group name
  • Replication group description

If you are processing ITAR-regulated data with ElastiCache, follow these guidelines in order to maintain
ITAR compliance:

• To secure ITAR-regulated data in your VPC, set up access control lists (ACLs) to control traffic entering
and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on
all the ports.
• For example, if you're running an application server on an Amazon EC2 instance that connects to
an ElastiCache cluster, a non-U.S. person could reconfigure the DNS to redirect ITAR-regulated
data out of the VPC and into any server that could possibly be outside of the AWS GovCloud (US)
Region.
• To prevent this type of attack and to maintain ITAR compliance, use network ACLs to prevent network
traffic from exiting the VPC on the database port. For more information, see Network ACLs in the
Amazon VPC User Guide.
• For each cluster that contains ITAR-regulated data, ensure that only specific CIDR ranges and Amazon
EC2 security groups can access the database instance, especially when an Internet gateway is attached
to the VPC. Only allow connections that are from the AWS GovCloud (US) Region or other
ITAR-controlled environments to ITAR-controlled clusters.

ElastiCache requires the use of the SSL (HTTPS) endpoint for service API calls. For a list of endpoints,
see AWS GovCloud (US) Endpoints (p. 31).

Amazon Elastic MapReduce (Amazon EMR)


The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• MapR distributions are currently not supported in the AWS GovCloud (US) Region.
• In the AWS GovCloud (US) Region, you launch all Amazon EMR job flows in Amazon Virtual Private
Cloud (Amazon VPC). For information about configuring an Amazon VPC that can run a job flow, see
Select an Amazon VPC and Subnet for the Cluster.
• Launching a job flow by using Spot instances is not currently supported in the AWS GovCloud (US)
Region.
• Launching a job flow with debugging is not currently supported in the AWS GovCloud (US) Region.

For more information about Amazon EMR, see the Amazon Elastic MapReduce documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• All input and output data that is entered, stored, and processed in Amazon EMR can contain
ITAR-regulated data.

ITAR-Regulated Data Not Permitted

• Amazon EMR metadata is not permitted to contain ITAR-regulated data. This metadata includes all
configuration data that you enter when creating and maintaining your job flows.
• Do not enter ITAR-regulated data in Amazon EMR when doing the following:
  • Naming a job flow
  • Specifying a file location
  • Naming a bootstrap action
  • Providing arguments
  • Resource tags
• ITAR-regulated data should not be printed to your logs. (Amazon EMR metadata and logs are not
permitted to contain ITAR-regulated data.)

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain
ITAR compliance. For a list of endpoints, see AWS GovCloud (US) Endpoints (p. 31).

Amazon Glacier
For more information about Amazon Glacier, see the Amazon Glacier documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• All data entered and stored in Amazon Glacier archives can contain ITAR-regulated data.

ITAR-Regulated Data Not Permitted

• Amazon Glacier metadata is not permitted to contain ITAR-regulated data. This metadata includes all
configuration data that you enter when creating and maintaining your Amazon Glacier vaults, such as
vault names.
• Do not enter ITAR-regulated data in the following fields:
  • Resource tags: Key
  • Resource tags: Value

AWS Identity and Access Management (IAM)


The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• IAM users that you create in the AWS GovCloud (US) Region are specific to the AWS GovCloud (US)
Region and do not exist in other AWS regions.
• Hard token multi-factor authentication (MFA) devices are not available in the AWS GovCloud (US)
Region. You can still use virtual MFA. For more information, see Enabling Virtual Multi-Factor
Authentication (MFA) (p. 14).
• You can't create a role to delegate access between an AWS GovCloud (US) account and an AWS
account.
• IAM roles can be used to protect ITAR data, but you cannot enter ITAR-regulated data into the roles
and role names, and you cannot assign a non-US person to a role that can access ITAR data.
• If you create policies, use the correct AWS GovCloud (US) ARN prefix. For more information, see
Amazon Resource Names (ARNs) in AWS GovCloud (US) (p. 26).
• Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region.
• When you use a SAML provider in the AWS GovCloud (US) Region, use the following URL for the XML
document that contains relying party information and certificates:
https://signin.amazonaws-us-gov.com/static/saml-metadata.xml. For more information,
see Configuring a Relying Party and Adding Claims in IAM User Guide.
• SSH public keys are used only in conjunction with AWS CodeCommit, which is currently not available
in the AWS GovCloud (US) Region.

For more information about IAM, see the IAM documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• IAM passwords are protected as ITAR-regulated data.
• Secret access keys are protected as ITAR-regulated data.
• Virtual MFA seeds are protected as ITAR-regulated data.

ITAR-Regulated Data Not Permitted

• IAM metadata is not permitted to contain ITAR-regulated data. This metadata includes all configuration
data that you enter when creating and maintaining your IAM entities.
• Do not enter ITAR-regulated data in the following fields:
  • Authentication codes, which are clear text
  • User names
  • Group names
  • Password policies
  • Policy names
  • Roles and role names
  • Policy documents

AWS Import/Export
The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• AWS Import/Export Disk is not available in the AWS GovCloud (US) Region.
• AWS Snowball, a feature of AWS Import/Export, is available in the AWS GovCloud (US) Region.
• Users can only select AWS GovCloud (US) as the import or export destination region. The AWS
GovCloud (US) Region selection is available only when signed in to AWS GovCloud (US).

For more information about Snowball, see the AWS Import/Export documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:
ITAR-Regulated Data Permitted

• All data downloaded to the Snowball appliance can contain ITAR-regulated data.

ITAR-Regulated Data Not Permitted

• Snowball metadata is not permitted to contain ITAR-regulated data. This includes the naming and
configuration data that you enter when creating and managing your Snowball import or export job.
For example, do not enter ITAR-regulated data into user input fields describing your job, such as
import job name, Amazon S3 bucket name, or Amazon SNS topic name. Snowball generated metadata
will not contain ITAR-regulated data.

AWS Key Management Service (AWS KMS)


The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• At this time, the endpoint is not yet FIPS 140-2 validated.

For more information about AWS KMS, see the AWS Key Management Service Developer Guide.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• All data encrypted with an AWS KMS key can contain ITAR-regulated data.

ITAR-Regulated Data Not Permitted

• AWS KMS metadata is not permitted to contain ITAR-regulated data. Do not enter ITAR-regulated data
in the following fields:
  • Alias
  • Descriptions
• The Encryption Context is outside the ITAR boundary (it is not encrypted and is recorded in plaintext
in AWS CloudTrail log entries, so it must not contain ITAR-regulated data).
• AWS KMS generated metadata will not contain ITAR-regulated data:
  • Key Administrators
  • Key Users
  • Key ID
  • Key ARN

Amazon Redshift
The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• In the AWS GovCloud (US) Region, all Amazon Redshift clusters must be launched in an Amazon
VPC.
• Snapshot copy is not available in the AWS GovCloud (US) Region.
• If you want Amazon Redshift to write logs to an Amazon S3 bucket, the bucket must have a policy that
uses 665727464434 for the Amazon Redshift Account ID. For more information, see Managing Log
Files in the Amazon Redshift Cluster Management Guide.

The following shows an example of a bucket policy that enables audit logging for the AWS GovCloud
(US) Region, where BucketName is a placeholder for your bucket name:

{
  "Statement": [
    {
      "Sid": "Put bucket policy needed for audit logging",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-us-gov:iam::665727464434:user/logs"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::BucketName/*"
    },
    {
      "Sid": "Get bucket policy needed for audit logging",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-us-gov:iam::665727464434:user/logs"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws-us-gov:s3:::BucketName"
    }
  ]
}
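As an added check (example code written for this editorial pass, not part of the Amazon Redshift or AWS GovCloud (US) documentation), the following Python script validates a bucket policy of the kind shown above before it is attached. It parses the policy, confirms that the Redshift logging principal for us-gov-west-1 is granted exactly s3:PutObject on the bucket's objects and s3:GetBucketAcl on the bucket, and flags two mistakes that are easy to make when copying a standard-region example: ARNs in the aws partition instead of aws-us-gov, and a wildcard principal. The bucket name my-redshift-audit-logs and the broken variant of the policy are constructed for the example.

```python
import json

# Constructed sample input: the bucket policy shown above, with "BucketName"
# replaced by the hypothetical bucket "my-redshift-audit-logs".
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Sid": "Put bucket policy needed for audit logging",
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws-us-gov:iam::665727464434:user/logs"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws-us-gov:s3:::my-redshift-audit-logs/*"},
        {"Sid": "Get bucket policy needed for audit logging",
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws-us-gov:iam::665727464434:user/logs"},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws-us-gov:s3:::my-redshift-audit-logs"},
    ]
})

# Constructed broken variant: a policy copied from a standard-region example,
# which uses the "aws" partition instead of "aws-us-gov" everywhere.
BROKEN_POLICY = SAMPLE_POLICY.replace("arn:aws-us-gov:", "arn:aws:")

# ARN prefix and Redshift logging account for us-gov-west-1, from the section above.
GOVCLOUD_PARTITION = "arn:aws-us-gov:"
REDSHIFT_LOGS_PRINCIPAL = GOVCLOUD_PARTITION + "iam::665727464434:user/logs"


def _as_list(value):
    """The policy grammar allows a string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_redshift_logging_policy(policy_json, bucket, principal=REDSHIFT_LOGS_PRINCIPAL):
    """Return a list of findings for a bucket policy meant for Redshift audit logging.

    An empty list means the policy grants exactly the two permissions Redshift needs
    (s3:PutObject on the objects, s3:GetBucketAcl on the bucket) to the Redshift
    logging principal, uses aws-us-gov ARNs throughout, and grants nothing broader
    to that principal.
    """
    policy = json.loads(policy_json)
    findings = []
    required = {
        ("s3:PutObject", f"{GOVCLOUD_PARTITION}s3:::{bucket}/*"),
        ("s3:GetBucketAcl", f"{GOVCLOUD_PARTITION}s3:::{bucket}"),
    }
    granted_to_principal = set()

    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they cannot over-grant
        princ = stmt.get("Principal")
        aws_principals = _as_list(princ.get("AWS") if isinstance(princ, dict) else princ)
        if "*" in aws_principals:
            findings.append(f"{sid}: Principal '*' grants access to everyone")
        for p in aws_principals:
            if p.startswith("arn:") and not p.startswith(GOVCLOUD_PARTITION):
                findings.append(f"{sid}: principal {p} is not in the aws-us-gov partition")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for r in resources:
            if not r.startswith(GOVCLOUD_PARTITION):
                findings.append(f"{sid}: resource {r} is not in the aws-us-gov partition")
        if principal in aws_principals:
            granted_to_principal.update((a, r) for a in actions for r in resources)

    for action, resource in sorted(required - granted_to_principal):
        findings.append(f"missing grant: {principal} needs {action} on {resource}")
    for action, resource in sorted(granted_to_principal - required):
        findings.append(f"over-broad grant: {principal} does not need {action} on {resource}")
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_POLICY), ("broken", BROKEN_POLICY)):
        print(name, check_redshift_logging_policy(doc, "my-redshift-audit-logs") or "OK")
```

Run against the policy above the checker reports nothing; run against the copied standard-region variant it reports the wrong partition on every principal and resource and, because the GovCloud principal is then never matched, both required grants as missing. Passing a different bucket name than the one in the policy reports the expected grants as missing and the existing ones as over-broad, which is what you want to see when a policy was pasted onto the wrong bucket.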

For more information about Amazon Redshift, see the Amazon Redshift documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• Amazon Redshift master passwords are protected as ITAR-regulated data.
• All data stored and processed in Amazon Redshift clusters can contain ITAR-regulated data. You
cannot transfer ITAR-regulated data in and out of Amazon Redshift using the API or CLI. You must
use database tools for data transfer of ITAR-regulated data.

ITAR-Regulated Data Not Permitted

• Amazon Redshift metadata is not permitted to contain ITAR-regulated data. This metadata includes all
configuration data that you enter when creating and maintaining your Amazon Redshift clusters except
the master password.
• Do not enter ITAR-regulated data in the following fields:
  • Database instance identifier
  • Master user name
  • Database name
  • Database snapshot name
  • Database security group name
  • Database security group description
  • Database parameter group name
  • Database parameter group description
  • Option group name
  • Option group description
  • Database subnet group name
  • Database subnet group description
  • Event subscription name
  • Resource tags

If you are processing ITAR-regulated data with Amazon Redshift, follow these guidelines in order to
maintain ITAR compliance:

• When you use the console or the AWS APIs, the only data field that is protected as ITAR-regulated
data is the Amazon Redshift Master Password.
• After you create your database, change the master password of your Amazon Redshift cluster by
directly using the database client.
• You can enter ITAR-regulated data into any data fields by using your database client-side tools. Do
not pass ITAR-regulated data by using the web service APIs that are provided by Amazon Redshift.
• To secure ITAR-regulated data in your VPC, set up access control lists (ACLs) to control traffic entering
and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on
all the ports.
• For example, if you're running an application server on an Amazon EC2 instance that connects to
an Amazon Redshift cluster, a non-U.S. person could reconfigure the DNS to redirect ITAR-regulated
data out of the VPC and into any server that could possibly be outside of the AWS GovCloud (US)
Region.

To prevent this type of attack and to maintain ITAR compliance, use network ACLs to prevent network
traffic from exiting the VPC on the database port. For more information, see Network ACLs in the
Amazon VPC User Guide.
• For each cluster that contains ITAR-regulated data, ensure that only specific CIDR ranges and Amazon
EC2 security groups can access the cluster, especially when an Internet gateway is attached to the
VPC. Only allow connections that are from the AWS GovCloud (US) Region or other ITAR-controlled
environments to ITAR-controlled clusters.

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain
ITAR compliance. For a list of endpoints, see AWS GovCloud (US) Endpoints (p. 31).

Amazon Relational Database Service (Amazon RDS)
The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• In the AWS GovCloud (US) Region, all Amazon RDS instances must be launched in an Amazon VPC.
• DB event notifications via SMS are not supported in the AWS GovCloud (US) Region.

For more information about Amazon RDS, see the Amazon Relational Database Service documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• Amazon RDS master passwords are protected as ITAR-regulated data.
• All data stored and processed in Amazon RDS database tables can contain ITAR-regulated data. You
cannot transfer ITAR-regulated data in and out of your Amazon RDS instance using the API or CLI.
You must use database tools for data transfer of ITAR-regulated data.

ITAR-Regulated Data Not Permitted

• Amazon RDS metadata is not permitted to contain ITAR-regulated data. This metadata includes all
configuration data that you enter when creating and maintaining your Amazon RDS instances except
the master password.
• Do not enter ITAR-regulated data in the following fields:
  • Database instance identifier
  • Master user name
  • Database name
  • Database snapshot name
  • Database security group name
  • Database security group description
  • Database parameter group name
  • Database parameter group description
  • Option group name
  • Option group description
  • Database subnet group name
  • Database subnet group description
  • Event subscription name
  • Resource tags

If you are processing ITAR-regulated data with Amazon RDS, follow these guidelines in order to maintain
ITAR compliance:

• When you use the console or the AWS APIs, the only data field that is protected as ITAR-regulated
data is the Amazon RDS Master Password.
• After you create your database, change the master password of your Amazon RDS instance by directly
using the database client.
• You can enter ITAR-regulated data into any data fields by using your database client-side tools. Do
not pass ITAR-regulated data by using the web service APIs that are provided by Amazon RDS.
• To secure ITAR-regulated data in your VPC, set up access control lists (ACLs) to control traffic entering
and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on
all the ports.
• For example, if you're running an application server on an Amazon EC2 instance that connects to
an Amazon RDS database instance, a non-U.S. person could reconfigure the DNS to redirect
ITAR-regulated data out of the VPC and into any server that might be outside of the AWS GovCloud
(US) Region.

To prevent this type of attack and to maintain ITAR compliance, use network ACLs to prevent network
traffic from exiting the VPC on the database port. For more information, see Network ACLs in the
Amazon VPC User Guide.
• For each database instance that contains ITAR-regulated data, ensure that only specific CIDR ranges
and Amazon EC2 security groups can access the database instance, especially when an Internet
gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US) Region
or other ITAR-controlled environments to ITAR-controlled database instances.

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain
ITAR compliance. For a list of endpoints, see AWS GovCloud (US) Endpoints (p. 31).
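The network ACL guidance given above for ElastiCache, Amazon Redshift and Amazon RDS hinges on a detail the text does not spell out: network ACL entries are evaluated in ascending rule-number order and the first matching entry decides, so an "allow to the VPC" entry must be numbered below the "deny everywhere" entry for the same port, and both must sit below any catch-all allow. The following Python example, added here and not part of the guide, builds the egress entries for one ACL (allow each database port to the VPC's own CIDR, deny the same port to any other destination, then a catch-all allow so unrelated egress keeps working) and emulates the ACL decision for the DNS-redirection scenario described above. The VPC CIDR 10.0.0.0/16, the ports 5432, 5439 and 6379, and the addresses used are assumptions for the example; the entry fields mirror the parameters of the aws ec2 create-network-acl-entry command.

```python
import ipaddress

# Assumed values for the example (not from the guide): the VPC's CIDR and the
# listener ports of the data stores that hold ITAR-regulated data.
VPC_CIDR = "10.0.0.0/16"
DB_PORTS = {5432: "Amazon RDS (PostgreSQL)", 5439: "Amazon Redshift", 6379: "ElastiCache (Redis)"}

CATCH_ALL_RULE = 32000  # keeps other egress (HTTPS, ephemeral ports, ...) working


def build_db_egress_acl(vpc_cidr=VPC_CIDR, db_ports=DB_PORTS, start_rule=100):
    """Return ordered egress entries for a network ACL.

    Field names mirror the parameters of `aws ec2 create-network-acl-entry`.
    Network ACLs are evaluated in ascending RuleNumber order and the first
    matching entry wins, so for each port the allow-to-VPC entry carries a
    lower number than the deny-to-anywhere entry, and both precede the
    catch-all allow.
    """
    entries = []
    rule = start_rule
    for port in sorted(db_ports):
        entries.append({"RuleNumber": rule, "Egress": True, "Protocol": "tcp",
                        "PortRange": (port, port), "CidrBlock": vpc_cidr,
                        "RuleAction": "allow"})
        entries.append({"RuleNumber": rule + 10, "Egress": True, "Protocol": "tcp",
                        "PortRange": (port, port), "CidrBlock": "0.0.0.0/0",
                        "RuleAction": "deny"})
        rule += 100
    entries.append({"RuleNumber": CATCH_ALL_RULE, "Egress": True, "Protocol": "-1",
                    "PortRange": (0, 65535), "CidrBlock": "0.0.0.0/0",
                    "RuleAction": "allow"})
    return entries


def evaluate(entries, dst_ip, dst_port, protocol="tcp", egress=True):
    """Emulate the ACL decision for one packet: first match in rule order wins,
    and anything unmatched hits the implicit final deny (the '*' rule)."""
    ip = ipaddress.ip_address(dst_ip)
    ordered = sorted((x for x in entries if x["Egress"] == egress), key=lambda x: x["RuleNumber"])
    for e in ordered:
        if e["Protocol"] not in ("-1", protocol):
            continue
        low, high = e["PortRange"]
        if not low <= dst_port <= high:
            continue
        if ip not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        return e["RuleAction"]
    return "deny"


def renumber_catch_all(entries, rule_number):
    """Copy of `entries` with the catch-all moved to `rule_number`; used below to
    show that a catch-all numbered below the denies silently re-opens the ports."""
    return [dict(e, RuleNumber=rule_number) if e["Protocol"] == "-1" else dict(e)
            for e in entries]


if __name__ == "__main__":
    acl = build_db_egress_acl()
    print(evaluate(acl, "10.0.5.20", 5432))      # database inside the VPC: allow
    print(evaluate(acl, "203.0.113.10", 5432))   # DNS pointed outside the VPC: deny
    print(evaluate(acl, "203.0.113.10", 443))    # unrelated egress still works: allow
    print(evaluate(renumber_catch_all(acl, 50), "203.0.113.10", 5432))  # misordered: allow (leak)
```

Ingress entries for the same ports are built the same way with Egress set to False; network ACLs are stateless, so both directions need entries. The last call shows the failure mode the ordering rule guards against: moving the catch-all allow to rule 50 places it ahead of the denies, and traffic on the database port to an address outside the VPC is allowed again even though the deny entries are still present.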

Amazon Simple Storage Service (Amazon S3)


The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• You cannot do a direct copy of the contents of an Amazon S3 bucket in the AWS GovCloud (US) Region
to or from another AWS region.
• Cross-region replication is not supported in the AWS GovCloud (US) Region.
• If you use Amazon S3 policies, use the AWS GovCloud (US) ARN identifier. For more information, see
Amazon Resource Names (ARNs) in AWS GovCloud (US) (p. 26).
• In the AWS GovCloud (US) Region, Amazon S3 has three endpoints. If you are processing
ITAR-regulated data, use one of the SSL endpoints. If you have FIPS requirements, use the FIPS 140-2
validated endpoint (https://s3-fips-us-gov-west-1.amazonaws.com). You can access VPC endpoints
for Amazon S3 over both the FIPS and non-FIPS endpoints. For a list of AWS GovCloud (US) endpoints,
see AWS GovCloud (US) Endpoints (p. 31).
• Amazon S3 bucket names are unique to the AWS GovCloud (US) Region. Bucket names in the AWS
GovCloud (US) Region are not shared across other AWS regions.
• Amazon S3 Transfer Acceleration is not available in the AWS GovCloud (US) Region.

For more information about Amazon S3, see the Amazon Simple Storage Service documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• All data entered and stored in Amazon S3 buckets can contain ITAR-regulated data.

ITAR-Regulated Data Not Permitted

• Amazon S3 metadata is not permitted to contain ITAR-regulated data. This metadata includes all
configuration data that you enter when creating and maintaining your Amazon S3 buckets, such as
bucket names.
• Do not enter ITAR-regulated data in the following fields:
  • Resource tags

Amazon Simple Notification Service (Amazon SNS)
For more information about Amazon SNS, see the Amazon Simple Notification Service documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• You may enter ITAR-regulated data in the following field when meeting the notification endpoint
conditions below:
  • Notification Message
• ITAR-regulated data may be entered, stored, and processed in the Amazon SNS notification when the
following notification endpoints are being used:
  • Amazon SQS queues in AWS GovCloud (US) – may receive notifications containing ITAR-regulated
  data
  • HTTPS URL endpoint in AWS GovCloud (US) – may receive notifications containing ITAR-regulated
  data if the service is allowed to accept ITAR-regulated data (see the service for details)
  • HTTPS URL endpoint outside of AWS GovCloud (US) – may receive notifications containing
  ITAR-regulated data if the customer has set up the endpoint URL in compliance with ITAR regulations

ITAR-Regulated Data Not Permitted

• ITAR-regulated data may not be entered, stored, or processed in Amazon SNS notification messages
when the following notification endpoints are being used:
  • Mobile push notifications – not permitted to contain ITAR-regulated data
  • Email – not permitted to contain ITAR-regulated data
  • Amazon SQS queues outside of AWS GovCloud (US) – not permitted to contain ITAR-regulated data
  • HTTP URL endpoint – not permitted to contain ITAR-regulated data
• Amazon SNS metadata is not permitted to contain ITAR-regulated data. This metadata includes all
configuration data that you enter when setting up and maintaining your topics. For example, do not
enter ITAR-regulated data in the following fields:
  • Topic Name
  • Display Name
  • Topic Policy
  • Topic Delivery Policy
  • Topic ARN
  • Endpoint
  • Subject
  • Application Name

Amazon Simple Queue Service (Amazon SQS)


For more information about Amazon SQS, see the Amazon Simple Queue Service documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• Not applicable

ITAR-Regulated Data Not Permitted

• No ITAR-regulated data may be entered, stored, or processed in Amazon SQS.
• Amazon SQS metadata is not permitted to contain ITAR-regulated data. This metadata includes all
configuration data that you enter when setting up and maintaining your queues. For example, do not
enter ITAR-regulated data in the following fields:
  • Queue Name
  • Queue Configuration
  • Queue Policy Document
  • Queue Permissions
  • SQS Message

Amazon Simple Workflow Service (Amazon SWF)


For more information about Amazon SWF, see the Amazon Simple Workflow Service documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

• Not applicable

ITAR-Regulated Data Not Permitted

• No ITAR-regulated data can be entered, stored, or processed in Amazon SWF.
• Amazon SWF metadata is not permitted to contain ITAR-regulated data. This metadata includes all of
the configuration data that you enter when setting up and maintaining your workflows. For example,
do not enter ITAR-regulated data in the following fields:
  • Workflow type name
  • Workflow type version
  • Activity type name
  • Activity type version
  • Execution workflow ID
  • Activity task ID
  • The input, result, or details arguments to workflow executions
  • The input, result, or details arguments to activity tasks

Amazon Virtual Private Cloud (Amazon VPC)


The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• You must launch Amazon EC2 instances, Amazon RDS instances, or Amazon EMR instances in an
Amazon VPC. In some cases, your account might have a default VPC. For more information, see
Determining if Your Account Has a Default Amazon VPC (p. 46).
• Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other
regions, you can use HTTP or HTTPS.

For more information about Amazon VPC, see the Amazon Virtual Private Cloud documentation.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted:
• All data entered, stored, and processed in Amazon VPC can contain ITAR-regulated data.
• You can transmit ITAR-regulated data in clear text across the network within your Amazon VPC.
• You can transmit ITAR-regulated data in clear text across your Amazon VPC VPN tunnels, assuming
  the destination endpoint is ITAR compliant.

ITAR-Regulated Data Not Permitted:
• Amazon VPC metadata is not permitted to contain ITAR-regulated data. This metadata includes all of
  the configuration data that you enter when setting up and maintaining your VPCs.
• If you are using VPC Flow Logs, the following field is not permitted to contain ITAR-regulated data:
  • Destination log group name

AWS Management Console for the AWS GovCloud (US) Region
The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• You access the AWS GovCloud (US) console by using a different URL than the standard AWS
Management Console.
• You can only access the console by using an IAM user name and password, not with the AWS GovCloud
(US) root account.
• The console includes only the services that are available in the AWS GovCloud (US) Region.
• You are automatically signed out from the console after 4 hours.
• Hardware Multi-factor Authentication (MFA) tokens are not available for the console.
• The console does not permit navigation to any regions other than the AWS GovCloud (US) Region.
• You can sign in to the AWS GovCloud (US) console and the standard AWS Management Console
concurrently.
• You cannot automatically create a support ticket from the AWS GovCloud (US) console.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted:
• Console passwords are protected as ITAR-regulated data.
• All console data fields inherit the ITAR restrictions for the specific service that is being
  accessed. See each service for details.

ITAR-Regulated Data Not Permitted:
• Your user name is not permitted to contain ITAR-regulated data.
• All console data fields inherit the ITAR restrictions for the specific service that is being
  accessed. See each service for details.

AWS Trusted Advisor


The following list details the differences for using this service in the AWS GovCloud (US) Region compared
to other AWS regions:

• Email notifications are not yet enabled in Trusted Advisor in the AWS GovCloud (US) Region.
• All 23 checks are available to all AWS GovCloud (US) customers today.

The following table lists the Trusted Advisor checks that are available in the AWS GovCloud (US) Region
and the required support level:

Category            Check                                                               Enabled in AWS GovCloud (US)  Support Level
Cost Optimization   Unassociated Elastic IP Address                                     Yes                           Business and Enterprise
Security            Security Groups - Specific Ports Unrestricted                       Yes                           Basic
Security            Security Groups - Unrestricted Access                               Yes                           Business and Enterprise
Security            Amazon S3 Bucket Permissions                                        Yes                           Business and Enterprise
Security            IAM Password Policy                                                 Yes                           Business and Enterprise
Security            AWS CloudTrail Logging                                              Yes                           Business and Enterprise
Security            ELB Listener Security                                               Yes                           Business and Enterprise
Security            ELB Security Groups                                                 Yes                           Business and Enterprise
Fault Tolerance     Amazon EBS Snapshots                                                Yes                           Business and Enterprise
Fault Tolerance     Amazon EC2 Availability Zone Balance                                Yes                           Business and Enterprise
Fault Tolerance     Load Balancer Optimization                                          Yes                           Business and Enterprise
Fault Tolerance     VPN Tunnel Redundancy                                               Yes                           Business and Enterprise
Fault Tolerance     Auto Scaling Group Resources                                        Yes                           Business and Enterprise
Fault Tolerance     Auto Scaling Group Health Check                                     Yes                           Business and Enterprise
Fault Tolerance     Amazon S3 Bucket Logging                                            Yes                           Business and Enterprise
Fault Tolerance     ELB Connection Draining                                             Yes                           Business and Enterprise
Fault Tolerance     ELB Cross-Zone Load Balancing                                       Yes                           Business and Enterprise
Performance         High Utilization Amazon EC2 Instances                               Yes                           Business and Enterprise
Performance         Service Limits                                                      Yes                           Basic
Performance         Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration   Yes                           Business and Enterprise
Performance         Large Number of Rules in an EC2 Security Group                      Yes                           Business and Enterprise
Performance         Large Number of EC2 Security Group Rules Applied to an Instance     Yes                           Business and Enterprise
Performance         Overutilized Amazon EBS Magnetic Volumes                            Yes                           Business and Enterprise
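
As an added example (it is not part of this guide and is not Trusted Advisor's own logic), the following Python approximates the two security-group checks in the table above over the JSON shape that `aws ec2 describe-security-groups` returns. It is useful on the Basic support level, where the table shows only the Specific Ports check is included. The group ids, names, and rules are constructed sample data, not output from a real account; in practice the JSON would come from the AWS CLI or boto3.

```python
"""Flag security group ingress rules whose source is the whole internet.

Added example for this guide, not Trusted Advisor's own logic. It approximates
the "Security Groups - Specific Ports Unrestricted" and "Security Groups -
Unrestricted Access" checks over the DescribeSecurityGroups response shape.
"""
import json

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
# All ids and names are made up for the example.
SAMPLE_RESPONSE = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0a1b2c3d", "GroupName": "web-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0e4f5a6b", "GroupName": "legacy-admin",
            "IpPermissions": [
                # IpProtocol "-1" means every protocol and every port.
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": ANY_IPV4}],
                 "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
            ],
        },
        {
            "GroupId": "sg-0c7d8e9f", "GroupName": "db-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
            ],
        },
    ]
})


def _open_to_world(perm):
    """True when any IPv4 or IPv6 source range of the rule is unrestricted."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_open_ingress(describe_json, expected_public=frozenset()):
    """Return one finding per ingress rule reachable from the whole internet.

    expected_public is a set of (protocol, port) pairs the caller intends to
    expose (for example {("tcp", 443)} for a public web tier); single-port
    rules matching it are skipped so only surprises are reported.
    """
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":
                kind, ports = "unrestricted-access", "all"
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                if lo == hi and (proto, lo) in expected_public:
                    continue
                kind = "specific-ports-unrestricted"
                ports = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
            findings.append({"group_id": sg["GroupId"],
                             "group_name": sg["GroupName"],
                             "kind": kind, "ports": ports})
    return findings


if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_RESPONSE, expected_public={("tcp", 443)}):
        print(f"{f['group_id']} ({f['group_name']}): {f['kind']} on {f['ports']}")
```

The "unrestricted-access" finding (protocol -1 from 0.0.0.0/0 or ::/0) is the one the Business and Enterprise-only check covers; the others correspond to the Basic-level Specific Ports check. Rules that reference another security group rather than a CIDR are not reported, which matches the table's scope of internet-facing exposure.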

The following table lists the Trusted Advisor checks that are not available in the AWS GovCloud (US)
Region:

Category            Check                                                               Enabled in AWS GovCloud (US)  Support Level
Cost Optimization   Amazon EC2 Reserved Instance Optimization                           No                            Business and Enterprise
Cost Optimization   Low Utilization Amazon EC2 Instances                                No                            Business and Enterprise
Cost Optimization   Idle Load Balancers                                                 No                            Business and Enterprise
Cost Optimization   Underutilized Amazon EBS Volumes                                    No                            Business and Enterprise
Cost Optimization   Amazon RDS Idle DB Instances                                        No                            Business and Enterprise
Security            IAM Use                                                             No                            Basic
Security            MFA on Root Account                                                 No                            Basic
Security            Amazon RDS Security Group Access Risk                               No                            Business and Enterprise
Security            Amazon Route 53 MX Resource Record Sets and Sender Policy Framework No                            Business and Enterprise
Fault Tolerance     Amazon RDS Backups                                                  No                            Business and Enterprise
Fault Tolerance     Amazon RDS Multi-AZ                                                 No                            Business and Enterprise
Fault Tolerance     Amazon Route 53 Name Server Delegations                             No                            Business and Enterprise
Fault Tolerance     Amazon Route 53 High TTL Resource Record Sets                       No                            Business and Enterprise
Fault Tolerance     Amazon Route 53 Failover Resource Record Sets                       No                            Business and Enterprise
Fault Tolerance     Amazon Route 53 Deleted Health Checks                               No                            Business and Enterprise
Performance         Amazon Route 53 Alias Resource Record Sets                          No                            Business and Enterprise
Performance         Amazon CloudFront Content Delivery Optimization                     No                            Business and Enterprise
Performance         Amazon Route 53 Latency Resource Record Sets                        No                            Business and Enterprise

For more information about Trusted Advisor, see Meet AWS Trusted Advisor.

ITAR Boundary
The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service
in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR
compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section
does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted:
• Not applicable

ITAR-Regulated Data Not Permitted:
• Not applicable

Troubleshooting

The following section discusses common issues that you might encounter when you work in the AWS
GovCloud (US) Region.

Topics
• Client.UnsupportedOperation: Instances can only be launched within Amazon VPC in this region (p. 66)

Client.UnsupportedOperation: Instances can only be launched within Amazon VPC in this region
Service: Amazon EC2

Issue: When I attempt to launch an instance by using the CLI or API, I get a "Client.UnsupportedOperation:
Instances can only be launched within Amazon VPC in this region" error.

Cause: Your account might not have a VPC.

Recommended Action: Verify that your account has a VPC. If not, create a VPC and then launch
instances using that VPC.

In some cases, your account might have a default VPC. For more information, see Determining if Your
Account Has a Default Amazon VPC (p. 46). If you still receive this error when you run the
ec2-run-instances command (or the RunInstances action) to launch an Amazon EC2 instance,
you must specify the subnet parameter. Although the subnet parameter is optional in other regions, if
you omit it in the AWS GovCloud (US) Region, you receive an error.
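
The following Python is an added example, not code from this guide, of the pre-flight described above: it
finds the default VPC, picks one of its subnets, and builds the RunInstances parameters with SubnetId
always set, so the call does not fail with Client.UnsupportedOperation in the AWS GovCloud (US) Region.
The DescribeVpcs and DescribeSubnets responses are constructed sample data (in real use they come from
boto3's ec2.describe_vpcs() and ec2.describe_subnets()), the region name us-gov-west-1 is assumed, and the
AMI id is a placeholder.

```python
"""Pre-flight for RunInstances in the AWS GovCloud (US) Region.

Added example for this guide. GovCloud (US) rejects RunInstances without a
subnet, so a subnet is resolved from the default VPC before the request is
built; in other regions a missing SubnetId is left for the service to default.
"""

# Assumption: the GovCloud (US) region name used with the API.
GOVCLOUD_REGIONS = {"us-gov-west-1"}


class LaunchPreflightError(Exception):
    """Raised when no subnet can be resolved for a GovCloud (US) launch."""


# Constructed sample responses shaped like DescribeVpcs / DescribeSubnets.
# Every id is made up for the example.
SAMPLE_VPCS = {"Vpcs": [
    {"VpcId": "vpc-0aaa1111", "IsDefault": False, "CidrBlock": "10.1.0.0/16"},
    {"VpcId": "vpc-0bbb2222", "IsDefault": True, "CidrBlock": "172.31.0.0/16"},
]}
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0c01", "VpcId": "vpc-0aaa1111", "AvailabilityZone": "us-gov-west-1a"},
    {"SubnetId": "subnet-0c02", "VpcId": "vpc-0bbb2222", "AvailabilityZone": "us-gov-west-1a"},
    {"SubnetId": "subnet-0c03", "VpcId": "vpc-0bbb2222", "AvailabilityZone": "us-gov-west-1b"},
]}


def default_vpc_id(describe_vpcs):
    """Return the default VPC's id, or None when the account has none."""
    for vpc in describe_vpcs.get("Vpcs", []):
        if vpc.get("IsDefault"):
            return vpc["VpcId"]
    return None


def pick_subnet(describe_subnets, vpc_id, availability_zone=None):
    """Return the first subnet in vpc_id, optionally pinned to one Availability Zone."""
    for sn in describe_subnets.get("Subnets", []):
        if sn["VpcId"] != vpc_id:
            continue
        if availability_zone and sn["AvailabilityZone"] != availability_zone:
            continue
        return sn["SubnetId"]
    return None


def build_run_instances(region, image_id, instance_type, describe_vpcs, describe_subnets,
                        subnet_id=None, availability_zone=None):
    """Return RunInstances parameters; in GovCloud (US) SubnetId is always present."""
    params = {"ImageId": image_id, "InstanceType": instance_type,
              "MinCount": 1, "MaxCount": 1}
    if subnet_id is None and region in GOVCLOUD_REGIONS:
        vpc_id = default_vpc_id(describe_vpcs)
        if vpc_id is None:
            raise LaunchPreflightError(
                f"{region}: no default VPC and no SubnetId given; create a VPC and a "
                "subnet, then pass its SubnetId (RunInstances would otherwise fail "
                "with Client.UnsupportedOperation)")
        subnet_id = pick_subnet(describe_subnets, vpc_id, availability_zone)
        if subnet_id is None:
            raise LaunchPreflightError(f"{region}: default VPC {vpc_id} has no usable subnet")
    if subnet_id is not None:
        params["SubnetId"] = subnet_id
    return params


if __name__ == "__main__":
    # "ami-PLACEHOLDER" stands in for a real AMI id in the region.
    print(build_run_instances("us-gov-west-1", "ami-PLACEHOLDER", "t2.micro",
                              SAMPLE_VPCS, SAMPLE_SUBNETS))
```

Pass the returned dictionary as keyword arguments to boto3's ec2.run_instances(), or map SubnetId to
the subnet parameter of ec2-run-instances. The error raised when no default VPC exists carries the same
remedy the text gives: create a VPC and launch into one of its subnets.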


Related Resources

This topic lists additional resources related to AWS GovCloud (US).

New to AWS
The following table lists additional resources for users new to AWS:

Development and Test on AWS
    This paper describes how AWS adds value in the various phases of the software development cycle,
    with a specific focus on development and test.

Amazon VPC Network Connectivity Options
    This paper describes connectivity options for integrating remote customer networks with Amazon
    VPC, as well as interconnecting multiple Amazon VPCs into a contiguous virtual network.

Microsoft SharePoint Server on AWS Reference Architecture
    This paper discusses general concepts regarding how to run SharePoint on AWS and provides detailed
    technical guidance on how to configure, deploy, and run a SharePoint Server farm on AWS.

Operational Checklists for AWS
    This paper provides two checklists, Basic and Enterprise, that you can use to evaluate your
    applications against a list of essential and recommended best practices.

Amazon's Corporate IT Deploys SharePoint 2010 to the AWS Cloud
    This paper describes how and why Amazon's corporate IT organization deployed its corporate intranet
    (an enterprise mission-critical corporate IT application that involves highly sensitive data)
    running Microsoft SharePoint 2010 to the AWS cloud.

Extend Your IT Infrastructure with Amazon VPC
    This paper highlights common use cases and best practices for Amazon VPC and related services.

Auditing Security Checklist for Use of AWS
    This paper provides a checklist to help you design and execute a security assessment of your
    organization's use of AWS, which may be required by industry or regulatory standards.

Security at Scale: Governance on AWS
    This paper discusses the security and governance features built in to AWS services to help you
    incorporate security benefits and best practices in building your integrated environment with AWS.

AWS Security Best Practices
    This paper explains the AWS shared security model and provides an overview of various security
    topics. These topics include identifying, categorizing, and protecting your assets on AWS; managing
    access to AWS resources using the IAM service; and suggesting ways to help secure your data, your
    operating systems, and applications in the cloud.

AWS: Overview of Security Processes
    This paper describes AWS physical and operational security processes for network and server
    infrastructure under AWS's management, as well as service-specific security implementations.

AWS: Risk and Compliance
    This paper helps you integrate AWS into the existing control framework that supports your IT
    environment. This paper also addresses AWS-specific information about general cloud computing
    compliance questions.

AWS Compliance Whitepapers
    This site has information and whitepapers related to compliance.

Experienced with AWS

The following table lists additional resources for users experienced with AWS:

Web Identity Federation with Mobile Applications
    This article discusses the web identity federation feature of AWS Security Token Service and a
    sample for use in the AWS Mobile SDKs.

High Availability for Amazon VPC NAT Instances: An Example
    This article provides all the necessary resources, including an easy-to-use script and instructions
    on how you can leverage bidirectional monitoring between two NAT instances, to implement a high
    availability (HA) failover solution for network address translation (NAT).

Securing Data at Rest with Encryption
    This paper provides an overview of methods for encrypting your data at rest.


Document History

The following table describes important changes to the documentation since the last release of the AWS
GovCloud (US) User Guide.

• Latest documentation update: April 19, 2016

AWS Import/Export (April 19, 2016): AWS Snowball, a feature of AWS Import/Export, is now available in
the AWS GovCloud (US) Region. See AWS Import/Export (p. 52).

AWS CloudTrail (March 24, 2016): Updated information about creating multiple trails. See AWS
CloudTrail (p. 39).

Importing VMs (February 11, 2016): Updated information about importing virtual machines into the AWS
GovCloud (US) Region. See Importing Virtual Machines into the AWS GovCloud (US) Region (p. 15).

Signing up for AWS GovCloud (US) (December 18, 2015): Describes the new sign-up process for direct
customers and resellers. See Signing Up for AWS GovCloud (US) (p. 7).

IAM (December 18, 2015): Updates to MFA for the AWS GovCloud (US) console. See Enabling Virtual
Multi-Factor Authentication (MFA) (p. 14).

Amazon S3 (December 18, 2015): Updated text about VPC endpoints for Amazon S3. See Amazon Simple
Storage Service (Amazon S3) (p. 57).

Amazon EBS (December 18, 2015): Updated text about copying snapshots. See Amazon Elastic Block Store
(Amazon EBS) (p. 44).

CloudWatch Logs and CloudTrail (November 19, 2015): CloudWatch Logs is now supported within CloudTrail
in the AWS GovCloud (US) Region. See AWS CloudTrail (p. 39).

AWS Direct Connect (October 28, 2015): Updated information about using AWS Direct Connect. See AWS
Direct Connect (p. 42).

Amazon Glacier (October 28, 2015): Updated ITAR-regulated data for Amazon Glacier. See Amazon
Glacier (p. 50).

VPC Flow Logs (October 27, 2015): VPC Flow Logs are now supported in AWS GovCloud (US). See Amazon
Virtual Private Cloud (Amazon VPC) (p. 61).

CloudWatch Logs (October 27, 2015): CloudWatch Logs are now supported in AWS GovCloud (US). See
Amazon CloudWatch (p. 42).

AWS WAF and Amazon CloudFront (October 27, 2015): Added information about using AWS WAF with
CloudFront. See Setting Up Amazon CloudFront with Your AWS GovCloud (US) Resources (p. 17).

AWS CloudTrail (August 25, 2015): Added a policy example that enables CloudTrail to write log files to
your bucket. See AWS CloudTrail (p. 39).

AWS CloudHSM (August 5, 2015): AWS CloudHSM is now available in the AWS GovCloud (US) Region. See AWS
CloudHSM (p. 39).

Penetration testing (August 5, 2015): Updated instructions for submitting a request. See Penetration
Testing (p. 35).

IAM (July 9, 2015): Added information about SSH public keys. See AWS Identity and Access Management
(IAM) (p. 51).

IAM and VM Import (June 12, 2015): Added information about using roles to delegate access. Added a
note about ImportImage. See AWS Identity and Access Management (IAM) (p. 51) and Importing Virtual
Machines into the AWS GovCloud (US) Region (p. 15).

DynamoDB and CloudTrail (May 28, 2015): DynamoDB is now supported within CloudTrail in the AWS GovCloud
(US) Region. See AWS CloudTrail (p. 39).

AWS Key Management Service (May 7, 2015): AWS KMS is now available in the AWS GovCloud (US) Region.
See AWS Key Management Service (AWS KMS) (p. 53).

Encryption (May 7, 2015): Encryption is now available for Amazon Elastic Block Store (Amazon
EBS) (p. 44), Amazon Elastic MapReduce (Amazon EMR) (p. 50), and Amazon Simple Storage Service (Amazon
S3) (p. 57).

AWS Direct Connect (April 3, 2015): Updated instructions for setting up AWS Direct Connect. See AWS
Direct Connect (p. 42).

Amazon S3 (March 24, 2015): Added info about cross-region replication. See Amazon Simple Storage
Service (Amazon S3) (p. 57).

AWS Trusted Advisor (March 18, 2015): Added two new Trusted Advisor checks that are now supported (IAM
Password Policy, ELB Connection Draining). See AWS Trusted Advisor (p. 63).

AWS Trusted Advisor (March 11, 2015): Added three new Trusted Advisor checks that are now supported
(ELB Cross-Zone Load Balancing, ELB Listener Security, ELB Security Groups). See AWS Trusted
Advisor (p. 63).

VM Export (March 9, 2015): Updated information about using VM Export. See Amazon Elastic Compute Cloud
(Amazon EC2) (p. 45).

VM Import (March 6, 2015): Updated information about using VM Import. See Amazon Elastic Compute Cloud
(Amazon EC2) (p. 45).

Importing VMs (February 11, 2015): Updated information about importing virtual machines into the AWS
GovCloud (US) Region. See Importing Virtual Machines into the AWS GovCloud (US) Region (p. 15).

Amazon ElastiCache (January 29, 2015): ElastiCache is now available in the AWS GovCloud (US) Region.
See Amazon ElastiCache (p. 48).

AWS Trusted Advisor (January 29, 2015): Updated information about Trusted Advisor. See AWS Trusted
Advisor (p. 63).

Amazon RDS and CloudTrail (January 22, 2015): Amazon RDS is now supported within CloudTrail in the AWS
GovCloud (US) Region. See AWS CloudTrail (p. 39).

AWS Trusted Advisor (January 20, 2015): Trusted Advisor is now available in the AWS GovCloud (US)
Region. See AWS Trusted Advisor (p. 63).

Amazon Glacier (December 30, 2014): Amazon Glacier is now available in the AWS GovCloud (US) Region.
See Amazon Glacier (p. 50).

AWS CloudTrail (December 16, 2014): AWS CloudTrail is now available in the AWS GovCloud (US) Region.
See AWS CloudTrail (p. 39).

Importing VMs (December 15, 2014): Updated information about importing virtual machines into the AWS
GovCloud (US) Region. See Importing Virtual Machines into the AWS GovCloud (US) Region (p. 15) and
Amazon Elastic Compute Cloud (Amazon EC2) (p. 45).

Amazon Redshift (November 18, 2014): Amazon Redshift is now available in the AWS GovCloud (US) Region.
See Amazon Redshift (p. 54).

Feedback links (September 26, 2014): Fixed links to provide feedback.

Service Health Dashboard (August 27, 2014): The Service Health Dashboard is supported in AWS GovCloud
(US). See Service Health Dashboard (p. 36).

IP range (August 27, 2014): Another public IP range for Amazon EC2 instances has been added. See Amazon
Elastic Compute Cloud (Amazon EC2) (p. 45).

IAM (August 5, 2014): Updates to MFA for changes in IAM console. See Enabling Virtual Multi-Factor
Authentication (MFA) (p. 14).

IAM (July 25, 2014): Added the URL for the XML document that contains relying party information and
certificates when using a SAML provider. See AWS Identity and Access Management (IAM) (p. 51).

Amazon EC2 (July 15, 2014): Updates to differences in Amazon EC2 AMI tools. See Amazon Elastic Compute
Cloud (Amazon EC2) (p. 45).

Amazon SNS (July 2, 2014): Updates to Amazon SNS ITAR boundary. See Amazon Simple Notification Service
(Amazon SNS) (p. 58).

Provisioned IOPS (May 28, 2014): Provisioned IOPS and tagging in the console are supported for Amazon
RDS in the AWS GovCloud (US) Region. For information about using Amazon RDS in the AWS GovCloud (US)
Region, see Amazon Relational Database Service (Amazon RDS) (p. 56).

Accessing the console (April 7, 2014): Updates for the AWS GovCloud (US) Management Console on-board
tool. See On-boarding to AWS GovCloud (US) (Resellers or Reseller Customers) (p. 11).

Provisioned IOPS (April 1, 2014): Provisioned IOPS is supported in the AWS GovCloud (US) Region. For
information about using Amazon EC2 and Amazon EBS in the AWS GovCloud (US) Region, see Amazon Elastic
Compute Cloud (Amazon EC2) (p. 45) and Amazon Elastic Block Store (Amazon EBS) (p. 44).

Amazon EC2 (March 19, 2014): Updates to Amazon EC2 and troubleshooting. For information, see Amazon
Elastic Compute Cloud (Amazon EC2) (p. 45) and Troubleshooting (p. 66).

Amazon SES (March 4, 2014): Added instructions on how to set up Amazon SES in your AWS GovCloud (US)
architecture. See Setting Up Amazon Simple Email Service in Your AWS GovCloud (US) Architecture (p. 24).

Migrating AMIs (March 4, 2014): Added information about how to migrate your AMIs from another AWS
region into the AWS GovCloud (US) Region. See Importing Virtual Machines into the AWS GovCloud (US)
Region (p. 15).

Red Hat Linux (March 4, 2014): Red Hat Linux is now available in the AWS GovCloud (US) Region. For
information about using Amazon EC2 in the AWS GovCloud (US) Region, see Amazon Elastic Compute Cloud
(Amazon EC2) (p. 45).

SUSE Linux (January 17, 2014): SUSE Linux is now available in the AWS GovCloud (US) Region. For
information about using Amazon EC2 in the AWS GovCloud (US) Region, see Amazon Elastic Compute Cloud
(Amazon EC2) (p. 45).

Amazon Route 53 (January 12, 2014): Elastic Load Balancing load balancers located in the AWS GovCloud
(US) Region are now integrated into the Amazon Route 53 service. Updated text in Setting Up Amazon
Route 53 Zone Apex Support with an AWS GovCloud (US) Elastic Load Balancing Load Balancer (p. 19).

Resources (January 8, 2014): Updated list of additional resources. See Related Resources (p. 67).

Added note about Amazon SNS Mobile Push Notifications. See Amazon Simple Notification Service (Amazon
SNS) (p. 58).

DynamoDB (December 30, 2013): The DynamoDB console is available and no longer in beta in the AWS
GovCloud (US) Region. See Amazon DynamoDB (p. 43).

Endpoints (December 11, 2013): Added AWS Management Console endpoints for federation and SAML. See AWS
GovCloud (US) Endpoints (p. 31).

Amazon EC2 (November 20, 2013): Added fix for instructions to create a key pair. See Amazon Elastic
Compute Cloud (Amazon EC2) (p. 45).

Amazon Elastic MapReduce (November 12, 2013): The Amazon EMR console is now available in the AWS
GovCloud (US) Region. See Amazon Elastic MapReduce (Amazon EMR) (p. 50).

Elastic Load Balancing (November 1, 2013): Elastic Load Balancing is available and no longer in beta in
the AWS GovCloud (US) Region. See Elastic Load Balancing (p. 47).

AWS Direct Connect (October 31, 2013): Incorporated changes for AWS Direct Connect console update.

AWS CloudFormation (October 31, 2013): The AWS CloudFormation console is now available in the AWS
GovCloud (US) Region. See AWS CloudFormation (p. 38).

Kindle (October 22, 2013): Published a Kindle version.

AWS ElasticWolf Client Console (October 18, 2013): Added link to AWS ElasticWolf Client Console. See
Accessing the AWS GovCloud (US) Region (p. 34).

Elastic Load Balancing (September 27, 2013): Updates to Elastic Load Balancing ITAR boundary. See
Elastic Load Balancing (p. 47).

AWS CloudFormation (August 28, 2013): Added information about differences with the AWS CloudFormation
console for AWS GovCloud (US). See AWS CloudFormation (p. 38).

Virtual Multi-Factor Authentication (MFA) (August 28, 2013): Added a section about enabling virtual
MFA. See Enabling Virtual Multi-Factor Authentication (MFA) (p. 14).

Amazon Route 53 zone apex (August 9, 2013): Added a new section about setting up Amazon Route 53 zone
apex. See Setting Up Amazon Route 53 Zone Apex Support with an AWS GovCloud (US) Elastic Load Balancing
Load Balancer (p. 19).

ARN (July 24, 2013): Added an example to Amazon Resource Names (ARNs) in AWS GovCloud (US) (p. 26).

Amazon CloudFront and Amazon Route 53 (July 16, 2013): Added information about setting up Amazon
CloudFront and Amazon Route 53 for AWS GovCloud (US). See Setting Up Amazon CloudFront with Your AWS
GovCloud (US) Resources (p. 17) and Setting Up Amazon Route 53 with Your AWS GovCloud (US)
Resources (p. 19).

Amazon Virtual Private Cloud (May 28, 2013): Added information about AWS GovCloud (US) accounts having
an Amazon VPC by default. See Amazon Elastic Compute Cloud (Amazon EC2) (p. 45).

AWS Direct Connect (May 8, 2013): Added information about AWS Direct Connect for AWS GovCloud (US).

Initial release (April 10, 2013): This is the first release of AWS GovCloud (US) User Guide.


AWS Glossary

For the latest AWS terminology, see the AWS Glossary in the AWS General Reference.
