

# Using AWS GovCloud (US) Regions
<a name="using-govcloud"></a>

If you have used other AWS Regions, you should be aware of specific differences in the AWS GovCloud (US) Regions. For example, Amazon Resource Names (ARNs) and endpoints are different in the AWS GovCloud (US) Regions. For CLI and SDK calls, the Region names are `us-gov-west-1` and `us-gov-east-1`.

In addition to the specific differences, the following topics describe how to maintain compliance with International Traffic in Arms Regulations (ITAR), how to access AWS GovCloud (US), and how to control access to your AWS GovCloud (US) account.

# Amazon Resource Names (ARNs) in GovCloud (US) Regions
<a name="using-govcloud-arns"></a>

Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon S3 bucket names, and API calls. In AWS GovCloud (US) Regions, ARNs have an identifier that is different from the one in other standard AWS Regions. In all other standard AWS Regions, ARNs begin with:

```
arn:aws
```

In the AWS GovCloud (US) Regions, ARNs begin with:

```
arn:aws-us-gov
```

If an ARN requires you to specify a Region:
+ For the AWS GovCloud (US-West) Region, use `us-gov-west-1`.
+ For the AWS GovCloud (US-East) Region, use `us-gov-east-1`.

For additional information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.
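Policies copied from a standard AWS account often keep the `arn:aws` prefix or a commercial Region name, and such ARNs cannot match any resource in AWS GovCloud (US). The following check is an added example, not part of the original AWS documentation; the sample policy, account ID, and function names are constructed for illustration.

```python
import fnmatch
import json
import re

# ARN layout: arn:partition:service:region:account-id:resource
GOV_PARTITION = "aws-us-gov"
GOV_REGIONS = ("us-gov-west-1", "us-gov-east-1")
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]*):(?P<service>[^:]*):"
    r"(?P<region>[^:]*):(?P<account>[^:]*):(?P<resource>.+)$"
)

# Constructed sample policy (hypothetical bucket, key, queue, and account ID).
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws-us-gov:kms:us-east-1:111122223333:key/*"},
    {"Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": ["arn:aws-us-gov:sqs:us-gov-west-1:111122223333:example-queue",
                  "arn:aws-us-gov:sqs:us-gov-*:111122223333:example-queue"]}
  ]
}
"""


def iter_strings(node, path=""):
    """Yield (json_path, value) for every string value in a parsed policy."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_strings(item, f"{path}[{index}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)


def lint_policy(policy_json):
    """Return (json_path, arn, problem) for ARNs that cannot match GovCloud resources.

    Wildcards (* and ?) in the partition or Region field are accepted when
    they can still match the GovCloud partition or one of its Regions.
    """
    findings = []
    for path, value in iter_strings(json.loads(policy_json)):
        match = ARN_RE.match(value)
        if not match:
            continue  # not an ARN (actions, version strings, and so on)
        partition, region = match["partition"], match["region"]
        if not fnmatch.fnmatchcase(GOV_PARTITION, partition):
            findings.append(
                (path, value, f"partition '{partition}' does not match '{GOV_PARTITION}'")
            )
        # An empty Region field is normal for global resources such as S3 buckets.
        if region and not any(fnmatch.fnmatchcase(r, region) for r in GOV_REGIONS):
            findings.append(
                (path, value, f"region '{region}' is not an AWS GovCloud (US) Region")
            )
    return findings


if __name__ == "__main__":
    for path, arn, problem in lint_policy(SAMPLE_POLICY):
        print(f"{path}: {arn}: {problem}")
```
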

# Service Endpoints
<a name="using-govcloud-endpoints"></a>

If you access AWS GovCloud (US-West) or AWS GovCloud (US-East) by using the command line interface (CLI) or programmatically by using the APIs, you need the AWS GovCloud (US-West) or AWS GovCloud (US-East) Region endpoints. These HTTPS endpoints are referred to as the control plane used to configure AWS services.

If you require FIPS 140-3 compliance, you should use the FIPS Endpoints linked in the following section. For more information about FIPS 140-3, see "Cryptographic Module Validation Program" on the NIST Computer Security Resource Center website.

If you require the use of FIPS 140-3 validated modules for TLS termination performed on the data plane of the Application Load Balancer HTTPS Listeners, have your account team reach out to the Elastic Load Balancing team.

FIPS 140-3 validated modules in the data plane of Amazon Relational Database Service (Amazon RDS) SSL can be configured for certain database engines. For more information about RDS SSL, see the [Amazon RDS User Guide](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html).

 **FIPS Endpoints for the AWS GovCloud (US) Regions** 

For a list of all GovCloud AWS FIPS endpoints, see *AWS GovCloud (US)* in [FIPS Endpoints by Service](https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service).

 **Endpoints for AWS Services** 

For a list of AWS endpoints, see [View the service endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#view-service-endpoints) in the *AWS General Reference*.

 **Regions for AWS Services** 

For a list of AWS Regions, see [Regional endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints) in the *AWS General Reference*.

For information about giving federated users single sign-on access to the AWS Management Console, see [Giving Federated Users Direct Access to the AWS Management Console](https://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole.html).

# VPC Endpoints
<a name="using-govcloud-vpc-endpoints"></a>

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access services by using private IP addresses. AWS PrivateLink restricts all network traffic between your VPC and services to the Amazon network. You do not need an internet gateway, a NAT device, or a virtual private gateway.

A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service.

 **VPC Endpoints for the AWS GovCloud (US) Regions** 

The following table lists each AWS service available in the AWS GovCloud (US) Regions and the corresponding VPC endpoints.


| AWS Service | AWS GovCloud (US-West) VPC Endpoints | AWS GovCloud (US-East) VPC Endpoints | 
| --- | --- | --- | 
|   Application Auto Scaling   |  com.amazonaws.us-gov-west-1.application-autoscaling  |  com.amazonaws.us-gov-east-1.application-autoscaling  | 
|   AWS Auto Scaling   |  com.amazonaws.us-gov-west-1.autoscaling-plans  |  com.amazonaws.us-gov-east-1.autoscaling-plans  | 
|   AWS Application Migration Service   |  com.amazonaws.us-gov-west-1.mgn  |  com.amazonaws.us-gov-east-1.mgn  | 
|   AWS Backup   |  com.amazonaws.us-gov-west-1.backup com.amazonaws.us-gov-west-1.backup-gateway  |  com.amazonaws.us-gov-east-1.backup com.amazonaws.us-gov-east-1.backup-gateway  | 
|   AWS Batch   |  com.amazonaws.us-gov-west-1.batch  |  com.amazonaws.us-gov-east-1.batch  | 
|   AWS CloudHSM   |  com.amazonaws.us-gov-west-1.cloudhsmv2  |  com.amazonaws.us-gov-east-1.cloudhsmv2  | 
|   AWS CodeBuild   |  com.amazonaws.us-gov-west-1.codebuild com.amazonaws.us-gov-west-1.codebuild-fips  |  com.amazonaws.us-gov-east-1.codebuild com.amazonaws.us-gov-east-1.codebuild-fips  | 
|   AWS CodeConnections   |  com.amazonaws.us-gov-east-1.codestar-connections  |  codestar-connections.us-gov-east-1.amazonaws.com  | 
|   AWS CloudFormation   |  com.amazonaws.us-gov-west-1.cloudformation  |  com.amazonaws.us-gov-east-1.cloudformation  | 
|   AWS CloudTrail   |  com.amazonaws.us-gov-west-1.cloudtrail  |  com.amazonaws.us-gov-east-1.cloudtrail  | 
|   AWS CodeCommit   |  com.amazonaws.us-gov-west-1.codecommit com.amazonaws.us-gov-west-1.codecommit-fips  |  com.amazonaws.us-gov-east-1.codecommit com.amazonaws.us-gov-east-1.codecommit-fips  | 
|   AWS CodePipeline   |  com.amazonaws.us-gov-west-1.codepipeline  |  Not applicable  | 
|   AWS Config   |  com.amazonaws.us-gov-west-1.config  |  com.amazonaws.us-gov-east-1.config  | 
|   AWS Database Migration Service   |  com.amazonaws.us-gov-west-1.dms  |  com.amazonaws.us-gov-east-1.dms  | 
|   AWS DataSync   |  com.amazonaws.us-gov-west-1.datasync  |  com.amazonaws.us-gov-east-1.datasync  | 
|   AWS Direct Connect   |  com.amazonaws.us-gov-west-1.directconnect  |  com.amazonaws.us-gov-east-1.directconnect  | 
|   AWS Directory Service   |  com.amazonaws.us-gov-west-1.ds  |  com.amazonaws.us-gov-east-1.ds  | 
|   AWS Elastic Beanstalk   |  com.amazonaws.us-gov-west-1.elasticbeanstalk com.amazonaws.us-gov-west-1.elasticbeanstalk-health  |  com.amazonaws.us-gov-east-1.elasticbeanstalk com.amazonaws.us-gov-east-1.elasticbeanstalk-health  | 
|   AWS Elastic Disaster Recovery   |  com.amazonaws.us-gov-west-1.drs  |  com.amazonaws.us-gov-east-1.drs  | 
|   AWS Fault Injection Service   |  com.amazonaws.us-gov-west-1.fis  |  com.amazonaws.us-gov-east-1.fis  | 
|   AWS Glue   |  com.amazonaws.us-gov-west-1.glue  |  com.amazonaws.us-gov-east-1.glue  | 
|   AWS Glue DataBrew   |  com.amazonaws.us-gov-west-1.databrew  |  Not applicable  | 
|   AWS IAM Access Analyzer  |  com.amazonaws.us-gov-west-1.access-analyzer  |  com.amazonaws.us-gov-east-1.access-analyzer  | 
|   AWS IoT Greengrass   |  com.amazonaws.us-gov-west-1.greengrass  |  com.amazonaws.us-gov-east-1.greengrass  | 
|   AWS IoT SiteWise   |  com.amazonaws.us-gov-west-1.iotsitewise.api com.amazonaws.us-gov-west-1.iotsitewise.data  |  Not applicable  | 
|   AWS IoT TwinMaker   |  com.amazonaws.us-gov-west-1.iottwinmaker.api com.amazonaws.us-gov-west-1.iottwinmaker.data  |  Not applicable  | 
|   AWS Key Management Service   |  com.amazonaws.us-gov-west-1.kms com.amazonaws.us-gov-west-1.kms-fips  |  com.amazonaws.us-gov-east-1.kms com.amazonaws.us-gov-east-1.kms-fips  | 
|   AWS Lake Formation   |  com.amazonaws.us-gov-west-1.lakeformation  |  Not applicable  | 
|   AWS Lambda   |  com.amazonaws.us-gov-west-1.lambda  |  com.amazonaws.us-gov-east-1.lambda  | 
|   AWS License Manager   |  com.amazonaws.us-gov-west-1.license-manager com.amazonaws.us-gov-west-1.license-manager-fips  |  com.amazonaws.us-gov-east-1.license-manager com.amazonaws.us-gov-east-1.license-manager-fips  | 
|   AWS Mainframe Modernization   |  com.amazonaws.us-gov-west-1.m2 m2.us-gov-west-1.amazonaws.com  |  com.amazonaws.us-gov-east-1.m2 m2.us-gov-east-1.amazonaws.com  | 
|   AWS Parallel Computing Service   |  com.amazonaws.us-gov-west-1.pcs com.amazonaws.us-gov-west-1.pcs-fips  |  com.amazonaws.us-gov-east-1.pcs com.amazonaws.us-gov-east-1.pcs-fips  | 
|   AWS Private Certificate Authority   |  com.amazonaws.us-gov-west-1.acm-pca com.amazonaws.us-gov-west-1.acm-pca-fips  |  com.amazonaws.us-gov-east-1.acm-pca com.amazonaws.us-gov-east-1.acm-pca-fips  | 
|   AWS Resilience Hub   |  resiliencehub.us-gov-west-1.amazonaws.com  |  resiliencehub.us-gov-east-1.amazonaws.com  | 
|   AWS Resource Groups Tagging API   |  com.amazonaws.us-gov-west-1.tagging  |  com.amazonaws.us-gov-east-1.tagging  | 
|   AWS SDK for SAP ABAP   |  com.amazonaws.us-gov-west-1.awssdk-sapabap com.amazonaws.us-gov-west-1.sapabap  |  com.amazonaws.us-gov-east-1.awssdk-sapabap com.amazonaws.us-gov-east-1.sapabap  | 
|   AWS Secrets Manager   |  com.amazonaws.us-gov-west-1.secretsmanager  |  com.amazonaws.us-gov-east-1.secretsmanager  | 
|   AWS Security Hub CSPM   |  com.amazonaws.us-gov-west-1.securityhub  |  com.amazonaws.us-gov-east-1.securityhub  | 
|   AWS Security Token Service   |  com.amazonaws.us-gov-west-1.sts  |  com.amazonaws.us-gov-east-1.sts  | 
|   AWS Server Migration Service   |  com.amazonaws.us-gov-west-1.sms com.amazonaws.us-gov-west-1.sms-fips  |  com.amazonaws.us-gov-east-1.sms com.amazonaws.us-gov-east-1.sms-fips  | 
|   AWS Service Catalog   |  com.amazonaws.us-gov-west-1.servicecatalog  |  com.amazonaws.us-gov-east-1.servicecatalog  | 
|   AWS Service Catalog AppRegistry   |  com.amazonaws.us-gov-west-1.servicecatalog-appregistry  |  com.amazonaws.us-gov-east-1.servicecatalog-appregistry  | 
|   AWS SimSpace Weaver   |  com.amazonaws.us-gov-west-1.simspaceweaver  |  com.amazonaws.us-gov-east-1.simspaceweaver  | 
|   AWS Storage Gateway   |  com.amazonaws.us-gov-west-1.storagegateway  |  com.amazonaws.us-gov-east-1.storagegateway  | 
|   AWS Systems Manager   |  com.amazonaws.us-gov-west-1.ssm com.amazonaws.us-gov-west-1.ssmmessages  |  com.amazonaws.us-gov-east-1.ssm com.amazonaws.us-gov-east-1.ssmmessages  | 
|   AWS Transfer Family   |  com.amazonaws.us-gov-west-1.transfer  |  com.amazonaws.us-gov-east-1.transfer  | 
|   AWS X-Ray   |  com.amazonaws.us-gov-west-1.xray  |  com.amazonaws.us-gov-east-1.xray  | 
|   Amazon API Gateway   |  com.amazonaws.us-gov-west-1.execute-api  |  com.amazonaws.us-gov-east-1.execute-api  | 
|   Amazon WorkSpaces Applications   |  com.amazonaws.us-gov-west-1.appstream.api com.amazonaws.us-gov-west-1.appstream.streaming  |  com.amazonaws.us-gov-east-1.appstream.api com.amazonaws.us-gov-east-1.appstream.streaming  | 
|   Amazon Athena   |  com.amazonaws.us-gov-west-1.athena  |  com.amazonaws.us-gov-east-1.athena  | 
|   Amazon Bedrock   |  bedrock.gov-us-west-1.amazonaws.com  |  bedrock-runtime.gov-us-west-1.amazonaws.com  | 
|   Amazon Cloud Directory   |  com.amazonaws.us-gov-west-1.clouddirectory  |  Not applicable  | 
|   Amazon CloudWatch Logs   |  com.amazonaws.us-gov-west-1.logs  |  com.amazonaws.us-gov-east-1.logs  | 
|   Amazon Comprehend   |  com.amazonaws.us-gov-west-1.comprehend  |  Not applicable  | 
|   Amazon Comprehend Medical   |  com.amazonaws.us-gov-west-1.comprehendmedical  |  Not applicable  | 
|   Amazon DynamoDB   |  com.amazonaws.us-gov-west-1.dynamodb  |  com.amazonaws.us-gov-east-1.dynamodb  | 
|   Amazon EC2 Auto Scaling   |  com.amazonaws.us-gov-west-1.autoscaling  |  com.amazonaws.us-gov-east-1.autoscaling  | 
|   Amazon ElastiCache   |  com.amazonaws.us-gov-west-1.elasticache  |  com.amazonaws.us-gov-east-1.elasticache  | 
|   Amazon Elastic Compute Cloud   |  com.amazonaws.us-gov-west-1.ec2 com.amazonaws.us-gov-west-1.ec2messages  |  com.amazonaws.us-gov-east-1.ec2 com.amazonaws.us-gov-east-1.ec2messages  | 
|   Amazon Elastic Container Registry   |  com.amazonaws.us-gov-west-1.ecr.api com.amazonaws.us-gov-west-1.ecr.dkr  |  com.amazonaws.us-gov-east-1.ecr.api com.amazonaws.us-gov-east-1.ecr.dkr  | 
|   Amazon Elastic Container Service   |  com.amazonaws.us-gov-west-1.ecs com.amazonaws.us-gov-west-1.ecs-agent com.amazonaws.us-gov-west-1.ecs-telemetry  |  com.amazonaws.us-gov-east-1.ecs com.amazonaws.us-gov-east-1.ecs-agent com.amazonaws.us-gov-east-1.ecs-telemetry  | 
|   Amazon Elastic File System   |  com.amazonaws.us-gov-west-1.elasticfilesystem com.amazonaws.us-gov-west-1.elasticfilesystem-fips  |  com.amazonaws.us-gov-east-1.elasticfilesystem com.amazonaws.us-gov-east-1.elasticfilesystem-fips  | 
|   Amazon EMR   |  com.amazonaws.us-gov-west-1.elasticmapreduce  |  com.amazonaws.us-gov-east-1.elasticmapreduce  | 
|   Amazon FSx   |  com.amazonaws.us-gov-west-1.fsx com.amazonaws.us-gov-west-1.fsx-fips  |  com.amazonaws.us-gov-east-1.fsx com.amazonaws.us-gov-east-1.fsx-fips  | 
|   Amazon Inspector   |  com.amazonaws.us-gov-west-1.inspector2 inspector2.us-gov-west-1.amazonaws.com  |  com.amazonaws.us-gov-east-1.inspector2 inspector2.us-gov-east-1.amazonaws.com  | 
|   Amazon Kendra   |  com.amazonaws.us-gov-west-1.kendra  |  Not applicable  | 
|   Amazon Keyspaces (for Apache Cassandra)   |  com.amazonaws.us-gov-west-1.cassandra  |  com.amazonaws.us-gov-east-1.cassandra  | 
|   Amazon Data Firehose   |  com.amazonaws.us-gov-west-1.kinesis-firehose  |  com.amazonaws.us-gov-east-1.kinesis-firehose  | 
|   Amazon Kinesis Data Streams   |  com.amazonaws.us-gov-west-1.kinesis-streams  |  com.amazonaws.us-gov-east-1.kinesis-streams  | 
|   Amazon Location Service   |  com.amazonaws.us-gov-west-1.geo  |  Not applicable  | 
|   Amazon Managed Service for Prometheus   |  com.amazonaws.us-gov-west-1.aps com.amazonaws.us-gov-west-1.aps-workspaces  |  com.amazonaws.us-gov-east-1.aps com.amazonaws.us-gov-east-1.aps-workspaces  | 
|   Amazon Redshift   |  com.amazonaws.us-gov-west-1.redshift com.amazonaws.us-gov-west-1.redshift-data  |  com.amazonaws.us-gov-east-1.redshift com.amazonaws.us-gov-east-1.redshift-data  | 
|   Amazon Rekognition   |  com.amazonaws.us-gov-west-1.rekognition com.amazonaws.us-gov-west-1.rekognition-fips  |  Not applicable  | 
|   Amazon Relational Database Service   |  com.amazonaws.us-gov-west-1.rds  |  com.amazonaws.us-gov-east-1.rds  | 
|   Amazon Application Recovery Controller (ARC)   |  arc-zonal-shift.us-gov-west-1.amazonaws.com  |  arc-zonal-shift.us-gov-east-1.amazonaws.com  | 
|   Amazon SageMaker AI   |  aws.sagemaker.us-gov-west-1.notebook aws.sagemaker.us-gov-west-1.studio com.amazonaws.us-gov-west-1.sagemaker.api com.amazonaws.us-gov-west-1.sagemaker.api-fips com.amazonaws.us-gov-west-1.sagemaker.runtime  |  aws.sagemaker.us-gov-east-1.notebook aws.sagemaker.us-gov-east-1.studio com.amazonaws.us-gov-east-1.sagemaker.api com.amazonaws.us-gov-east-1.sagemaker.api-fips com.amazonaws.us-gov-east-1.sagemaker.runtime  | 
|   Amazon Simple Notification Service   |  com.amazonaws.us-gov-west-1.sns  |  com.amazonaws.us-gov-east-1.sns  | 
|   Amazon Simple Queue Service   |  com.amazonaws.us-gov-west-1.sqs  |  com.amazonaws.us-gov-east-1.sqs  | 
|   Amazon Simple Storage Service   |  com.amazonaws.us-gov-west-1.s3  |  com.amazonaws.us-gov-east-1.s3  | 
|   Amazon SWF   |  com.amazonaws.us-gov-west-1.swf-fips  |  com.amazonaws.us-gov-east-1.swf-fips  | 
|   Amazon Textract   |  com.amazonaws.us-gov-west-1.textract  |  com.amazonaws.us-gov-east-1.textract  | 
|   Amazon Timestream   |  com.amazonaws.us-gov-west-1.timestream  |  Not applicable  | 
|   Amazon Transcribe   |  com.amazonaws.us-gov-west-1.transcribe  |  com.amazonaws.us-gov-east-1.transcribe  | 
|   Amazon Verified Permissions   |  com.amazonaws.us-gov-west-1.verifiedpermissions com.amazonaws.us-gov-east-1.verifiedpermissions  |  verifiedpermissions.us-gov-east-1.amazonaws.com verifiedpermissions.us-gov-west-1.amazonaws.com  | 
|   Amazon WorkSpaces   |  com.amazonaws.us-gov-west-1.workspaces  |  Not applicable  | 
|   EBS direct APIs   |  com.amazonaws.us-gov-west-1.ebs  |  com.amazonaws.us-gov-east-1.ebs  | 
|   EC2 Image Builder   |  com.amazonaws.us-gov-west-1.imagebuilder  |  com.amazonaws.us-gov-east-1.imagebuilder  | 
|   Elastic Load Balancing   |  com.amazonaws.us-gov-west-1.elasticloadbalancing  |  com.amazonaws.us-gov-east-1.elasticloadbalancing  | 
|   Amazon EventBridge   |  com.amazonaws.us-gov-west-1.events  |  com.amazonaws.us-gov-east-1.events  | 
|  Git CodeCommit  |  com.amazonaws.us-gov-west-1.git-codecommit com.amazonaws.us-gov-west-1.git-codecommit-fips  |  com.amazonaws.us-gov-east-1.git-codecommit com.amazonaws.us-gov-east-1.git-codecommit-fips  | 
|   S3 on Outposts   |  com.amazonaws.us-gov-west-1.s3-outposts  |  com.amazonaws.us-gov-east-1.s3-outposts  | 
|   Service Quotas   |  com.amazonaws.us-gov-west-1.servicequotas  |  com.amazonaws.us-gov-east-1.servicequotas  | 

**Note**  
All the information provided in this page is manually updated. If you are looking for the most current version of the list, it can be found in the console or by using the AWS CLI command `aws ec2 describe-vpc-endpoint-services --region us-gov-east-1` (or `--region us-gov-west-1`) as appropriate.
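Because the table is maintained by hand, a deployment check can read the CLI output instead and decide which endpoint services to create. The following is an added example, not part of the original AWS documentation; it assumes the `ServiceNames` list in the command's JSON output, and the sample output, short service names, and function names are constructed for illustration.

```python
import json

# Constructed, trimmed sample of the JSON printed by
#   aws ec2 describe-vpc-endpoint-services --region us-gov-east-1
# Only the ServiceNames list is used here; real output carries more fields.
SAMPLE_OUTPUT = """
{
  "ServiceNames": [
    "com.amazonaws.us-gov-east-1.kms",
    "com.amazonaws.us-gov-east-1.kms-fips",
    "com.amazonaws.us-gov-east-1.logs",
    "com.amazonaws.us-gov-east-1.s3",
    "com.amazonaws.us-gov-east-1.sts",
    "com.amazonaws.us-gov-east-1.swf-fips"
  ]
}
"""


def available_services(cli_output_json):
    """Return the set of endpoint service names the Region currently offers."""
    return set(json.loads(cli_output_json).get("ServiceNames", []))


def plan_endpoints(cli_output_json, region, needed, prefer_fips=True):
    """Choose the endpoint service to create for each needed short name.

    Returns (plan, missing). plan maps a short name such as "kms" to the full
    service name, selecting the "-fips" variant when the Region offers one and
    prefer_fips is set. missing lists short names with no matching service,
    which means the workload would need another network path in that Region.
    """
    offered = available_services(cli_output_json)
    prefix = f"com.amazonaws.{region}."
    plan, missing = {}, []
    for short in needed:
        base = prefix + short
        fips = base + "-fips"
        if prefer_fips and fips in offered:
            plan[short] = fips
        elif base in offered:
            plan[short] = base
        else:
            missing.append(short)
    return plan, sorted(missing)


if __name__ == "__main__":
    plan, missing = plan_endpoints(
        SAMPLE_OUTPUT, "us-gov-east-1", ["kms", "s3", "sts", "rekognition"]
    )
    for short, service in plan.items():
        print(f"create endpoint for {short}: {service}")
    for short in missing:
        print(f"not offered in this Region: {short}")
```
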

# Compliance
<a name="govcloud-compliance"></a>

 AWS GovCloud (US) gives government customers and their partners the flexibility to architect secure cloud solutions that comply with the FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-3; IRS-1075; and other compliance regimes.

## FedRAMP
<a name="govcloud-compliance-fedramp"></a>

The US Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing plays a key part in how the federal government can achieve operational efficiencies and innovate on demand to advance their mission across the nation. That is why many federal agencies today are using AWS cloud services to process, store, and transmit federal government data. For more information, see https://aws.amazon.com/compliance/fedramp

## DoD CC SRG
<a name="govcloud-compliance-dod"></a>

A growing number of military customers are adopting AWS services to process, store, and transmit US Department of Defense (DoD) data. AWS enables defense organizations and their business associates to create secure environments to process, maintain, and store DoD data. For more information, see https://aws.amazon.com/compliance/dod

## CMMC
<a name="govcloud-compliance-cmmc"></a>

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is designed to protect sensitive unclassified information that is shared by the DoD with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the DoD increased assurance that contractors and subcontractors are meeting these requirements. For more information, see https://aws.amazon.com/compliance/cmmc

## ITAR
<a name="govcloud-compliance-itar"></a>

AWS GovCloud (US) supports compliance with United States International Traffic in Arms Regulations (ITAR). As a part of managing a comprehensive ITAR compliance program, companies that are subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons, and by restricting physical location of protected data to the US. AWS GovCloud (US) provides an environment that is physically located in the US, and access by AWS personnel is limited to US Persons, thereby allowing qualified companies to use AWS to transmit, process, and store protected articles and data subject to ITAR restrictions. For more information, see https://aws.amazon.com/compliance/itar

## CJIS
<a name="govcloud-compliance-cjis"></a>

The [CJIS Security Policy](https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center) outlines the "appropriate controls to protect the full lifecycle of CJI (Criminal Justice Information), whether at rest or in transit," irrespective of the underlying information technology model. For more information, see https://aws.amazon.com/compliance/cjis

## IRS 1075
<a name="govcloud-compliance-irs-1075"></a>

Internal Revenue Service Publication 1075 (IRS Pub 1075) provides guidance for US government agencies and their agents to protect Federal Tax Information (FTI). While the IRS does not publish an official designation or certification for compliance with Pub 1075, AWS supports organizations to protect FTI managed in AWS by aligning our implementations of NIST 800-53 and FedRAMP security controls with the respective IRS Pub 1075 security requirements. For more information, see https://aws.amazon.com/compliance/irs-1075

## FIPS
<a name="govcloud-compliance-fips"></a>

The Federal Information Processing Standard (FIPS) Publication 140-3 is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. For more information, see https://aws.amazon.com/compliance/fips

## ATO on AWS
<a name="govcloud-compliance-ato"></a>

The Authority to Operate (ATO) on AWS Program helps AWS Partners meet their customers’ authorization needs, whether it be architecting, configuring, deploying, or integrating tools and controls. AWS supports businesses globally that need to meet security, privacy, and compliance requirements for healthcare, privacy, national security, and financial sectors. ATO on AWS supports workloads for government organizations such as FedRAMP, FISMA, the RMF, and CMMC in the U.S. For more information, see https://aws.amazon.com/partners/programs/ato

# Maintaining U.S. International Traffic in Arms Regulations (ITAR) Compliance
<a name="govcloud-itar"></a>

If you store and process ITAR-regulated data in the AWS GovCloud (US) Regions, you must conform to the following ITAR requirements, in addition to any other ITAR or export control restrictions that may be applicable to you:
+ You are an individual or entity that qualifies as a U.S. Person under the applicable regulations.
+ You have and will maintain a valid Directorate of Defense Trade Controls (DDTC) registration.
+ You have full export privileges under U.S. export control laws and regulations and are not a denied or debarred party or otherwise subject to sanctions.
+ If your export control privileges are revoked, suspended, or terminated, or you otherwise become subject to sanctions or are barred from maintaining export-controlled data, you will immediately remove ITAR and other export-controlled data from the AWS services.
+ You must maintain an effective compliance program to ensure compliance with applicable U.S. export control laws and regulations, including ITAR, if applicable.

**Note**  
Even if you don’t process any ITAR-regulated data, the owner of the AWS GovCloud (US) account must be a U.S. person. AWS doesn’t require IAM users or users of applications that run in AWS GovCloud (US) to be U.S. persons. As part of the shared responsibility model, you are responsible for restricting access to your IAM users and to your application in accordance with regulations that apply to you.

 **Export Controlled Data in AWS GovCloud (US) Services** 

If you maintain export-controlled data in the AWS GovCloud (US) Regions, you are responsible for using services in the AWS GovCloud (US) Regions in a manner that is consistent with your obligations under applicable laws and regulations, including export control regulations. For more information about maintaining export controlled data in AWS GovCloud (US) Regions for each service, see the service-specific information in [Services in AWS GovCloud (US) Regions](using-services.md).

# Accessing the AWS GovCloud (US) Regions
<a name="accessing-govcloud"></a>

When you access the AWS GovCloud (US) Regions, use your AWS GovCloud (US) credentials. Although your AWS GovCloud (US) account is associated with your standard AWS account, each account has distinct credentials, and users from one account cannot access AWS resources from the other account.

You can use any of the following methods to access and manage resources in AWS GovCloud (US) Regions:
+ The [AWS Management Console for the AWS GovCloud (US) Region](https://console.amazonaws-us-gov.com) provides an easy-to-use graphical interface to manage your compute, storage, and other cloud resources. Most AWS products can be used with the console, and the console supports the majority of functionality for each service. You can sign in to the console only as an IAM user. For more information, see [Onboarding to AWS GovCloud (US) as a Solution Provider reselling in AWS GovCloud (US)](getting-started-console.md).
+ The **AWS command line interface (CLI)** allows you to control AWS services from a command line and automate commands through scripts. For more information about accessing the CLI for each service, see [AWS Command Line Tools](https://docs.aws.amazon.com/general/latest/gr/GetTheTools.html) in the *AWS General Reference*.
+ The **AWS SDKs** are available for a variety of languages. Some service operations that require computation of an MD5 content hash, such as those in S3, may be unavailable or require additional code. The Sample Code and Libraries Catalog also provides a listing of code, SDKs, sample applications, and other tools available for use. For SDKs that use cryptography other than OpenSSL, such as Go, make sure you are following best practices for meeting compliance. Go uses a built-in cryptography library that is not FIPS 140-3 validated.
+ The **Toolkits for developers** provide programming libraries that help you quickly deploy your applications to AWS for Java or .NET. For more information, see [AWS Toolkit for Eclipse](https://aws.amazon.com/eclipse/) or [AWS Toolkit for Visual Studio](https://aws.amazon.com/visualstudio/).
+ You can construct **REST or Query API** calls to AWS services. For API syntax and examples, see the API references for each service at https://docs.aws.amazon.com/.

# Controlling Access to Your AWS GovCloud (US) Account
<a name="controlling-access"></a>

Your AWS GovCloud (US) account credentials grant full access to your AWS GovCloud (US) account. We recommend that you don’t share your account credentials. Instead, use AWS Identity and Access Management (IAM) to grant users access to AWS GovCloud (US). With IAM, you can control who can perform which actions on a specific resource. [AWS GovCloud (US) Sign Up](getting-started-sign-up.md) discusses how you create your first IAM administrative user.

Because of the shared responsibility model, customers are responsible for determining who should or should not access the AWS GovCloud (US) console, in accordance with the customer compliance requirements.

For more information, see [What Is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html) in *Using IAM*.

For suggestions about how to secure your account with IAM, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html) in *Using IAM*.

# Command Line and API Access
<a name="cli-and-api-access"></a>

You can use the command line interface (CLI), Query API, or REST interfaces to access AWS GovCloud (US) services. You can also use a language-specific software development kit (SDK). For more information about the CLI and SDK tools, see [Tools for Amazon Web Services](https://aws.amazon.com/tools/).

For the CLI and APIs, users need programmatic access.

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that’s accessing AWS.

To grant users programmatic access, choose one of the following options.


| Which user needs programmatic access? | To | By | 
| --- | --- | --- | 
|  Workforce identity (Users managed in IAM Identity Center)  |  Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.  |  Following the instructions for the interface that you want to use. For the AWS CLI, see [Configuring the AWS CLI to use AWS IAM Identity Center](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) in the *AWS Command Line Interface User Guide*. For AWS SDKs, tools, and AWS APIs, see [IAM Identity Center authentication](https://docs.aws.amazon.com/sdkref/latest/guide/access-sso.html) in the *AWS SDKs and Tools Reference Guide*.  | 
|  IAM  |  Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.  |  Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the *IAM User Guide*.  | 
|  IAM  |  (Not recommended) Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.  |  Following the instructions for the interface that you want to use. For the AWS CLI, see [Authenticating using IAM user credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html) in the *AWS Command Line Interface User Guide*. For AWS SDKs and tools, see [Authenticate using long-term credentials](https://docs.aws.amazon.com/sdkref/latest/guide/access-iam-users.html) in the *AWS SDKs and Tools Reference Guide*. For AWS APIs, see [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) in the *IAM User Guide*.  | 

After you have installed your preferred tool, you can access AWS GovCloud (US) by specifying the AWS GovCloud (US) Region [endpoint](https://docs.aws.amazon.com/general/latest/gr/rande.html#govcloud_region) for the AWS service that you want to access.

For information about setting Regions using the AWS SDKs, see [Available Region Endpoints for the AWS SDKs](https://aws.amazon.com/articles/3912) in the AWS Developer Center.

If you use the CLI, you can either specify the AWS GovCloud (US) endpoint every time you enter a command, or you can set an environment variable that specifies the endpoint. For more information, see the CLI documentation for the service.

```
#Example Call

aws s3 ls --endpoint-url https://s3-fips.us-gov-west-1.amazonaws.com --region us-gov-west-1
```

# Resource Limits
<a name="govcloud-limits"></a>

By default, AWS maintains limits for certain resources in your AWS GovCloud (US) account. For example, accounts have a limit on the number of Amazon EC2 instances that can be launched. You can see your current limits and request limit increases on the [Limits Page in the Amazon EC2 console](https://console.amazonaws-us-gov.com/ec2/v2/home?region=us-gov-west-1#Limits:). When you request a limit increase, specify your AWS GovCloud (US) account ID and select the AWS GovCloud (US) Region from the Region drop-down list.

For more information, see [AWS Service Limits](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

# Penetration Testing
<a name="pen-testing"></a>

 AWS customers are permitted to perform penetration testing on certain services by following the AWS Customer Support Policy for [Penetration Testing](https://aws.amazon.com/security/penetration-testing/). Please refer to the Policy before planning and performing penetration testing activities.

# Service Health Dashboard
<a name="health-dashboard"></a>

AWS GovCloud (US) includes a dashboard that displays up-to-the-minute information about service availability in the Region. To get current status information, or subscribe to an RSS feed to be notified of interruptions to each individual service, see the [Service Health Dashboard](http://status.aws.amazon.com/govcloud).

# Closing an AWS GovCloud (US) account
<a name="Closing-govcloud-account"></a>

The following instructions describe the process to close an AWS GovCloud (US) account. Because AWS account management functions are not available in the AWS GovCloud (US) Management Console, closing an AWS GovCloud (US) account may require additional steps.

**Note**  
There is no **Close account** option available in the AWS GovCloud (US) Management Console as there is in the standard AWS account Management Console.

Use the following AWS GovCloud (US) account closure procedure that is most applicable to your business needs.

## Close an AWS GovCloud (US) standalone or member account
<a name="closing-govcloud-and-standard"></a>

You can close an AWS GovCloud (US) standalone or member account by initiating closure of its associated standard account.

 **To close an AWS GovCloud (US) standalone or member account** 

1. Sign in to the AWS GovCloud (US) account.

1.  [Find and terminate all active resources](https://aws.amazon.com/premiumsupport/knowledge-center/check-for-active-resources) currently running in the AWS GovCloud (US) account (both Regions if applicable).
   **Important**  
   Before terminating your resources, back up your data where appropriate. After your account has been closed, you will no longer have access to the data or AWS services.

1. After you’ve terminated all active resources from your AWS GovCloud (US) account, delete all IAM users, and rotate and delete the access keys from the AWS GovCloud (US) account.

1. Close the standard AWS account using the **Close account** option available in the standard account Management Console. After the standard AWS account closure, your AWS GovCloud (US) account will be closed, without further action needed from you.

   If you run into issues with billing or access to the AWS GovCloud (US) Management Console after this time, please submit an AWS Support case using your standard AWS account, referencing the issue and the AWS GovCloud (US) account ID.

**Notes**  
+ Closing your standard AWS account will not automatically terminate all your active resources in the AWS GovCloud (US) account. We recommend that you terminate all the resources in your AWS GovCloud (US) account before closing the standard AWS account.
+ Closed AWS GovCloud (US) member accounts are not automatically removed from the AWS GovCloud (US) organization after the post-closure period and they remain visible in the AWS GovCloud (US) organization in suspended status. You must remove the AWS GovCloud (US) member accounts from your AWS GovCloud (US) organization if you wish to delete your AWS GovCloud (US) organization.

## Close an AWS GovCloud (US) management account
<a name="closing-govcloud-and-standard-management"></a>

You can only close an AWS GovCloud (US) management account after you’ve deleted the organization associated with it. After deleting the organization, your management account will change to a standalone AWS GovCloud (US) account. At this point, you can initiate the closing of the standalone AWS GovCloud (US) account by closing its associated standard AWS account.

**Note**  
Your AWS GovCloud (US) management account will not close if there are active member accounts in your AWS GovCloud (US) organization. You will continue to incur charges for any active resources in the AWS GovCloud (US) management account and member accounts until they are closed.

 **To close an AWS GovCloud (US) management account** 

1. Remove and close all the AWS GovCloud (US) member accounts from the AWS GovCloud (US) management account. For more information, see [Removing a member account from your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html).
   **Note**  
   Removing an AWS GovCloud (US) member account does not close the account; instead, it removes the member account from the AWS GovCloud (US) organization, and the member account becomes a standalone AWS account. If you wish to close the removed member accounts, follow the instructions in the previous section [Close an AWS GovCloud (US) standalone or member account](#closing-govcloud-and-standard).

1. Sign in to the AWS GovCloud (US) management account and delete the AWS GovCloud (US) organization. For more information, see [Deleting an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_delete.html).

1.  [Find and terminate all active resources](https://aws.amazon.com/premiumsupport/knowledge-center/check-for-active-resources), delete all IAM users, and rotate and delete the access keys of the AWS GovCloud (US) management account.

1. Close the standard management account associated with the AWS GovCloud (US) management account using the **Close account** option available in the standard account’s Management Console. After the standard management account has been closed, your AWS GovCloud (US) management account will close within the next billing cycle. For more information, see [Closing a member account in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html).

## What to expect after you close your AWS GovCloud (US) account
<a name="what-to-expect-after-govcloud-closure"></a>

After your AWS GovCloud (US) account is closed:
+ You will not be able to sign in to the AWS Management Console for your AWS GovCloud (US) account.
+ You will no longer have access to the data or AWS services in the AWS GovCloud (US) account.
+ If you had shared resources from your AWS GovCloud (US) account with other AWS GovCloud (US) accounts, those other accounts will no longer have access to the shared resources after the AWS GovCloud (US) account closure.

## Reopening an AWS GovCloud (US) account
<a name="reopening-govcloud-account"></a>

Within the post-closure period, which is the 90 days after your account is closed, you can reopen your standard AWS account and AWS GovCloud (US) account by contacting AWS Support.

**Important**  
Re-opening your AWS GovCloud (US) account will only restore data and resources that were not terminated. If you terminated resources to avoid incurring charges during the closure process, they will not be restored. To ensure access to important data that might be needed upon re-opening, it is recommended that you back up that data prior to terminating AWS GovCloud (US) resources.

After the post-closure period, you cannot reopen your standard AWS account or AWS GovCloud (US) account.