

# Getting Started with AWS GovCloud (US)
<a name="getting-set-up"></a>

To sign up for AWS GovCloud (US) and to access the AWS Management Console for the AWS GovCloud (US) Regions, you follow procedures that are different from those for other AWS Regions.

The following topics describe how to sign up and get set up with AWS GovCloud (US).

# AWS GovCloud (US) Sign Up
<a name="getting-started-sign-up"></a>

To sign up for an AWS GovCloud (US) account, you must be an individual or entity that meets the requirements of AWS GovCloud (US).
+ The account holder must be a U.S. entity incorporated to do business in the United States and based on U.S. soil.
+ The account holder must be a U.S. Person, defined as a U.S. citizen or active Green Card holder.
+ The account holder must be able to handle International Traffic in Arms Regulations (ITAR) export-controlled data.
+ In addition, AWS uses automated controls to prevent the creation of fraudulent accounts, which may cause a new account creation to be denied. If you believe your request was denied in error, contact AWS Customer Support for assistance with account creation.

## Create accounts as a direct consumer
<a name="create-accounts-consumer"></a>

There are two options for creating an AWS GovCloud (US) account as a direct consumer.

**Option 1: Creating an AWS GovCloud (US) account from a standalone AWS account**  
If you are a direct customer of AWS and do not purchase AWS through an AWS Solution Provider or an AWS Reseller, follow the steps below. If you use AWS Organizations to manage accounts, we recommend using the AWS Organizations API instead (see Option 2).

1. Create a new AWS standard account by [signing up for a new account](https://aws.amazon.com/resources/create-account/).

1. Log in to the new AWS account with the root credentials. If you do not have the root credentials, create a support ticket to recover the credentials.

1. Navigate to the **Account** page at the top right of the AWS Management Console.  
![\[AWS Management Console header showing account menu with options like Organization and Billing.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/account-menu-as-of-1-9-24.png)

1. On the **Account** page, scroll down to the **Other settings** section. Choose the **AWS GovCloud** link. If you do not see this link, ensure that you are logged in with the root credentials; otherwise, create a support ticket.  
![\[Other settings section with options for payment, communication, support, and AWS GovCloud.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/account-page-other-settings-card-as-of-1-9-24.png)

1. This takes you to the AWS GovCloud (US) Sign Up Portal, where you are asked to accept the AWS GovCloud (US) legal agreement and provide additional information so that we can verify your eligibility for an AWS GovCloud (US) account.

**Option 2: Creating an AWS GovCloud (US) account with AWS Organizations**  
[AWS Organizations](https://aws.amazon.com/organizations/) helps you centrally govern your environment as you grow and scale your workloads on AWS. AWS Organizations manages a set of accounts within each partition and can help create accounts across partitions. For example, you can create an AWS organization within the AWS US Standard Regions to manage accounts in those Regions. You will need to create a separate AWS organization in AWS GovCloud (US) to manage accounts in the AWS GovCloud (US) partition.

1. Follow the steps above to create a standalone AWS GovCloud (US) account that is mapped to your AWS Organizations management account.

1. Call the AWS Organizations [CreateGovCloudAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html) API from the AWS Standard account that is the management account of your organization. This creates two accounts: one in the AWS Standard Region organization and an associated AWS GovCloud (US) account. The API also creates a role for accessing the new AWS Standard account from the Standard organization, and a role in the AWS GovCloud (US) account that is mapped to your management account for accessing the new AWS GovCloud (US) account.

1. The API call returns success immediately, but the account creation runs asynchronously and may take a few minutes to complete. For more information, see the [AWS Organizations documentation](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/create-gov-cloud-account.html).

   To get the IDs of the accounts being created, run the describe-create-account-status command with the request ID returned by the create call.

   **Example**

   ```
   aws organizations describe-create-account-status --create-account-request-id <value>
   aws organizations describe-create-account-status --create-account-request-id car-examplecreateaccountrequestid111
   ```

   See the [describe-create-account-status](https://docs.aws.amazon.com/cli/latest/reference/organizations/describe-create-account-status.html) command reference for more information.

1. Once complete, you can log in to your AWS GovCloud (US) management account and switch role into the new AWS GovCloud (US) account.

1. After creating the standalone account in AWS GovCloud (US), you can invite it only to an organization in the AWS GovCloud (US) partition.
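The Option 2 flow end to end, as an added example that is not from this guide or the AWS SDKs: the request is started, then its status record is polled until it reaches SUCCEEDED or FAILED, handling the asynchronous completion described in step 3. The client calls are passed in as functions so the sample runs offline against constructed responses; with boto3 you would pass `org.create_gov_cloud_account` and `org.describe_create_account_status` from a client created with management-account credentials. The account IDs, email and account name below are placeholders.

```python
"""Start a CreateGovCloudAccount request and poll it to completion.

Added example, not AWS code. The response shape follows the documented
CreateAccountStatus record; all sample values below are constructed.
"""
import time
from typing import Callable, Dict, List, Tuple


class GovCloudAccountCreationFailed(RuntimeError):
    """The service reported State=FAILED; the message carries its FailureReason."""


def request_govcloud_account(create: Callable[..., Dict], email: str,
                             account_name: str,
                             role_name: str = "OrganizationAccountAccessRole") -> str:
    """Issue the create call and return the request ID (car-...) to poll on.

    `create` is the CreateGovCloudAccount client method (boto3:
    org.create_gov_cloud_account), called from the standard-partition
    management account. `role_name` is the access role created in both new accounts.
    """
    response = create(Email=email, AccountName=account_name, RoleName=role_name)
    return response["CreateAccountStatus"]["Id"]


def wait_for_govcloud_account(describe: Callable[[str], Dict], request_id: str,
                              poll_interval: float = 15.0, max_polls: int = 40,
                              sleep: Callable[[float], None] = time.sleep) -> Tuple[str, str]:
    """Poll DescribeCreateAccountStatus; return (standard_account_id, govcloud_account_id).

    Raises GovCloudAccountCreationFailed on FAILED, and TimeoutError if the
    request is still IN_PROGRESS after max_polls attempts.
    """
    for attempt in range(max_polls):
        status = describe(request_id)["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            # One status record carries both IDs: the new standard account
            # and the GovCloud (US) account linked to it.
            return status["AccountId"], status["GovCloudAccountId"]
        if state == "FAILED":
            raise GovCloudAccountCreationFailed(
                f"{request_id}: {status.get('FailureReason', 'UNKNOWN')}")
        if state != "IN_PROGRESS":
            raise ValueError(f"unexpected State {state!r} for {request_id}")
        if attempt + 1 < max_polls:
            sleep(poll_interval)
    raise TimeoutError(f"{request_id} still IN_PROGRESS after {max_polls} polls")


# ---- Constructed sample responses (placeholder IDs, not real accounts) ----
REQUEST_ID = "car-examplecreateaccountrequestid111"  # request ID format used on this page

SAMPLE_CREATE = {"CreateAccountStatus": {"Id": REQUEST_ID, "State": "IN_PROGRESS"}}
SAMPLE_IN_PROGRESS = {"CreateAccountStatus": {"Id": REQUEST_ID, "State": "IN_PROGRESS",
                                              "AccountName": "govcloud-workload-01"}}
SAMPLE_SUCCEEDED = {"CreateAccountStatus": {"Id": REQUEST_ID, "State": "SUCCEEDED",
                                            "AccountName": "govcloud-workload-01",
                                            "AccountId": "111111111111",           # placeholder
                                            "GovCloudAccountId": "222222222222"}}  # placeholder
SAMPLE_FAILED = {"CreateAccountStatus": {"Id": REQUEST_ID, "State": "FAILED",
                                         "FailureReason": "EMAIL_ALREADY_EXISTS"}}


def fake_create(**kwargs) -> Dict:
    """Offline stand-in for create_gov_cloud_account; checks the required params are present."""
    for required in ("Email", "AccountName"):
        if required not in kwargs:
            raise TypeError(f"missing {required}")
    return SAMPLE_CREATE


def fake_describer(responses: List[Dict]) -> Callable[[str], Dict]:
    """Offline stand-in for describe_create_account_status replaying a fixed sequence."""
    queue = list(responses)

    def describe(request_id: str) -> Dict:
        if request_id != REQUEST_ID:
            raise KeyError(request_id)
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return describe


def demo_success() -> Tuple[str, str]:
    """Start the request, see IN_PROGRESS twice, then SUCCEEDED; no real sleeping."""
    rid = request_govcloud_account(fake_create, "placeholder@example.com", "govcloud-workload-01")
    describe = fake_describer([SAMPLE_IN_PROGRESS, SAMPLE_IN_PROGRESS, SAMPLE_SUCCEEDED])
    return wait_for_govcloud_account(describe, rid, sleep=lambda _s: None)


def demo_failure() -> str:
    """Surface the service's FailureReason instead of a bare stack trace."""
    describe = fake_describer([SAMPLE_IN_PROGRESS, SAMPLE_FAILED])
    try:
        wait_for_govcloud_account(describe, REQUEST_ID, sleep=lambda _s: None)
    except GovCloudAccountCreationFailed as exc:
        return str(exc)
    return "did not fail"


if __name__ == "__main__":
    std_id, gov_id = demo_success()
    print(f"standard account {std_id} linked to GovCloud (US) account {gov_id}")
    print("failure example:", demo_failure())
```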

## Creating an AWS GovCloud (US) account through a Reseller or Solution Provider
<a name="solution-providers"></a>

Contact your AWS Solution Provider or AWS Reseller to sign up for an AWS GovCloud (US) account.

### Solution Providers or Resellers
<a name="solution-providers-resellers"></a>

If you are a **Solution Provider and wish to resell Authorized Services in the AWS GovCloud (US) Regions**, please contact your AWS business representative by going to the AWS GovCloud (US) [Contact Us](https://aws.amazon.com/govcloud-us/contact/) page and completing the form to start the sign-up process.

### AWS Marketplace
<a name="marketplace"></a>

Software vendors who want to be listed in the AWS Marketplace for AWS GovCloud (US) must have a direct agreement with AWS. Software vendors who want to be listed in the AWS GovCloud (US) Region should sign up as a Direct Customer whether they are resellers or not.

## Close Account
<a name="closing-accounts"></a>

For instructions on how to close an AWS GovCloud (US) account, see [Closing an AWS GovCloud (US) account](Closing-govcloud-account.md).

# AWS Standard Account Linking
<a name="getting-started-standard-account-linking"></a>

AWS GovCloud (US) accounts are associated 1:1 with standard AWS accounts for billing, service, and support purposes. Customers are required to have an existing standard account before signing up for an AWS GovCloud (US) account.

**Important**  
We recommend creating a new AWS account that will only be used for AWS GovCloud (US) sign-up and billing (i.e. do not deploy any AWS workloads into this standard account). A dedicated AWS account for the new AWS GovCloud (US) account enables you to transfer the AWS GovCloud (US) account to another party in the future and to fully close the AWS GovCloud (US) account without affecting your other AWS workloads.

![\[Standard Account and GovCloud Account icons connected by a bidirectional arrow.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/std-govcloud.png)


If you use AWS Organizations to manage accounts within the AWS standard Regions, you can create the new standard account from the AWS Organizations console or by using the [AWS Organizations API](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/create-gov-cloud-account.html). The organization in your standard AWS account is separate from any organization you choose to create in AWS GovCloud (US), even though the accounts are linked, and you must manage each separately. Only the standard AWS account is managed by the existing organization.

You can create a new AWS organization within the AWS GovCloud (US) partition by creating a set of new accounts, creating a new AWS Organizations root within one of the new accounts, and inviting the other AWS GovCloud (US) accounts to the new organization. Follow the steps for [inviting accounts to an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html). This results in separate AWS organizations, one in each partition.

![\[AWS Standard and GovCloud account structures with mapped relationships between regions.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/org_std-govcloud.png)


# Signing in to AWS GovCloud (US)
<a name="signing-into-govcloud"></a>

The AWS Management Console provides a web-based user interface that you can use to create and manage your AWS resources. For example, you can start and stop Amazon EC2 instances, create Amazon DynamoDB tables, create Amazon S3 buckets, and so on.

Before you can use the AWS Management Console, you must sign in to your AWS GovCloud (US) account. There are two different types of users in AWS GovCloud (US). You are either the account owner (root user) or you are an IAM user. The root user is created when the AWS GovCloud (US) account is created. IAM users are created by the root user or an IAM administrator within the AWS GovCloud (US) account.

If you do not remember your credentials or have trouble signing in using your credentials, see [Troubleshooting AWS GovCloud (US) sign-in or account issues](govcloud-sign-in-issues.md).

## Sign in as the root user
<a name="sign-in-root-user-govcloud"></a>

The AWS Management Console for AWS GovCloud (US) only supports signing in as an IAM user. Signing in to the AWS Management Console for AWS GovCloud (US) as the AWS GovCloud (US) account root user or as the associated standard AWS account root user is not supported.

For more information, see [AWS Identity and Access Management in AWS GovCloud (US)](govcloud-iam.md).

For more information about the AWS GovCloud (US) account root user, see [AWS GovCloud (US) account root user](govcloud-account-root-user.md).

## Sign in as an IAM user
<a name="sign-in-iam-govcloud"></a>

Before you sign in to an AWS GovCloud (US) account as an IAM user, be sure that you have the following required information. If you do not have this information, contact the administrator for the AWS GovCloud (US) account.

**Requirements**
+ One of the following:
  + The account alias.
  + The 12-digit AWS GovCloud (US) account ID.
+ The user name for your IAM user.
+ The password for your IAM user.

If you are a root user or IAM administrator and need to provide the AWS GovCloud (US) account ID or AWS GovCloud (US) account alias to an IAM user, see [Your AWS GovCloud (US) account ID and its alias](govcloud-account-ID-alias.md).

If you are an IAM user, you can log in using either a sign-in URL or the main sign-in page.

**To sign in to an AWS GovCloud (US) account as an IAM user using an IAM user sign-in URL**

1. Open a browser and enter the following sign-in URL, replacing `account_alias_or_id` with the account alias or account ID provided by your administrator.

   ```
   https://<account_alias_or_id>.signin.amazonaws-us-gov.com
   ```

1. Enter your IAM user name and password and choose **Sign in**.  
![\[iam-user Sign-in Page\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/sign-in-iam-user-capture.png)

**To sign in to an AWS GovCloud (US) account as an IAM user using the main sign-in page**

1. Open [https://console.amazonaws-us-gov.com](https://console.amazonaws-us-gov.com).

   If you have signed in previously using this browser, your browser might remember the account alias or account ID for the AWS GovCloud (US) account.

1. Enter the account alias or account ID, your IAM user name, and your password, and then choose **Sign in**.  
![\[iam User Sign-in Page\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/govcloud-sign-in-1.png)

# Your AWS GovCloud (US) account ID and its alias
<a name="govcloud-account-ID-alias"></a>

To sign in to an AWS GovCloud (US) account as an IAM user, you must have an account alias or an account ID for the AWS GovCloud (US) account. If you are signed in to the AWS Management Console or have configured the AWS CLI or an AWS SDK with your account credentials, you can find the account alias or account ID for the AWS GovCloud (US) account. If you cannot sign in, ask your administrator for the information that you need to sign in.

**Note**  
Account aliases are not secrets, and they will appear in your public-facing sign-in page URL. Do not include any sensitive information in your account alias.

## Finding your AWS GovCloud (US) account ID
<a name="finding-govlcoud-id"></a>

You can find the account ID for your AWS GovCloud (US) account using the following methods.

**Note**  
Support can’t help you recover this information.

### Finding your AWS GovCloud (US) account ID using the AWS Management Console for AWS GovCloud (US)
<a name="find-govcloud-id-govcloud-console"></a>

You can retrieve your AWS GovCloud (US) account ID by [Signing in to AWS GovCloud (US)](signing-into-govcloud.md). In the navigation bar, choose **Support**, and then **Support Center**. Your currently signed-in 12-digit account number (ID) appears in the **Support Center** navigation pane.

### Finding your AWS GovCloud (US) account ID using the standard AWS Management Console
<a name="find-govcloud-id-console"></a>

You can retrieve your AWS GovCloud (US) account ID by signing in to [the standard AWS Management Console as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) of the [associated standard AWS account](getting-started-standard-account-linking.md). In the navigation bar, choose your account name on the top right of the window, and then choose **Account**. On the **Account Settings** page, under **AWS GovCloud (US)**, choose the **Sign up for AWS GovCloud (US)** button. You will be directed to a page that indicates you already have access and displays your account ID.

### Finding your AWS GovCloud (US) account ID using the AWS CLI
<a name="find-govcloud-id-cli"></a>

With AWS GovCloud (US) account credentials, use the following command to view your user ID, account ID, and your user ARN:
+  [aws sts get-caller-identity](https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html) 

If your AWS GovCloud (US) account was created using the [CreateGovCloudAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html) API, use the following command to view your AWS GovCloud (US) account ID and its associated standard AWS account ID. This call must be made from the standard [AWS Organizations management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) or by a member account that is a delegated administrator for an AWS service.
+  [aws organizations list-create-account-status](https://docs.aws.amazon.com/cli/latest/reference/organizations/list-create-account-status.html) 

### Finding your AWS GovCloud (US) account ID using the API
<a name="find-govcloud-id-api"></a>

With AWS GovCloud (US) account credentials, use the following API to view your user ID, account ID, and your user ARN:
+  [GetCallerIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) 

If your AWS GovCloud (US) account was created using the [CreateGovCloudAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html) API, use the following operation to view your AWS GovCloud (US) account ID and its associated standard AWS account ID. This call must be made from the standard [AWS Organizations management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) or by a member account that is a delegated administrator for an AWS service.
+  [ListCreateAccountStatus](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListCreateAccountStatus.html) 

## Finding your associated standard AWS account ID
<a name="find-standard-id"></a>

**Note**  
Support can’t help you recover this information.

### Finding your associated standard AWS account ID using the AWS Management Console for AWS GovCloud (US)
<a name="find-standard-id-govcloud-console"></a>

You can retrieve your associated standard AWS account ID by signing in to your AWS GovCloud (US) account.

In the navigation bar, choose **Support**, and then **Support Center**. In the **Support Center** navigation pane, choose **Your support cases** and open the most recently created support case by choosing its **Case ID** or **Subject**. In the **Case details**, look for the email address listed in the **Opened by** field. If your account email address has not changed since opening the case, this is your account email address. [Sign in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) of your standard AWS account using this email and follow [Finding your AWS account ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#FindingYourAWSId) in the *AWS Identity and Access Management User Guide*.

**Note**  
If you have never opened a support case or believe the email address has since changed, [create a support case for account and billing](https://docs.aws.amazon.com/awssupport/latest/user/case-example.html) and [resolve it](https://docs.aws.amazon.com/awssupport/latest/user/monitoring-your-case.html#resolve-a-support-case) immediately. Review the case’s **Opened by** field to see the associated account email.

### Finding your associated standard AWS account ID using the AWS CLI
<a name="find-standard-id-cli"></a>

If your AWS GovCloud (US) account was created using the [CreateGovCloudAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html) API, use the following command to view your AWS GovCloud (US) account ID and its associated standard AWS account ID. This call must be made from the standard [AWS Organizations management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) or by a member account that is a delegated administrator for an AWS service.
+  [aws organizations list-create-account-status](https://docs.aws.amazon.com/cli/latest/reference/organizations/list-create-account-status.html) 

### Finding your associated standard AWS account ID using the API
<a name="find-standard-id-api"></a>

If your AWS GovCloud (US) account was created using the [CreateGovCloudAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html) API, use the following operation to view your AWS GovCloud (US) account ID and its associated standard AWS account ID. This call must be made from the standard [AWS Organizations management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) or by a member account that is a delegated administrator for an AWS service.
+  [ListCreateAccountStatus](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListCreateAccountStatus.html) 

## About account aliases
<a name="about-account-alias"></a>

If you want the URL for your sign-in page to contain your company name (or other friendly identifier) instead of your AWS GovCloud (US) account ID, you can create an account alias. This section provides information about AWS account aliases and lists the API operations that you use to create an alias.

Your sign-in page URL has the following format, by default.

```
https://<Your_Account_ID>.signin.aws.amazon.com/console/
```

If you create an AWS account alias for your AWS GovCloud (US) ID, your sign-in page URL looks like the following example.

```
https://<Your_Account_Alias>.signin.aws.amazon.com/console/
```

The original URL containing your AWS GovCloud (US) ID remains active and can be used after you create your AWS account alias.

**Tip**  
To create a bookmark for your account sign-in page in your web browser, you should manually type the sign-in URL in the bookmark entry. Don’t use your web browser’s "bookmark this page" feature.

## Creating, deleting, and listing an AWS account alias
<a name="create-account-alias"></a>

You can use the AWS Management Console, the IAM API, or the command line interface to create or delete your AWS GovCloud (US) account alias.

**Considerations**
+ Your AWS GovCloud (US) account can have only one alias. If you create a new alias for your AWS GovCloud (US) account, the new alias overwrites the previous alias, and the URL containing the previous alias stops working.
+ The account alias must be unique across all Amazon Web Services products. It must contain only digits, lowercase letters, and hyphens. For more information on limitations on AWS account entities, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).
+ Changes to your AWS GovCloud (US) account alias or the associated standard AWS account alias will not overwrite the other alias. They can each be customized without interference from the other. See [Creating](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#CreateAccountAlias) in the *AWS Identity and Access Management User Guide* to learn more about customizing the associated standard AWS account alias.

### Creating, editing, and deleting aliases (console)
<a name="create-alias-console"></a>

You can create, edit, and delete an account alias from the AWS Management Console for AWS GovCloud (US).

**To create, edit, or remove an account alias (console)**

1. Sign in to the AWS Management Console for AWS GovCloud (US) and open the IAM console at https://console.amazonaws-us-gov.com/iam/.

1. In the navigation pane, choose **Dashboard**.

1. In the **AWS account** section, find **Account Alias**, and choose **Create**. If an alias already exists, then choose **Edit**.

1. Type the name you want to use for your alias, then choose **Save changes**.

1. To remove the alias, next to **Account Alias** choose **Delete**, and then choose **Delete**. The sign-in URL reverts to using your AWS account ID.

### Creating, deleting, and listing aliases (AWS CLI)
<a name="create-alias-cli"></a>

**Note**  
You must use AWS GovCloud (US) credentials.

To create an alias for your AWS Management Console for AWS GovCloud (US) sign-in page URL, run the following command:
+  [aws iam create-account-alias](https://docs.aws.amazon.com/cli/latest/reference/iam/create-account-alias.html) 

To delete an AWS account ID alias, run the following command:
+  [aws iam delete-account-alias](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-account-alias.html) 

To display your AWS account ID alias, run the following command:
+  [aws iam list-account-aliases](https://docs.aws.amazon.com/cli/latest/reference/iam/list-account-aliases.html) 

### Creating, deleting, and listing aliases (AWS API)
<a name="create-alias-api"></a>

**Note**  
You must use AWS GovCloud (US) credentials.

To create an alias for your AWS Management Console for AWS GovCloud (US) sign-in page URL, call the following operation:
+  [CreateAccountAlias](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccountAlias.html) 

To delete an alias for your AWS Management Console for AWS GovCloud (US) sign-in page URL, call the following operation:
+  [DeleteAccountAlias](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccountAlias.html) 

To display your AWS account ID alias, call the following operation:
+  [ListAccountAliases](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccountAliases.html) 

# Troubleshooting AWS GovCloud (US) sign-in or account issues
<a name="govcloud-sign-in-issues"></a>

Use the information here to help you troubleshoot sign-in and other AWS GovCloud (US) account issues. For step-by-step directions to sign in to an AWS account, see [Sign in as the root user](signing-into-govcloud.md#sign-in-root-user-govcloud).

If you are having trouble signing in to your [associated standard AWS account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html), see [Troubleshooting sign-in issues](https://docs.aws.amazon.com/signin/latest/userguide/troubleshooting-sign-in-issues.html) in the *AWS Sign-In User Guide* instead.

**Note**  
For security purposes, AWS doesn’t have access to view, provide, or change your credentials.

## My AWS GovCloud (US) credentials aren’t working
<a name="troubleshoot-my-credentials-are-not-working"></a>

When you can’t sign in to the AWS Management Console for AWS GovCloud (US), try to remember how you previously accessed AWS.

**If you don’t remember signing in using a password at all**

You might have previously accessed AWS without using AWS credentials. This is common for enterprise single sign-on through IAM Identity Center. Accessing AWS this way means that you use your corporate credentials to access AWS accounts or applications without entering your credentials.
+  **AWS access portal** – If an administrator allows you to use credentials from outside AWS to access AWS, you need the URL for your portal. Check your email, browser favorites, or browser history for a URL that includes `awsapps.com/start` or `signin.aws/platform/login`.

  For example, your custom URL might include an ID or a domain such as `https://d-1234567890.awsapps.com/start`.

  If you can’t find your portal link, contact your administrator. Support can’t help you recover this information.

**If you remember signing in using a password**

You might be on the wrong page. Try signing in on a different page:
+  **Root user sign-in page** – Signing in to the AWS Management Console for AWS GovCloud (US) as the root user is not supported. To learn more about the root user in AWS GovCloud (US), see [AWS GovCloud (US) account root user](govcloud-account-root-user.md) in the *AWS GovCloud (US) User Guide*.
+  **IAM user sign-in page** – If you or someone else created an IAM user within a single AWS GovCloud (US) account, you must know that account’s ID or alias. Enter your account ID or alias, user name, and password into the [AWS Management Console for AWS GovCloud (US)](https://console.aws.amazon.com/). To learn how to access the IAM user sign-in page, see [Sign in as the root user](signing-into-govcloud.md#sign-in-root-user-govcloud). If you forgot your IAM user password, see [I lost or forgot my AWS GovCloud (US) IAM user name or password](#troubleshoot-lost-iam-password) for information on resetting it. If you forgot your account number, search your email, browser favorites, or browser history for a URL that includes `signin.amazonaws-us-gov.com/`. Your account ID or alias precedes this domain, as in `account_alias_or_id.signin.amazonaws-us-gov.com`. The account ID can also follow the `account=` or `account%3D` text in the URL. If you can’t find your account ID or alias, see [I need my AWS GovCloud (US) account ID or account alias](#troubleshoot-need-account-id-alias).
+  **AWS access portal** – If an administrator set up an AWS IAM Identity Center identity source for AWS, you must sign in using your user name and password. In this case, you need the URL for your portal. Check your email, secure password storage, browser favorites, or browser history for a URL that includes `start.us-gov-home.awsapps.com` or `signin-fips.amazonaws-us-gov.com/platform/login`. For example, your custom URL might include an ID or a domain such as `https://start.us-gov-home.awsapps.com/directory/d-1234567890`.

  If you can’t find your portal link, contact your administrator. Support can’t help you recover this information.
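An added helper, not from this guide, that ties together the alias rules in "About account aliases" and the URL-hunting advice in the IAM user sign-in bullet above: it validates a candidate alias, builds the GovCloud (US) sign-in URL for it, and recovers the account ID or alias from saved sign-in URLs in the two placements the page describes (the subdomain, or an `account=` / `account%3D` parameter). The 3–63 character alias length is taken from the IAM quotas page the alias section links to; the browser-history URLs, IDs and aliases are constructed samples.

```python
"""Alias checks and account-identifier recovery from AWS GovCloud (US) sign-in URLs.

Added example, not AWS code. Host names follow the sign-in URLs given on this
page; the alias length bound follows the IAM quotas reference it links to.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

GOVCLOUD_SIGNIN_DOMAIN = "signin.amazonaws-us-gov.com"

# Page rule: only digits, lowercase letters and hyphens; 3-63 chars per IAM quotas.
_ALIAS_RE = re.compile(r"^[a-z0-9-]{3,63}$")
_ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Fallback for an account ID nested inside another URL parameter, where the
# "=" survives only as its percent-encoded form "%3D".
_ACCOUNT_PARAM_RE = re.compile(r"account(?:=|%3D)([a-z0-9-]+)", re.IGNORECASE)


def is_valid_alias(alias: str) -> bool:
    """True if `alias` meets the character and length rules (uniqueness is checked by AWS)."""
    return bool(_ALIAS_RE.fullmatch(alias))


def govcloud_signin_url(alias_or_id: str) -> str:
    """Sign-in page URL for an alias or 12-digit account ID in the GovCloud (US) partition."""
    if not (is_valid_alias(alias_or_id) or _ACCOUNT_ID_RE.fullmatch(alias_or_id)):
        raise ValueError(f"not a valid account alias or 12-digit account ID: {alias_or_id!r}")
    return f"https://{alias_or_id}.{GOVCLOUD_SIGNIN_DOMAIN}/console/"


def account_from_signin_url(url: str) -> Optional[str]:
    """Return the alias or account ID carried by a GovCloud (US) sign-in URL, else None.

    URLs for other partitions (signin.aws.amazon.com) and unrelated sites yield
    None, so a history export can be scanned without false positives.
    """
    parts = urlsplit(url)
    host = parts.netloc.lower().split("@")[-1].split(":")[0]  # drop userinfo/port
    if host != GOVCLOUD_SIGNIN_DOMAIN and not host.endswith("." + GOVCLOUD_SIGNIN_DOMAIN):
        return None
    if host != GOVCLOUD_SIGNIN_DOMAIN:
        label = host[: -len("." + GOVCLOUD_SIGNIN_DOMAIN)]
        if "." not in label:          # <alias_or_id>.signin.amazonaws-us-gov.com
            return label
    query = parse_qs(parts.query)     # plain ?account=<id>
    if query.get("account"):
        return query["account"][0]
    nested = _ACCOUNT_PARAM_RE.search(url)  # ...%3Faccount%3D<id>%26...
    return nested.group(1) if nested else None


def recover_identifiers(history_urls: List[str]) -> List[str]:
    """Distinct account IDs/aliases found in a list of browser-history URLs, sorted."""
    found = {account_from_signin_url(u) for u in history_urls}
    return sorted(v for v in found if v)


# Constructed browser-history sample; the IDs and aliases are placeholders.
SAMPLE_HISTORY = [
    "https://my-agency-prod.signin.amazonaws-us-gov.com/console/",
    "https://signin.amazonaws-us-gov.com/oauth?account=123456789012&state=abc",
    "https://signin.amazonaws-us-gov.com/x?redirect_uri=https%3A%2F%2Fsignin.amazonaws-us-gov.com%2Fy%3Faccount%3D123456789012%26a%3Db",
    "https://123456789012.signin.aws.amazon.com/console/",  # standard partition: ignored
    "https://console.amazonaws-us-gov.com/console/home",    # carries no identifier
]

if __name__ == "__main__":
    print(recover_identifiers(SAMPLE_HISTORY))
    print(govcloud_signin_url("my-agency-prod"))
```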

For more assistance on troubleshooting your sign-in issues, see [What do I do if I’m having trouble signing in to or accessing my AWS account?](https://aws.amazon.com/premiumsupport/knowledge-center/sign-in-account/) 

## I need my AWS GovCloud (US) account ID or account alias
<a name="troubleshoot-need-account-id-alias"></a>

If you are an IAM user and you are not signed in, you must ask your administrator for the AWS account ID or AWS account alias. You need this information, plus your IAM user name and password, to sign in to an AWS account. To learn more about where to find your account ID and alias, see [Your AWS GovCloud (US) account ID and its alias](govcloud-account-ID-alias.md) in the *AWS GovCloud (US) User Guide*.

**Note**  
Support can’t help you recover this information.

## I lost or forgot my AWS GovCloud (US) IAM user name or password
<a name="troubleshoot-lost-iam-password"></a>

If you are an IAM user, your administrator provides your credentials. If you forget your password, you must ask your administrator to reset your password. To learn how an administrator can manage your password, see [Managing passwords for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html).

If you are an administrator of the AWS GovCloud (US) account and have forgotten your password to the AWS Management Console for AWS GovCloud (US), contact another administrator in the account to assist with restoring your access. If there are no other users with administrative access to your account, you will need root credentials for your AWS GovCloud (US) account to restore console access. To learn how to restore administrative console access with the root user, see [AWS GovCloud (US) account root user](govcloud-account-root-user.md) in the *AWS GovCloud (US) User Guide*.

## I lost or forgot the access keys for my AWS GovCloud (US) IAM user name
<a name="troubleshoot-lost-access-keys"></a>

If you are an IAM user and you forget your access keys, you will need new access keys. If you have permission to create your own access keys, you can find instructions for creating a new one at [Managing access keys (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey). If you do not have the required permissions, you must ask your administrator to create new access keys. If you are still using your old keys, ask your administrator not to delete the old keys. To learn how an administrator can manage your access keys, see [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).

You should follow the AWS [best practice](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials) of periodically changing your password and AWS access keys. In AWS, you change access keys by rotating them. This means that you create a new one, configure your applications to use the new key, and then delete the old one. You are allowed to have two access key pairs active at the same time for just this reason. For more information, see [Rotating access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey).

## I lost or forgot the access keys for my AWS GovCloud (US) root user
<a name="troubleshoot-lost-access-keys-govcloud-root"></a>

If you forget your AWS GovCloud (US) account root access keys, you can request new access keys. See [AWS GovCloud (US) account root user](govcloud-account-root-user.md) in the *AWS GovCloud (US) User Guide*.

## I forgot the root user password for my standard AWS account
<a name="troubleshoot-forgot-root-standard-password"></a>

If you are a root user and you have lost or forgotten the password for your [associated standard AWS account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html), you can reset your password. You must know the email address used to create the associated standard AWS account and you must have access to that email account. For more information, see [Resetting lost or forgotten passwords or access keys for AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys_retrieve.html).

## I don’t know the email for my standard AWS account or AWS GovCloud (US) account
<a name="troubleshoot-forgot-email-account"></a>

Your AWS GovCloud (US) account email address is the same as the email address configured in its [associated standard AWS account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html). Changing the standard AWS account email also changes the AWS GovCloud (US) account email.

If you are not sure of the email address associated with your AWS GovCloud (US) account, [sign in to your AWS GovCloud (US) account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/sign-in-iam-govcloud.html). In the navigation bar, choose **Support**, and then **Support Center**. In the **Support Center** navigation pane, choose **Your support cases** and open the most recently created support case by choosing its **Case ID** or **Subject**. In the **Case details**, look for the email address listed in the **Opened by** field. If your account email address has not changed since opening the case, this will be your account email address.

**Note**  
If you have never opened a support case or believe the email address has since changed, [create a support case for account and billing](https://docs.aws.amazon.com/awssupport/latest/user/case-example.html) and [resolve it](https://docs.aws.amazon.com/awssupport/latest/user/monitoring-your-case.html#resolve-a-support-case) immediately. Review this case's **Opened by** field to see the associated account email.

If you can’t sign in to your AWS GovCloud (US) account to find your email address, see [I don’t have access to the email for my AWS account](https://docs.aws.amazon.com/signin/latest/userguide/troubleshooting-sign-in-issues.html#troubleshoot-lost-email) in the AWS Sign-In User Guide.

## I don’t have access to the email for my standard AWS account or AWS GovCloud (US) account
<a name="troubleshoot-no-access-to-email"></a>

If you know the email address, but no longer have access to the email, see [I don’t have access to the email for my AWS account](https://docs.aws.amazon.com/signin/latest/userguide/troubleshooting-sign-in-issues.html#troubleshoot-lost-email) in the *AWS Sign-In User Guide*.

## I need to change the credit card for my AWS GovCloud (US) account
<a name="troubleshoot-update-credit-card"></a>

To change the credit card for your AWS GovCloud (US) account, you must have access to its [associated standard AWS account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html). See [I need to change the credit card for my AWS account](https://docs.aws.amazon.com/accounts/latest/reference/troubleshooting_other.html#troubleshoot-change-credit-card) in the *AWS Account Management Reference Guide*.

## I need to report fraudulent AWS GovCloud (US) account activity
<a name="troubleshoot-report-fraud"></a>

If you suspect fraudulent activity using your AWS GovCloud (US) account and would like to make a report, see [How do I report abuse of AWS resources](https://aws.amazon.com/premiumsupport/knowledge-center/report-aws-abuse/).

## I need to close my AWS GovCloud (US) account
<a name="troubleshoot-close-account"></a>

See [Closing an AWS GovCloud (US) account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/Closing-govcloud-account.html) in the *AWS GovCloud (US) User Guide*.

# AWS GovCloud (US) account root user
<a name="govcloud-account-root-user"></a>

When you first create a standard AWS account (not an AWS GovCloud (US) account), you begin with one identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. You can sign in as the root user using the email address and password that you used to create the account.

When you finish the [AWS GovCloud (US) Sign Up](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-sign-up.html) process and your AWS GovCloud (US) account is created, the AWS GovCloud (US) account root user is created at the same time. Unlike at the end of the standard AWS account sign-up process, you cannot sign in to the AWS Management Console for AWS GovCloud (US) using your account email address and password. Depending on the method you used to sign up, you are given initial console access to your AWS GovCloud (US) account through either an Administrator IAM user or the `OrganizationAccountAccessRole` IAM role.

While AWS GovCloud (US) account root user console access is not supported, programmatic access keys are supported. Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Anyone who has root user access keys for your AWS GovCloud (US) account has unrestricted access to all the resources in your account.

In this guide you will find:
+ How to identify whether your AWS GovCloud (US) account has root access keys
+ Step-by-step directions to request your AWS GovCloud (US) account root user access keys
+ Information that will help you complete tasks that require the AWS GovCloud (US) account root user

**Important**  
We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user access keys and use them to perform only a few account and service management tasks. To view the tasks that require root user access keys, see [Tasks in AWS GovCloud (US) Regions that require root user access keys](#govcloud-tasks-require-root-user).

## Does my AWS GovCloud (US) account have existing root access keys?
<a name="govcloud-account-existing-root"></a>

As an AWS GovCloud (US) account administrator, you may want to know if there are root access keys in your AWS GovCloud (US) account.

### Method 1
<a name="govcloud-account-existing-root-method-1"></a>

You can generate and download a credential report from your AWS GovCloud (US) account that lists all users in the account and the status of their various credentials, including passwords, access keys, and MFA devices.

To get your credential report, see [Getting credential reports for your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html) in the *AWS Identity and Access Management User Guide*.

In the credential report CSV, the following columns allow you to identify whether your account has root access keys and whether they are active.
+ **user** – Identify the `root_account` row.
+ **access_key_1_active** – When the root user has an access key and that key's status is Active, this value is `TRUE`. Otherwise it is `FALSE`.
+ **access_key_1_last_rotated** – The date and time, in [ISO 8601 date-time format](https://en.wikipedia.org/wiki/ISO_8601), when the root user's access key was created or last changed. If the root user does not have an active access key, the value in this field is `N/A` (not applicable).
+ **access_key_2_active** – When the root user has a second access key and that key's status is Active, this value is `TRUE`. Otherwise it is `FALSE`.
+ **access_key_2_last_rotated** – The date and time, in [ISO 8601 date-time format](https://en.wikipedia.org/wiki/ISO_8601), when the root user's second access key was created or last changed. If the root user does not have a second active access key, the value in this field is `N/A` (not applicable).

In this example, the root user has an active root access key in the account because the `access_key_1_last_rotated` field is not `N/A` and the `access_key_1_active` field is `TRUE`. There is no second access key associated with the root user because the `access_key_2_last_rotated` field is `N/A`; consequently, the `access_key_2_active` field is `FALSE`.

![\[In this example, the root has an active root access key in the account with no second access key.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/govcloud-root-user-cred-report.png)


For info on removing root user access keys, see [Deleting my AWS GovCloud (US) account root user access keys](#delete-govcloud-root-access-key).
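As an added example (not part of the AWS documentation), the following Python applies the Method 1 check to a credential report offline: it locates the root row, reads the four columns described above, and reports the result in the pass/fail style of the Security Hub controls in Method 2. It also decodes the base64 `Content` field that `aws iam get-credential-report` returns, so the same code can be fed a live report. The sample report, the account ID 123456789012, and the names `RootKeyStatus`, `root_key_status` and `describe` are constructed here.

```python
"""Check an IAM credential report for root user access keys (added example)."""
import base64
import csv
import io
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample for a fictitious AWS GovCloud (US) account 123456789012.
# Real reports carry more columns (password_*, cert_*, *_last_used_*); DictReader
# only needs the ones this check reads. IAM writes the root row's user as <root_account>.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,"
    "access_key_2_active,access_key_2_last_rotated\n"
    "<root_account>,arn:aws-us-gov:iam::123456789012:root,"
    "2021-03-01T12:00:00+00:00,false,true,2023-06-15T08:30:00+00:00,false,N/A\n"
    "alice,arn:aws-us-gov:iam::123456789012:user/alice,"
    "2022-01-10T09:00:00+00:00,true,true,2024-02-01T10:00:00+00:00,"
    "true,2024-05-01T10:00:00+00:00\n"
)

# The same account after its root access key was deleted: both key fields read N/A.
SAMPLE_REPORT_CLEAN = SAMPLE_REPORT.replace(
    "false,true,2023-06-15T08:30:00+00:00,false,N/A", "false,false,N/A,false,N/A"
)

# get-credential-report returns the CSV base64-encoded in its "Content" field.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT.encode("utf-8")).decode("ascii")


@dataclass(frozen=True)
class RootKeyStatus:
    key_1_active: bool
    key_1_last_rotated: Optional[str]  # ISO 8601 timestamp, or None when N/A
    key_2_active: bool
    key_2_last_rotated: Optional[str]

    @property
    def has_root_access_key(self) -> bool:
        # Mirrors CIS 1.12 / IAM.4 / PCI.IAM.1: any active root key is a failure.
        return self.key_1_active or self.key_2_active


def _is_true(value: str) -> bool:
    # The CSV spells booleans true/false; spreadsheets display them as TRUE/FALSE.
    return value.strip().lower() == "true"


def _rotated(value: str) -> Optional[str]:
    value = value.strip()
    return None if value in ("", "N/A", "not_supported") else value


def decode_report(content_b64: str) -> str:
    """Decode the base64 "Content" value returned by get-credential-report."""
    return base64.b64decode(content_b64).decode("utf-8")


def root_key_status(report_csv: str) -> RootKeyStatus:
    """Locate the root_account row and read its access key columns."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"].strip().strip("<>") == "root_account":
            return RootKeyStatus(
                key_1_active=_is_true(row["access_key_1_active"]),
                key_1_last_rotated=_rotated(row["access_key_1_last_rotated"]),
                key_2_active=_is_true(row["access_key_2_active"]),
                key_2_last_rotated=_rotated(row["access_key_2_last_rotated"]),
            )
    raise ValueError("credential report has no root_account row")


def describe(status: RootKeyStatus) -> str:
    """One-line finding in the spirit of the Security Hub controls in Method 2."""
    if not status.has_root_access_key:
        return "PASSED: no active root user access keys"
    keys = []
    if status.key_1_active:
        keys.append(f"key 1 (last rotated {status.key_1_last_rotated})")
    if status.key_2_active:
        keys.append(f"key 2 (last rotated {status.key_2_last_rotated})")
    return "FAILED: active root user access key(s): " + "; ".join(keys)


if __name__ == "__main__":
    if not sys.stdin.isatty():
        # Live use: aws iam generate-credential-report, then pipe in
        #   aws iam get-credential-report --query Content --output text
        print(describe(root_key_status(decode_report(sys.stdin.read().strip()))))
    else:
        print(describe(root_key_status(decode_report(SAMPLE_REPORT_B64))))
        print(describe(root_key_status(SAMPLE_REPORT_CLEAN)))
```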

### Method 2
<a name="govcloud-account-existing-root-method-2"></a>

If AWS Security Hub CSPM is enabled on your account, the following Security Hub CSPM controls have a Failed compliance status when root access keys exist in your AWS GovCloud (US) account.
+ CIS AWS Foundations Benchmark standard: [1.12 – Ensure no root user access key exists](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.12)
+ Payment Card Industry Data Security Standard (PCI DSS): [PCI.IAM.1 IAM root user access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-iam-1)
+ AWS Foundational Security Best Practices standard: [IAM.4 IAM root user access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-4)

For more information on AWS Security Hub CSPM, see the [AWS Security Hub CSPM User Guide](https://docs.aws.amazon.com/securityhub/latest/userguide/index.html).

To remediate these findings, see [Deleting my AWS GovCloud (US) account root user access keys](#delete-govcloud-root-access-key).

## Requesting root access keys for an AWS GovCloud (US) account
<a name="requesting-root-user-keys"></a>

AWS GovCloud (US) account root user access keys can be requested from Support. Once your request is processed and approved, any existing AWS GovCloud (US) account root user access keys in your AWS GovCloud (US) account are deleted, and a single new access key is created. This new access key is stored as an encrypted secret with AWS Secrets Manager and AWS KMS in the **US East (N. Virginia)** Region. The secret is made available exclusively to the root user of the [standard AWS account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html) associated with your AWS GovCloud (US) account.

AWS managed account for this process: **536883072436**.

Use the following guide to request and retrieve a new AWS GovCloud (US) account root user access key.

**Important**  
This process is for AWS GovCloud (US) customers who have already signed up for an AWS GovCloud (US) account and completed all onboarding steps. If you are having issues with onboarding into AWS GovCloud (US), see [AWS GovCloud (US) Sign Up](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-sign-up.html) or [contact Support](https://console.aws.amazon.com/support/home#/case/create?issueType=customer-service&serviceCode=customer-account&categoryCode=aws-govcloud-us-onboarding).

### Prerequisites
<a name="requesting-root-user-keys-prerequisites"></a>

This task **requires root access** to the [standard AWS account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html) associated with your AWS GovCloud (US) account.

**Important**  
AWS GovCloud (US) account root user access keys provide unrestricted access to your AWS GovCloud (US) account. For security purposes, Support will only process requests for AWS GovCloud (US) root credentials when the requester is the root user of the [standard AWS account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html) associated with your AWS GovCloud (US) account.

If your AWS GovCloud (US) account is in an AWS GovCloud (US) Organization and has a service control policy (SCP) applied to it that [disallows actions as the root user](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#disallow-root-auser-actions) or [prevents the creation of root access keys](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#disallow-root-access-keys), your AWS GovCloud (US) [Organization management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) will need to adjust the SCP before you can request AWS GovCloud (US) account root access keys. Specifically, they will need to allow the following actions from the root user:
+  [CreateAccessKey](https://console.aws.amazon.com/cloudtrail/home?region=us-gov-west-1#/events/0b68c53f-66cf-4b01-a0c5-c4012b0877e2) 
+  [DeleteAccessKey](https://console.aws.amazon.com/cloudtrail/home?region=us-gov-west-1#/events/dc0b9902-6938-4750-99e5-b80b3052a41d) 
+  [ListAccessKeys](https://console.aws.amazon.com/cloudtrail/home?region=us-gov-west-1#/events/bbeea4d0-f041-4d0c-969d-d59c7ef2aa19) 

### For AWS GovCloud (US) Organization Management Account Administrators
<a name="requesting-root-user-keys-for-org-admin"></a>

The following SCP meets the minimum requirements to process a request for AWS GovCloud (US) account root user access keys while disallowing all other actions from the AWS GovCloud (US) account root user.

This is useful when a member account may have forgotten or lost its existing AWS GovCloud (US) account root user access keys and you would like to prevent those keys from being used to take actions against account resources until Support can process your request for new AWS GovCloud (US) account root user access keys.

**Note**  
When a member account needs to perform administrative tasks as the root user after retrieving its new AWS GovCloud (US) account root access keys from Support, it may be blocked from completing them. Move the member account to another OU with a less restrictive SCP applied, or remove the policy completely, to enable it to complete [Tasks in AWS GovCloud (US) Regions that require root user access keys](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-account-root-user.html).  
This SCP will not affect the AWS GovCloud (US) Organizations Management account should you move that account into an OU with this SCP applied. To learn more, see [Tasks and entities not restricted by SCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#not-restricted-by-scp) in the * AWS Organizations User Guide*.
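The SCP document itself is not reproduced on this page, so the following is an added example, not AWS's own policy text: a Python script that builds a policy denying a member account's root user everything except the three IAM actions listed above, and checks it locally against sample principal and action pairs before it is attached with AWS Organizations. The `Sid`, the account ID 123456789012, and the function names are chosen here; the `aws-us-gov` partition is the one AWS GovCloud (US) ARNs use. The evaluator models only the Deny/NotAction/StringLike subset this policy needs, not full IAM evaluation.

```python
"""Minimum SCP for the root access key request process, plus a local check (added example)."""
import json
import re
from typing import Iterable, List, Union

# The three actions the page says Support needs the member root user to perform.
REQUIRED_ROOT_ACTIONS = ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys"]

# Root principals in the AWS GovCloud (US) partition. The management account is
# exempt from SCPs regardless of this pattern.
GOVCLOUD_ROOT_ARN_PATTERN = "arn:aws-us-gov:iam::*:root"


def build_scp() -> dict:
    """Deny all root user actions except those needed to rotate root access keys."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRootExceptAccessKeyManagement",  # name chosen for this example
                "Effect": "Deny",
                "NotAction": REQUIRED_ROOT_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringLike": {"aws:PrincipalArn": [GOVCLOUD_ROOT_ARN_PATTERN]}
                },
            }
        ],
    }


def scp_json() -> str:
    """Policy document, e.g. for `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://scp.json`."""
    return json.dumps(build_scp(), indent=2)


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    # IAM wildcards are only * and ?; every other character is literal.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value: Union[str, Iterable[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def scp_denies(policy: dict, principal_arn: str, action: str) -> bool:
    """True if a Deny statement in `policy` matches this principal and action.

    Handles only what build_scp() uses: Effect Deny, Action or NotAction, and a
    StringLike condition on aws:PrincipalArn. Action names match case-insensitively
    and ARNs case-sensitively, as IAM does.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        arn_patterns = _as_list(
            stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn", "*")
        )
        if not any(_glob(p, principal_arn, ignore_case=False) for p in arn_patterns):
            continue  # condition not met, statement does not apply
        if "Action" in stmt:
            hit = any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
        else:
            hit = not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["NotAction"]))
        if hit:
            return True
    return False


if __name__ == "__main__":
    policy = build_scp()
    member_root = "arn:aws-us-gov:iam::123456789012:root"  # constructed account ID
    for act in REQUIRED_ROOT_ACTIONS + ["iam:CreateUser", "s3:ListAllMyBuckets"]:
        print(f"{act:<22} denied for member root: {scp_denies(policy, member_root, act)}")
    print(scp_json())
```

A pattern written for the wrong partition (`arn:aws:iam::*:root`) silently never matches a GovCloud root principal, so the last check in the test below guards against that mistake.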

**Step 1: Gather required information**  
Gather the following required information so you have it on hand when you open a support case in Step 2:

1.  **Company Name** – This is the full legal name of a Company or Public Sector Organization associated with this account. If this AWS GovCloud (US) account is not associated with a Company or Public Sector Organization, provide Individual Account Owner as the Company Name.

1.  **Account Email** – If you are not aware of your account email, see [I don’t know the email for my standard AWS account or AWS GovCloud (US) account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-troubleshooting.html#troubleshoot-forgot-email-account) in the *AWS GovCloud (US) User Guide*. If you need to change your account email, see [How do I change the email address that’s associated with my AWS account?](https://aws.amazon.com/premiumsupport/knowledge-center/change-email-address/)

1.  **Address** – This is the mailing address for your Company, Public Sector Organization, or the Individual Account Holder.

1.  **AWS GovCloud (US) Account ID** – If you are not aware of your AWS GovCloud (US) account ID, see [Finding your AWS GovCloud (US) account ID](govcloud-sign-in-issues.md#troubleshoot-need-account-id-alias) in the *AWS GovCloud (US) User Guide*.

1.  **Asymmetric KMS key** – You need to provide an asymmetric KMS key when requesting root access keys for an AWS GovCloud (US) account. Generate the key in the standard AWS account associated with the AWS GovCloud (US) account and in `us-east-1`.

   To generate a KMS key, use the following AWS CLI command:

   ```
   aws kms create-key \
       --region us-east-1 \
       --key-usage ENCRYPT_DECRYPT \
       --key-spec RSA_2048 \
       --description "Asymmetric KMS key for encryption and decryption" \
       --policy '{
           "Version": "2012-10-17",
           "Statement": [
               {
                   "Sid": "Enable IAM User Permissions",
                   "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::<your-account-ID>:root"},
                   "Action": "kms:*",
                   "Resource": "*"
               },
               {
                   "Sid": "Allow external account to encrypt",
                   "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::536883072436:root"},
                   "Action": "kms:Encrypt",
                   "Resource": "*"
               }
           ]
       }'
   ```

1.  **Account Owner** – This is the full legal name (First, Middle, Last Name) of the account owner who is requesting AWS GovCloud (US) account root user access keys. The account owner is the individual creating the support case who meets the requirements outlined in the template found in Step 2.

**Step 2: Create a support case**  
In this step, you create a support case with the Accounts and Billing support team to request root credentials for your AWS GovCloud (US) account.

1.  [Sign in to your standard AWS account](https://console.aws.amazon.com/) associated with your AWS GovCloud (US) account as the root user. To learn about signing in as the root user, see [Sign in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

   If you are having issues signing in to your standard AWS account as the root user, see [Troubleshooting AWS sign-in or account issues](https://docs.aws.amazon.com/signin/latest/userguide/troubleshooting-sign-in-issues.html) in the *AWS Sign-In User Guide*.

1. Navigate to [Support Center](https://console.aws.amazon.com/support/home#/case/create?issueType=customer-service&serviceCode=customer-account&categoryCode=aws-govcloud-us-request-root-credentials) by choosing the **?** icon in the navigation bar and then choose **Support Center** from the dropdown.

1. Choose **Create case** from the Open support cases section.

1. Choose **Account and billing**.

1. Use the dropdown box to choose **Account**. For **Category** choose **AWS GovCloud (US) – Request Root Credentials**, and then choose **Next step: Additional information**.

1. For **Subject** enter **AWS GovCloud (US) – Request Root Credentials**.

1. In the **Description** box, copy and paste the following template:

   ```
   Company Name: [Company Name From Step 1]
   Account Email: [Account Email From Step 1]
   Address: [Address From Step 1]
   AWS GovCloud (US) Account ID: [AWS GovCloud (US) Account ID From Step 1]
   Asymmetric KMS key ARN: [Asymmetric KMS key ARN from Step 1]

   I [Full Legal Name: First, Middle, Last Name of the Account Owner] hereby
   acknowledge the applicable requirements contained in the AWS GovCloud (US)
   Addendum to the AWS Customer Agreement (the "AWS GovCloud (US) Addendum")
   that apply to and governs the use of the AWS services in the AWS GovCloud (US)
   Region by the above referenced company. In accordance with the terms of the
   AWS GovCloud (US) Addendum, I represent and warrant that: I am a U.S. person;
   not subject to export restrictions under U.S. export control laws and regulations
   (e.g., I am not on the denied or debarred party list or otherwise subject
   to sanctions); and have full authority to request AWS release to me
   account credentials relating to the subject AWS GovCloud (US) account listed above.

   By typing my name below, I certify the above statements to be true and correct
   to the best of my knowledge, and that this information can be used for the
   purpose of processing new root credentials for the AWS GovCloud (US)
   account listed above.

   Name: [Full Legal Name: First, Middle, Last Name of the Account Owner]
   Title: [Your title related to the Company Name identified above]
   Date: [Enter the date]
   ```

1. Using the information collected in Step 1, fill out the required fields indicated by [brackets] in the template.
**Important**  
Support will not process your request if any of the following is identified in your support case:  
+ An incomplete template was provided.
+ Information is missing from the required fields.
+ The AWS GovCloud (US) Account ID field contains an AWS GovCloud (US) account ID not associated with the [standard AWS account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html) that is creating this support case.
+ The Account Email field contains an email that is not associated with the standard AWS account that is creating this support case.
+ Multiple AWS GovCloud (US) account IDs were provided. Each AWS GovCloud (US) account requested needs its own support case from the associated [standard AWS account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html) as the root user.

   The following image shows an example of a completed ticket:  
![\[Example of complete support case.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/root_user_support_case_example.png)

1. Choose **Next step**.

1. Choose **Contact us**, choose your **Preferred contact language**, and then choose **Web** as the contact method, if it’s not selected by default.  
![\[Web via email and Support Center contact method selected.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/contact_options_support.png)

1. Choose **Submit**.

1. Support will work with our internal service teams on your request and follow up with any additional questions.

   Once your request is approved and processed, Support will follow up on the support case with the information you need to continue on to Step 3.

**Step 3: Retrieving your AWS GovCloud (US) account root user access keys**  
In this step, you will retrieve your new AWS GovCloud (US) account root user access keys.

1.  [Sign in to your standard AWS account](https://console.aws.amazon.com/) associated with your AWS GovCloud (US) account as the root user. To learn about signing in as the root user, see [Sign in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

   If you are having issues signing in to your [standard AWS account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html) as the root user, see [Troubleshooting AWS sign-in or account issues](https://docs.aws.amazon.com/signin/latest/userguide/troubleshooting-sign-in-issues.html) in the *AWS Sign-In User Guide*.

1. Navigate to [Support Center](https://support.console.aws.amazon.com/support/home#/case/history) by choosing the **?** icon in the navigation bar and then choose **Support Center** from the dropdown.

1. In the **Support Center** navigation pane, choose **Your support cases**.

1. Open your support case created in Step 2 by choosing the **Case ID** or **Subject**.

1. Find the latest **Correspondence** from Support.

1. Use keyboard shortcuts or the context (right-click) menu to copy the AWS CLI command provided by Support, which looks like this:

   ```
   aws secretsmanager get-secret-value \
       --secret-id '<RCR secret ARN>' \
       --region 'us-east-1' \
       --version-stage 'AWSCURRENT' \
       --output 'text' \
       --query 'SecretString' \
       --no-cli-pager
   ```

   Then decrypt the output of `get-secret-value` for the credentials using this AWS CLI command:

   ```
   aws kms decrypt \
       --key-id '<KMS ARN GENERATED IN STEP 1>' \
       --region 'us-east-1' \
       --encryption-algorithm RSAES_OAEP_SHA_256 \
       --ciphertext-blob '<OUTPUT FROM get-secret-value>' \
       --output text \
       --query Plaintext | base64 --decode
   ```

1. With the command copied, launch AWS CloudShell. You can launch CloudShell from the AWS Management Console using either of the following methods:
   + Choose the AWS CloudShell icon on the console navigation bar.
   + Start typing *cloudshell* in the **Find Services** box and then choose the **CloudShell** option.  
![\[console navigation bar with cshell icon displayed.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/console_cloudshell_navigation_bar.png)

1. Your environment will take a few seconds to start. Once it is ready you will see `[cloudshell-user@ip-xxx.xxx.xxx.xxx ~]$`.  
![\[AWS CloudShell environment starting.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/cloudshell_waiting.png)  
![\[AWS CloudShell environment ready, showing the prompt.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/cloudshell_ready.png)

1. Paste the following commands into the AWS CloudShell terminal, then press Enter. Your AWS GovCloud (US) root access keys will be output to the terminal.

   Example

   ```
   SECRET_ID="arn:aws:secretsmanager:us-east-1:536883072436:secret:<rcr-example-02-0D3VUW>"
   # The secret value is the ciphertext of your new root access keys,
   # encrypted to the asymmetric KMS key you created in Step 1.
   BLOB=$(aws secretsmanager get-secret-value \
       --secret-id "$SECRET_ID" \
       --region 'us-east-1' \
       --version-stage AWSCURRENT \
       --output text \
       --query 'SecretString' \
       --no-cli-pager)

   # Decrypt with the private half of your own KMS key; the plaintext is base64-encoded.
   KMS_ENCRYPTION_KEY='arn:aws:kms:us-east-1:536883072436:key/<12345678-90ab-cdef-0123-4567-8example>'
   aws kms decrypt \
       --region 'us-east-1' \
       --key-id "$KMS_ENCRYPTION_KEY" \
       --encryption-algorithm RSAES_OAEP_SHA_256 \
       --ciphertext-blob "$BLOB" \
       --output text \
       --query Plaintext | base64 -d
   ```
**Note**  
See the [Troubleshooting](#troubleshoot-get-root-user-access-keys) section below should you experience any errors running the get-secret-value command.

1. Save your AWS GovCloud (US) account root user access keys in a safe location. To learn more, see [Securing my AWS GovCloud (US) account root user access keys](#secure-govcloud-root-access-key) in this guide.

1.  [Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell)](#configure-root-user-access-keys-cli) to complete [Tasks in AWS GovCloud (US) Regions that require root user access keys](#govcloud-tasks-require-root-user).
**Important**  
The `aws secretsmanager get-secret-value` command fails on any additional execution attempt after a single successful execution. If you closed the browser or cleared the terminal before saving your access key ID and secret access key, you must start this process over from the beginning. Support cannot re-enable access to the previous secret from the original support case.

### Troubleshooting
<a name="troubleshoot-get-root-user-access-keys"></a>

These are some of the most common issues you may face while retrieving your AWS GovCloud (US) account root user access keys.

#### Issue: DecryptionFailure
<a name="troubleshoot-get-root-user-access-keys-decryption-failure"></a>

```
$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:536883072436:secret:abcDEfgHiJKLMno-abcDeF \
    --region us-east-1 --version-stage AWSCURRENT --output text --query 'SecretString'
An error occurred (DecryptionFailure) when calling the GetSecretValue operation:
Secrets Manager can't decrypt the secret value: arn:aws:kms:us-east-1:536883072436:key/73947a77-ddbe-4dc7-bd8f-3fe0bc840778 is disabled.
(Service: AWSKMS; Status Code: 400; Error Code: DisabledException; Request ID: cdc4b7ed-e171-4cef-975a-ad829d4123e8; Proxy: null)
```

 **Cause** 

Your AWS GovCloud (US) account root user access keys have already been successfully retrieved once; the secret is disabled after the first successful retrieval.

 **Solution** 

If you lost or forgot your AWS GovCloud (US) account root user access keys from Step 3, you will need to start from Step 1 and submit a new support case. Support will not be able to re-enable access to the access keys generated in the original support case.

#### Issue: AccessDeniedException
<a name="troubleshoot-get-root-user-access-keys-access-denied"></a>

```
$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:536883072436:secret:abcDEfgHiJKLMno-abcDeF \
    --region us-east-1 --version-stage AWSCURRENT --output text --query 'SecretString'
An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:iam::123456789012:user/admin
is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:536883072436:secret:abcDEfgHiJKLMno-abcDeF
because no resource-based policy allows the secretsmanager:GetSecretValue action
```

 **Cause** 

An IAM identity that was not the root user of the standard AWS account associated with your AWS GovCloud (US) account was used to run this command. For security purposes AWS will only allow the retrieval of your new AWS GovCloud (US) account root user access keys from the root user of the standard AWS account associated with your AWS GovCloud (US) account.

 **Solution** 

By default, the AWS CLI in AWS CloudShell uses the credentials of the identity that is signed in to the AWS Management Console. Sign in to the standard AWS account associated with your AWS GovCloud (US) account as the root user and run the provided command in AWS CloudShell.

**Note**  
If you are signed in as the root user of the standard AWS account associated with your AWS GovCloud (US) account and you receive this error, your AWS CloudShell environment may have been altered from its default state. You can return AWS CloudShell to its default settings by [deleting your home directory](https://docs.aws.amazon.com/cloudshell/latest/userguide/vm-specs.html#deleting-home-directory).

## Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell)
<a name="configure-root-user-access-keys-cli"></a>

Before completing [Tasks in AWS GovCloud (US) Regions that require root user access keys](#govcloud-tasks-require-root-user), you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. If you do not have AWS GovCloud (US) account root user access keys, see [Requesting root access keys for an AWS GovCloud (US) account](#requesting-root-user-keys).

If you have just completed the steps to retrieve your AWS GovCloud (US) account root user access keys, you can continue to use AWS CloudShell in your standard AWS account as the AWS CLI is preinstalled. Alternatively, you can [download the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) for local use.

A collection of settings in the AWS CLI is called a profile. By default, the AWS CLI uses the default profile. We recommend the creation and use of an additional named profile for storing these root access keys by specifying the `--profile` option and assigning a name.

The following example creates a profile named `govcloudroot` using sample values. This profile will be used in other examples throughout this guide.

 **Example** 

```
$ aws configure --profile govcloudroot
AWS Access Key ID [None]: <AKIAI44QH8DHBEXAMPLE>
AWS Secret Access Key [None]: <je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY>
Default Region name [None]: <us-gov-west-1>
Default output format [None]: json
```

**Note**  
If using AWS CloudShell you must specify the region in each command using the `--region` option.  
 **Example**   

```
$ aws sts get-caller-identity --profile govcloudroot --region us-gov-west-1
{
    "UserId": "<123456789012>",
    "Account": "<123456789012>",
    "Arn": "arn:aws-us-gov:iam::<123456789012>:root"
}
```

### AWS CLI security with AWS GovCloud (US) account root user access keys
<a name="configure-root-user-access-keys-cli-security"></a>

The credentials used by the AWS CLI are stored in plaintext files and are **not** encrypted. The `$HOME/.aws/credentials` file stores long-term credentials required to access your AWS resources. These include your access key ID and secret access key.

### Removing AWS GovCloud (US) account root user access keys from the AWS CLI
<a name="configure-root-user-access-keys-cli-security-risk"></a>

Once you have completed [Tasks in AWS GovCloud (US) Regions that require root user access keys](#govcloud-tasks-require-root-user), [delete your AWS GovCloud (US) account root user access keys](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-account-root-user#delete-govcloud-root-access-key).

If you would like to retain your AWS GovCloud (US) account root user access keys, it is recommended to remove them from your AWS CLI credentials file. Store your access keys in a safe location until the next time you need them. To remove your root access keys from the credentials file, you can use the following methods.
+ Directly edit the **credentials** file in a text editor. For more information, see [Where are configuration settings stored?](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)
+ Run the following commands to remove your root user access keys from the govcloudroot profile.

  1. Remove your access key ID.

     ```
     $ aws configure set aws_access_key_id "" --profile govcloudroot
     ```

  1. Remove your secret access key.

     ```
     $ aws configure set aws_secret_access_key "" --profile govcloudroot
     ```
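The scrub that the two `aws configure set` commands above perform, as an added Python example that is not part of this guide: it blanks the key fields of a named profile with `configparser` and additionally reports any other profile in the file that still carries the same access key ID, so a pasted copy under another profile name is not overlooked. The sample file content and the standard-account key values are constructed; the `govcloudroot` values are the EXAMPLE placeholders used in this guide.

```python
import configparser
import tempfile
from pathlib import Path

# Fields that hold secrets in a credentials-file profile.
KEY_FIELDS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")

# Constructed sample credentials file. The govcloudroot values are the EXAMPLE
# placeholders from the guide; the copy under govcloud-scratch is a constructed
# case of the same root key lingering under another profile name.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIASTANDARDACCTEXAMPLE
aws_secret_access_key = standardAccountSecretEXAMPLEKEY

[govcloudroot]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

[govcloud-scratch]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
"""


def scrub_profile(credentials_path, profile):
    """Blank the key fields of `profile`, mirroring `aws configure set <field> ""`,
    and return the names of any other profiles still holding the same access key ID."""
    # interpolation=None so a '%' inside a secret is not treated as a format directive
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(credentials_path)
    if not parser.has_section(profile):
        raise KeyError(f"profile {profile!r} not found in {credentials_path}")
    removed_key_id = parser.get(profile, "aws_access_key_id", fallback="")
    for field in KEY_FIELDS:
        if parser.has_option(profile, field):
            parser.set(profile, field, "")
    # The same root key may have been pasted under another profile name; report those.
    leftovers = [
        name for name in parser.sections()
        if name != profile
        and removed_key_id
        and parser.get(name, "aws_access_key_id", fallback="") == removed_key_id
    ]
    with open(credentials_path, "w", encoding="utf-8") as fh:
        parser.write(fh)
    return leftovers


def demo():
    """Run the scrub against the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "credentials"
        path.write_text(SAMPLE_CREDENTIALS, encoding="utf-8")
        leftovers = scrub_profile(path, "govcloudroot")
        after = configparser.ConfigParser(interpolation=None)
        after.read(path)
        return {
            "leftovers": leftovers,
            "govcloudroot": dict(after["govcloudroot"]),
            "default": dict(after["default"]),
        }


if __name__ == "__main__":
    print(demo())
```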

## Tasks in AWS GovCloud (US) Regions that require root user access keys
<a name="govcloud-tasks-require-root-user"></a>

We recommend that you use an IAM user with appropriate permissions to [perform tasks and access AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials). However, you can perform the tasks listed below only when you use the AWS GovCloud (US) account root user access keys. [Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell)](#configure-root-user-access-keys-cli) before starting these tasks.

**Tasks**
+  [Restore IAM Administrator access to the AWS Management Console for AWS GovCloud (US)](#restore-root-user-keys) 
+  [Edit or delete an Amazon S3 bucket policy for a bucket where I accidentally denied everyone access](#edit-s3-bucket-denied-access) 
+  [Remediation of AWS Security Hub CSPM findings](#remediate-security-findings) 
+  [Rotate my AWS GovCloud (US) account root user access keys](#rotate-access-keys) 
+  [Deleting my AWS GovCloud (US) account root user access keys](#delete-govcloud-root-access-key) 
+  [Securing my AWS GovCloud (US) account root user access keys](#secure-govcloud-root-access-key) 
+  [Transferring the root user owner](#trasnfer-root-user-owner) 

## Restore IAM Administrator access to the AWS Management Console for AWS GovCloud (US)
<a name="restore-root-user-keys"></a>

The most common use of AWS GovCloud (US) account root user access keys is to restore administrator access to the [AWS GovCloud (US) console](https://console.amazonaws-us-gov.com). In this section, you will learn how to restore AWS Management Console access for the `Administrator` IAM user in your AWS GovCloud (US) account using your AWS GovCloud (US) account root user access keys.

Any additional IAM administrative tasks that do not require AWS GovCloud (US) account root user access keys should be completed in the AWS GovCloud (US) console as the `Administrator` IAM user.

To learn how to sign in to the AWS GovCloud (US) console as an IAM user, see [Sign in as an IAM user](signing-into-govcloud.md#sign-in-iam-govcloud) in the *AWS GovCloud (US) User Guide*.

**Important**  
Before completing [Tasks in AWS GovCloud (US) Regions that require root user access keys](#govcloud-tasks-require-root-user), you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see [Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell)](#configure-root-user-access-keys-cli).

### Creating an Administrator IAM user and Administrators IAM group
<a name="restore-create-iam-user-group"></a>

Copy and paste the following AWS CLI commands into the terminal window to:
+ Create the `Administrators` IAM group.
+ Attach the AWS managed `AdministratorAccess` policy to `Administrators` IAM group.
+ Create the `Administrator` IAM user.
+ Add the `Administrator` IAM user to the `Administrators` IAM group.

```
$ aws iam create-group --group-name Administrators --profile govcloudroot --region us-gov-west-1
$ aws iam attach-group-policy --group-name Administrators --policy-arn arn:aws-us-gov:iam::aws:policy/AdministratorAccess --profile govcloudroot --region us-gov-west-1
$ aws iam create-user --user-name Administrator --profile govcloudroot --region us-gov-west-1
$ aws iam add-user-to-group --user-name Administrator --group-name Administrators --profile govcloudroot --region us-gov-west-1
```

### Setting a new Administrator IAM user password
<a name="restore-set-new-iam-user-password"></a>

With the `Administrator` IAM user created you can now set a new password to access the AWS GovCloud (US) console. It is recommended you set a temporary password when using the AWS CLI and require the password to be changed once you sign in to the AWS GovCloud (US) console.

Copy and paste the following AWS CLI command into your terminal window to set a new temporary password for the `Administrator` IAM user. Sign in to the [AWS GovCloud (US) console](https://console.amazonaws-us-gov.com) with the temporary password to set your new password for the `Administrator` IAM user.

```
$ aws iam create-login-profile --user-name Administrator --password-reset-required \
    --profile govcloudroot --region us-gov-west-1 --password NewTempPasswordHere
```

**Note**  
`PasswordPolicyViolation` errors may occur depending on the password policy applied to your account. The default password policy enforces the following conditions:  
+ Minimum password length of 8 characters and a maximum length of 128 characters
+ At least three of the following character types: uppercase, lowercase, numbers, and non-alphanumeric characters (`! @ # $ % ^ & * ( ) _ + - = [ ] { } | '`)
+ Not identical to your AWS account name or email address

Use the following command to review your account password policy.  

```
$ aws iam get-account-password-policy --profile govcloudroot --region us-gov-west-1
```
To learn more about account password policies, see [Setting an account password policy for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html) in the *AWS Identity and Access Management Access Analyzer User Guide*.
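Before running `create-login-profile`, a candidate temporary password can be checked against the default policy rules listed in the note. The following Python function is an added example, not part of this guide; it implements only the default rules above, so an account with a customised password policy (see `get-account-password-policy`) may still reject a password this check accepts.

```python
from __future__ import annotations

import string

# Rules of the default IAM account password policy, as listed in the note above.
MIN_LENGTH = 8
MAX_LENGTH = 128
MIN_CHARACTER_CLASSES = 3
# Non-alphanumeric characters named in the note; these form the "symbol" class.
SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


def character_classes(password: str) -> set[str]:
    """Return which of the four character classes the password contains."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.digits:
            classes.add("number")
        elif ch in SYMBOLS:
            classes.add("symbol")
    return classes


def password_policy_violations(password: str, account_name: str = "", email: str = "") -> list[str]:
    """Return the default-policy rules the password breaks; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        violations.append(f"longer than {MAX_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CHARACTER_CLASSES:
        violations.append(
            f"only {len(classes)} of {MIN_CHARACTER_CLASSES} required character classes present"
        )
    # The note says "identical", so the comparison is exact and case-sensitive.
    if account_name and password == account_name:
        violations.append("identical to the AWS account name")
    if email and password == email:
        violations.append("identical to the account email address")
    return violations


def meets_default_password_policy(password: str, account_name: str = "", email: str = "") -> bool:
    """True when no default-policy rule is violated."""
    return not password_policy_violations(password, account_name, email)
```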

### Disabling an MFA device associated with the Administrator IAM user password
<a name="restore-disable-iam-mfa"></a>

Use these commands to disassociate an MFA device from the `Administrator` IAM user and deactivate it. If the device is virtual, use the ARN of the virtual device as the serial number.

1. List MFA devices associated with the Administrator user. Note the `SerialNumber`.

   ```
   $ aws iam list-mfa-devices --user-name Administrator --profile govcloudroot --region us-gov-west-1
   ```

1. Disassociate the MFA device from the Administrator IAM user and deactivate it, passing the serial number from the previous step in the `--serial-number` option.

   ```
   $ aws iam deactivate-mfa-device --user-name Administrator --profile govcloudroot --region us-gov-west-1 --serial-number SerialNumberFromPreviousStepHere
   ```

## Edit or delete an Amazon S3 bucket policy for a bucket where I accidentally denied everyone access
<a name="edit-s3-bucket-denied-access"></a>

During development or implementation of a new Amazon S3 bucket policy, you may accidentally deny access to the bucket for all IAM users in your AWS GovCloud (US) account. Use the following commands with your AWS GovCloud (US) account root user access keys to retrieve, replace, or delete the policy.

**Important**  
Before completing [Tasks in AWS GovCloud (US) Regions that require root user access keys](#govcloud-tasks-require-root-user), you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see [Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell)](#configure-root-user-access-keys-cli).

 [aws s3api get-bucket-policy](https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-policy.html#examples) 

```
aws s3api get-bucket-policy --profile govcloudroot --region us-gov-west-1 --bucket my-bucket
```

 [aws s3api put-bucket-policy](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html#example) 

```
aws s3api put-bucket-policy --profile govcloudroot --region us-gov-west-1 \
    --bucket my-bucket --policy file://<policy.json>
```

**Note**  
To learn how to work with files on your operating system in the AWS CLI, see [Loading AWS CLI parameters from a file](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters-file.html).

 [aws s3api delete-bucket-policy](https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-bucket-policy.html#examples) 

```
aws s3api delete-bucket-policy --profile govcloudroot --region us-gov-west-1 --bucket my-bucket
```

## Remediation of AWS Security Hub CSPM findings
<a name="remediate-security-findings"></a>

The following AWS Security Hub CSPM findings can be remediated by deleting all root access keys in the AWS GovCloud (US) account. To learn how, see [Deleting my AWS GovCloud (US) account root user access keys](#delete-govcloud-root-access-key).
+  [CIS AWS Foundations Benchmark standard: 1.12 – Ensure no root user access key exists](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.12) 
+  Payment Card Industry Data Security Standard (PCI DSS): [PCI.IAM.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-iam-1) IAM root user access key should not exist
+  AWS Foundational Security Best Practices standard: [IAM.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-4) IAM root user access key should not exist

## Rotate my AWS GovCloud (US) account root user access keys
<a name="rotate-access-keys"></a>

It is recommended to not have AWS GovCloud (US) root access keys in your account. If you must keep one available, rotate (change) the access key regularly. You can rotate access keys from the AWS Command Line Interface using an active AWS GovCloud (US) account root user access key.

**Important**  
Before completing [Tasks in AWS GovCloud (US) Regions that require root user access keys](#govcloud-tasks-require-root-user), you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see [Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell)](#configure-root-user-access-keys-cli).

1. While the first access key is still active, create a second access key, which is active by default. Run the following command:

   ```
   $ aws iam create-access-key --profile govcloudroot --region us-gov-west-1
   ```
   **Note**  
   At this point, the AWS GovCloud (US) root user has two active access keys.

1. Update all applications and tools to use the new access key. This includes the AWS CLI you are currently using. Update to the new access keys by running the following command:

   ```
   $ aws configure --profile govcloudroot
   AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
   AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
   Default Region name [None]: us-gov-west-1
   Default output format [None]: json
   ```

1. Determine whether the first access key is still in use by using this command:

   ```
   $ aws iam get-access-key-last-used --profile govcloudroot --region us-gov-west-1 --access-key-id FirstAccessKeyIdHere
   ```
   **Note**  
   One approach is to wait several days and then check the old access key for any use before proceeding.

1. Even if step 3 indicates no use of the old key, we recommend that you do not immediately delete the first access key. Instead, change the state of the first access key to Inactive using this command:

   ```
   $ aws iam update-access-key --status Inactive --profile govcloudroot --region us-gov-west-1 --access-key-id FirstAccessKeyIdHere
   ```

1. Use only the new access key to confirm that your applications are working. Any applications and tools that still use the original access key will stop working at this point because they no longer have access to AWS resources. If you find such an application or tool, you can switch its state back to Active to reenable the first access key. Then return to step 2 and update this application to use the new key.

1. After you wait some period of time to ensure that all applications and tools have been updated, you can delete the first access key with this command:

   ```
   $ aws iam delete-access-key --profile govcloudroot --region us-gov-west-1 --access-key-id FirstAccessKeyIdHere
   ```

## Deleting my AWS GovCloud (US) account root user access keys
<a name="delete-govcloud-root-access-key"></a>

It is recommended to not have AWS GovCloud (US) root access keys in your account. Use the following commands with your AWS GovCloud (US) account root user access keys to delete any additional root user access keys first and then the key you are using itself.

**Important**  
Before completing [Tasks in AWS GovCloud (US) Regions that require root user access keys](#govcloud-tasks-require-root-user), you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see [Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell)](#configure-root-user-access-keys-cli).

1. List all root access keys with the following command:

   ```
   $ aws iam list-access-keys --profile govcloudroot --region us-gov-west-1
   ```

1. List the root access key in use with the following command:

   ```
   $ aws configure get aws_access_key_id --profile govcloudroot
   ```

1. (Optional) If there was a second root access key returned in the `list-access-keys` command that does not match the access key provided in the `configure get aws_access_key_id` command, delete that access key first. This will be the access key that is not currently in use by the AWS CLI. To delete that access key run the following command:

   ```
   $ aws iam delete-access-key --profile govcloudroot --region us-gov-west-1 --access-key-id UnusedAccessKeyIdHere
   ```
   **Note**  
   You can verify the unused access key was deleted by running the `list-access-keys` command again.

1. Delete the root user access key that is currently in use.

   ```
   $ aws iam delete-access-key --profile govcloudroot --region us-gov-west-1 --access-key-id ConfiguredAccessKeyIdHere
   ```
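Added Python example (not part of this guide) covering both the rotation and the deletion procedures above: it reads the JSON that `aws iam list-access-keys` and `aws iam get-access-key-last-used` print, together with the key ID from `aws configure get aws_access_key_id`, orders the deletions so that the key the CLI is using goes last, and decides whether the old key has shown no use since the switch-over and the waiting period has elapsed. All key IDs, dates and the switch-over time are constructed sample values.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of `aws iam list-access-keys --profile govcloudroot` output
# (only the fields used here are shown; key IDs are placeholders).
LIST_ACCESS_KEYS_OUTPUT = json.dumps({
    "AccessKeyMetadata": [
        {"AccessKeyId": "AKIAOLDROOTKEYEXAMPLE", "Status": "Active",
         "CreateDate": "2024-01-10T15:02:11+00:00"},
        {"AccessKeyId": "AKIANEWROOTKEYEXAMPLE", "Status": "Active",
         "CreateDate": "2024-03-01T09:30:00+00:00"},
    ]
})

# Constructed samples of `aws iam get-access-key-last-used` output for the old key:
# last used before the switch-over, last used after it, and never used at all
# (the LastUsedDate field is absent in that case).
LAST_USED_BEFORE_SWITCH = json.dumps({"AccessKeyLastUsed": {
    "LastUsedDate": "2024-02-27T18:45:00+00:00", "ServiceName": "iam", "Region": "us-gov-west-1"}})
LAST_USED_AFTER_SWITCH = json.dumps({"AccessKeyLastUsed": {
    "LastUsedDate": "2024-03-03T08:10:00+00:00", "ServiceName": "s3", "Region": "us-gov-west-1"}})
NEVER_USED = json.dumps({"AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}})

# Constructed time at which the CLI and applications were moved to the new key.
SWITCHED_OVER_AT = "2024-03-01T12:00:00+00:00"


def plan_key_deletion(list_output, configured_key_id):
    """Order the deletions as the procedure above does: keys the CLI is not
    using go first, the configured key last. Raises if the configured key is
    not among the listed root keys (the profile may point at a stale key)."""
    keys = json.loads(list_output)["AccessKeyMetadata"]
    key_ids = [key["AccessKeyId"] for key in keys]
    if configured_key_id not in key_ids:
        raise ValueError(f"configured key {configured_key_id} is not a listed root access key")
    return {
        "delete_first": [key_id for key_id in key_ids if key_id != configured_key_id],
        "delete_last": configured_key_id,
    }


def old_key_can_be_retired(last_used_output, switched_over_at, now, grace_days=7):
    """True when the old key may be set Inactive: the waiting period since the
    switch-over has passed and the key shows no use since then."""
    switched = datetime.fromisoformat(switched_over_at)
    current = datetime.fromisoformat(now)
    if current - switched < timedelta(days=grace_days):
        return False  # the "wait several days" step has not elapsed yet
    last_used = json.loads(last_used_output)["AccessKeyLastUsed"].get("LastUsedDate")
    if last_used is None:
        return True  # never used, nothing still depends on it
    return datetime.fromisoformat(last_used) < switched


if __name__ == "__main__":
    print(plan_key_deletion(LIST_ACCESS_KEYS_OUTPUT, "AKIANEWROOTKEYEXAMPLE"))
    print(old_key_can_be_retired(LAST_USED_BEFORE_SWITCH, SWITCHED_OVER_AT, "2024-03-11T12:00:00+00:00"))
```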

## Securing my AWS GovCloud (US) account root user access keys
<a name="secure-govcloud-root-access-key"></a>

Safeguard your AWS GovCloud (US) account root user access keys the same way you would protect other sensitive personal information. We don’t recommend generating access keys for your root user, because they allow full access to all your resources for all AWS services. The root user in AWS GovCloud (US) does not support MFA. Don’t use your root user for everyday tasks. Use the root user to complete the tasks that only the root user can perform. For the complete list of these tasks, see [Tasks in AWS GovCloud (US) Regions that require root user access keys](#govcloud-tasks-require-root-user) in this guide. Listed here are best practices to secure your AWS GovCloud (US) account root access keys.
+ If you don’t already have an access key for your AWS account root user, don’t create one unless you absolutely need to. Instead, use an IAM user that has administrative permissions.
+ If you do have an access key for your root user, delete it. You can request another at any time by following the [Requesting root access keys for an AWS GovCloud (US) account](#requesting-root-user-keys) workflow in this guide.
+ If you must keep one available, rotate (change) the access key regularly. To rotate your AWS GovCloud (US) account root user access keys, see [Rotate my AWS GovCloud (US) account root user access keys](#rotate-access-keys).

## Transferring the root user owner
<a name="trasnfer-root-user-owner"></a>

The [associated standard AWS account root user](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html) is the AWS GovCloud (US) account owner. To transfer ownership of your AWS GovCloud (US) account, you transfer ownership of the related standard AWS account root user; see [How do I transfer my AWS account to another person or business?](https://aws.amazon.com/premiumsupport/knowledge-center/transfer-aws-account/)

The method of providing the new owner with access to the AWS GovCloud (US) account should be coordinated prior to the transfer of ownership and in accordance with the agreements between the individuals or organizations making the transfer.

If the previous owner has transferred the standard AWS account root user to you without providing access to the related AWS GovCloud (US) account, you can request root access keys for the AWS GovCloud (US) account from Support; see [Requesting root access keys for an AWS GovCloud (US) account](#requesting-root-user-keys).

# Onboarding to AWS GovCloud (US) (Direct Customers)
<a name="getting-started-direct-customers"></a>

AWS Direct Customers can follow the steps outlined in [Configuring Your Account](https://docs.aws.amazon.com/en_us/govcloud-us/latest/UserGuide/configure-account.html) to set up their GovCloud accounts and ensure CloudTrail is enabled.

We automatically enable AWS CloudTrail for AWS GovCloud (US) accounts, but you should also verify that CloudTrail is enabled to store logs.

# Configuring Your Account
<a name="configure-account"></a>

The steps in this section describe how to sign in and create an account alias and access keys.

**To sign in to the AWS GovCloud (US) console:**

1. Open the [AWS GovCloud (US) console](https://console.amazonaws-us-gov.com).

1. Sign in using your account number and IAM administrator user credentials. For your user name, type `Administrator`.

   **Note**  
   If you did not save your AWS GovCloud (US) sign-in link, which includes your account number, you can retrieve your account number by signing in to the standard AWS Management Console with your root user credentials, opening the **Accounts** page, and choosing the **Sign up for AWS GovCloud (US)** button. You will be directed to a page that indicates you already have access and displays your account number.

**To create an account alias**  
Creating an account alias is optional, but strongly recommended. If you do not create an account alias, be sure to save your AWS GovCloud (US) sign-in link because your AWS GovCloud (US) account number is different from your AWS account number.

1. Sign in to the AWS GovCloud (US) console and open the IAM console at https://console.amazonaws-us-gov.com/iam.

1. Next to the IAM users sign-in link, choose **Customize**.

1. Type an alias for your account.

    IAM users can now use either the account alias or account number when signing in to the AWS GovCloud (US) console.

**To create and download access keys**  
The password for your AWS GovCloud (US) administrator IAM user cannot be reset by the linked standard AWS account root user. Creating access keys for your AWS GovCloud (US) administrator user is helpful because they can be used to reset your administrator password from the command line.

1. Sign in to the AWS GovCloud (US) console and open the IAM console at https://console.amazonaws-us-gov.com/iam.

1. In the navigation pane, choose **Users**, and select the IAM user account for which you would like to generate access keys.

1. On the **My Security Credentials** tab, choose **Create Access Key**.

1. To download the access key, choose **Download Credentials** and save them locally.

**Important**  
If you configure an IAM password expiration policy that requires administrator reset, and your Administrator password expires, access keys with appropriate privileges can be used to reset your administrator password from the command line. If you do not have additional administrator users created or access keys for your Administrator account, you will need to contact support to regain access to your account.

# Verifying AWS CloudTrail Is Enabled
<a name="verifying-cloudtrail"></a>

As part of the automated AWS GovCloud (US) activation process, the CloudTrail service should be enabled for each account and an Amazon S3 bucket should be created to store CloudTrail logs. In the event of any interruptions in the automation process, you can manually enable CloudTrail.

**To verify the S3 bucket was created for CloudTrail log storage**

1. Sign in to the AWS GovCloud (US) console and open the Amazon S3 console at [link](https://console.amazonaws-us-gov.com/s3).

1. If a bucket already exists, skip to the next procedure to ensure CloudTrail is enabled.

1. Choose **Create Bucket**.

1. Type a name for your bucket.

   Bucket names must be unique. S3 buckets created during the automated process follow the naming convention "cloudtrail-<xxxxxxxxxxxx>" where <xxxxxxxxxxxx> is replaced by the AWS GovCloud (US) account number. If you want to use a different bucket name, you can delete this bucket, create a new bucket, and then follow the steps in the next section to enable CloudTrail.

**To verify CloudTrail is enabled**

1. Sign in to the AWS GovCloud (US) console and open the CloudTrail console at [link](https://console.amazonaws-us-gov.com/cloudtrail).

1. If CloudTrail is enabled, the **Dashboard** page opens, and the **Trails** section shows your trail.

1. If CloudTrail is not enabled, choose **Create a trail**. For more information about creating a trail using the console, see [Creating a trail in the console (advanced event selectors)](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html#creating-a-trail-in-the-console-adv) in the *AWS CloudTrail User Guide*.
   **Note**  
   For the **Storage location**, choose **Use existing S3 bucket**, and specify the S3 bucket you created in the previous procedure.

   This will set a bucket policy that allows the CloudTrail service to store logs in the S3 bucket. If the automated process created an S3 bucket and enabled CloudTrail, the following policy was applied:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": {
                   "Service": "cloudtrail.amazonaws.com"
               },
               "Action": "s3:GetBucketAcl",
               "Resource": "arn:aws-us-gov:s3:::s3_bucket_name",
               "Condition": {
                   "StringEquals": {
                       "aws:SourceArn": "arn:aws-us-gov:cloudtrail:region:account_id:trail/trail_name"
                   }
               }
           },
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": {
                   "Service": "cloudtrail.amazonaws.com"
               },
               "Action": "s3:PutObject",
               "Resource": "arn:aws-us-gov:s3:::s3_bucket_name/AWSLogs/account_id/*",
               "Condition": {
                   "StringEquals": {
                       "s3:x-amz-acl": "bucket-owner-full-control",
                       "aws:SourceArn": "arn:aws-us-gov:cloudtrail:region:account_id:trail/trail_name"
                   }
               }
           }
       ]
   }
   ```
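To confirm that a bucket policy still matches the template above, the following Python check (an added example, not part of this guide) inspects the policy JSON that `aws s3api get-bucket-policy` returns in its `Policy` string: it requires the two CloudTrail grants shown, the `aws:SourceArn` restriction on both, and the `bucket-owner-full-control` condition on `s3:PutObject`, and flags an `Allow` statement that is open to any principal. The bucket name, account ID and trail ARN are constructed placeholders.

```python
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"

# Constructed values standing in for the placeholders in the policy above.
BUCKET = "cloudtrail-123456789012"
ACCOUNT_ID = "123456789012"
TRAIL_ARN = "arn:aws-us-gov:cloudtrail:us-gov-west-1:123456789012:trail/management-events"


def _as_list(value):
    """Policy elements such as Action and Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def cloudtrail_bucket_policy(bucket, account_id, trail_arn):
    """The policy template from the guide with the placeholders filled in (JSON string)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws-us-gov:s3:::{bucket}",
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
            {"Sid": "", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE},
             "Action": "s3:PutObject",
             "Resource": f"arn:aws-us-gov:s3:::{bucket}/AWSLogs/{account_id}/*",
             "Condition": {"StringEquals": {
                 "s3:x-amz-acl": "bucket-owner-full-control",
                 "aws:SourceArn": trail_arn}}},
        ],
    })


def without_acl_condition(policy_json):
    """Constructed weakened variant: PutObject no longer demands bucket-owner-full-control."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        if "s3:PutObject" in _as_list(stmt.get("Action")):
            stmt["Condition"]["StringEquals"].pop("s3:x-amz-acl", None)
    return json.dumps(policy)


def check_cloudtrail_bucket_policy(policy_json, bucket, account_id, trail_arn):
    """Return the deviations from the expected CloudTrail bucket policy; [] means it matches."""
    problems = []
    acl_granted = put_granted = False
    bucket_arn = f"arn:aws-us-gov:s3:::{bucket}"
    log_prefix_arn = f"{bucket_arn}/AWSLogs/{account_id}/*"
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action", []))
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append(f"statement allowing {actions} is open to any principal, not just CloudTrail")
            continue
        if not isinstance(principal, dict) or CLOUDTRAIL_SERVICE not in _as_list(principal.get("Service", [])):
            continue  # grants to other principals are outside this check's scope
        resources = _as_list(stmt.get("Resource", []))
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if trail_arn not in _as_list(conditions.get("aws:SourceArn", [])):
            problems.append(f"statement allowing {actions} is not restricted to {trail_arn} via aws:SourceArn")
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_granted = True
        if "s3:PutObject" in actions and log_prefix_arn in resources:
            put_granted = True
            if conditions.get("s3:x-amz-acl") != "bucket-owner-full-control":
                problems.append("s3:PutObject statement does not require s3:x-amz-acl bucket-owner-full-control")
    if not acl_granted:
        problems.append(f"no s3:GetBucketAcl grant to CloudTrail on {bucket_arn}")
    if not put_granted:
        problems.append(f"no s3:PutObject grant to CloudTrail on {log_prefix_arn}")
    return problems


if __name__ == "__main__":
    good = cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, TRAIL_ARN)
    print(check_cloudtrail_bucket_policy(good, BUCKET, ACCOUNT_ID, TRAIL_ARN))
    print(check_cloudtrail_bucket_policy(without_acl_condition(good), BUCKET, ACCOUNT_ID, TRAIL_ARN))
```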

# Onboarding to AWS GovCloud (US) as a Solution Provider reselling in AWS GovCloud (US)
<a name="getting-started-console"></a>

If you are serving as a Solution Provider and reselling in AWS GovCloud (US), you must create an IAM user to sign in to the AWS Management Console for the AWS GovCloud (US) Region. If you received your account credentials through a Solution Provider, please contact your Solution Provider to sign up.

**To create your first administrative IAM user**

1. Access the [AWS GovCloud (US) console onboard tool web application](https://govcloud-onboarding-tool.us-east-1.amazonaws.com/).

1. Type your access key ID and secret access key, and then choose **Next**.  
![\[AWS GovCloud (US) Management Console login page with fields for access key ID and secret access key.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/setup-tool-keys.png)

1. Type a password for the administrator, and then choose **Next**.  
![\[Password entry form for creating an administrative user in AWS GovCloud Management Console.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/setup-tool-pw.png)

1. (Optional) If you want to create an account alias, type a name (all lowercase) for your account, and then choose **Next**.  
![\[AWS GovCloud (US) Management Console onboarding page for creating an account alias.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/setup-tool-alias.png)

   An account alias provides an easy-to-remember link for signing in to the console. For more information about account aliases, see [Your AWS Account ID and Its Alias](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccountAlias.html) in the *IAM User Guide*.

1. Review your information, and then choose **Complete**.  
![\[AWS GovCloud (US) Management Console onboarding review page with account details and key information.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/setup-tool-review.png)

   You can choose **Back** to edit any information.

1. Review your new AWS GovCloud (US) credentials. Your original keys have been deactivated.  
![\[AWS GovCloud (US) Management Console onboarding confirmation with new access key details.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/setup-tool-complete.png)

1. Choose **Download New Keys** and then save them in a secure location. If you do not download them, you will not be able to retrieve them in the future.

1. To access the AWS GovCloud (US) console, choose the link to your account’s sign-in URL.

You now have your first IAM user administrator, which you can use to sign in to the AWS GovCloud (US) console. The administrator has full access to manage your AWS GovCloud (US) resources. For example, as the administrator, you can use the AWS GovCloud (US) console to create additional IAM users. You can then manage users and their permissions by assigning them to groups. For more information, see [IAM users and Groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html) in the *IAM User Guide*.

# Configure Your Account using AWS CLI
<a name="configure-using-cli"></a>

The AWS Management Console for the AWS GovCloud (US) Region provides an easy-to-use graphical interface to manage your AWS resources, similar to the AWS Management Console for the standard Regions. In the AWS GovCloud (US) region, you must create an IAM user and use this user name and password to sign in to the console. You cannot use the AWS GovCloud (US) access keys to log into the console. You also cannot use your sign-in credentials for the standard AWS Management Console to access the AWS GovCloud (US) console. The AWS Management Console for the AWS GovCloud (US) Region is a completely separate console from the standard AWS Management Console.

Follow the directions below to create an administrator user name and password that will allow you to log in to the console. You can create additional IAM users for all of your users once you sign in.

**Note**  
If you are not an AWS GovCloud (US) Customer, please visit [AWS GovCloud (US) Region Overview](https://aws.amazon.com/govcloud-us/) to find out about the AWS GovCloud (US) Region and then fill out the contact us form (https://aws.amazon.com/govcloud-us/contact/) to request an AWS GovCloud (US) Account.

## Configure the AWS CLI
<a name="configure-aws-cli"></a>

To get started, you will need to install the AWS CLI on your local machine. To learn how to install the AWS CLI, [visit the AWS CLI documentation](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html). Next, configure your local CLI to use your new AWS GovCloud (US) account by running the following command. It prompts for the access key ID and secret access key that are provided in the onboarding email.

**Note**  
You can replace `--profile "govcloud"` with a name that is convenient for you.

```
# 1. Configure the cli
aws configure --profile "govcloud"

# 2. Check if the credentials are functioning
aws iam list-users --profile "govcloud"
```

Now that we have the CLI configured with our new AWS GovCloud (US) account, we can configure IAM users for accessing the environment.

## Create an IAM User to Access the Console
<a name="create-iam-user"></a>

To get started, we will create an IAM Group to manage administrator access to the AWS GovCloud (US) account. Then, we will create an IAM user, add them to the group, and configure a password for accessing the environment. Using the profile we configured above, run the following commands on the CLI.

```
# 1. Create an “Administrators” IAM Group so that we can centrally manage Administrator IAM permissions for many users.
aws iam create-group \
    --group-name "Administrators" \
    --profile "govcloud"

# 2. Attach the AdministratorAccess policy to the group
aws iam attach-group-policy \
    --group-name "Administrators" \
    --policy-arn "arn:aws-us-gov:iam::aws:policy/AdministratorAccess" \
    --profile "govcloud"

# 3. Create a new IAM User
aws iam create-user \
    --user-name "username" \
    --profile "govcloud"

# 4. Enable the IAM User to sign in to the AWS Console
aws iam create-login-profile \
    --user-name "username" \
    --password "password" \
    --no-password-reset-required \
    --profile "govcloud"

# 5. Add the User to the Administrators IAM Group
aws iam add-user-to-group \
    --group-name "Administrators" \
    --user-name "username" \
    --profile "govcloud"

# 6. Create Access Keys for accessing AWS via the CLI and SDK
aws iam create-access-key \
    --user-name "username" \
    --profile "govcloud"
```

**Logging in to the Console**

1. Open the [AWS GovCloud (US) console](https://console.amazonaws-us-gov.com/).

1. Sign in using your account number and the user name and password you created above.

1. Once you are signed in, navigate to the [IAM console](https://console.amazonaws-us-gov.com/iam).

1. You should now see two users listed: `Administrator` and the user name you created above. The `Administrator` credentials were the ones provided during sign-up.

1. Confirm your new user has been added to the Administrators group and has the AdministratorAccess policy associated with the Administrators group.

1. You can now safely delete the administrator IAM user or deactivate the Access Credentials.

**Customizing the Sign In URL**  
Creating an account alias is optional, but strongly recommended. If you do not create an account alias, be sure to save your AWS GovCloud (US) sign-in link because your AWS GovCloud (US) account number is different from your AWS account number.

1. Sign in to the AWS GovCloud (US) console and open the [IAM console](https://console.amazonaws-us-gov.com/iam).

1. Next to the IAM users sign-in link, choose Customize.

1. Type an alias for your account.

1. IAM users can now use either the account alias or the account number when signing in to the AWS GovCloud (US) console.

## Audit Logging
<a name="audit-login"></a>

As part of the automated AWS GovCloud (US) activation process, the CloudTrail service should be enabled for each account and an Amazon S3 bucket should be created to store CloudTrail logs. In the event of any interruptions in the automation process, you can manually enable CloudTrail.
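
The manual fallback mentioned above, as an added example that is not part of the AWS documentation: create a log bucket with a policy scoped to one trail, then a multi-Region trail with log-file validation, and confirm delivery. It assumes the `govcloud` profile; the bucket name, trail name `management-events` and Region `us-gov-west-1` are placeholders. The bucket policy is the standard CloudTrail grant, written for the `aws-us-gov` partition; the `aws:SourceArn` condition ties it to this account's trail so no other account's trail can be pointed at the bucket.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS documentation): enable CloudTrail by hand in
# GovCloud when the automated activation did not create the trail.
set -euo pipefail

PROFILE="${PROFILE:-govcloud}"
REGION="${REGION:-us-gov-west-1}"          # or us-gov-east-1
TRAIL="${TRAIL:-management-events}"        # placeholder trail name

# bucket_policy BUCKET ACCOUNT_ID REGION TRAIL -> bucket policy for CloudTrail
# delivery, aws-us-gov partition, restricted to this one trail via aws:SourceArn.
bucket_policy() {
  local bucket=$1 account=$2 region=$3 trail=$4
  local trail_arn="arn:aws-us-gov:cloudtrail:${region}:${account}:trail/${trail}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws-us-gov:s3:::${bucket}",
      "Condition": {"StringEquals": {"aws:SourceArn": "${trail_arn}"}}
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::${bucket}/AWSLogs/${account}/*",
      "Condition": {"StringEquals": {
        "s3:x-amz-acl": "bucket-owner-full-control",
        "aws:SourceArn": "${trail_arn}"
      }}
    }
  ]
}
EOF
}

enable_cloudtrail() {
  local account bucket
  account=$(aws sts get-caller-identity --query Account --output text --profile "$PROFILE")
  bucket="${BUCKET:-cloudtrail-${account}-${REGION}}"   # placeholder bucket name

  # GovCloud Regions require an explicit LocationConstraint.
  aws s3api create-bucket --bucket "$bucket" --region "$REGION" \
    --create-bucket-configuration "LocationConstraint=$REGION" --profile "$PROFILE"
  aws s3api put-public-access-block --bucket "$bucket" --profile "$PROFILE" \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
  aws s3api put-bucket-policy --bucket "$bucket" --profile "$PROFILE" \
    --policy "$(bucket_policy "$bucket" "$account" "$REGION" "$TRAIL")"

  # One multi-Region trail covers both GovCloud Regions; log-file validation
  # produces digest files that let you later prove delivered logs were not altered.
  aws cloudtrail create-trail --name "$TRAIL" --s3-bucket-name "$bucket" \
    --is-multi-region-trail --enable-log-file-validation \
    --region "$REGION" --profile "$PROFILE"
  aws cloudtrail start-logging --name "$TRAIL" --region "$REGION" --profile "$PROFILE"
}

# Delivery check: IsLogging must be true and LatestDeliveryError empty.
check_cloudtrail() {
  aws cloudtrail get-trail-status --name "$TRAIL" --region "$REGION" --profile "$PROFILE" \
    --query '{IsLogging:IsLogging,LatestDeliveryError:LatestDeliveryError,LatestDeliveryTime:LatestDeliveryTime}'
}

if [ "${RUN_CLOUDTRAIL_SETUP:-0}" = "1" ]; then
  enable_cloudtrail
  check_cloudtrail
fi
```

Run with `RUN_CLOUDTRAIL_SETUP=1`; `LatestDeliveryTime` is only populated after the first delivery, so rerun `check_cloudtrail` a few minutes later if it is empty at first.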

# Enabling Multi-Factor Authentication (MFA) for users
<a name="mfa-device"></a>

For increased security, we recommend that you configure multi-factor authentication (MFA) to help protect your AWS GovCloud (US) resources. MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device when they access AWS websites or services.

 AWS GovCloud (US) allows you to assign a hardware-based token device, a virtual MFA device, or a FIDO security key with FIPS-validated options to an IAM user or to your GovCloud administrator. A virtual or hardware token-based device generates a six-digit numeric code based on a time-synchronized, one-time password algorithm. The user must enter a valid code from the device on a second web page during sign-in.

FIDO2 is an open authentication standard and an extension of FIDO U2F, based on public key cryptography, which enables strong, phishing-resistant authentication. To learn more about the FIDO2 standard, see [FIDO Alliance](https://en.wikipedia.org/wiki/FIDO_Alliance). Based on your security and compliance needs, you can use both FIPS and non-FIPS FIDO security keys. You can also specify what kinds of authenticators your users can register in your IAM policies based on your preferred certification type and level. For more information about FIDO certifications, see [Device certifications](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_fido_supported_configurations.html#id_credentials_mfa_fido_certifications).

The following high-level procedure describes how to set up and use MFA in AWS GovCloud (US) and provides links to related information.

1. MFA devices are supported for IAM users. MFA devices are not supported for the AWS GovCloud (US) account root user. For more information, see [AWS Management Console documentation](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-console.html).

1. Get an MFA device. You can enable only one MFA device per user. The device can be used by the specified user only.
   + A hardware-based token device, supported by AWS, such as [OTP token](https://www.hypersecu.com/awsgovcloud-order). This device has its unique token seeds shared securely with AWS. Token seeds are secret keys generated at the time of token production. Tokens purchased from other sources will not function with IAM.
   + A virtual token device, which is a software application that is compliant with [RFC 6238](https://tools.ietf.org/html/rfc6238), a standards-based, time-based one-time password (TOTP) algorithm. You can install the application on a mobile device, such as a tablet or smartphone. For a list of apps you can use as virtual MFA devices, see the "Virtual MFA Applications" section of the [Multi-Factor Authentication page](https://aws.amazon.com/iam/details/mfa/).
   + A FIDO2 security key creates a new key pair for use with only AWS. FIDO-certified hardware security keys are provided by third-party providers such as Yubico, which include FIPS-validated options like [YubiKey FIPS devices](https://www.yubico.com/products/yubikey-fips/). For a full list, see [FIDO devices supported by AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_fido_supported_configurations.html#id_credentials_mfa_fido_supported_devices). To use a FIDO2 security key, your browser must support FIDO2. For a list, see [Browsers that support FIDO2](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_fido_supported_configurations.html#id_credentials_mfa_fido_browsers).

1. Enable the MFA device. There are two steps to enabling a device. First, you create an MFA device entity in IAM. Second, you associate the MFA device entity with the IAM user. You can perform these tasks in the AWS Management Console, AWS CLI, AWS Tools for Windows PowerShell, or the IAM API.

   For information about enabling MFA devices, see the following topics:
   + Hardware TOTP token: [Enabling a hardware TOTP token (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html) 
   + Virtual MFA device: [Enabling a Virtual Multi-Factor Authentication (MFA) Device](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) 
   + FIDO security key: [Enabling a FIDO security key (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_fido.html) 

1. Use the MFA device when you sign in to or access AWS resources.

For more information, see [Using MFA Devices with Your IAM Sign-in Page](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_sign-in-mfa.html) and [Enabling a Virtual Multi-Factor Authentication (MFA) Device](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html).
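
The two-step enablement from step 3 done with the CLI, with the two consecutive codes computed from the seed by an RFC 6238 implementation (the TOTP algorithm step 2 names for virtual devices). This is an added example, not part of the AWS documentation; it needs bash and openssl, assumes the `govcloud` profile, and assumes that `create-virtual-mfa-device --bootstrap-method Base32StringSeed --outfile` writes the seed as a base32 string. Because the seed passes through the administrator's machine, this suits a break-glass or service account you control; for people, have them scan the QR code into their own authenticator or register a FIDO key, so nobody but the user ever holds the second factor.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS documentation): RFC 6238 TOTP in bash, used to
# bind a virtual MFA device to an IAM user in AWS GovCloud (US).
set -euo pipefail

PROFILE="${PROFILE:-govcloud}"

# base32_to_hex SEED -> hex of the decoded bytes (RFC 4648 base32, padding ignored).
base32_to_hex() {
  local alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
  local s bits=0 nbits=0 hex='' c v i
  s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ')
  for (( i = 0; i < ${#s}; i++ )); do
    c=${s:i:1}
    v=${alphabet%%"$c"*}; v=${#v}              # index of c in the alphabet
    (( v < 32 )) || { echo "not base32: $c" >&2; return 1; }
    bits=$(( (bits << 5) | v )); nbits=$(( nbits + 5 ))
    while (( nbits >= 8 )); do                 # emit each full byte
      nbits=$(( nbits - 8 ))
      hex+=$(printf '%02x' $(( (bits >> nbits) & 0xff )))
    done
    bits=$(( bits & ((1 << nbits) - 1) ))      # keep only the leftover bits
  done
  printf '%s' "$hex"
}

# totp SEED UNIX_TIME [DIGITS] -> code for the 30 s step containing UNIX_TIME
# (HMAC-SHA1, 6 digits: the parameters AWS virtual MFA devices use).
totp() {
  local seed=$1 t=$2 digits=${3:-6}
  local key_hex counter fmt='' i mac offset
  key_hex=$(base32_to_hex "$seed")
  counter=$(( t / 30 ))
  for (( i = 7; i >= 0; i-- )); do             # counter as 8 big-endian bytes
    fmt+=$(printf '\\x%02x' $(( (counter >> (8 * i)) & 0xff )))
  done
  mac=$(printf "$fmt" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" | awk '{print $NF}')
  offset=$(( 16#${mac:39:1} ))                 # dynamic truncation (RFC 4226 5.3)
  printf '%0*d' "$digits" $(( (16#${mac:offset*2:8} & 0x7fffffff) % (10 ** digits) ))
}

# enable_virtual_mfa USER: create the device entity, then bind it to USER with
# two consecutive codes. The seed file is destroyed afterwards; it is the factor.
enable_virtual_mfa() {
  local user=$1 seed_file serial seed code1 code2 now
  seed_file=$(mktemp)
  serial=$(aws iam create-virtual-mfa-device --virtual-mfa-device-name "$user" \
             --bootstrap-method Base32StringSeed --outfile "$seed_file" \
             --query 'VirtualMFADevice.SerialNumber' --output text --profile "$PROFILE")
  seed=$(tr -d '\n' < "$seed_file")           # assumption: file holds the base32 seed
  now=$(date +%s)
  code1=$(totp "$seed" "$now")
  sleep $(( 30 - now % 30 ))                   # wait for the next time step
  code2=$(totp "$seed" "$(date +%s)")
  aws iam enable-mfa-device --user-name "$user" --serial-number "$serial" \
    --authentication-code1 "$code1" --authentication-code2 "$code2" --profile "$PROFILE"
  shred -u "$seed_file" 2>/dev/null || rm -f "$seed_file"
  echo "MFA enabled for $user: $serial"
}

if [ -n "${ENROLL_USER:-}" ]; then
  enable_virtual_mfa "$ENROLL_USER"
fi
```

Run as `ENROLL_USER=username ./enroll-mfa.sh`. The `totp` function is also handy on its own: given a seed from a QR code, `totp SEED "$(date +%s)"` should match what the authenticator app shows, which is a quick way to confirm a device's clock is synchronized before a user locks themselves out.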

# Signing Up for AWS GovCloud (US) Support
<a name="customer-supp"></a>

Support is available for the AWS GovCloud (US) Regions. As an AWS GovCloud (US) customer, you can reach AWS Support engineers 24 hours a day by phone, email, and chat. In cases where U.S. citizens are needed, AWS can route cases to U.S. citizen support engineers. All AWS Support engineers in the standard AWS Regions (`aws` partition) can access support cases from the AWS GovCloud (US) Regions. Customers use general support resources for basic support cases that do not contain sensitive (that is, export-controlled) data. For more information, see [AWS GovCloud (US) Region Support](https://aws.amazon.com/govcloud-us/support/).

**Important**  
Do not enter any export-controlled data in your support cases.

To sign up for AWS Customer Support for the AWS GovCloud (US) Region, go to the customer support [sign-up page](https://aws.amazon.com/premiumsupport/signup/). You sign up for support by using the standard AWS account root user credentials that were used to sign up for your AWS GovCloud (US) account. You can sign up for Business Level support or submit a request for Enterprise Level support by completing the Enterprise Support [form](https://aws.amazon.com/premiumsupport/enterprise/).

**Note**  
Your support options are associated with your standard AWS account, but also apply to your AWS GovCloud (US) account. If you already have support on your standard AWS account, you aren’t required to sign up for support again.

For more information about the differences with AWS Support in the AWS GovCloud (US) Regions, see [AWS Support](govcloud-support.md).