Amazon EC2 in AWS GovCloud (US)
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizeable computing capacity—literally, servers in Amazon's data centers—that you use to build and host your software systems.
How Amazon Elastic Compute Cloud differs for AWS GovCloud (US)
-
EC2 Instance Connect will not work in AWS GovCloud (US) if your Linux instance has SELinux enabled in enforcing mode. The process for enabling or disabling SELinux varies across Linux distributions. For information about how to check the status of SELinux on your instance, or to enable or disable SELinux, see the relevant operating system guide for your instance.
-
Reserved Instance resale is not available in the AWS GovCloud (US) Regions.
-
AMI copy and snapshot copy do not support migrating AMIs and snapshots from another AWS Region into AWS GovCloud (US) Regions. For information about how to migrate your AMIs from another AWS Region into AWS GovCloud (US) Regions, see Amazon EC2 VM Import/Export in AWS GovCloud (US).
-
When using the Amazon EC2 AMI tools, AWS GovCloud (US) Regions uses a non-default public key certificate to encrypt AMI manifests. The ec2-bundle-image, ec2-bundle-vol, ec2-migrate-bundle, and ec2-migrate-manifest commands require the
--ec2cert $EC2_AMITOOL_HOME/etc/ec2/amitools/cert-ec2-gov.pem
option in AWS GovCloud (US) Regions. -
By default, enhanced networking is not enabled on Windows Server 2012 R2 AMIs. For more information, see Enabling Enhanced Networking on Windows Instances in a VPC.
-
In AWS GovCloud (US) Regions, you must launch all Amazon EC2 instances in an Amazon Virtual Private Cloud (Amazon VPC). In some cases, your account might have a default VPC; otherwise, you must create a VPC before launching instances. For more information, see Determining if your account has a default Amazon VPC.
-
When you launch an instance in AWS GovCloud (US) Regions using the CLI ec2-run-instances command or API RunInstances action, you must specify the
subnet
parameter. -
Use SSL (HTTPS) when you make calls to the service in AWS GovCloud (US) Regions. In other AWS Regions, you can use HTTP or HTTPS.
-
Use SSL (HTTPS) when generating key pairs using ec2-create-keypair and CreateKeyPair commands.
-
To import your own set of key pairs, follow the directions in Importing Your Own Key Pair to Amazon EC2.
-
When using VM Import:
-
If your account is set up as default VPC, then your default VPC will be the target for your import.
-
If your account is not set up as default VPC, then you will need to specify an Availability Zone and subnet. To specify a subnet to use when you create the import task, use the --subnet
subnet_id
option and –zavailability_zone
option (specifying the Availability Zone corresponding to the subnet ID) with the ec2-import-instance command.
-
-
When using VM Export:
-
The Amazon EC2 instance must have been previously imported using VM Import.
-
The Amazon S3 bucket for the destination image must exist and must have WRITE and READ_ACP permissions granted to the AWS GovCloud (US) account with canonical ID: af913ca13efe7a94b88392711f6cfc8aa07c9d1454d4f190a624b126733a5602.
-
To export an instance, you can use the ec2-create-instance-export-task command. For more information, see Exporting Amazon EC2 Instances.
-
-
Microsoft System Center Virtual Machine Manager (SCVMM) is not yet supported in AWS GovCloud (US) Regions.
-
AWS Management Portal for vCenter
is not compatible with AWS GovCloud (US) Regions. Savings Plans cannot be purchased from AWS GovCloud (US) accounts but can be purchased in any standard account and these plans purchased in the Standard account can apply to usage in AWS GovCloud (US) Regions.
-
The Provisioned IOPS SSD (io2) EBS volume type is not available in the AWS GovCloud (US) Regions.
-
EC2 CPU Optimization is currently API-only in the AWS GovCloud (US) Regions.
The AWS Certificate Manager (ACM) for Nitro Enclaves AMI is not available from the AWS Marketplace. ACM for Nitro Enclaves must be installed from the Amazon Linux Extras repository.
The Nitro Enclaves Developer AMI is not available from the AWS Marketplace.
Spot Instance data feed is not available.
