

# What Is AWS GovCloud (US)?
<a name="whatis"></a>

AWS GovCloud (US) consists of isolated AWS Regions designed to allow U.S. government agencies and customers to move sensitive workloads into [the cloud](https://aws.amazon.com/what-is-cloud-computing/) by addressing their specific regulatory and compliance requirements, including Federal Risk and Authorization Management Program (FedRAMP) High, Department of Defense Security Requirements Guide (DoD SRG) Impact Levels 4 and 5, and Criminal Justice Information Services (CJIS). To assist customers in managing their obligations under U.S. export control regimes such as the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), AWS GovCloud (US) Regions are logically and physically administered exclusively by AWS personnel who are U.S. citizens. In this guide, the term AWS GovCloud (US) Regions refers to both the AWS GovCloud (US-West) and AWS GovCloud (US-East) Regions.

You can run workloads that contain all categories of Controlled Unclassified Information (CUI) data and government-oriented, publicly available data in AWS GovCloud (US). For a list of compliance frameworks, see [AWS GovCloud (US) Security](https://aws.amazon.com/govcloud-us/security/). AWS GovCloud (US) supports the management of regulated data by offering the following features:
+ Restricting physical and logical administrative access to AWS personnel that are U.S. citizens only.
+ Providing FIPS 140-3 endpoints. (For details on each service, see the [Service Endpoints](using-govcloud-endpoints.md) section.)

Depending on your requirements, you can also run non-government workloads in the AWS GovCloud (US) Regions and use the unique capabilities of these Regions.

**Note**  
 AWS manages physical and logical access controls for the AWS boundary. However, the overall security of your workloads is a shared responsibility, where you are responsible for controlling user access to content in your AWS GovCloud (US) account.

The *AWS GovCloud (US) User Guide* provides details on setting up your AWS GovCloud (US) account, identifies the differences between AWS GovCloud (US) Regions and other AWS Regions, and defines usage guidelines for processing ITAR-regulated data within AWS GovCloud (US). This guide assumes that you are familiar with [Amazon Web Services (AWS)](https://aws.amazon.com/).

 **Additional resources**:
+ For pricing information, see [AWS GovCloud (US) Pricing](https://aws.amazon.com/govcloud-us/pricing/).
+ For information about the differences between AWS GovCloud (US) Regions and other AWS Regions, see [AWS GovCloud (US) Compared to Standard AWS Regions](govcloud-differences.md).
+ For more information about meeting U.S. Government compliance requirements, see [AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/).
+ For a list of AWS or AWS GovCloud (US)–related resources, see [Related Resources](govcloud-related-resources.md).

# AWS GovCloud (US) Compared to Standard AWS Regions
<a name="govcloud-differences"></a>

AWS GovCloud (US) Regions are isolated AWS Regions designed to allow U.S. government agencies and customers to move sensitive workloads into [the cloud](https://aws.amazon.com/what-is-cloud-computing/) by addressing their specific regulatory and compliance requirements, including Federal Risk and Authorization Management Program (FedRAMP) High, Department of Defense Security Requirements Guide (DoD SRG) Impact Level 5, and Criminal Justice Information Services (CJIS). To assist customers in managing their obligations under U.S. export control regimes such as the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), AWS GovCloud (US) Regions are logically and physically administered exclusively by U.S. citizens.
+  AWS GovCloud (US) uses FIPS 140-3 approved cryptographic modules for all AWS service API endpoints, unless otherwise indicated in the [Service Endpoints](using-govcloud-endpoints.md) section.
+  AWS GovCloud (US) is appropriate for all types of Controlled Unclassified Information (CUI) and unclassified data. For more details, see [Maintaining U.S. International Traffic in Arms Regulations (ITAR) Compliance](govcloud-itar.md).
+ The AWS GovCloud (US) Regions are physically isolated and have logical network isolation from all other AWS Regions.
+  AWS restricts all physical and logical access for staff supporting AWS GovCloud (US) to U.S. citizens. AWS allows only vetted U.S. citizens, with distinct access controls separate from other AWS Regions, to administer AWS GovCloud (US). Any customer data fields that are defined as outside of the ITAR boundary (such as S3 bucket names) are explicitly documented in the service-specific section as not permitted to contain export-controlled data.
+  AWS GovCloud (US) authentication is completely isolated from Amazon.com.

AWS GovCloud (US) Regions also have high-level differences compared to the standard AWS Regions. The standard AWS practice of using two AWS Regions in a partition still applies; in this case, using both AWS GovCloud (US) Regions in your architecture is preferred. These differences are important when you evaluate and use AWS GovCloud (US). The following list outlines the differences:

Sign up  
During the sign-up process, each customer is reviewed to determine if they are a U.S. entity (such as a government body, contracting company, or educational organization) where account credentials will be managed by a U.S. Person.

Endpoints  
 AWS GovCloud (US) uses endpoints that are specific to AWS GovCloud (US) and are publicly available from the Internet but are accessible only to AWS GovCloud (US) customers. For a list of these endpoints, see [Service Endpoints](using-govcloud-endpoints.md).

Credentials  
You can access AWS GovCloud (US) only with AWS GovCloud (US) credentials (AWS GovCloud (US) account access key and AWS GovCloud (US) IAM user credentials). You cannot access AWS GovCloud (US) with standard AWS credentials. Likewise, you cannot access standard AWS Regions using AWS GovCloud (US) credentials.

AWS Management Console for the AWS GovCloud (US) Region  
You sign in to the AWS GovCloud (US) console by using an IAM user name and password. This requirement is different from the standard AWS Management Console, where you can sign in using your account credentials (email address and password). You cannot use your AWS GovCloud (US) account access keys to sign in to the AWS GovCloud (US) console. For more information about creating an IAM user, see [Getting Started with AWS GovCloud (US)](getting-set-up.md).

Billing, account activity, and usage reports  
An AWS GovCloud (US) account is always associated with a single standard AWS account for billing and payment purposes. All AWS GovCloud (US) usage is billed or invoiced to the associated standard AWS account. You can view the AWS GovCloud (US) account activity and usage reports through the associated standard AWS account only.

Services  
Services in the AWS GovCloud (US) Regions might have different capabilities compared to services in standard AWS Regions. For detailed information about each service in the AWS GovCloud (US) Regions, see [Using AWS GovCloud (US) Regions](using-govcloud.md).  
For all AWS GovCloud (US) accounts created after December 15, 2014, AWS CloudTrail will be automatically enabled with logging turned on. Amazon SNS notifications, however, must be set up independently. If you prefer not to have CloudTrail enabled, you can use the CloudTrail console in the AWS Management Console for AWS GovCloud (US) to disable it or turn off logging.

Multi-factor authentication  
AWS GovCloud (US) users can use the same FIDO security tokens or virtual authenticator apps as commercial users. However, users who instead opt for a TOTP hardware token for MFA need to use a special device, because AWS GovCloud (US) has a separate authentication stack. For more information, see the list of AWS GovCloud (US)-supported MFA devices on the [Multi-Factor Authentication](https://aws.amazon.com/iam/details/mfa/) page.
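
The Services entry above notes that CloudTrail logging is on by default for newer AWS GovCloud (US) accounts and can be disabled or turned off. The following is an added example, not part of the original guide, of a detection that flags such changes in CloudTrail log records. It assumes logs from both partitions are pooled for analysis; the watched event names, the region filter, and all sample records (including account IDs and user names) are choices and constructed values made for this illustration.

```python
import json

# CloudTrail API calls that stop, remove or narrow trail logging.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}

def find_trail_tampering(log_text):
    """Return a finding for each GovCloud record that changes trail logging."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource") != "cloudtrail.amazonaws.com"
                or rec.get("eventName") not in TAMPER_EVENTS):
            continue
        if rec.get("awsRegion") not in GOVCLOUD_REGIONS:
            continue  # record came from another partition's trail
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "region": rec["awsRegion"],
            "action": rec["eventName"],
            "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "trail": params.get("name") or params.get("trailName") or "unknown",
            # A rejected call carries errorCode; keep it as an attempt.
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
        })
    return findings

# Constructed sample in CloudTrail log-file layout; all values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T14:02:11Z", "awsRegion": "us-gov-west-1",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::111122223333:user/example-admin"},
     "requestParameters": {"name": "example-trail"}},
    {"eventTime": "2024-01-10T14:05:40Z", "awsRegion": "us-gov-east-1",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::111122223333:user/example-dev"},
     "requestParameters": {"name": "example-trail"}, "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-10T14:06:02Z", "awsRegion": "us-gov-west-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws-us-gov:iam::111122223333:user/example-dev"}},
    {"eventTime": "2024-01-10T14:07:30Z", "awsRegion": "us-east-1",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::444455556666:user/example-ops"},
     "requestParameters": {"name": "commercial-trail"}},
]})

if __name__ == "__main__":
    for finding in find_trail_tampering(SAMPLE_LOG):
        print(finding)
```

Denied calls are reported as well as successful ones, since a rejected attempt to stop logging is usually worth reviewing.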

# AWS GovCloud (US) account validation
<a name="validate-accounts"></a>

You can validate your AWS GovCloud (US) account ID from your standard Region account by completing the following steps:

1. Log in to your standard Region account.

1. Click on "Account ID Name" in the top right-hand corner of the screen.

1. Click on "Account".

1. Scroll down to the "Sign up for AWS GovCloud (US)" button.

1. Click on the "Sign up for AWS GovCloud (US)" button.

A note will be displayed stating the following:

```
Our records show that you already have a GovCloud (US) account. If you lost the password please contact our customer support team. Thank you.
Your account is ready to use.
GovCloud (US) Account ID: XXXXXXXXXXXX (this is the customer's GovCloud account ID)
```

# AWS GovCloud (US) Billing and Payment
<a name="usage-and-payment"></a>

All AWS GovCloud (US) activity, usage, and payments are managed through a standard AWS account. When you sign up for AWS GovCloud (US), your AWS GovCloud (US) account is associated with your standard AWS account. You can associate only one AWS GovCloud (US) account to one standard AWS account. If you require multiple AWS GovCloud (US) accounts, you must create a standard AWS account for each AWS GovCloud (US) account. For more information about Billing and Cost Management, see the [AWS Billing and Cost Management documentation](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html).

To view account activity and usage reports for the AWS GovCloud (US) account, you must sign in to the standard AWS account (using credentials from that account). You cannot view usage and activity from the AWS Management Console for the AWS GovCloud (US) Region.

If you use AWS services in other AWS Regions with the standard AWS account, your account activity and usage reports are combined. If you want to separate billing and usage between the two accounts, create a new standard AWS account that you use only to associate with your AWS GovCloud (US) account.

The following diagram outlines the relationship between AWS GovCloud (US) and standard AWS accounts:

![\[Diagram showing AWS GovCloud (US) and AWS Standard accounts with separate services and credential usage.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/relationship.png)


 AWS GovCloud (US) account relationship to standard AWS account

## AWS Cost and Usage Reports
<a name="aws-cost-and-usage-reports"></a>

The AWS Cost and Usage Reports (AWS CUR) contain a comprehensive set of cost and usage data. You can use Cost and Usage Reports to publish your AWS billing reports to an Amazon Simple Storage Service (Amazon S3) bucket that you own. The CURs contain AWS cost and usage data for both commercial and GovCloud partitions.

## Access cost and usage reports in GovCloud partition
<a name="access-cost-and-usage-reports-in-govcloud-partition"></a>

Currently, billing information for GovCloud accounts and Regions is available only in the commercial partition. For organizations that require users to exclusively use AWS GovCloud (US) Regions, you can copy CURs stored in one or more Amazon S3 buckets in commercial Regions into an AWS GovCloud (US) Amazon S3 bucket. See [Move data in and out of AWS GovCloud (US) with Amazon S3.](https://aws.amazon.com/blogs/publicsector/move-data-in-out-aws-govcloud-us-amazon-s3/)

## Savings plans
<a name="savings-plans"></a>

Savings plans for GovCloud accounts and Regions need to be purchased in the standard commercial account. Plans purchased in the standard account apply to usage in GovCloud Regions. See [How Amazon Elastic Compute Cloud Differs for AWS GovCloud (US).](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ec2.html) In addition, GovCloud accounts inherit the discount sharing configuration from their associated commercial accounts. See [Activating shared Reserved Instances and Savings Plans discount sharing.](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ri-turn-off.html#ri-turn-on-process)