-
Attestation documents used by Nitro Enclaves are signed by the AWS Nitro Attestation Public Key Infrastructure (PKI). You can verify that the attestation documents are signed by the Nitro Attestation PKI. For more information, see Verifying the root of trust in the AWS Nitro Enclaves User Guide.
-
The root certificate for the Nitro Attestation PKI is unique for each partition. The root certificate for the
aws-us-gov
partition is as follows:-----BEGIN CERTIFICATE----- MIICIDCCAaWgAwIBAgIQP+wUYfyWFFRko9PR00zhZzAKBggqhkjOPQQDAzBQMQsw CQYDVQQGEwJVUzEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQLDANBV1MxIjAgBgNV BAMMGWF3cy11cy1nb3Yubml0cm8tZW5jbGF2ZXMwIBcNMjAwOTEwMTIwMzQ2WhgP MjA1MDA5MTAxMzAzNDZaMFAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZBbWF6b24x DDAKBgNVBAsMA0FXUzEiMCAGA1UEAwwZYXdzLXVzLWdvdi5uaXRyby1lbmNsYXZl czB2MBAGByqGSM49AgEGBSuBBAAiA2IABCzkRJcZVx7Sg2yXXkl0Nqj9o1ECZNAh 0L8/90ATZXAaS1rxA1ti1F3wE86PGsh2UiQIYXiMu81l5kO7775gPuLsgYcGMO/J 0t08BHI8s3+JmjxTlA+/UyAqEmj7fD5CbKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAd BgNVHQ4EFgQUUKIzFk2FAlhihuQexsqOxZ5ZjF0wDgYDVR0PAQH/BAQDAgGGMAoG CCqGSM49BAMDA2kAMGYCMQD9bO9epcf5kMSdsHcyNJXs4bo07wvTIOwnxN41t5eE SDyXtUei++RebAbI9Viap2gCMQC7PVZ6Kpg0+N9k+DDpksoJv7gx6YwCqKsmTfU/ WigyQlpyJUrWapqk0afDA4lef14= -----END CERTIFICATE-----
-
The Nitro Attestation PKI root certificate for the
aws-us-gov
partition has a subject as follows:CN=aws-us-gov.nitro-enclaves, C=US, O=Amazon, OU=AWS
-
-
The
lastLaunchedTime
AMI attribute is not available. -
The CLI function get-console-screenshot is not available.
-
Get instance screenshot is not available in AWS GovCloud (US).
-
When you use the launch instance wizard in the console to launch an instance with an AWS Marketplace AMI, we don’t automatically subscribe you to the AMI in AWS GovCloud (US). (In other AWS Regions we automatically subscribe you.) Instead, when you choose the AMI, choose Subscribe with Marketplace to open the AWS Marketplace website and subscribe there.
-
Amazon EC2 instance topology is not available.
Determining if your account has a default Amazon VPC
In AWS GovCloud (US) Regions, you must launch all Amazon EC2 instances in an Amazon Virtual Private Cloud (Amazon VPC). In some cases, your account might have a default VPC, where you launch all your Amazon EC2 instances. If your account doesn't have a default VPC, you must create a VPC before you can launch Amazon EC2 instances. For more information, see What is Amazon VPC? in Amazon VPC User Guide.
If you don't want a default VPC for your AWS GovCloud (US) account, you can delete the default VPC and default subnets. The default VPC and subnets will not be recreated. However, you still need to create a VPC before launching instances.
If you deleted your default VPC, you can create a new one. For more information, see Creating a Default VPC.
If your account doesn't have a default VPC but you want a default VPC, you can submit a
request by completing the AWS GovCloud (US) Contact Us form
Documentation for Amazon EC2
Amazon Elastic Compute Cloud documentation
Export-controlled content
For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
-
Amazon EC2 metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your instances.
-
Do not enter export-controlled data in the following fields:
-
Instance names
-
AMI descriptions
-
Resource tags
-
-
Key pairs created using HTTP.
-
When using VM Import, you may not enter any export-controlled data as part of CLI arguments, paths, or OS disk images. Any data that is export-controlled should be encrypted and placed in partitions other than root and boot.
-
If importing export-controlled images, do not use pre-signed URLs for the CLI argument --manifest-url.