

# Services in AWS GovCloud (US) Regions
<a name="using-services"></a>

The following sections describe the differences between the AWS GovCloud (US) Regions and the standard AWS Region US East (N. Virginia). They include links to documentation and describe the export-controlled content (where you can and can’t enter or process export-controlled data) for each service.

# Application Auto Scaling in AWS GovCloud (US)
<a name="govcloud-appas"></a>

Application Auto Scaling is a web service for developers and system administrators who need a solution for automatically scaling their scalable resources for individual AWS services beyond Amazon EC2.

## How Application Auto Scaling differs for AWS GovCloud (US)
<a name="govcloud-appas-diffs"></a>
+ Application Auto Scaling notifications are not currently supported in the AWS Health Dashboard in the AWS GovCloud (US) Regions.
+ The following resources are not currently supported for Application Auto Scaling in the AWS GovCloud (US-West) Region:
  +  Amazon Neptune clusters
  + Spot Fleet requests
  + Custom resources
+ The following resources are not currently supported for Application Auto Scaling in the AWS GovCloud (US-East) Region:
  +  Amazon Comprehend document classification and entity recognizer endpoints
  +  Amazon Neptune clusters
  +  SageMaker AI endpoint variants
  + Spot Fleet requests
  + Custom resources

## Documentation for Application Auto Scaling
<a name="govcloud-awsas-docs"></a>

For more information about anything in the above list, see the documentation for the specific service at [AWS documentation](https://aws.amazon.com/documentation/).

For information about scaling Amazon EC2 instances in AWS GovCloud (US), see [Amazon EC2 Auto Scaling](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-as.html) in this guide.

For more information about AWS Auto Scaling and Application Auto Scaling, see [AWS Auto Scaling documentation](https://aws.amazon.com/documentation/autoscaling/).

## Export-controlled content
<a name="govcloud-awsas-itar-2"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Auto Scaling is not permitted to contain export-controlled data.
+ For example, do not enter export-controlled data in the following fields:
  + Scaling policy names
  + Scaling policy configuration

# AWS AppConfig in AWS GovCloud (US)
<a name="govcloud-appc"></a>

Use AWS AppConfig, a capability of AWS Systems Manager, to create, manage, and quickly deploy application configurations. You can use AWS AppConfig with applications hosted on Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS Lambda, containers, mobile applications, or IoT devices.

## How AWS AppConfig differs for AWS GovCloud (US)
<a name="govcloud-appc-diffs"></a>

AWS CodePipeline resources are not currently supported for AWS AppConfig in the AWS GovCloud (US-East) Region.

## Documentation for AWS AppConfig
<a name="govcloud-appc-docs"></a>

[AWS AppConfig documentation](https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html).

## Export-controlled content
<a name="aapc"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Any AWS AppConfig resource names (Application, Environment, ConfigurationProfile, Deployment Strategy, etc.)
  + Validator JSON Schema
  + Location URIs or Validator ARNs
  + Any AWS AppConfig resource descriptions

# AWS Application Migration Service in AWS GovCloud (US)
<a name="govcloud-mgn"></a>

AWS Application Migration Service (MGN) is a highly automated lift-and-shift (rehost) solution that simplifies, expedites, and reduces the cost of migrating applications to AWS. It allows companies to lift-and-shift a large number of physical, virtual, or cloud servers without compatibility issues, performance disruption, or long cutover windows. MGN replicates source servers into your AWS account. When you’re ready, it automatically converts and launches your servers on AWS so you can quickly benefit from the cost savings, productivity, resilience, and agility of the Cloud. Once your applications are running on AWS, you can leverage AWS services and capabilities to quickly and easily replatform or refactor those applications – which makes lift-and-shift a fast route to modernization.

## How AWS Application Migration Service differs for AWS GovCloud (US)
<a name="govcloud-mgn-diffs"></a>

The following post-launch actions are not supported by Application Migration Service in AWS GovCloud (US):
+ Third party post-launch actions
+ App2Container for Replatforming
+ Enable Refactor Spaces

## Documentation for AWS Application Migration Service
<a name="govcloud-mgn-docs"></a>

 [Application Migration Service documentation](https://docs.aws.amazon.com/mgn/latest/ug/index.html) 

## Export-controlled content
<a name="govcloud-mgn-itar-content"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No export-controlled data is entered, stored, or processed by Application Migration Service.

# AWS Artifact in AWS GovCloud (US)
<a name="govcloud-artifact"></a>

AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and Service Organization Control (SOC) reports. You can submit the security and compliance documents (also known as audit artifacts) to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services that you use. You can also use AWS Artifact to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA). With AWS Artifact, you can accept agreements with AWS and designate AWS accounts that can legally process restricted information.

## How AWS Artifact differs for AWS GovCloud (US)
<a name="govcloud-art-diffs"></a>

This service has no differences between AWS GovCloud (US) Regions and the standard AWS Regions.

## Documentation for AWS Artifact
<a name="govcloud-art-docs"></a>

 [AWS Artifact documentation](https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html).

## Export-controlled content
<a name="govcloud-artifact-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Function name
+ Description
+ DLQ data (can be exported through Amazon SNS and Amazon SQS)
+ Memory
+ Timeout
+ Runtime
+ Role name for service principals
+ Aliases

# AWS Auto Scaling in AWS GovCloud (US)
<a name="govcloud-awsas"></a>

With AWS Auto Scaling, you can quickly discover the scalable AWS resources for your application and set up dynamic scaling. It uses Amazon EC2 Auto Scaling to scale your EC2 instances and Application Auto Scaling to scale resources from other services. The AWS Management Console provides a web interface for AWS Auto Scaling.

## How AWS Auto Scaling differs for AWS GovCloud (US)
<a name="govcloud-awsas-diffs"></a>
+ Predictive scaling is not available in the AWS GovCloud (US) Regions.
+ The following CloudFormation resource is not available in the AWS GovCloud (US) Regions:
  +  [AWS::AutoScalingPlans::ScalingPlan](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-as.html) 

## Documentation for AWS Auto Scaling
<a name="govcloud-awsas-docs-2"></a>

For more information about anything in the above list, see the documentation for the specific service at [AWS documentation](https://aws.amazon.com/documentation/).

For information about scaling Amazon EC2 instances in AWS GovCloud (US), see [Amazon EC2 Auto Scaling](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-as.html) in this guide.

For more information about AWS Auto Scaling and Application Auto Scaling, see [AWS Auto Scaling documentation](https://aws.amazon.com/documentation/autoscaling/).

## Export-controlled content
<a name="govcloud-awsas-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Auto Scaling is not permitted to contain export-controlled data.
+ For example, do not enter export-controlled data in the following fields:
  + Scaling plan names
  + Scaling policy names
  + Scaling policy configurations

# AWS Backint Agent for SAP HANA in AWS GovCloud (US) Regions
<a name="govcloud-bint"></a>

AWS Backint Agent for SAP HANA (AWS Backint Agent) is an SAP-certified backup and restore application for SAP HANA workloads running on Amazon EC2 instances in the cloud. AWS Backint Agent runs as a standalone application that integrates with your existing workflows to back up your SAP HANA database to Amazon S3 and to restore it using SAP HANA Cockpit, SAP HANA Studio, and SQL commands. AWS Backint Agent supports full, incremental, and differential backup of SAP HANA databases.

## How AWS Backint Agent for SAP HANA differs for AWS GovCloud (US)
<a name="govcloud-bint-diffs"></a>

This service has no differences between the AWS GovCloud (US) Region and the standard AWS Regions.

## Documentation for AWS Backint Agent for SAP HANA
<a name="govcloud-bint-docs"></a>

 [AWS Backint Agent for SAP HANA documentation](https://docs.aws.amazon.com/sap/latest/sap-hana/aws-backint-agent-what-is.html).

## Export-controlled content
<a name="govcloud-bint-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Backup in AWS GovCloud (US)
<a name="govcloud-bkp"></a>

AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services in the cloud and on premises. Using AWS Backup, you can configure backup policies and monitor backup activity for your AWS resources in one place. AWS Backup automates and consolidates backup tasks that were previously performed service-by-service, and removes the need to create custom scripts and manual processes. With just a few clicks on the AWS Backup console, you can create backup policies that automate backup schedules and retention management.

## How AWS Backup differs for AWS GovCloud (US)
<a name="govcloud-bkp-diffs"></a>
+ Restore testing is not available.
+ Backup Audit Manager multi-account, multi-Region reporting is not available.

## Documentation for AWS Backup
<a name="govcloud-bkp-docs"></a>

 [AWS Backup documentation](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html).

## Export-controlled content
<a name="govcloud-bkp-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Do not enter export-controlled data in the following AWS Backup fields:
  + Resource tag
  + Plan name
  + Rule name
  + Selection name
  + Vault name

# AWS Batch in AWS GovCloud (US)
<a name="govcloud-batch"></a>

AWS Batch enables you to run batch computing workloads on the AWS Cloud. Batch computing is a common way for developers, scientists, and engineers to access large amounts of compute resources, and AWS Batch removes the undifferentiated heavy lifting of configuring and managing the required infrastructure, similar to traditional batch computing software. This service can efficiently provision resources in response to jobs submitted in order to eliminate capacity constraints, reduce compute costs, and deliver results quickly.

## How AWS Batch differs for AWS GovCloud (US)
<a name="govcloud-batch-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for AWS Batch
<a name="govcloud-batch-docs"></a>

 [AWS Batch documentation](https://docs.aws.amazon.com/batch/latest/userguide/what-is-batch.html).

## Export-controlled content
<a name="govcloud-batch-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Job Definitions API attributes
+ Job Queues API attributes
+ Compute Environments API attributes
+ Job API attributes
+ Tags

# AWS Certificate Manager in AWS GovCloud (US)
<a name="govcloud-acm"></a>

AWS Certificate Manager (ACM) makes it easy to provision, manage, and deploy SSL/TLS certificates on AWS managed resources.

## How AWS Certificate Manager differs for AWS GovCloud (US)
<a name="govcloud-acm-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for AWS Certificate Manager
<a name="govcloud-acm-docs"></a>

 [AWS Certificate Manager documentation](https://aws.amazon.com/documentation/acm/).

## Export-controlled content
<a name="itar-boundary"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No export-controlled data may be entered, stored, or processed by AWS Certificate Manager. For example, domain names specified for certificates are not permitted to contain export-controlled data, so do not enter export-controlled data into the **DomainName** or **SubjectAlternativeNames** fields when requesting a certificate.

# AWS Private Certificate Authority in AWS GovCloud (US)
<a name="govcloud-acmpca"></a>

 AWS Private Certificate Authority (AWS Private CA) is a managed private CA service with which you can easily and securely manage your CA infrastructure and your private certificates.

## How AWS Private CA differs for AWS GovCloud (US)
<a name="govcloud-acmpca-diffs"></a>
+ To connect to AWS Private CA by using the command line or API, use the following [endpoints](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html):
  +  `https://acm-pca.us-gov-west-1.amazonaws.com` 
  +  `https://acm-pca.us-gov-east-1.amazonaws.com` 

## Documentation for AWS Private CA
<a name="govcloud-acmpca-docs"></a>

 [AWS Private Certificate Authority documentation](https://docs.aws.amazon.com/acm-pca/latest/userguide/PCAWelcome.html).

## Export-controlled content
<a name="itar-boundary-3"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No export-controlled data may be entered, stored, or processed by AWS Private Certificate Authority. For example, domain names specified for certificates are not permitted to contain export-controlled data, so do not enter export-controlled data into the **DomainName** or **SubjectAlternativeNames** fields when requesting a certificate.

# AWS Client VPN in AWS GovCloud (US)
<a name="govcloud-vpnclient"></a>

 AWS Client VPN is a managed client-based Site-to-Site VPN service that enables you to securely access AWS resources and resources in your on-premises network. With AWS Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.

## How Client VPN differs for AWS GovCloud (US)
<a name="govcloud-vpnclient-diffs"></a>
+  AWS Client VPN endpoints in AWS GovCloud (US) operate using FIPS 140-3 validated cryptographic modules. Site-to-Site VPN connections created in AWS GovCloud (US) might require a different set of algorithms to establish a tunnel, depending on your client configuration. For more information about FIPS 140-3, see "Cryptographic Module Validation Program" on the NIST Computer Security Resource Center website.
+ Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other AWS Regions, you can use HTTP or HTTPS.

## Documentation for AWS Client VPN
<a name="govcloud-vpnclient-docs"></a>

 [AWS Client VPN documentation](https://docs.aws.amazon.com/vpn).

## Export-controlled content
<a name="govcloud-vpnclient-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  AWS Client VPN metadata is not permitted to contain export-controlled data. This metadata includes all of the configuration data that you enter when setting up and maintaining your Client VPN Endpoints.

  For example, do not enter export-controlled data into user input fields such as the following:
  + Display Name
  + Topic Policy
  + Topic Delivery Policy
  + Topic ARN
  + Endpoint

# AWS Cloud Control API in AWS GovCloud (US)
<a name="govcloud-cloudcontrolapi"></a>

AWS Cloud Control API is a set of common application programming interfaces (APIs) designed to make it easy for developers to manage their cloud infrastructure in a consistent manner and leverage the latest AWS capabilities faster. Using AWS Cloud Control API, developers can manage the lifecycle of hundreds of AWS resources and over a dozen third-party resources with five consistent APIs instead of using distinct service-specific APIs. With this launch, AWS Partner Network (APN) Partners can now automate how their solutions integrate with existing and future AWS services through a one-time integration, instead of spending weeks of custom development work as new resources become available.

## How AWS Cloud Control API differs for AWS GovCloud (US)
<a name="govcloud-diffs-10"></a>

This service has no differences between the AWS GovCloud (US) Region and the standard AWS Regions.

## Documentation for AWS Cloud Control API
<a name="govcloud-docs-49"></a>

 [AWS Cloud Control API documentation](https://docs.aws.amazon.com/cloudcontrolapi).

## Export-controlled content
<a name="govcloud-itar-content-88"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No export-controlled data may be entered, stored, or processed by AWS Cloud Control API. For example, AWS Cloud Control API metadata is not permitted to contain export-controlled data. This metadata includes all the configuration data that you enter when creating and maintaining your resources using AWS Cloud Control API.

# AWS Cloud Map in AWS GovCloud (US)
<a name="govcloud-cm"></a>

 AWS Cloud Map is a fully managed service that you can use to create and maintain a map of the backend services and resources that your applications depend on.

## How AWS Cloud Map differs for AWS GovCloud (US)
<a name="govcloud-diffs-17"></a>
+ Public DNS namespaces are not supported in the AWS GovCloud (US) Regions.

## Documentation for AWS Cloud Map
<a name="govcloud-docs-55"></a>

 [AWS Cloud Map documentation](https://docs.aws.amazon.com/cloud-map).

## Export-controlled content
<a name="govcloud-itar-content-95"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Cloud WAN in AWS GovCloud (US)
<a name="govcloud-cwan"></a>

 AWS Cloud WAN is a managed wide-area networking (WAN) service that you can use to build, manage, and monitor a unified global network that connects resources running across your cloud and on-premises environments.

## How AWS Cloud WAN differs for AWS GovCloud (US)
<a name="govcloud-cwan-diffs"></a>
+ Direct Connect gateway attachments are not supported.

## Documentation for AWS Cloud WAN
<a name="govcloud-cwan-docs"></a>

 [AWS Cloud WAN documentation](https://docs.aws.amazon.com/network-manager/latest/cloudwan/what-is-cloudwan.html) 

## Export-controlled content
<a name="govcloud-cwan-content"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Cloud WAN gateway metadata is not permitted to contain export-controlled data. This metadata includes all of the configuration data that you enter when setting up and maintaining your global and core networks. This applies to free-text entry fields for Cloud WAN resources, including but not limited to:
  + Resource names
  + Resource descriptions
  + Tag keys and values

# AWS CloudFormation in AWS GovCloud (US)
<a name="govcloud-cfn"></a>

AWS CloudFormation enables you to create and provision AWS infrastructure deployments predictably and repeatedly. It helps you leverage AWS products such as Amazon EC2, Amazon Elastic Block Store, Amazon SNS, Elastic Load Balancing, and Auto Scaling to build highly reliable, highly scalable, cost-effective applications in the cloud without worrying about creating and configuring the underlying AWS infrastructure. AWS CloudFormation enables you to use a template file to create and delete a collection of resources together as a single unit (a stack).

## How AWS CloudFormation differs for AWS GovCloud (US)
<a name="govcloud-cfn-diffs"></a>
+ The `KmsKeyID` property is not available.
+  CloudFormation doesn’t support the following resources:
  +  `AWS::IAM::GroupPolicy` 
  +  `AWS::IAM::RolePolicy` 
  +  `AWS::IAM::UserPolicy` 
  +  `AWS::Organizations::Account` 
  +  `AWS::RolesAnywhere::TrustAnchor` 

**Note**  
Resource types for CloudFormation can vary by Region. Confirm that the resource types you need are available in AWS GovCloud (US-West) and AWS GovCloud (US-East) by checking the [Resource Specification table](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-resource-specification.html).
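
A pre-deployment check for the differences listed above, as an added example (not AWS code): it scans a JSON CloudFormation template for the resource types this guide lists as unavailable in AWS GovCloud (US) and for ARNs hard-coded with the commercial `aws` partition instead of `aws-us-gov`. The function name, finding labels, and sample template are constructed for illustration.

```python
import json
import re

# Resource types this guide lists as unavailable in AWS GovCloud (US):
# five from the CloudFormation section, one from the AWS Auto Scaling section.
UNSUPPORTED_TYPES = {
    "AWS::IAM::GroupPolicy",
    "AWS::IAM::RolePolicy",
    "AWS::IAM::UserPolicy",
    "AWS::Organizations::Account",
    "AWS::RolesAnywhere::TrustAnchor",
    "AWS::AutoScalingPlans::ScalingPlan",
}

# GovCloud ARNs use the "aws-us-gov" partition. A literal "arn:aws:<service>:"
# is a commercial-partition ARN and will not match GovCloud resources.
COMMERCIAL_ARN = re.compile(r"\barn:aws:[A-Za-z0-9-]+:")


def _walk_strings(node, path):
    """Yield (path, value) for every string nested anywhere under node."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{index}]")


def lint_template(template_text):
    """Return (logical_id, finding, detail) tuples for a JSON template."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in sorted(template.get("Resources", {}).items()):
        resource_type = resource.get("Type", "")
        if resource_type in UNSUPPORTED_TYPES:
            findings.append((logical_id, "unsupported-type", resource_type))
        properties = resource.get("Properties", {})
        for path, value in _walk_strings(properties, logical_id):
            if COMMERCIAL_ARN.search(value):
                findings.append((logical_id, "commercial-partition-arn", path))
    return findings


# Constructed sample template (not from the guide).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AppRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": "ec2.amazonaws.com"},
                        "Action": "sts:AssumeRole",
                    }],
                },
                # Hard-coded commercial partition: flagged.
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
            },
        },
        "AppRoleInline": {
            "Type": "AWS::IAM::RolePolicy",  # listed as unsupported: flagged
            "Properties": {
                "PolicyName": "inline",
                "RoleName": {"Ref": "AppRole"},
                "PolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}
                ]},
            },
        },
        "LogBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "LogBucket"},
                "PolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    "Principal": {"Service": "cloudtrail.amazonaws.com"},
                    "Action": "s3:PutObject",
                    # Partition resolved at deploy time: not flagged.
                    "Resource": {"Fn::Sub": "arn:${AWS::Partition}:s3:::${LogBucket}/*"},
                }]},
            },
        },
        "Plan": {"Type": "AWS::AutoScalingPlans::ScalingPlan", "Properties": {}},
    }
})

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(*finding, sep="\t")
```

Templates that build ARNs with the `AWS::Partition` pseudo parameter pass the partition check unchanged in both commercial and GovCloud Regions.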

## Documentation for AWS CloudFormation
<a name="govcloud-cfn-docs"></a>

The following documentation is based on the public AWS documentation. As you read this documentation, you should consider how CloudFormation differs for AWS GovCloud (US) Regions, as described in this topic. Also, some features and new functionality described in this documentation might not be available in the current release of AWS GovCloud (US) Regions. There are other differences, such as links, endpoints, and screenshots.
+  [CloudFormation Documentation](https://docs.aws.amazon.com/cloudformation/) 

## Export-controlled content
<a name="govcloud-cfn-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No export-controlled data may be entered, stored, or processed by CloudFormation. For example, CloudFormation metadata is not permitted to contain export-controlled data. This metadata includes all the configuration data that you enter when creating and maintaining your CloudFormation templates.

# AWS CloudHSM in AWS GovCloud (US)
<a name="govcloud-cloudhsm"></a>

AWS CloudHSM offers secure cryptographic key storage for customers by providing managed hardware security modules in the AWS Cloud.

## How AWS CloudHSM differs for AWS GovCloud (US)
<a name="govcloud-hsm-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for AWS CloudHSM
<a name="govcloud-hsm-docs"></a>

 [AWS CloudHSM documentation](https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html).

## Export-controlled content
<a name="govcloud-hsmv2-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  AWS CloudHSM metadata is not permitted to contain export-controlled data. This includes all configuration data that you enter when creating and maintaining your AWS CloudHSM config. Audit and syslogs should not contain export-controlled data.

## AWS CloudHSM Root Certificate
<a name="govcloud-hsmv2-root-cert"></a>

If you choose to [verify the identity of an HSM](https://docs.aws.amazon.com/cloudhsm/latest/userguide/verify-hsm-identity.html), be sure to use the root certificate for the AWS GovCloud (US) Region rather than the root certificate that is available for commercial Regions. You can download the certificate from [AWS\_US\_GOV\_CloudHSM\_Root-G1.zip](https://docs.aws.amazon.com/cloudhsm/latest/userguide/samples/AWS_US_GOV_CloudHSM_Root-G1.zip). Verification is an optional step that you can perform after you [create an HSM](https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-hsm.html). For more information about AWS CloudHSM, see the [AWS CloudHSM User Guide](https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html). For more information about AWS CloudHSM Classic, see the [AWS CloudHSM Classic User Guide](https://docs.aws.amazon.com/cloudhsm/classic/userguide/).

# AWS CloudHSM Classic in AWS GovCloud (US)
<a name="govcloud-cloudhsm-classic"></a>

AWS CloudHSM Classic helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but additional protection is necessary for some applications and data that are subject to strict contractual or regulatory requirements for managing cryptographic keys.

## How AWS CloudHSM differs for AWS GovCloud (US)
<a name="govcloud-hsmcla-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for AWS CloudHSM
<a name="govcloud-hsmcla-docs"></a>

 [AWS CloudHSM Classic documentation](https://docs.aws.amazon.com/cloudhsm/classic/userguide/).

## Export-controlled content
<a name="govcloud-cloudhsm-classic-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  AWS CloudHSM Classic metadata is not permitted to contain export-controlled data. This includes all configuration data that you enter when creating and maintaining your AWS CloudHSM Classic config and partitions. Audit and syslogs should not contain export-controlled data.

# AWS CloudShell in AWS GovCloud (US)
<a name="govcloud-cloudshell"></a>

AWS CloudShell is a browser-based, pre-authenticated shell that you can launch directly from the AWS Management Console. You can run AWS CLI commands against AWS services using your preferred shell (Bash, PowerShell, or Z shell). And you can do this without needing to download or install command line tools.

## How AWS CloudShell differs for AWS GovCloud (US)
<a name="govcloud-diffs-37"></a>

Currently, AWS CloudShell does not support Docker in the AWS GovCloud (US) Regions.

## Documentation for AWS CloudShell
<a name="govcloud-docs-76"></a>

 [CloudShell documentation](https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html).

## Export-controlled content
<a name="govcloud-itar-content-115"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# AWS CloudTrail in AWS GovCloud (US)
<a name="govcloud-ct"></a>

With AWS CloudTrail, you can monitor your AWS deployments in the cloud by getting a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.

## How AWS CloudTrail differs for AWS GovCloud (US)
<a name="govcloud-ct-diffs"></a>

The following list details the differences for using this service in AWS GovCloud (US) Regions compared to other AWS Regions:
+ As of November 22, 2021, AWS CloudTrail changed how trails capture global service events. Now, events created by CloudFront, IAM, and AWS STS are recorded in the AWS Region in which they were created, the AWS GovCloud (US-West) Region, us-gov-west-1. This makes CloudTrail's treatment of these services consistent with that of other AWS global services.

  To continue receiving global service events outside of AWS GovCloud (US-West), be sure to convert *single-Region trails* using global service events outside of AWS GovCloud (US-West) into *multi-Region trails*. For more information about using the CLI to update or create trails for global service events, see [Using update-trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html).

  In contrast, the **Event history** in the CloudTrail console and the **aws cloudtrail lookup-events** command will show these events in the Region where they occurred.
+ For all AWS GovCloud (US) accounts created after 12/15/2014, AWS CloudTrail event log delivery to Amazon S3 is enabled automatically. However, you must set up Amazon SNS notifications. You can turn off logging through the AWS CloudTrail console for the AWS GovCloud (US) Region.
+ If you are using Direct Connect, you must enable CloudTrail in your standard AWS account (not your AWS GovCloud (US) account) and enable logging.
+ The Amazon S3 and Amazon SNS policy statements must refer to the ARN for AWS GovCloud (US) Regions. For more information, see [Amazon Resource Names (ARNs) in GovCloud (US) Regions](using-govcloud-arns.md).
+ The following CloudTrail Lake features are currently not available in the AWS GovCloud (US) Regions:
  +  CloudTrail Lake integrations
  +  CloudTrail Lake query generation
  +  CloudTrail Lake query results summarization
  +  CloudTrail Lake event data stores for AWS Config configuration items, AWS Audit Manager evidence, and events outside of AWS.
  + The **Activity summary** widget on the Highlights dashboard.
+  CloudTrail network activity events are only available for AWS KMS, Amazon S3, AWS CloudTrail, and AWS Secrets Manager. You can also log network activity events in Amazon CloudWatch that are sent through the monitoring VPC interface endpoint. For more information, see [Using CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-and-interface-VPC.html).
+  CloudTrail enriched events are currently not supported.
+ To enable CloudTrail to write log files to your bucket in AWS GovCloud (US) Regions, you can use the following policy.
**Warning**  
If the bucket already has one or more policies attached, add the statements for CloudTrail access to that policy or policies. We recommend that you evaluate the resulting set of permissions to be sure they are appropriate for the users who will be accessing the bucket.

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "AWSCloudTrailAclCheck20131101",
              "Effect": "Allow",
              "Principal": {
                  "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": "arn:aws-us-gov:s3:::amzn-s3-demo-logging-bucket",
              "Condition": {
                  "StringEquals": {
                      "aws:SourceArn": "arn:aws-us-gov:cloudtrail:region:myAccountID:trail/trailName"
                  }
              }
          },
          {
              "Sid": "AWSCloudTrailWrite20131101",
              "Effect": "Allow",
              "Principal": {
                  "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": "arn:aws-us-gov:s3:::amzn-s3-demo-logging-bucket/[optional] prefix/AWSLogs/myAccountID/*",
              "Condition": {
                  "StringEquals": {
                      "s3:x-amz-acl": "bucket-owner-full-control",
                      "aws:SourceArn": "arn:aws-us-gov:cloudtrail:region:myAccountID:trail/trailName"
                  }
              }
          }
      ]
  }
  ```

  For more information, see [Amazon S3 bucket policy](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html) and [Amazon SNS topic policy for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-permissions-for-sns-notifications.html).
**Note**  
This note applies to bucket policies that use a CloudTrail account ID as the Principal. In AWS GovCloud (US) Regions, do not add CloudTrail account IDs of non-isolated Regions to your policy templates, or an "Invalid principal in policy" error will occur. Similarly, if you are in a non-isolated Region, do not add the CloudTrail account ID for AWS GovCloud (US) to your policy templates.
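
A check for the requirements above (GovCloud-partition ARNs and the conditions on the CloudTrail statements), as an added Python example rather than AWS code. The function names, finding codes, and the sample account ID, Region and trail name are constructed for illustration.

```python
import re

GOV_PARTITION = "aws-us-gov"
CLOUDTRAIL = "cloudtrail.amazonaws.com"
# ARN layout: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(r"^arn:([^:]*):[^:]*:[^:]*:[^:]*:.+$")
# Only positive operators count as "this statement requires the value".
POSITIVE_OPS = {"stringequals", "stringlike", "arnequals", "arnlike"}


def as_list(value):
    """Policy elements may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def required_values(stmt, key):
    """Values a statement requires for one condition key (keys are case-insensitive)."""
    values = []
    for op, operands in stmt.get("Condition", {}).items():
        if op.lower() in POSITIVE_OPS:
            for k, v in operands.items():
                if k.lower() == key.lower():
                    values.extend(as_list(v))
    return values


def arns_in(stmt):
    """Yield (location, value) for Resource, Principal.AWS and every condition value."""
    for value in as_list(stmt.get("Resource")):
        yield "Resource", value
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        for value in as_list(principal.get("AWS")):
            yield "Principal.AWS", value
    for operands in stmt.get("Condition", {}).values():
        for key, raw in operands.items():
            for value in as_list(raw):
                yield "Condition " + key, value


def lint(policy):
    """Return (sid, code, detail) findings; an empty list means the policy passed."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", "statement[%d]" % index)
        # Every ARN in the statement must use the aws-us-gov partition.
        for where, value in arns_in(stmt):
            match = ARN_RE.match(str(value))
            if match and match.group(1) != GOV_PARTITION:
                findings.append((sid, "wrong-partition", "%s: %s" % (where, value)))
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CLOUDTRAIL not in services:
            continue
        # Grants to the CloudTrail service principal should name the trail.
        if not required_values(stmt, "aws:SourceArn"):
            findings.append((sid, "missing-source-arn", "grant is not scoped to one trail"))
        if "s3:PutObject" in as_list(stmt.get("Action")) and \
                "bucket-owner-full-control" not in required_values(stmt, "s3:x-amz-acl"):
            findings.append((sid, "missing-acl", "PutObject lacks the s3:x-amz-acl condition"))
    return findings


def statement(sid, action, resource, condition=None):
    """Build one constructed CloudTrail service-principal statement."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
            "Action": action, "Resource": resource}
    if condition:
        stmt["Condition"] = {"StringEquals": condition}
    return stmt


# Constructed sample values: account 111122223333, trail "example-trail".
BUCKET = "arn:aws-us-gov:s3:::amzn-s3-demo-logging-bucket"
TRAIL = "arn:aws-us-gov:cloudtrail:us-gov-west-1:111122223333:trail/example-trail"

GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    statement("AWSCloudTrailAclCheck20131101", "s3:GetBucketAcl", BUCKET,
              {"aws:SourceArn": TRAIL}),
    statement("AWSCloudTrailWrite20131101", "s3:PutObject",
              BUCKET + "/AWSLogs/111122223333/*",
              {"s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceArn": TRAIL}),
]}

# Constructed "before": copied from a commercial-Region template and trimmed.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    statement("AWSCloudTrailAclCheck20131101", "s3:GetBucketAcl",
              "arn:aws:s3:::amzn-s3-demo-logging-bucket",
              {"aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"}),
    statement("AWSCloudTrailWrite20131101", "s3:PutObject",
              BUCKET + "/AWSLogs/111122223333/*"),
]}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint(policy) or "OK")
```

Run `lint` on the merged policy document when the bucket already carries other statements, so the result reflects the full set of permissions on the bucket.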

## Documentation for AWS CloudTrail
<a name="govcloud-ct-docs"></a>

 [AWS CloudTrail documentation](https://aws.amazon.com/documentation/cloudtrail/).

## Services supported within CloudTrail
<a name="services-supported-in-cloudtrail"></a>

 CloudTrail supports logging for the services supported in the AWS GovCloud (US) Regions that are integrated with CloudTrail. You can find the specifics for each supported service in that service’s guide. For more information, see [AWS service topics for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-list) in the *AWS CloudTrail User Guide*.

## Export-controlled content
<a name="ct-gov"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  CloudTrail logs do not contain export-controlled data.
+  CloudTrail configuration data may not contain export-controlled data.

# AWS CodeBuild in AWS GovCloud (US)
<a name="govcloud-acb"></a>

AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. With CodeBuild, you don’t need to provision, manage, and scale your own build servers. CodeBuild scales continuously and processes multiple builds concurrently, so your builds are not left waiting in a queue. You can get started quickly by using prepackaged build environments, or you can create custom build environments that use your own build tools. With CodeBuild, you are charged by the minute for the compute resources you use.

## How AWS CodeBuild differs for AWS GovCloud (US)
<a name="govcloud-acb-diffs"></a>
+ The ARM environment types are not available in the AWS GovCloud (US) Regions.
+ The Linux GPU environment types are not available in the AWS GovCloud (US) Regions.
+ The `2xlarge` compute type is not available in the AWS GovCloud (US) Regions.
+ The ability to pause a running build and then use AWS Systems Manager Session Manager to connect to the build container is not available in the AWS GovCloud (US) Regions.
+ The public builds feature of CodeBuild is not available in the AWS GovCloud (US) Regions.
+ Windows managed and custom images are not available in the AWS GovCloud (US) Regions.
+ Batch Configuration is not available in the AWS GovCloud (US) Regions.
+ Compute Fleets are not available in AWS GovCloud (US) Regions.

## Documentation for AWS CodeBuild
<a name="govcloud-acb-docs"></a>

 [AWS CodeBuild documentation](https://docs.aws.amazon.com/codebuild/latest/userguide/welcome.html).

## Export-controlled content
<a name="acb"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS CodeStar Connections in AWS GovCloud (US)
<a name="CodeStar-connections"></a>

You can use the connections feature in the Developer Tools console to connect AWS resources to external code repositories. This feature has its own API, the [AWS CodeStar Connections API reference](https://docs.aws.amazon.com/codestar-connections/latest/APIReference/Welcome.html). Each connection is a resource that you can give to AWS services to connect to a third-party repository, such as BitBucket. For example, you can add a connection in CodePipeline so that it starts your pipeline when a code change is made to your third-party code repository. Each connection is named and associated with a unique Amazon Resource Name (ARN) that is used to reference the connection.

## How AWS CodeStar Connections differs for AWS GovCloud (US) Regions
<a name="w132aac16c94b5"></a>
+  AWS CodeStar Connections is only available in the AWS GovCloud (US-East) Region.
+ Since AWS GovCloud (US) operates as isolated Regions, you cannot share or use connections resources with other services outside of the Regions. For example, you cannot use a connection in AWS GovCloud (US-East) with a pipeline in CodePipeline that is not in the AWS GovCloud (US-East) Region.

## Documentation for AWS CodeStar Connections
<a name="w132aac16c94b7"></a>

 [AWS CodeStar Connections documentation](https://docs.aws.amazon.com/dtconsole/latest/userguide/welcome-connections.html) 

## Export-controlled content
<a name="w132aac16c94b9"></a>

For AWS services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS CodeCommit in AWS GovCloud (US)
<a name="govcloud-acc"></a>

AWS CodeCommit is a fully-managed source control service that hosts secure Git-based repositories. It makes it easy for teams to collaborate on code in a secure and highly scalable ecosystem. CodeCommit eliminates the need to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools.

## How AWS CodeCommit differs for AWS GovCloud (US)
<a name="govcloud-acc-diffs"></a>
+ The old console experience is not available in the AWS GovCloud (US) Regions. The documentation reflects the new console experience.
+ Since AWS GovCloud (US) operates as isolated Regions, you cannot share or use CodeCommit repositories and resources with other services outside of the Regions. For example, you cannot use a CodeCommit repository in AWS GovCloud (US-West) as the source for a pipeline in CodePipeline that is not in the AWS GovCloud (US-West) Region.
+ All policy statements must refer to the GovCloud ARNs for the AWS GovCloud (US) Regions. For example, policies for Amazon SNS notifications, CloudWatch Events rules, and trigger resources must use the AWS GovCloud (US) ARNs for those services. For more information, see [Amazon Resource Names (ARNs) in AWS GovCloud](https://docs.aws.amazon.com/govcloud-us/latest/ug-west/using-govcloud-arns.html).
+ All IAM users and service roles must exist in the AWS GovCloud (US) Regions.

## Documentation for AWS CodeCommit
<a name="govcloud-acc-docs"></a>

 [AWS CodeCommit documentation](https://docs.aws.amazon.com/codecommit/latest/userguide/).

## Export-controlled content
<a name="acc"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Repository name
+ Repository description
+ Branch name
+ Trigger name
+ SNS topic name
+ AWS Lambda topic name

# AWS CodeConnections
<a name="codeconnections"></a>

You can use the connections feature in the Developer Tools console to connect AWS resources to external code repositories. This feature has its own API, the [AWS CodeConnections API reference](https://docs.aws.amazon.com/codeconnections/latest/APIReference/Welcome.html). Each connection is a resource that you can give to AWS services to connect to a third-party repository, such as BitBucket. For example, you can add a connection in CodePipeline so that it starts your pipeline when a code change is made to your third-party code repository. Each connection is named and associated with a unique Amazon Resource Name (ARN) that is used to reference the connection.

## How AWS CodeConnections Differs for AWS GovCloud (US) Regions
<a name="codeconnections-differences"></a>
+  AWS CodeConnections is only available in the AWS GovCloud (US-East) Region.
+ Since AWS GovCloud (US) operates as isolated Regions, you cannot share or use connections resources with other services outside of the Regions. For example, you cannot use a connection in AWS GovCloud (US-East) with a pipeline in CodePipeline that is not in the AWS GovCloud (US-East) Region.

## Documentation for AWS CodeConnections
<a name="codeconnections-documentation"></a>

 [AWS CodeConnections documentation](https://docs.aws.amazon.com/dtconsole/latest/userguide/welcome-connections.html) 

## Export-Controlled Content
<a name="codeconnections-export-control"></a>

For AWS services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS CodeDeploy in AWS GovCloud (US)
<a name="govcloud-codedeploy"></a>

AWS CodeDeploy is a deployment service that enables developers to automate the deployment of applications to instances and to update the applications as required.

## How AWS CodeDeploy differs for AWS GovCloud (US)
<a name="govcloud-codedeploy-diffs"></a>
+ The new AWS CodeDeploy console is not available in the AWS GovCloud (US) Regions.
+ Use TLS (HTTPS) when you make calls to the service in AWS GovCloud (US) Regions. In other regions, you can use HTTP or HTTPS.
+ Several procedures in the CodeDeploy User Guide require the customer to substitute the name of a region-specific Amazon S3 bucket or bucket ARN. These procedures are for tasks such as restricting bucket access and downloading installation files, samples, and templates. In AWS GovCloud (US) Regions, the formats for accessing these resources do not follow the same patterns as for other Regions.
+ ECS capacity providers are not supported.
+ Automatically updating outdated instances is not supported.
+  CodeDeploy does not have a VPC endpoint powered by PrivateLink.

## Documentation for AWS CodeDeploy
<a name="govcloud-codedeploy-docs"></a>

Use the values presented here to complete CodeDeploy procedures in the AWS GovCloud (US) Regions.

### CodeDeploy Amazon S3 resources bucket
<a name="codedeploy-resources-s3-bucket"></a>

Name of the Amazon S3 bucket containing CodeDeploy files:

```
aws-codedeploy-us-gov-west-1
```

### CodeDeploy Amazon S3 bucket ARN
<a name="codedeploy-resources-s3-buckwet-arn"></a>

ARN of the Amazon S3 bucket containing CodeDeploy files:

```
arn:aws-us-gov:s3:::aws-codedeploy-us-gov-west-1
```

### wget download command
<a name="codedeploy-resources-wget"></a>

wget command for downloading the CodeDeploy agent on Linux and Ubuntu instances:

```
wget https://aws-codedeploy-us-gov-west-1.s3-us-gov-west-1.amazonaws.com/latest/install
```

### Sample application locations
<a name="codedeploy-resources-sample-apps"></a>

Location of sample CodeDeploy applications:
+  Amazon Linux, Red Hat Enterprise Linux, and Ubuntu Server instances:

  ```
  https://s3-us-gov-west-1.amazonaws.com/aws-codedeploy-us-gov-west-1/samples/latest/SampleApp_Linux.zip
  ```
+ Windows Server instances:

  ```
  https://s3-us-gov-west-1.amazonaws.com/aws-codedeploy-us-gov-west-1/samples/latest/SampleApp_Windows.zip
  ```

### CloudFormation template location
<a name="codedeploy-resources-cfn-template"></a>

Location of CloudFormation template for launching Amazon EC2 instance configured for CodeDeploy deployments:

```
https://s3-us-gov-west-1.amazonaws.com/aws-codedeploy-us-gov-west-1/templates/latest/CodeDeploy_SampleCF_Template.json
```

### Downloading CodeDeploy installer and updater (Windows Server)
<a name="codedeploy-resources-windows-download-links"></a>

Links for downloading CodeDeploy installer and updater for Windows Server instances:
+ Installer:

  ```
  https://aws-codedeploy-us-gov-west-1.s3-us-gov-west-1.amazonaws.com/latest/codedeploy-agent.msi
  ```
+ Updater:

  ```
  https://aws-codedeploy-us-gov-west-1.s3-us-gov-west-1.amazonaws.com/latest/codedeploy-agent-updater.msi
  ```

For more information about AWS CodeDeploy, see the [AWS CodeDeploy documentation](https://aws.amazon.com/documentation/codedeploy/).

## Export-controlled content
<a name="codedp"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  **Application Details:** 
  + Name
+  **Deployment Groups:** 
  + Deployment group name
  + Service Role name
  + EC2 Auto Scaling group names
  + EC2 instance tag key
  + EC2 instance tag group name
  + On-premise Instances tag key
  + On-premise Instances tag group
  + Load Balancer ALB target group
  + Load Balancer NLB target group
  + Deployment trigger name
  + Deployment trigger SNS Topic
  + Deployment CloudWatch alarms
+  **Deployment Configuration:** 
  + Deployment configuration name
  + Deployment description

# AWS CodePipeline in AWS GovCloud (US)
<a name="govcloud-acp"></a>

AWS CodePipeline is a continuous delivery service you can use to model, visualize, and automate the steps required to release your software. You can quickly model and configure the different stages of a software release process. CodePipeline automates the steps required to release your software changes continuously.

## How AWS CodePipeline differs for AWS GovCloud (US)
<a name="govcloud-acp-diffs"></a>

The following actions/provider types are not supported:
+ Custom actions
+ Source Actions. The following actions are only available in AWS GovCloud (US-East):
  +  AWS CodeStar Source Connection (Bitbucket Cloud)
  +  AWS CodeStar Source Connection (GitHub)
  +  AWS CodeStar Source Connection (GitHub Enterprise Server)
  +  AWS CodeStar Source Connection (GitLab.com)
+ Build Actions:
  + Jenkins
  + For the CodeBuild action, enabling batch builds is not supported. For the CodeBuild action type, the action configuration does not contain the following parameters: BatchEnabled, CombineArtifacts.
+ Test Actions:
  +  Device Farm 
  + Jenkins
+ Deploy Actions:
  +  OpsWorks 
  + Amazon Alexa
  + AWS AppConfig (Supported in CLI, not supported in console)
  + AWS CloudFormation StackSets
+ Invoke Actions:
  +  AWS Step Functions 
+ Since AWS GovCloud (US) operates as isolated regions, you cannot share or use CodePipeline resources with other services outside of the Regions. For example, you cannot use a CodeCommit repository in AWS GovCloud (US-West) as the source for a pipeline in CodePipeline that is not in the AWS GovCloud (US-West) Region.
+ All policy statements must refer to the GovCloud ARNs for the AWS GovCloud (US) Region. For example, policies for AWS Artifact buckets, CloudWatch Events rules, and trigger resources must use the AWS GovCloud (US) ARNs for those services. For more information, see .
+ All users and service roles must exist in the AWS GovCloud (US) Region.
+ Cross-region actions such as multi-region deployment are not supported.

## Documentation for AWS CodePipeline
<a name="govcloud-acp-docs"></a>

 [AWS CodePipeline documentation](https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html).

## Export-controlled content
<a name="govcloud-acp-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Pipeline Name
+ Stage Name
+ Action Name
+ CodeCommit Branch Name
+ GitHub Branch Name

# AWS Compute Optimizer in AWS GovCloud (US)
<a name="govcloud-compute-optimizer"></a>

 AWS Compute Optimizer recommends optimal AWS compute resources for your workloads to reduce costs and improve performance. Compute Optimizer uses machine learning to analyze your historical utilization metrics to help you choose the optimal AWS resource configuration.

## How AWS Compute Optimizer differs for AWS GovCloud (US)
<a name="govcloud-diffs-29"></a>

 Compute Optimizer only supports FIPS enabled endpoints in AWS GovCloud (US). To call Compute Optimizer APIs in AWS GovCloud (US), set the environment variable `AWS_USE_FIPS_ENDPOINT` to `true` for the AWS CLI and SDK.

The following AWS Compute Optimizer features aren’t available in AWS GovCloud (US):
+ Estimated monthly savings, savings opportunity, Reserved Instances (RI) coverage, and RI utilization information for Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon EC2 Auto Scaling groups
+ Savings opportunity summary displayed in the Compute Optimizer dashboard
+ External metrics ingestion
+ Enhanced infrastructure metrics
+ Recommendations for Amazon ECS services on AWS Fargate 
+ Recommendations for RDS databases
+ Rightsizing recommendation preferences
+ Recommendations for idle resources
+ Recommendations for EC2 Auto Scaling groups that have mixed instance types, scaling policies, or both

## Documentation for AWS Compute Optimizer
<a name="govcloud-docs-68"></a>

 [Compute Optimizer documentation](https://docs.aws.amazon.com/compute-optimizer/latest/ug/what-is-compute-optimizer.html).

## Export-controlled content
<a name="govcloud-itar-content-107"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# AWS Config in AWS GovCloud (US)
<a name="govcloud-config"></a>

AWS Config provides a detailed view of the resources associated with your AWS account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time.

 AWS Config and AWS Config Rules are supported in the AWS GovCloud (US) Region.

## How AWS Config differs for AWS GovCloud (US)
<a name="govcloud-config-diffs"></a>

The implementation of AWS Config is different for AWS GovCloud (US) in the following ways:
+ For a list of rules supported in AWS GovCloud (US-East), see [List of AWS Config Managed Rules by Region Availability | AWS GovCloud (US-East)](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html#aws-govcloud-us-east-section-head).
+ For a list of rules supported in AWS GovCloud (US-West), see [List of AWS Config Managed Rules by Region Availability | AWS GovCloud (US-West)](https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html#aws-govcloud-us-west-section-head).
+  AWS Config recording of third-party resources or custom resource types is not supported in AWS GovCloud (US).
+  AWS Systems Manager documents (SSM documents) for AWS Config remediation actions are not supported in AWS GovCloud (US).

## Documentation for AWS Config
<a name="govcloud-config-docs"></a>

 [AWS Config documentation](https://aws.amazon.com/documentation/config/).

## Export-controlled content
<a name="govcloud-config-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  AWS Config metadata is not permitted to contain export-controlled data. This includes the naming and configuration data that you enter when creating and managing your AWS Config settings.

  For example, do not enter export-controlled data into user input fields such as the following:
  + Annotations for rule evaluations
  + Resource identifier
  + S3 bucket name
  + SNS topic name
  + Tag key

# AWS Control Tower in AWS GovCloud (US)
<a name="govcloud-controltower"></a>

 AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and IAM Identity Center, to build a landing zone in less than an hour. Resources are set up and managed on your behalf.

You can utilize AWS Control Tower with workloads that require FedRAMP High categorization level in the AWS GovCloud (US) Regions. AWS Control Tower is [in scope for numerous compliance programs and standards](https://aws.amazon.com/compliance/services-in-scope/), including HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry – Data Security Standard), ISO (International Organization for Standardization), SOC 1, 2, and 3 (System and Organization Controls). To learn more, visit the [AWS Control Tower homepage](https://aws.amazon.com/controltower/) or see the [AWS Control Tower User Guide](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html).

## How AWS Control Tower differs for AWS GovCloud (US)
<a name="govcloud-diffs-35"></a>

The following list details the differences for using this service in the AWS GovCloud (US) Regions compared to other AWS Regions:

**Overview of differences**
+ As in the commercial Region, you must use AWS Control Tower with all features enabled for AWS Organizations in AWS GovCloud (US) Regions. However, the consolidated billing feature set is not available in AWS GovCloud (US) Regions.
+ You must meet the U.S. regulatory requirements as described in [Signing Up for AWS GovCloud (US).](https://docs.aws.amazon.com/govcloud-us/latest/ug-west/getting-started-sign-up.html) 
+ Organizations that you create in the AWS GovCloud (US) Regions are independent from organizations created in commercial AWS Regions.
+ Creating accounts from within AWS Control Tower operates differently in the AWS GovCloud (US) Regions compared to commercial AWS Regions:
  + You start creating AWS GovCloud (US) accounts by calling the [CreateGovCloudAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html) action from the management account of the landing zone in the commercial Region. Calling account creation APIs from the AWS GovCloud (US) Regions is not supported.
  + When you call the `CreateGovCloudAccount` API action, you create *two accounts*: a standalone account in the AWS GovCloud (US) Regions, and an associated account in the commercial Region for billing and support purposes. The account in the commercial Region automatically becomes a member of the organization whose credentials made the request. Both accounts are associated with the same email address.
  + After you create the standalone account in the AWS GovCloud (US) Regions, you can invite it to an organization in the AWS GovCloud (US) Regions only.
  + Accounts created in other AWS Regions cannot be members of an organization in the AWS GovCloud (US) Regions.
+ To learn what AWS services are currently available for trusted access with AWS Control Tower, check the list in the AWS Control Tower console from the AWS GovCloud (US) Regions.

For more information about AWS Control Tower, see the [AWS Control Tower Documentation](https://docs.aws.amazon.com/servicecatalog/index.html).

**Feature-level differences**
+  **Inability to create accounts in AWS GovCloud (US)** 

   AWS Control Tower does not support the ability to create accounts within AWS GovCloud (US). The AWS Organizations **CreateGovCloudAccount** API is available in the Commercial Region (US East (N. Virginia)) only. Therefore, AWS Control Tower cannot programmatically create accounts with Account Factory, nor during Landing Zone setup. This difference affects setup regarding the creation of the Audit account and the Log Archive account.
+  **Must enroll existing AWS GovCloud (US) accounts for Audit and Log Archive** 

   AWS Control Tower in AWS GovCloud (US) requires you to bring your own, existing Audit and Log Archive accounts during Landing Zone setup. These accounts must exist in your AWS GovCloud (US) organization before you enroll them. AWS Control Tower supports single account enrollment only, for Account Factory.
+  **Changes for Account Factory** 

  The **Create account** feature in Account Factory is removed in AWS GovCloud (US) Regions. During the **Create account** workflow, you will see an error if the member account does not already exist in AWS GovCloud (US).
+  **Home Region** 

  You are redirected to the appropriate AWS GovCloud (US) home Region (AWS GovCloud (US-West) or AWS GovCloud (US-East)) when running AWS Control Tower in the AWS GovCloud (US) console.
+  **Verifying an account email address** 

  An account in the commercial Region and the associated account in the AWS GovCloud (US) Region share an email address. AWS Control Tower cannot verify account email addresses independently in AWS GovCloud (US) Regions.
+  **Control changes** 

  Certain controls include functionality that has no effect in AWS GovCloud (US) Regions, based on other underlying differences. No error messages are reported for the differences in control functionality. These controls include:
  +  [Disallow cross-region networking for Amazon EC2](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#prevent-cross-region-networking) 
  +  [Disallow delete actions on Amazon S3 buckets without MFA](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-guardrails.html#disallow-s3-delete-mfa) 
  +  [Disallow changes to replication configuration for Amazon S3 buckets](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-guardrails.html#disallow-s3-ccr) 
  +  [Disallow creation of access keys for the root user](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-guardrails.html#disallow-root-access-keys) 
  +  [Disallow actions as a root user](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-guardrails.html#disallow-root-auser-actions) 
  +  [Disallow the specified actions except in Regions with status Governed by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-guardrails.html#primary-region-deny-policy) 
+  **Marketplace** 

  The Marketplace link in the left navigation of the AWS Control Tower console is not available in AWS GovCloud (US) Regions.
+  **Security Hub CSPM controls** 

  Some controls in the Security Hub CSPM standard named **Service-Managed Standard: AWS Control Tower** are not supported in AWS GovCloud (US) Regions. For a complete list of these controls by Region, see [Security Hub CSPM](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ash.html).
+  **AWS Control Tower Account Factory for Terraform (AFT)** cannot be deployed by new AFT customers in AWS GovCloud (US) Regions, because AWS CodeStar Connections is not available to connect to a third-party version control system (VCS).
+  **Resource control policy (RCP) controls** are not available in AWS GovCloud (US) Regions.
+  **Preventive and detective controls that support digital sovereignty** 

  Preventive and detective controls, including enhanced Region deny capabilities, are available to help meet digital sovereignty requirements. These controls can detect resource changes for data residency, granular access restriction, encryption, and resiliency capabilities. View these controls under a digital sovereignty group in the AWS Control Tower console. For more information, see [Digital sovereignty controls](https://docs.aws.amazon.com/controltower/latest/userguide/digital-sovereignty-controls.html).
+  **OU Region deny control** 

  The preventive control `CT.MULTISERVICE.PV.1`, commonly called the **OU Region deny** control, is available in AWS GovCloud (US) Regions. It allows you to deny access to any of the AWS GovCloud (US) Regions.
+  **Support for FedRAMP Levels 4 and 5** 

   AWS Control Tower is authorized for Department of Defense Cloud Computing Security Requirements Guide Impact Levels 4 and 5 (DoD SRG IL4 and IL5) in the AWS GovCloud (US-East and US-West) Regions.

  This capability builds on the existing FedRAMP High categorization level, as well as numerous compliance programs and standards, including HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry – Data Security Standard), ISO (International Organization for Standardization), and SOC 1, 2, and 3 (System and Organization Controls). To learn more, visit the AWS Control Tower homepage or see the [AWS Control Tower User Guide](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html).
+  **Certain API permissions unavailable** 

  If your workload operates in AWS and AWS GovCloud (US) Regions, you may notice a difference in behavior, for the same policy. The `controltower:EnableGuardrail` and `controltower:DisableGuardrail` permissions don’t exist in AWS GovCloud (US) Regions, and so they won’t have any effect in your policies. Use `controltower:EnableControl` and `controltower:DisableControl` permissions instead to control access to **EnableControl** and **DisableControl** APIs.
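
The check below is an added example, not AWS code. It scans an IAM policy document for statements whose `Action` patterns cover `controltower:EnableGuardrail` or `controltower:DisableGuardrail` without also covering the matching `EnableControl` or `DisableControl` action, which is where an Allow or a Deny silently does nothing in AWS GovCloud (US) Regions. The function names and the sample policy are constructed for illustration.

```python
import re

# Permission names as stated on this page: the *Guardrail actions do not exist
# in AWS GovCloud (US) Regions; the *Control actions are the ones to use.
REPLACEMENTS = {
    "controltower:EnableGuardrail": "controltower:EnableControl",
    "controltower:DisableGuardrail": "controltower:DisableControl",
}


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' is any run, '?' is one char."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def as_list(value):
    """Policy elements may hold a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_govcloud_noops(policy: dict) -> list:
    """Flag statements that cover a *Guardrail action but not its replacement.

    Only the Action element is inspected; NotAction is out of scope here.
    """
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        patterns = as_list(stmt.get("Action"))
        for legacy, current in REPLACEMENTS.items():
            covers_legacy = any(action_matches(p, legacy) for p in patterns)
            covers_current = any(action_matches(p, current) for p in patterns)
            if covers_legacy and not covers_current:
                findings.append({
                    "statement": stmt.get("Sid", index),
                    "effect": stmt.get("Effect"),
                    "no_effect": legacy,
                    "use_instead": current,
                })
    return findings


# Constructed sample policy (not taken from AWS documentation).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEnable", "Effect": "Allow",
         "Action": "controltower:EnableGuardrail", "Resource": "*"},
        # A Deny written only against the *Guardrail names blocks nothing here.
        {"Sid": "DenyChanges", "Effect": "Deny",
         "Action": ["controltower:*Guardrail"], "Resource": "*"},
        # Listing both names keeps the statement effective in both partitions.
        {"Sid": "BothNames", "Effect": "Allow",
         "Action": ["controltower:DisableGuardrail",
                    "controltower:disablecontrol"], "Resource": "*"},
        # A prefix wildcard already covers EnableControl.
        {"Sid": "Wildcard", "Effect": "Allow",
         "Action": "controltower:Enable*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in find_govcloud_noops(SAMPLE_POLICY):
        print(f"{finding['statement']} ({finding['effect']}): "
              f"{finding['no_effect']} has no effect, "
              f"add {finding['use_instead']}")
```

A finding on a `Deny` statement deserves the most attention, because the restriction the policy author intended is absent in AWS GovCloud (US) Regions without any error being reported.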

## Creating your accounts
<a name="create-account-127"></a>

 AWS Control Tower must be set up in the commercial Region before you can sign in to the AWS Control Tower management account to create AWS Control Tower accounts in AWS GovCloud (US).

When you create an account in the AWS GovCloud (US) Regions from AWS Control Tower, an associated account in the commercial Region is automatically created for billing and support purposes. The account in the commercial Region and the account in the AWS GovCloud (US) Regions are linked.

The account in the commercial Region is automatically a member of the organization whose credentials made the request, but the account in the AWS GovCloud (US) Regions is a standalone account until you invite it to an organization in that same Region.

Before creating accounts in the AWS GovCloud (US) Regions from AWS Control Tower, make sure that you meet specific U.S. regulatory requirements as described in [Signing Up for AWS GovCloud (US).](https://docs.aws.amazon.com//govcloud-us/latest/ug-west/getting-started-sign-up.html) 

For more information about getting started with AWS GovCloud (US) see [AWS GovCloud (US) Sign Up](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-sign-up.html).

**To create an account in the AWS GovCloud (US) Regions from AWS Control Tower**

1. From the management account of your organization in the commercial Region, sign in and authenticate to the AWS Control Tower console at [https://console.aws.amazon.com/controltower](https://console.aws.amazon.com/organizations) 

1. While signed into your management account in a commercial Region, with AWS CloudShell, or by means of a CLI script, you can call the [CreateGovCloudAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html) API action.

1. Go to your AWS GovCloud (US) Region and invite the new standalone account to an organization.

**Accounts and roles are created as follows**
+ An account is created in the commercial Region and it automatically is a member of the organization whose credentials made the request.
+ A role is created in the new account in the commercial Region, which the management account in this same Region can assume.
+ The account in the AWS GovCloud (US) Regions is created, and it links to the associated account that was created at the same time in the commercial Region.
+ The account in the AWS GovCloud (US) Regions is a standalone account. It is not yet a member of an organization.
+ The AWS GovCloud (US) account, which is linked to the management account in the commercial Region, can assume the role that is created during setup of that AWS GovCloud (US) account.

## Inviting accounts to an organization
<a name="inviting-accounts-128"></a>

After creating a standalone account in the AWS GovCloud (US) Regions, you can invite it to an organization in the AWS GovCloud (US) Regions. You cannot invite accounts in the AWS GovCloud (US) Regions to organizations in other AWS Regions.

The following diagram shows how account access works, so that you can invite standalone accounts in the AWS GovCloud (US) Regions to an organization in the same Region.

![\[Diagram showing AWS Standard and GovCloud(US) regions with account pairing and IAM role access.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/GovCloud-account-access.png)


**Example: Account 1 invites Account 2 in the AWS GovCloud (US) Regions to an organization**

1. In this example, **AWS GovCloud (US) Account 1** is the AWS GovCloud (US) account that’s associated with the management account of your organization in the commercial Region. **AWS GovCloud (US) Account 2** is going to become a member account in the organization of **AWS GovCloud (US) Account 1**.
   + Sign into **AWS GovCloud (US) Account 1**. Assume the administrative role of the AWS GovCloud (US) account you just created in the AWS GovCloud (US) Regions.
   + Send an invitation to **Account 2**. Sign out of **Account 1**.
   + Sign into and assume the IAM role that was created in **AWS GovCloud (US) Account 2**.
   + Accept the invitation.

1. Alternatively, another **AWS GovCloud (US) Account 2** user can sign into **Account 2** with the IAM user credentials you provided, then view and accept the invitation.

For more information, see the procedure described in [Sending Invitations to AWS Accounts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html#orgs_manage_accounts_invite-account) in the [AWS Organizations User Guide](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_introduction.html) to invite the account in the AWS GovCloud (US) Regions to the AWS GovCloud (US) organization.
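
The account creation procedure and the invitation example above can be scripted as follows. This is an added example, not AWS code: it uses the boto3 Organizations and STS clients, and the profile names, email address, account name and helper function names are assumptions chosen for illustration.

```python
import time

# Role name Organizations uses when RoleName is not specified.
DEFAULT_ROLE = "OrganizationAccountAccessRole"


def create_govcloud_pair(commercial_org, email, account_name,
                         role_name=DEFAULT_ROLE, poll_seconds=15, max_polls=40):
    """Call CreateGovCloudAccount from the commercial management account and
    wait for completion. Returns the linked commercial and GovCloud IDs.

    Account names and email addresses are metadata and must not contain
    export-controlled data.
    """
    status = commercial_org.create_gov_cloud_account(
        Email=email, AccountName=account_name, RoleName=role_name
    )["CreateAccountStatus"]
    for _ in range(max_polls):
        if status["State"] != "IN_PROGRESS":
            break
        time.sleep(poll_seconds)
        status = commercial_org.describe_create_account_status(
            CreateAccountRequestId=status["Id"]
        )["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        reason = status.get("FailureReason", "timed out")
        raise RuntimeError(f"account creation {status['State']}: {reason}")
    return {
        "commercial_account_id": status["AccountId"],
        "govcloud_account_id": status["GovCloudAccountId"],
    }


def invite_and_accept(govcloud_org, govcloud_sts, govcloud_account_id,
                      make_org_client, role_name=DEFAULT_ROLE):
    """From GovCloud Account 1, invite the standalone account, then assume
    the role created in that account and accept the invitation."""
    handshake = govcloud_org.invite_account_to_organization(
        Target={"Id": govcloud_account_id, "Type": "ACCOUNT"}
    )["Handshake"]
    creds = govcloud_sts.assume_role(
        # GovCloud ARNs use the aws-us-gov partition.
        RoleArn=f"arn:aws-us-gov:iam::{govcloud_account_id}:role/{role_name}",
        RoleSessionName="accept-org-invitation",
    )["Credentials"]
    member_org = make_org_client(creds)
    accepted = member_org.accept_handshake(HandshakeId=handshake["Id"])
    return accepted["Handshake"]["State"]


def main():
    import boto3  # imported here so the functions above can be tested offline

    # Assumed profile names: one for the commercial management account, one
    # for the GovCloud account associated with it.
    commercial = boto3.Session(profile_name="commercial-mgmt",
                               region_name="us-east-1")
    gov = boto3.Session(profile_name="govcloud-mgmt",
                        region_name="us-gov-west-1")

    ids = create_govcloud_pair(commercial.client("organizations"),
                               "log-archive@example.com", "gov-log-archive")

    def member_org_client(creds):
        return boto3.client(
            "organizations", region_name="us-gov-west-1",
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"],
        )

    state = invite_and_accept(gov.client("organizations"), gov.client("sts"),
                              ids["govcloud_account_id"], member_org_client)
    print(ids, state)


if __name__ == "__main__":
    main()
```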

## Setting up your landing zone
<a name="govcloud-landing-zone-setup-overview"></a>

Here’s an overview and a recommended sequence of steps for setting up an AWS Control Tower landing zone in AWS GovCloud (US) Regions. It is slightly different than the process for commercial Regions, because of the way you must create accounts.

**AWS Control Tower setup process overview**

1.  **In the commercial Region**: Create the two AWS accounts you’ll require in AWS GovCloud (US), which will become log archive and audit accounts for your AWS GovCloud (US) organization.

1.  **In the AWS GovCloud (US) home Region**: Create an organization in your AWS GovCloud (US) home Region, or choose which organization and Region you’ll require for your AWS Control Tower landing zone. In AWS GovCloud (US) Regions, you can deploy AWS Control Tower in an existing AWS GovCloud (US) organization.

1.  **In the AWS GovCloud (US) home Region**: Invite the two new accounts into your selected AWS GovCloud (US) organization. Go to those accounts and accept the invitations.

1.  **In the AWS GovCloud (US) home Region**: Follow the procedure to set up AWS Control Tower in an existing organization. Specify the two existing accounts, which you’ve already created in the first step and just invited to your organization, as your audit and log archive accounts.

1.  **In the AWS GovCloud (US) home Region**: Use AWS Control Tower to set up OUs in your landing zone, for your AWS Control Tower workloads in AWS GovCloud (US) Regions. (Use AWS Organizations to set up any other required organizations. AWS Control Tower supports one landing zone per organization.)

1.  **In the commercial Region**: Create the necessary member accounts to run your AWS GovCloud (US) Regions workloads.

1.  **In the AWS GovCloud (US) home Region**: Invite each account that you created in the previous step into its proper organization and OU, presumably into the organization in which you have already set up the AWS Control Tower landing zone.

After you’ve performed these tasks, it’s a good idea to check the guardrails (also called controls) that are enabled on your OUs, and apply any optional controls that are applicable to your business requirements.

## Documentation for AWS Control Tower
<a name="govcloud-docs-74"></a>

 [AWS Control Tower documentation](https://docs.aws.amazon.com/controltower/index.html).

## Export-controlled content
<a name="govcloud-itar-content-113"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ AWS Control Tower metadata is not permitted to contain export-controlled data. This metadata includes all of the configuration data that you enter when creating and maintaining your AWS Control Tower landing zone and AWS accounts, including AWS account names and email addresses, or Organizational Unit names.

# AWS Database Migration Service in AWS GovCloud (US)
<a name="govcloud-dms"></a>

## How AWS Database Migration Service differs for AWS GovCloud (US)
<a name="govcloud-dms-diffs"></a>
+  AWS DMS Schema Conversion is not available.

## Documentation for AWS Database Migration Service
<a name="govcloud-dms-docs"></a>

 [AWS Database Migration Service documentation](https://aws.amazon.com/documentation/dms/).

## Export-controlled content
<a name="govcloud-dms-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS DataSync in AWS GovCloud (US)
<a name="govcloud-dsy"></a>

 DataSync is a data transfer service that makes it easy for you to automate moving data between on-premises storage and Amazon S3, Amazon Elastic File System (Amazon EFS), or Amazon FSx. DataSync automatically handles many of the tasks related to data transfers that can slow down migrations or burden your IT operations, including running your own instances, handling encryption, managing scripts, network optimization, and data integrity validation. You can use DataSync to transfer data at speeds up to 10 times faster than open-source tools. DataSync uses an on-premises software agent to connect to your existing storage or file systems using the Network File System (NFS) protocol, so you don’t have to write scripts or modify your applications to work with AWS APIs. You can use DataSync to copy data over AWS Direct Connect or internet links to AWS. The service enables one-time data migrations, recurring data processing workflows, and automated replication for data protection and recovery. Deploy the DataSync agent on premises, connect it to a file system or storage array, select Amazon EFS, Amazon S3, or Amazon FSx as your AWS storage, and start moving data. You pay only for the data you copy.

## How AWS DataSync differs for AWS GovCloud (US)
<a name="govcloud-dsy-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for AWS DataSync
<a name="govcloud-dsy-docs"></a>

 [AWS DataSync documentation](https://docs.aws.amazon.com/datasync/latest/userguide/what-is-datasync.html).

## Export-controlled content
<a name="govcloud-dsy-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Deep Learning AMIs in AWS GovCloud (US)
<a name="govcloud-deeplearningamis"></a>

AWS Deep Learning AMIs empower machine learning practitioners and researchers with the cutting-edge infrastructure and tools to accelerate deep learning and artificial intelligence in the cloud, at any scale. With just a few clicks, you can launch Amazon EC2 instances pre-installed with the latest popular deep learning frameworks like TensorFlow and PyTorch and leverage these state-of-the-art frameworks to train sophisticated, custom AI models, experiment with groundbreaking new algorithms, and continuously enhance your deep learning skills and techniques.

## How AWS Deep Learning AMIs differs for AWS GovCloud (US)
<a name="govcloud-dlami-diffs"></a>

Only the following DLAMIs are available in the GovCloud Regions:

### Base DLAMI
<a name="release-notes-ami-base"></a>

 **GPU** 
+  **X86** 
  +  [AWS Deep Learning Base AMI (Amazon Linux 2)](https://aws.amazon.com/releasenotes/aws-deep-learning-base-ami-amazon-linux-2) 

### Multi-framework DLAMI
<a name="release-notes-ami-multi"></a>

 **GPU** 
+  **X86** 
  +  [AWS Deep Learning AMI (Amazon Linux 2)](https://aws.amazon.com/releasenotes/aws-deep-learning-ami-amazon-linux-2) 

## Documentation for AWS Deep Learning AMIs
<a name="govcloud-dlami-docs"></a>

 [AWS Deep Learning AMIs documentation](https://aws.amazon.com/documentation/dlami/).

## Export-controlled content
<a name="govcloud-deeplearningamis-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Direct Connect in AWS GovCloud (US)
<a name="govcloud-dc"></a>

AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 gigabit, 10 gigabit, 100 gigabit, or 400 gigabit Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to an AWS Direct Connect router. With this connection in place, you can create virtual interfaces directly to the AWS cloud and Amazon Virtual Private Cloud, bypassing Internet service providers in your network path.

## How Direct Connect differs for AWS GovCloud (US)
<a name="govcloud-awsdc-diffs"></a>
+ Using the Direct Connect Gateway, connectivity from any Direct Connect location can be established into either or both AWS GovCloud (US) locations. For more information, see https://aws.amazon.com/blogs/publicsector/aws-hybrid-connectivity-sharing-aws-direct-connect-aws-govcloud-us-commercial-regions/
+  Direct Connect Gateway is supported between an AWS GovCloud (US) account and a linked standard/commercial AWS account. From your AWS GovCloud (US) account, you can associate a virtual private gateway with a Direct Connect gateway that exists in the linked commercial/standard AWS account.
+  Direct Connect Partners do not support Hosted connections to AWS GovCloud (US) Account IDs. When ordering connections through a Direct Connect Partner for a hosted connection, use the commercial account ID.
+ To set up a Direct Connect connection to AWS GovCloud (US) Regions, you must use the [AWS GovCloud (US) console](https://console.amazonaws-us-gov.com/directconnect/) and the AWS GovCloud (US) credentials associated with your AWS GovCloud (US) account. For instructions about how to provision and configure Direct Connect, see the [AWS Direct Connect User Guide](https://docs.aws.amazon.com/directconnect/latest/UserGuide/).
+ Alternatively, you can set up a Direct Connect connection in a different Region and connect to AWS GovCloud (US) Regions using a public virtual interface and a VPN connection. For more information, see [Setting up Direct Connect with a VPN Connection](#setup-direct-connect).
+ When you create a public virtual interface on your Direct Connect connection [associated with any standard Region or AWS GovCloud (US) Region](https://aws.amazon.com/directconnect/locations/), a data path to AWS GovCloud (US) is made available. Public virtual interfaces on Direct Connect connections associated with an AWS China Region do not have a data path to AWS GovCloud (US).
+ To access your VPC without using an Amazon VPC VPN (for non-export uses), create a Direct Connect private virtual interface in AWS GovCloud (US) Regions (us-gov-west-1) only, or create a Direct Connect gateway and use any Direct Connect connection from any Direct Connect location.
+ An AWS Direct Connect gateway is supported between an AWS GovCloud (US) account and a linked public AWS account. From your AWS GovCloud (US) account, you can associate a virtual private gateway with an AWS Direct Connect gateway that’s in the linked account.
+ Use the Amazon VPC section of the AWS GovCloud (US) console to set up hardware VPN access to AWS GovCloud (US) Regions over a public virtual interface.
+ If you are processing export-controlled workloads, you must configure your Direct Connect connection with a VPN to encrypt data in transit. For detailed instructions about how to create your VPC and VPN, see [Adding a Hardware Virtual Private Gateway to Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_VPN.html) in the Amazon VPC User Guide. For instructions about how to configure your on-premises VPN hardware, see the [AWS Site-to-Site VPN Network Administrator Guide](https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html).

## Documentation for Direct Connect
<a name="govcloud-awsdc-docs"></a>

 [Direct Connect documentation](https://docs.aws.amazon.com/directconnect/index.html?id=docs_gateway#).

## Export-controlled content
<a name="dc-itar-boundary"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Direct Connect metadata is not permitted to contain export-controlled data. This metadata includes all of the configuration data that you enter when creating and maintaining Direct Connect, such as connection names.
+ Do not enter export-controlled data in the following console fields:
  + Connection Name
  + VIF Name

## Setting up Direct Connect with a VPN Connection
<a name="setup-direct-connect"></a>

You can create a Direct Connect connection in a different Region and use a VPN on top of the connection to encrypt all data in transit from your AWS GovCloud (US-West) virtual private cloud (VPC) to your own network.

### Step 1: Create a Direct Connect Connection and Virtual Interface
<a name="dc"></a>

To provision a connection and public virtual interface, follow the steps in [Getting Started with AWS Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/getting_started.html) in the Direct Connect User Guide and ensure that you do the following:
+ Submit a connection request at a location in any other supported Region.
+ Create a public virtual interface (not a private virtual interface).

### Step 2: Verify Your Virtual Public Interface
<a name="verify-dc"></a>

After you have established virtual public interfaces to the AWS GovCloud (US-West) Region, verify your virtual public interface connection to the AWS GovCloud (US-West) Region by running a traceroute from your on-premises router and verifying that the Direct Connect identifier is in the network trace.

### Step 3: Set Up Your VPN Over Your Public Virtual Interface
<a name="setup-dc"></a>

Create your AWS GovCloud (US-West) VPC and VPN. For detailed instructions on how to create your VPC and VPN, see [Adding a Hardware Virtual Private Gateway to Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_VPN.html) in the Amazon Virtual Private Cloud User Guide. For instructions on how to configure your on-premises VPN hardware, see [Amazon Virtual Private Cloud Network Administrator Guide.](https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html) 

# AWS Directory Service in AWS GovCloud (US)
<a name="govcloud-ds"></a>

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use standard Active Directory administration tools and take advantage of built-in Active Directory features, such as Group Policy and single sign-on (SSO). With AWS Managed Microsoft AD, you can easily join Amazon EC2 and Amazon RDS for SQL Server instances to your domain, and use AWS Enterprise IT applications such as Amazon WorkSpaces with Active Directory users and groups.

## How AWS Directory Service differs for AWS GovCloud (US)
<a name="govcloud-ds-diffs"></a>

The following list details the differences for using this service in AWS GovCloud (US) Regions compared to other AWS Regions:
+ Only AWS Managed Microsoft AD and AD Connector directory types are supported by AWS Directory Service.
+ The following directory types are not supported:
  +  Simple AD 
  +  Amazon Cloud Directory 
+ The following AWS apps and services are not currently supported by AWS Directory Service:
  +  Amazon WorkDocs 
  +  Amazon WorkMail 
  +  Amazon Chime 
  +  AWS Management Console 
  +  Amazon Connect is only available in AWS GovCloud (US-West).
  +  AWS IAM Identity Center 
+ The following AWS Managed Microsoft AD features are not currently supported in AWS GovCloud (US):
  + Directory sharing with other AWS accounts 
  +  AWS Managed Microsoft AD (Hybrid Edition)
+ Only signature version 4 signing is supported.
+ You can use the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/) to interact with AWS Directory Service and other AWS services through the command line. For more information, see [AWS CLI](https://docs.aws.amazon.com/cli/index.html) documentation.
**Note**  
If you are using the Amazon Linux AMI, the AWS CLI is already installed and configured.
+ To connect to AWS Directory Service by using the command line or APIs, use the following [endpoints](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html):
  + https://ds-fips.us-gov-west-1.amazonaws.com
  + https://ds.us-gov-west-1.amazonaws.com
  + https://ds-fips.us-gov-east-1.amazonaws.com
  + https://ds.us-gov-east-1.amazonaws.com
+ Automatic DNS forwarding is not enabled by default and must be configured.
+ The Directory Service Data API is not available.

## Documentation for AWS Directory Service
<a name="govcloud-ds-docs"></a>

 [AWS Directory Service documentation](https://docs.aws.amazon.com/directory-service/index.html).

## Export-controlled content
<a name="govcloud-ds-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  AWS Directory Service metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your AWS Directory Service directory except passwords.

  Do not enter export-controlled data in the following console fields:
  + Directory aliases
  + Directory description
  + Directory DNS name
  + NetBIOS name
  + Manual snapshot name
  + Resource tags
  + Description of schema extensions

# AWS Elastic Beanstalk in AWS GovCloud (US)
<a name="govcloud-beanstalk"></a>

With AWS Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management complexity without restricting choice or control. You simply upload your application, and AWS Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring.

## How AWS Elastic Beanstalk differs for AWS GovCloud (US)
<a name="govcloud-aeb-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for AWS Elastic Beanstalk
<a name="govcloud-aeb-docs"></a>

 [AWS Elastic Beanstalk documentation](https://aws.amazon.com/documentation/elastic-beanstalk/).

## Export-controlled content
<a name="govcloud-beanstalk-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ The following AWS Elastic Beanstalk metadata fields:
  + Application Name
  + Environment Name
  + Option Settings

# AWS Elastic Disaster Recovery in AWS GovCloud (US)
<a name="govcloud-drs"></a>

AWS Elastic Disaster Recovery minimizes downtime and data loss with fast, reliable recovery of on-premises and cloud-based applications using affordable storage, minimal compute, and point-in-time recovery.

## How AWS Elastic Disaster Recovery differs for AWS GovCloud (US)
<a name="govcloud-diffs"></a>
+ In AWS GovCloud (US) Regions, you must launch all Amazon EC2 instances for recovery, drill, failback and AWS Elastic Disaster Recovery service resources in an Amazon Virtual Private Cloud (Amazon VPC). In some cases, your account might have a default VPC; otherwise, you must create a VPC before launching instances or setting up the AWS Elastic Disaster Recovery staging area.
+ Use SSL (HTTPS) or Federal Information Processing System (FIPS) protocols when you make calls to the service in the AWS GovCloud (US) Regions (us-gov-west-1, us-gov-east-1). In other AWS Regions, you can use HTTP or HTTPS.
+ Cross-Partition failback features between commercial and AWS GovCloud (US) partitions are not supported. Cross-Region failback features within the AWS GovCloud (US) partition are available between AWS GovCloud (US) Regions (us-gov-west-1 and us-gov-east-1).
+ AWS Elastic Disaster Recovery source servers can only be extended to other GovCloud AWS accounts when using multiple staging accounts.
+ AWS Elastic Disaster Recovery trusted account features are only supported between other GovCloud AWS accounts.
+ The Provisioned IOPS SSD (io2) EBS volume type is not available in the AWS GovCloud (US) Regions.
+ AWS Elastic Disaster Recovery leverages the following AWS services in AWS GovCloud (US). Please refer to the individual service for GovCloud differentiators:
  +  [Amazon EC2](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ec2.html) 
  +  [AWS Key Management Service](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-kms.html) 
  +  [Amazon EBS](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ebs.html) 
  +  [Amazon VPC](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-vpc.html) 
  +  [AWS Direct Connect](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-dc.html) 
  +  [AWS Site-to-Site VPN](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-vpn.html) 
  +  [AWS Systems Manager](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ssm.html) 
  +  [CloudWatch](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-cw.html) 

## Documentation for AWS Elastic Disaster Recovery
<a name="govcloud-docs"></a>

 [AWS Elastic Disaster Recovery documentation](https://docs.aws.amazon.com/drs/latest/userguide/what-is-drs.html).

## Determining if your account has a default Amazon VPC
<a name="govcloud-drs-vpc"></a>

In AWS GovCloud (US) Regions, you must launch all Amazon EC2 instances in an Amazon Virtual Private Cloud (Amazon VPC). In some cases, your account might have a default VPC, where you launch all your Amazon EC2 instances. If your account doesn’t have a default VPC, you must create a VPC before you can launch Amazon EC2 instances. For more information, see [What is Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) in the Amazon VPC User Guide.

If you don’t want a default VPC for your AWS Elastic Disaster Recovery account in AWS GovCloud (US), you can delete the default VPC and default subnets. The default VPC and subnets will not be recreated. However, you still need to create a VPC before launching instances.

If you deleted your default VPC, you can create a new one. For more information, see [Creating a Default VPC](https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html#create-default-vpc).

## Export-controlled content
<a name="govcloud-itar-content"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Amazon EC2 metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your AWS Elastic Disaster Recovery source servers.
+ Do not enter export-controlled data in the following fields:
  + Source server names
  + Key and Value of Tags associated with your resources.
  + Name and Description of Security Groups and Security Group Rules
  + Refer to AWS Elastic Disaster Recovery leveraged AWS services for service-specific export-controlled data fields.

# AWS Elemental MediaConvert in AWS GovCloud (US)
<a name="govcloud-mediaconvert"></a>

This service is currently available in AWS GovCloud (US-West) only.

AWS Elemental MediaConvert is a file-based video processing service that provides scalable video processing for content owners and distributors with media libraries of any size. MediaConvert offers advanced features that enable premium content experiences.

## How AWS Elemental MediaConvert differs for AWS GovCloud (US)
<a name="govcloud-emc-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for AWS Elemental MediaConvert
<a name="govcloud-emc-docs"></a>

 [AWS Elemental MediaConvert documentation](https://docs.aws.amazon.com/mediaconvert/latest/ug/what-is.html).

## Export-controlled content
<a name="govcloud-mediconvert-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS End User Messaging in AWS GovCloud (US)
<a name="govcloud-eum"></a>

 AWS End User Messaging is an AWS service that you can use to engage with your customers across multiple messaging channels. You can use AWS End User Messaging to send push notifications, SMS text messages, and voice messages.

## How AWS End User Messaging differs for AWS GovCloud (US)
<a name="govcloud-eum-diffs"></a>

 AWS End User Messaging SMS and Voice V2 API
+ Text to voice messages are only supported in AWS GovCloud (US-West).

## Documentation for AWS End User Messaging
<a name="govcloud-eum-docs"></a>

 AWS End User Messaging SMS [documentation](https://docs.aws.amazon.com/sms-voice/latest/userguide/what-is-service.html), AWS End User Messaging SMS and voice v2 API [documentation](https://docs.aws.amazon.com/pinpoint/latest/apireference_smsvoicev2/index.html), and AWS End User Messaging Push [documentation](https://docs.aws.amazon.com/push-notifications/latest/userguide/what-is-service.html).

## Export-controlled content
<a name="govcloud-eum-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Customer user cases
+ Do not enter export-controlled data in the following fields:
  + Registrations

# AWS Fargate in AWS GovCloud (US)
<a name="govcloud-fargate"></a>

AWS Fargate is a compute engine for Amazon ECS that lets you run containers in production without deploying or managing servers. Fargate lets you focus on designing and building your applications instead of managing the infrastructure that runs them.

## How AWS Fargate differs for AWS GovCloud (US)
<a name="govcloud-fargate-diffs"></a>
+ Amazon EKS on Fargate is not available in AWS GovCloud (US).

## Documentation for AWS Fargate
<a name="govcloud-fargate-docs"></a>

 [Amazon ECS User Guide for AWS Fargate documentation](https://docs.aws.amazon.com/AmazonECS/latest/userguide/Welcome.html).

## Export-controlled content
<a name="fargate-itar-boundary"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Fault Injection Service in AWS GovCloud (US)
<a name="govcloud-fis"></a>

AWS Fault Injection Service (AWS FIS) is a managed service that enables you to perform fault injection experiments on your AWS workloads. Fault injection is based on the principles of chaos engineering. These experiments stress an application by creating disruptive events so that you can observe how your application responds. You can then use this information to improve the performance and resiliency of your applications so that they behave as expected.

## How AWS Fault Injection Service differs for AWS GovCloud (US)
<a name="govcloud-diffs-41"></a>
+ The AWS FIS Experiment Schedule feature is not available in AWS GovCloud (US).
+  AWS FIS experiment report configuration is not supported in AWS GovCloud (US).

## Documentation for AWS Fault Injection Service
<a name="govcloud-docs-80"></a>

 [AWS Fault Injection Service documentation](https://docs.aws.amazon.com/fis/latest/userguide/what-is.html).

## Export-controlled content
<a name="govcloud-itar-content-119"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.

 AWS Fault Injection Service metadata is not permitted to contain export-controlled data. This metadata includes:
+ Experiment templates
+ Experiment tags

# AWS Firewall Manager in AWS GovCloud (US)
<a name="govcloud-fms"></a>

AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for AWS WAF, AWS Shield Advanced, Amazon VPC security groups, and AWS Network Firewall. With Firewall Manager, you set up your AWS WAF firewall rules, Shield Advanced protections, Amazon VPC security groups, Network Firewall firewalls, and DNS Firewall rule group associations just once. The service automatically applies the rules and protections across your accounts and resources, even as you add new resources.

## How AWS Firewall Manager differs for AWS GovCloud (US)
<a name="govcloud-diffs-28"></a>
+  AWS Marketplace managed rule groups for AWS WAF cannot be used with Firewall Manager security policies in AWS GovCloud (US). Managed rule groups are collections of predefined, ready-to-use rules that AWS and AWS Marketplace sellers write and maintain for you. AWS managed rule groups are provided free of charge with AWS WAF and are available for use in AWS GovCloud (US) with Firewall Manager security policies. AWS Marketplace rule groups are provided for subscription by AWS Marketplace sellers and aren’t available for use in AWS GovCloud (US) with Firewall Manager.
+  Firewall Manager security policies for AWS WAF cannot be enabled on Amazon CloudFront distributions in AWS GovCloud (US).
+  Firewall Manager does not support AWS Shield Advanced or AWS WAF Classic.

## Documentation for AWS Firewall Manager
<a name="govcloud-docs-67"></a>

 [AWS Firewall Manager documentation](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html).

## Export-controlled content
<a name="govcloud-itar-content-106"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ AWS Firewall Manager metadata is not permitted to contain export-controlled data. For example, do not enter export-controlled data into user input fields such as the following:
  + Firewall Manager policy name
  + Resource Tag/Key values

# AWS Glue in AWS GovCloud (US)
<a name="govcloud-glue"></a>

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. You can create and run an ETL job with a few clicks in the AWS Management Console. You simply point AWS Glue to your data stored on AWS, and AWS Glue discovers your data and stores the associated metadata (e.g. table definition and schema) in the AWS Glue Data Catalog. Once cataloged, your data is immediately searchable, queryable, and available for ETL.

## How AWS Glue Differs for AWS GovCloud (US)
<a name="w132aac16d174b5"></a>


| Feature | AWS GovCloud (US-West) | AWS GovCloud (US-East) | 
| --- | --- | --- | 
|   **Version Support**   |  |  | 
|   [AWS Glue Version 3.0](https://docs.aws.amazon.com/glue/latest/dg/migrating-version-30.html)   |  Yes  |  Yes  | 
|   [AWS Glue Version 4.0](https://docs.aws.amazon.com/glue/latest/dg/migrating-version-40.html)   |  Yes  |  Yes  | 
|   [AWS Glue Version 5.0](https://docs.aws.amazon.com/glue/latest/dg/migrating-version-50.html)   |  Yes. However, the following features are not supported: Connection v2 support for DB connectors, Amazon SageMaker AI Unified Studio, Amazon SageMaker AI Lakehouse, and Data Lineage  |  Yes. However, the following features are not supported: Connection v2 support for DB connectors, Amazon SageMaker AI Unified Studio, Amazon SageMaker AI Lakehouse, and Data Lineage  | 
|   **Workers**   |  |  | 
|   [G1/G2 workers](https://docs.aws.amazon.com/glue/latest/dg/add-job.html)   |  Yes  |  Yes  | 
|   [G4/G8 workers](https://docs.aws.amazon.com/glue/latest/dg/add-job.html)   |  No  |  No  | 
|   **Data Catalog Features**   |  |  | 
|   [Crawlers](https://docs.aws.amazon.com/glue/latest/dg/add-crawler.html)   |  Yes  |  Yes  | 
|   [Transactional Table Optimization](https://docs.aws.amazon.com/glue/latest/dg/populate-otf.html)   |  No  |  No  | 
|   [Statistics for performance optimization](https://docs.aws.amazon.com/glue/latest/dg/column-statistics.html)   |  No  |  No  | 
|   **AWS Glue ETL Features**   |  |  | 
|   [Connectors](https://docs.aws.amazon.com/glue/latest/dg/glue-connections.html)   |  Yes. However, the following connectors are unavailable: Facebook Ads, Google Ads, Google Analytics 4, Google Sheets, Hubspot, Instagram Ads, Intercom, Jira Cloud, Marketo, Oracle NetSuite, SAP OData, Salesforce Marketing Cloud, Salesforce Marketing Cloud Account Engagement, ServiceNow, Slack, Snapchat Ads, Stripe, Zendesk and Zoho CRM  |  Yes. However, the following connectors are unavailable: Facebook Ads, Google Ads, Google Analytics 4, Google Sheets, Hubspot, Instagram Ads, Intercom, Jira Cloud, Marketo, Oracle NetSuite, SAP OData, Salesforce Marketing Cloud, Salesforce Marketing Cloud Account Engagement, ServiceNow, Slack, Snapchat Ads, Stripe, Zendesk and Zoho CRM  | 
|  Connector Marketplace  |  No  |  No  | 
|   [Autoscaling](https://docs.aws.amazon.com/glue/latest/dg/auto-scaling.html)   |  Yes  |  Yes  | 
|   [Flex Execution](https://aws.amazon.com/blogs/big-data/introducing-aws-glue-flex-jobs-cost-savings-on-etl-workloads/)   |  No  |  No  | 
|   [AWS Glue Streaming](https://docs.aws.amazon.com/glue/latest/dg/streaming-chapter.html)   |  Yes  |  Yes  | 
|   [AWS Glue Studio](https://docs.aws.amazon.com/glue/latest/dg/author-job-glue.html)   |  Yes. However, does not support SparkUI  |  Yes. However, does not support Data Preview, AWS Glue data preparation experience, and SparkUI  | 
|   [AWS Glue DataBrew](https://docs.aws.amazon.com/databrew/latest/dg/what-is.html)   |  Yes  |  No  | 
|   [AWS Glue Studio Notebooks](https://docs.aws.amazon.com/glue/latest/dg/notebooks-chapter.html)   |  No  |  No  | 
|   [AWS Glue Interactive Sessions](https://docs.aws.amazon.com/glue/latest/dg/interactive-sessions-chapter.html)   |  Yes  |  No  | 
|   [Amazon Q Integration](https://docs.aws.amazon.com/glue/latest/dg/q.html)   |  No  |  No  | 
|   [AWS Glue Data Quality](https://docs.aws.amazon.com/glue/latest/dg/glue-data-quality.html)   |  Yes. However, Anomaly detection and Dynamic Rules are not available  |  Yes. However, Anomaly detection and Dynamic Rules are not available  | 
|   [AWS Glue Sensitive Data Detection](https://docs.aws.amazon.com/glue/latest/dg/detect-PII.html)   |  Yes  |  Yes  | 
|   [AWS Glue Workflows](https://docs.aws.amazon.com/glue/latest/dg/orchestrate-using-workflows.html)   |  Yes  |  No  | 

## Documentation for AWS Glue
<a name="govcloud-glue-docs"></a>

 [AWS Glue documentation](https://docs.aws.amazon.com/glue).

## Export-controlled content
<a name="govcloud-glue-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Health in AWS GovCloud (US)
<a name="govcloud-health"></a>

AWS Health provides ongoing visibility into the state of your AWS resources, services, and accounts. The service gives you awareness and remediation guidance for resource performance or availability issues that affect your applications running on AWS. AWS Health provides relevant and timely information to help you manage events in progress. AWS Health also helps you be aware of and prepare for planned activities. The service delivers alerts and notifications triggered by changes in the health of AWS resources, so that you get near-instant event visibility and guidance to help accelerate troubleshooting.

All customers can use the Health Dashboard, powered by the AWS Health API. The dashboard requires no setup, and it’s ready to use for authenticated AWS users.

Additionally, Support customers who have a Business or Enterprise support plan can use the AWS Health API to integrate with in-house and third-party systems.

## How AWS Health differs for AWS GovCloud (US)
<a name="govcloud-health-diffs"></a>
+ The Amazon EventBridge channel doesn’t send public events from the Service Health View of the Health Dashboard.
  + Instead, use the AWS Health API or Service Health View RSS feed to programmatically receive these events. Account specific events are accessible through the EventBridge endpoint.
+  AWS Health notifies you about planned lifecycle events and service changes that can affect resource availability. You won’t see the status on affected resources change in response to resolution.
  +  AWS Health may send periodic reminder notifications with an updated list of outstanding resources.
+ The AWS Health API is accessible through a single regional endpoint in `us-gov-west-1`, as opposed to a global endpoint with failover-capable regions behind it.
+ To enhance the reliability of AWS Health notifications, you can set up rules in the dedicated backup regions. The AWS GovCloud (US-West) Region acts as the backup region for AWS GovCloud (US-East) Region, and the AWS GovCloud (US-East) Region acts as the backup region for the AWS GovCloud (US-West) Region. When health events occur, they are automatically sent to both the primary region and its designated backup region. For example, if you’re monitoring events in the AWS GovCloud (US-West) Region, then any health events are delivered to both the AWS GovCloud (US-West) Region and the AWS GovCloud (US-East) Region. This system makes sure you continue receiving health notifications even if your primary region experiences issues. To create a backup rule, follow the procedure for [Configuring an EventBridge rule to send notifications about events in AWS Health](https://docs.aws.amazon.com/health/latest/ug/creating-event-bridge-events-rule-for-aws-health.html).
+ If you want to create an EventBridge integration with high availability, or if you prefer not to use backup functionality and want to add a filter to your backup region rule, see [Creating EventBridge rules for AWS Region coverage](https://docs.aws.amazon.com/health/latest/ug/choosing-a-region.html).
+ If you want to capture events from both AWS GovCloud (US-West) and AWS GovCloud (US-East) Regions but prefer to configure only a single rule, then you can use simplified integration. To receive all Health events from both Regions, you can set up a single rule in either the AWS GovCloud (US-West) Region or the AWS GovCloud (US-East) Region. However, you won’t have a high availability configuration.
+ Some AWS Health events are not Region-specific. Events that aren’t specific to a Region are called global events. These include events sent for AWS Identity and Access Management (IAM). To receive global events in AWS GovCloud (US), you must create a rule in the AWS GovCloud (US-West) Region.

## Documentation for AWS Health
<a name="govcloud-glue-docs-2"></a>

 [AWS Health documentation](https://docs.aws.amazon.com/health/index.html).

## Export-controlled content
<a name="govcloud-guardduty-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS IAM Identity Center in AWS GovCloud (US)
<a name="govcloud-sso"></a>

 IAM Identity Center is the AWS solution for connecting your workforce users to all of their AWS managed applications and AWS accounts. Users who have access to one or more AWS accounts can sign in to the AWS access portal and access AWS services by using the AWS Management Console or retrieve temporary credentials to access AWS services programmatically. You can connect your existing identity provider or create and manage your users directly in IAM Identity Center. For existing identity providers, automatic provisioning (synchronization) of user and group information from your identity provider into IAM Identity Center is supported.

## How IAM Identity Center differs for AWS GovCloud (US)
<a name="govcloud-diffs-20"></a>

The following list details the differences for using this service in the AWS GovCloud (US) Regions compared to other AWS Regions:
+  IAM Identity Center integrates with AWS Organizations to manage access across your AWS accounts, and therefore, IAM Identity Center is subject to any [AWS Organizations GovCloud differences](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-organizations.html).
+  IAM Identity Center supports dual-stack endpoints in AWS GovCloud (US) Regions. You can use either IPv4, IPv6, or dual-stack to access IAM Identity Center services and the AWS access portal.
+ To access the IAM Identity Center administrative console, the Software Development Kit (SDK), or the AWS Command Line Interface (CLI), use the Federal Information Processing Standards (FIPS) endpoints. For a list of all GovCloud AWS FIPS endpoints, see *AWS GovCloud (US)* in [FIPS Endpoints by Service](https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service).
+ The AWS access portal URL has an AWS GovCloud (US) URL pattern of `https://start.us-gov-home.awsapps.com/directory/IdentityStoreId` or `https://start.us-gov-home.awsapps.com/directory/CustomAlias` 

  You can find this URL on the **Settings** page in the IAM Identity Center console.
+ The new AWS access portal URL format for AWS GovCloud (US) follows the pattern `https://{idcInstanceId}.portal.{region}.app.aws`, similar to the commercial region format.

  This new URL format provides a consistent experience across all AWS regions.
+ The Amazon Resource Name (ARN) for your IAM Identity Center instance has an AWS GovCloud (US) pattern of `arn:aws-us-gov:sso:::instance/<SSOInstanceId>` 

  You can find this ARN on the **Settings** page in the IAM Identity Center console.
+ The ARNs for IAM Identity Center permission sets have an AWS GovCloud (US) pattern of `arn:aws-us-gov:sso:::permissionSet/<SSOInstanceID>/<PermissionSetID>` 

  You can find these ARNs on the **Permission sets** tab under the **AWS accounts** page in the IAM Identity Center console.
+ The email address `no-reply@us-gov-home.awsapps.com` is used for sending email-verification, password reset, and user invitation emails to GovCloud.

  The email address `no-reply@<identitystore_id>.us-gov-home.awsapps.com` is used for sending forgotten password emails.
+ Multi-Region support is presently not available.
+ If you filter access to specific AWS domains by using a web content filtering solution such as next-generation firewalls (NGFW) or Secure Web Gateways (SWG), you must add the following domains to your web-content filtering solution allowlists. Doing so enables you to access your AWS access portal.
  +  `start.us-gov-home.awsapps.com` 
  +  `start.[Region].us-gov-home.awsapps.com` 
  +  `[IAM-Identity-Center-instance-id].[Region].portal.amazonaws.com` 
  +  `oidc.[Region].amazonaws.com` 
  +  `*.sso.amazonaws.com` 
  +  `*.sso.[Region].amazonaws.com` 
  +  `*.sso-portal.[Region].amazonaws.com` 
  +  `aws-access-portal-website-prod-pdt-assets.s3.us-gov-west-1.amazonaws.com` 
  +  `aws-access-portal-website-prod-osu-assets.s3.us-gov-east-1.amazonaws.com` 
  +  `s3.us-gov-west-1.amazonaws.com/awsconsole-peregrine-portal-prod-pdt-assets` 
  +  `s3.us-gov-east-1.amazonaws.com/awsconsole-peregrine-portal-prod-osu-assets` 
  +  `[Region].signin-fips.amazonaws-us-gov.com` 
  +  `*.cloudfront.net` 
  +  `opfcaptcha-prod.s3.amazonaws.com` 
+ For dual-stack (IPv4 and IPv6) endpoint access, you must also add the following domains to your web-content filtering solution allowlists:
  +  `[idcInstanceId].portal.[Region].app.aws` 
  +  `portal.sso.[Region].api.aws` 
  +  `oidc.[Region].api.aws` 
  +  `oidc-fips.[Region].api.aws` 
  +  `sso.[Region].api.aws` 
  +  `scim.[Region].api.aws` 
  +  `identitystore.[Region].api.aws` 
  +  `identity-sync.[Region].api.aws` 
  +  `dual-stack.auth-control.[Region].prod.apps-auth.aws.a2z.com` 
  +  `pvs-controlplane.[Region].api.aws` 
  +  `[Region].sso.signin.amazonaws-us-gov.com` 
  +  `[Region].sso.signin-fips.amazonaws-us-gov.com` 
  +  `cdn.us-east-1.threat-mitigation.aws.amazon.com` 
  +  `us-east-1.threat-mitigation.aws.amazon.com` 
  +  `amcs-captcha-prod-us-east-1.s3.dualstack.us-east-1.amazonaws.com` 
+ If you change an AWS account name or email address, and you want your AWS access portal to show the new value, you’ll need to create a case with Support. In the support case, specify the account ID and the AWS Region of your IAM Identity Center instance. Also include a list of account IDs that require a refresh in your AWS access portal.
+ The user background sessions feature appears in the console for AWS GovCloud (US), but this feature cannot be used because user background sessions are only supported for Amazon SageMaker Studio. Although Amazon SageMaker AI is supported in AWS GovCloud (US), Amazon SageMaker Studio, which is its latest web experience for running machine learning (ML) workflows, is not supported in AWS GovCloud (US).
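
Allowlist entries like the ones above are easy to load into a web filter incorrectly, most often by plain suffix matching. The following Python code is an added example, not AWS code: it expands the `[Region]` and instance-ID placeholders for a subset of the listed entries and matches URLs against them, treating `*.` as subdomain-only and path-bearing entries as host plus path prefix. The instance ID and the URLs used with it are constructed.

```python
from urllib.parse import urlsplit

# Subset of the allowlist entries listed above, copied verbatim.
TEMPLATES = [
    "start.us-gov-home.awsapps.com",
    "start.[Region].us-gov-home.awsapps.com",
    "oidc.[Region].amazonaws.com",
    "*.sso.[Region].amazonaws.com",
    "*.sso-portal.[Region].amazonaws.com",
    "s3.us-gov-west-1.amazonaws.com/awsconsole-peregrine-portal-prod-pdt-assets",
    "[Region].signin-fips.amazonaws-us-gov.com",
    "[idcInstanceId].portal.[Region].app.aws",
    "oidc-fips.[Region].api.aws",
]

# Both placeholder spellings used in the list stand for the instance ID.
INSTANCE_PLACEHOLDERS = ("[IAM-Identity-Center-instance-id]", "[idcInstanceId]")


def expand(template, region, instance_id):
    """Substitute the documented placeholders; refuse anything left unresolved."""
    entry = template.replace("[Region]", region)
    for placeholder in INSTANCE_PLACEHOLDERS:
        entry = entry.replace(placeholder, instance_id)
    if "[" in entry or "]" in entry:
        raise ValueError(f"unresolved placeholder in {template!r}")
    return entry


def parse_entry(entry):
    """Split 'host/path' entries into (host_pattern, path_prefix)."""
    host, _, path = entry.partition("/")
    return host.lower(), ("/" + path if path else "")


def build_allowlist(region, instance_id, templates=TEMPLATES):
    return [parse_entry(expand(t, region, instance_id)) for t in templates]


def host_matches(pattern, host):
    """'*.x.y' matches any subdomain of x.y, but not x.y itself or 'evilx.y'."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot so the label boundary is enforced
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(url, allowlist):
    """True if the URL's host (and path, for path-bearing entries) is allowlisted."""
    parts = urlsplit(url)
    # .hostname drops userinfo and port and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    path = parts.path or "/"
    for pattern, prefix in allowlist:
        if host_matches(pattern, host) and (
            not prefix or path == prefix or path.startswith(prefix + "/")
        ):
            return True
    return False


if __name__ == "__main__":
    # Constructed instance ID and URLs, for illustration only.
    allowlist = build_allowlist("us-gov-west-1", "ssoins-0123456789abcdef")
    for url in (
        "https://portal.sso.us-gov-west-1.amazonaws.com/",
        "https://evilsso.us-gov-west-1.amazonaws.com/",
        "https://s3.us-gov-west-1.amazonaws.com/other-bucket/app.js",
    ):
        print(url, "->", "allow" if is_allowed(url, allowlist) else "block")
```

The path-bearing S3 entries are the ones most often widened by accident: allowing the bare host `s3.us-gov-west-1.amazonaws.com` permits every path-style bucket in the Region, not only the listed one.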
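
The Identity Center ARN patterns in the list above use the `aws-us-gov` partition and leave the Region and account fields empty, so policies written for the `aws` partition do not match GovCloud resources. The following Python code is an added example, not AWS code: it walks a policy document, extracts every ARN, and reports those with a different partition or with an Identity Center instance or permission-set ARN that does not fit the quoted patterns. The sample policy, bucket name and IDs are constructed.

```python
import json
import re

GOV_PARTITION = "aws-us-gov"
# Shapes of the two Identity Center ARN patterns quoted in the list above.
SSO_SHAPES = re.compile(r"^(instance/[^/]+|permissionSet/[^/]+/[^/]+)$")
ARN_FIELDS = ("arn", "partition", "service", "region", "account", "resource")


def parse_arn(arn):
    """Split an ARN into its six colon-separated fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(ARN_FIELDS, parts))


def check_arn(arn):
    """Return a list of problems for one ARN (an empty list means it passes)."""
    try:
        f = parse_arn(arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if f["partition"] != GOV_PARTITION:
        problems.append(f"partition {f['partition']!r} is not {GOV_PARTITION!r}")
    if f["service"] == "sso" and f["resource"].startswith(("instance/", "permissionSet/")):
        if f["region"] or f["account"]:
            problems.append("Region and account fields must be empty")
        # Wildcarded resources are left to the policy author's judgement.
        if "*" not in f["resource"] and not SSO_SHAPES.match(f["resource"]):
            problems.append("resource is not instance/<id> or permissionSet/<id>/<id>")
    return problems


def iter_arns(node):
    """Yield every ARN-looking string anywhere in a parsed policy (Resource, Principal, Condition)."""
    if isinstance(node, str):
        if node.startswith("arn:"):
            yield node
    elif isinstance(node, list):
        for item in node:
            yield from iter_arns(item)
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_arns(value)


def lint_policy(policy_json):
    """Return (arn, problem) pairs for a policy given as a JSON string."""
    findings = []
    for arn in iter_arns(json.loads(policy_json)):
        findings.extend((arn, problem) for problem in check_arn(arn))
    return findings


# Constructed sample policy: one commercial-partition ARN and one malformed instance ARN.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": ["arn:aws-us-gov:s3:::example-bucket/*",
                  "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "sso:DescribePermissionSet",
     "Resource": "arn:aws-us-gov:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"},
    {"Effect": "Allow", "Action": "sso:ListPermissionSets",
     "Resource": "arn:aws-us-gov:sso:us-gov-west-1::instance/ssoins-EXAMPLE"}
  ]
}"""

if __name__ == "__main__":
    for arn, problem in lint_policy(SAMPLE_POLICY):
        print(f"{arn}: {problem}")
```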

## Documentation for AWS IAM Identity Center
<a name="govcloud-docs-58"></a>

 [AWS IAM Identity Center documentation](https://docs.aws.amazon.com/singlesignon/).

## Export-controlled content
<a name="govcloud-itar-content-98"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Your IAM Identity Center Identity Store ID may leave the AWS GovCloud (US) Regions in the normal course of the service offerings.

# AWS Identity and Access Management in AWS GovCloud (US)
<a name="govcloud-iam"></a>

AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access.

## How IAM differs for AWS GovCloud (US)
<a name="govcloud-iam-diffs"></a>
+ You must have an existing standard AWS account to create an AWS GovCloud (US) account. See [AWS GovCloud (US) Sign Up](getting-started-sign-up.md) to learn more. If you have AWS GovCloud (US) sign up issues, contact [AWS Customer Support](https://console.aws.amazon.com/support/home#/case/create?issueType=customer-service&serviceCode=customer-account&categoryCode=aws-govcloud-us-onboarding/).
+ When your AWS GovCloud (US) account is created, you are provided initial access to the [AWS Management Console for AWS GovCloud (US)](https://signin.amazonaws-us-gov.com) by an `Administrator` IAM user or an `OrganizationAccountAccessRole` IAM role, depending on the method used.

  You cannot access the AWS Management Console for AWS GovCloud (US) using the [associated standard AWS account root user credentials](getting-started-standard-account-linking.md).
+ The AWS GovCloud (US) account root user is created at the same time the AWS GovCloud (US) account is created, but access to this user is not provided by default to AWS GovCloud (US) customers.
  + Signing in to the AWS Management Console for AWS GovCloud (US) as the AWS GovCloud (US) account root user is not supported.
  +  AWS GovCloud (US) account root user access keys can be provided at the request of the [associated standard AWS account](getting-started-standard-account-linking.md) root user by contacting AWS Customer Support. See [Requesting root access keys for an AWS GovCloud (US) account](govcloud-account-root-user.md#requesting-root-user-keys) to get started.
  + Tasks that require the root user in AWS GovCloud (US) are limited. See [Tasks in AWS GovCloud (US) Regions that require root user access keys](govcloud-account-root-user.md#govcloud-tasks-require-root-user).
  + Since there is no access to the root user, there is no ability to centrally manage such credentials in AWS Organizations. However, you can perform privileged tasks for member accounts in your organization. To learn more about performing some root user tasks using short-term credentials, see [Perform a privileged task on an AWS Organizations member account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user-privileged-task.html).
  + Solution Providers reselling in AWS GovCloud (US) may receive AWS GovCloud (US) account root user access keys to be used for initial access to their account from an AWS business representative.
  + For more information, see [AWS GovCloud (US) account root user](govcloud-account-root-user.md).
+ Access issues for IAM users that are administrators in your AWS GovCloud (US) account can be resolved by another administrator in the account.

  If all administrators have forgotten or lost access to the AWS GovCloud (US) account, request AWS GovCloud (US) account root user access keys to [Restore IAM Administrator access to the AWS Management Console for AWS GovCloud (US)](govcloud-account-root-user.md#restore-root-user-keys). See [Requesting root access keys for an AWS GovCloud (US) account](govcloud-account-root-user.md#requesting-root-user-keys) to get started.
+ There is one IAM control plane for all AWS GovCloud (US) Regions, which is located in the AWS GovCloud (US-West) Region. Each AWS Region has a completely independent instance of the IAM data plane. For more information, see [Resilience in AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/disaster-recovery-resiliency.html).
+ In the AWS GovCloud (US) Regions, the IAM dual-stack public endpoint is `https://iam.us-gov.api.aws`. This endpoint supports clients using either IPv4 or IPv6 addresses. For more information, see [Dual-stack endpoint support](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_dual-stack_endpoint_support.html) in the *IAM User Guide*.
+ In the AWS GovCloud (US) Regions, there is no AWS STS global endpoint. AWS provides Regional AWS STS endpoints.
+ When using the IAM or AWS STS service in AWS GovCloud (US), you must use [AWS GovCloud (US) IAM/AWS STS endpoints](using-govcloud-endpoints.md). Use SSL (HTTPS) when you make calls to the IAM or AWS STS service in AWS GovCloud (US) Regions.
+  IAM users that you create in AWS GovCloud (US) are specific to AWS GovCloud (US) and do not exist in other standard AWS Regions.
+  AWS GovCloud (US) supports MFA devices listed in the [Multi-Factor Authentication (MFA) in AWS GovCloud (US)](https://aws.amazon.com/govcloud-us/mfa/) page.
  + You can use these MFA devices with your AWS GovCloud (US) administrator user or any IAM user in your account.
  + You cannot use these MFA devices with your AWS GovCloud (US) account root user.
+ You cannot create a role to delegate access between an AWS GovCloud (US) account and a standard AWS account.
+ Customers with export-controlled data (e.g. export-controlled technical data) in their environment may consider using IAM roles as part of their export control compliance program. It is the customer’s responsibility to properly architect its AWS GovCloud (US) account if there will be export controlled data in its environment in order to comply with export control laws.
+ When you create policies, use the AWS GovCloud (US) resource ARN prefix. For more information, see [Amazon Resource Names (ARNs) in GovCloud (US) Regions](using-govcloud-arns.md).
+ When you use a SAML provider in AWS GovCloud (US) Regions, use the following URL for the XML document that contains relying party information and certificates: `https://signin.amazonaws-us-gov.com/static/saml-metadata.xml`. For more information, see [Configuring a Relying Party and Adding Claims](https://docs.aws.amazon.com/IAM/latest/UserGuide/identity-providers-saml-configure-relying-party.html) in *IAM User Guide*.
+ In the AWS GovCloud (US-West) Region, the AWS STS endpoint only supports request Signature Version 4 (SigV4) by default and can be updated to support both SigV4 and Signature Version 4A (SigV4A). Session tokens supporting the SigV4A algorithm are larger than those supporting SigV4 and match the size of tokens issued by the AWS STS endpoint in the AWS GovCloud (US-East) Region, which already supports SigV4A. Changing this setting might affect existing systems where you temporarily store tokens. For more information, see [Managing AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html).
  + Documentation that mentions **Valid only in AWS Regions enabled by default** refers to **Support only SigV4-based signatures on AWS requests** for the AWS STS endpoint in the AWS GovCloud (US-West) Region.
  + Documentation that mentions **All AWS Regions** refers to **Both the SigV4 and SigV4A algorithms** for the AWS STS endpoint in the AWS GovCloud (US-West) Region.
+ IAM Access Analyzer policy generation is not supported in AWS GovCloud (US). To learn more, see [Using AWS Identity and Access Management Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) in the *IAM User Guide*.
+ IAM Roles Anywhere is now supported in AWS GovCloud (US). To learn more, see [Providing access for non AWS workloads](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_non-aws.html) in the *IAM User Guide*.
+ When configuring SAML applications for single sign-on in AWS GovCloud (US), the SAML audience and ACS links differ from those used in the standard Regions.
  + Application ACS URL: `https://signin.amazonaws-us-gov.com/saml`
  + Application SAML audience: `urn:amazon:webservices:govcloud`
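The ARN-prefix and SAML items above lend themselves to a pre-deployment check. The following is an added example, not AWS code: it walks a policy document for ARNs outside the `aws-us-gov` partition and compares an identity provider application's settings with the ACS URL and audience listed above. The sample policy, the sample application settings, and the field names `acs_url` and `audience` are constructed for illustration.

```python
"""Added example: lint IAM artefacts before deploying them to AWS GovCloud (US)."""

GOVCLOUD_PARTITION = "aws-us-gov"  # partition field of GovCloud ARNs
EXPECTED_SAML = {
    # Values taken from the list above; the dictionary keys are hypothetical.
    "acs_url": "https://signin.amazonaws-us-gov.com/saml",
    "audience": "urn:amazon:webservices:govcloud",
}


def _walk(node, path="$"):
    """Yield (json_path, value) for every string value in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_foreign_arns(policy):
    """Return (json_path, partition, arn) for ARNs that name another partition.

    A wildcard partition (arn:*:...) matches GovCloud resources and is not reported.
    """
    findings = []
    for path, value in _walk(policy):
        parts = value.split(":", 2)
        if len(parts) == 3 and parts[0] == "arn":
            partition = parts[1]
            if partition not in (GOVCLOUD_PARTITION, "*"):
                findings.append((path, partition, value))
    return findings


def check_saml_app(settings):
    """Return one message per relying-party setting that is not the GovCloud value."""
    problems = []
    for field, expected in EXPECTED_SAML.items():
        actual = settings.get(field)
        if actual != expected:
            problems.append(f"{field}: expected {expected!r}, found {actual!r}")
    return problems


# Constructed sample: a policy copied from a standard Region and only partly updated.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws-us-gov:s3:::example-bucket/*",
                "arn:aws:s3:::example-bucket/*",
            ],
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/*",
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws-us-gov:iam::111122223333:role/example-*"
                }
            },
        },
    ],
}

# Constructed sample: an IdP application still carrying standard-Region values.
SAMPLE_SAML_APP = {
    "acs_url": "https://signin.aws.amazon.com/saml",
    "audience": "urn:amazon:webservices",
}

if __name__ == "__main__":
    for path, partition, arn in find_foreign_arns(SAMPLE_POLICY):
        print(f"{path}: partition {partition!r} in {arn}")
    for problem in check_saml_app(SAMPLE_SAML_APP):
        print(problem)
```
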

## Documentation for AWS Identity and Access Management
<a name="govcloud-iam-docs"></a>

 [AWS IAM documentation](https://aws.amazon.com/documentation/iam/).

## Export-controlled content
<a name="iam-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  IAM metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your IAM entities.
+ Do not enter export-controlled data in the following fields:
  + Authentication codes, which are clear-text memcached
  + User names
  + Group names
  + Password policies
  + Policy names
  + Roles and role names
  + Policy documents

# AWS IoT Core in AWS GovCloud (US)
<a name="govcloud-iotcore"></a>

AWS IoT enables secure, bi-directional communication between Internet-connected things (such as sensors, actuators, embedded devices, or smart appliances) and the AWS Cloud over MQTT and HTTP.

## How AWS IoT differs for AWS GovCloud (US)
<a name="govcloud-iotcore-diffs"></a>
+ Use of Amazon Cognito Identities to grant permissions to users of your AWS IoT applications, via your own identity provider or other popular identity providers, is not supported.

## Documentation for AWS IoT
<a name="govcloud-iotcore-docs"></a>

 [AWS IoT Core documentation](https://aws.amazon.com/documentation/iot/).

## Export-controlled content
<a name="govcloud-iotcore-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Message topics and topic filters
+ Thing names
+ Thing types
+ Thing group names
+ Rule definitions (including SQL statements and actions)

# AWS IoT Device Defender in AWS GovCloud (US)
<a name="govcloud-IotDevDefender"></a>

AWS IoT Device Defender is a fully managed service that helps you secure your fleet of IoT devices. You can use AWS IoT Device Defender to audit your IoT resources like policies, certificates, IAM roles and Amazon Cognito IDs against security best practices, monitor connected devices to detect abnormal behavior, and mitigate security risks. By using AWS IoT Device Defender, you can enforce consistent security policies across your AWS IoT device fleet and respond quickly when devices are compromised.

## How AWS IoT Device Defender differs for AWS GovCloud (US)
<a name="govcloud-iotdd-diffs"></a>
+  Amazon Cognito related checks in Device Defender Audit are not available.
+ Role alias related and key quality related checks in Device Defender Audit are not available.
+  AWS IoT Device Defender ML Detect feature is not available in the AWS GovCloud (US) Regions.

## Documentation for AWS IoT Device Defender
<a name="govcloud-iotdd-docs"></a>

 [AWS IoT Device Defender documentation](https://docs.aws.amazon.com/iot/latest/developerguide/device-defender.html).

## Export-controlled content
<a name="govcloud-iotdevman-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Security Profile Name
+ Behavior Name
+ Audit Schedule Name
+ Mitigation Action Name
+ Audit Mitigation Action Task Id

# AWS IoT Device Management in AWS GovCloud (US)
<a name="govcloud-iotdevman"></a>

AWS IoT Device Management is a cloud-based device management service that makes it easy for customers to securely manage IoT devices throughout their lifecycle. Customers can use AWS IoT Device Management to onboard device information and configuration, organize their device inventory, monitor their fleet of devices, and remotely manage devices deployed across many locations. This remote management includes over-the-air (OTA) updates to device software.

## How AWS IoT Device Management differs for AWS GovCloud (US)
<a name="govcloud-iotdevman-diffs"></a>
+ Use of Amazon Cognito Identities to grant permissions to users of your AWS IoT applications, via your own identity provider or other popular identity providers, is not supported. For more information, see [Common Amazon Cognito scenarios](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html#scenario-identity-pool).
+  AWS IoT Device Management Fleet Hub is not available. For more information, see [What is Fleet Hub for AWS IoT Device Management?](https://docs.aws.amazon.com/iot/latest/fleethubuserguide/what-is-aws-iot-monitor.html) 
+  FreeRTOS over-the-air (OTA) updates using MQTT-based file delivery via a stream is not supported. For more information, see [OTA Update Manager service](https://docs.aws.amazon.com/freertos/latest/userguide/ota-manager.html) and [MQTT-based file delivery](https://docs.aws.amazon.com/iot/latest/developerguide/mqtt-based-file-delivery.html).

## Documentation for AWS IoT Device Management
<a name="govcloud-iotdevman-docs"></a>

 [AWS IoT Device Management documentation](https://aws.amazon.com/documentation/iot-device-management).

## Export-controlled content
<a name="govcloud-iotdevman-itar-6"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Message topics and topic filters
+ Thing names
+ Thing types
+ Thing group names
+ Rule definitions (including SQL statements and actions)

# AWS IoT Events in AWS GovCloud (US)
<a name="govcloud-iotevents"></a>

 AWS IoT Events enables you to monitor your equipment or device fleets for failures or changes in operation, and to trigger actions when such events occur. AWS IoT Events continuously watches IoT sensor data from devices, processes, applications, and other AWS services to identify significant events so you can take action.

 AWS IoT Events is only supported in the AWS GovCloud (US-West) Region.

## How AWS IoT Events differs for AWS GovCloud (US)
<a name="govcloud-diffs-12"></a>
+ SSO integration not supported.
+  [Notification action](https://docs.aws.amazon.com/iotevents/latest/apireference/API_NotificationAction.html) is not supported.

## Documentation for AWS IoT Events
<a name="govcloud-docs-51"></a>

 [AWS IoT Events documentation](https://docs.aws.amazon.com/iotevents/index.html).

## Export-controlled content
<a name="govcloud-itar-content-90"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Detector Model Name
+ Alarm Model name
+ Input Name
+ Fields in run-time messages used as key-value in Detector Models or Alarm Models
+ MessageId in BatchPutMessage calls
+ SiteWise AssetId and PropertyId that are referenced in AlarmModel rules

# AWS IoT Greengrass Version 1 in AWS GovCloud (US)
<a name="govcloud-iotgreengrass"></a>

AWS IoT Greengrass seamlessly extends AWS to edge devices so they can act locally on the data they generate, while still using the cloud for management, analytics, and durable storage. With AWS IoT Greengrass, connected devices can run AWS Lambda functions, execute predictions based on machine learning models, keep device data in sync, and communicate with other devices securely even when not connected to the Internet.

## How AWS IoT Greengrass V1 differs for AWS GovCloud (US)
<a name="govcloud-iot-diffs"></a>
+  AWS IoT Greengrass Core software v1.9.2 is the minimum supported version.
+ The following minimum versions of the AWS IoT Greengrass Core SDK are supported.  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-iotgreengrass.html)
+ The following connectors are supported in AWS GovCloud (US-East):
  + Cloudwatch Metrics, v4
  + Device Defender, v3
  + Docker Application Deployment, v6
  + Kinesis Firehose, v5
  + SNS, v4
  + Modbus-RTU Protocol Adapter, v3
  + Raspberry Pi GPIO, v4
  + Serial Stream, v3
+ The following connectors are supported in AWS GovCloud (US-West):
  + Modbus-RTU Protocol Adapter, v2
  + Raspberry Pi GPIO, v2
  + Serial Stream, v2
+ For over-the-air (OTA) updates, the IAM role used to presign the Amazon S3 URL (that links to the Greengrass software update) must allow access in the appropriate AWS Region.

  The following example policy includes the minimum required permissions that must be attached to the role for AWS GovCloud (US-West) Region support.
+  AWS IoT Greengrass operations use three endpoints that have different support for FIPS 140-3.
  + The endpoint for Greengrass control plane operations provides FIPS access only.
  + The endpoint for Greengrass discovery operations does not yet support FIPS. This endpoint provides non-FIPS access only.
  + The endpoint for AWS IoT device operations does not yet support FIPS. This endpoint provides non-FIPS access only.

  For more information, see [Service Endpoints](using-govcloud-endpoints.md). Only Amazon Trust Services (ATS) server authentication is supported, so you must use ATS-signed root CA certificates and ATS endpoints. For more information, see [Server Authentication](https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html#server-authentication) in the *AWS IoT Developer Guide*.
+ The default limit for the maximum number of transactions per second (TPS) on the AWS IoT Greengrass API is 10 TPS. For more information, see [AWS IoT Greengrass Limits](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_greengrass) in the *Amazon Web Services General Reference*.

## Documentation for AWS IoT Greengrass
<a name="govcloud-iot-docs-2"></a>

 [AWS IoT Greengrass documentation](https://aws.amazon.com/documentation/greengrass).

## Export-controlled content
<a name="govcloud-iotgreengrass-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Message topics and topic filters
+ Customer-defined names and IDs of Greengrass resources:
  + Connectors
  + Cores
  + Devices
  + Functions
  + Groups
  + Loggers
  + Resources (local and machine learning)
  + Subscriptions

# AWS IoT Greengrass Version 2 in AWS GovCloud (US)
<a name="govcloud-iotgreengrassv2"></a>

AWS IoT Greengrass seamlessly extends AWS to edge devices so they can act locally on the data they generate, while still using the cloud for management, analytics, and durable storage. With AWS IoT Greengrass, connected devices can run AWS Lambda functions, execute predictions based on machine learning models, keep device data in sync, and communicate with other devices securely even when not connected to the Internet.

## How AWS IoT Greengrass V2 differs for AWS GovCloud (US)
<a name="govcloud-iot-diffs-2"></a>
+ Secret manager v2.0.5 is the minimum supported version in the AWS GovCloud (US) Regions.

## Documentation for AWS IoT Greengrass V2
<a name="govcloud-iot-docs"></a>

 [AWS IoT Greengrass documentation](https://docs.aws.amazon.com/greengrass/v2/developerguide/what-is-iot-greengrass.html).

## Export-controlled content
<a name="govcloud-iotgreengrass-itar-126"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Message topics and topic filters
+ Customer-defined names and IDs of Greengrass resources:
  + CoreDevices
  + Components
  + Deployments

# AWS IoT SiteWise in AWS GovCloud (US)
<a name="govcloud-iotsitewise"></a>

AWS IoT SiteWise is a managed service that you can use to collect, model, analyze, and visualize data from industrial equipment at scale. With AWS IoT SiteWise Monitor, you can quickly create web applications for non-technical users to view and analyze your industrial data in real time. With AWS IoT SiteWise gateways, you can view and process your data on your local devices.

AWS IoT SiteWise is only supported in the AWS GovCloud (US-West) Region.

**Note**  
The SiteWise Monitor feature will no longer be open to new customers starting November 7, 2025. If you would like to use SiteWise Monitor, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [SiteWise Monitor availability change](https://docs.aws.amazon.com/iot-sitewise/latest/appguide/iotsitewise-monitor-availability-change.html).

## How AWS IoT SiteWise differs for AWS GovCloud (US)
<a name="govcloud-diffs-14"></a>
+ The alarm configuration and notification features in AWS IoT SiteWise Monitor portals are currently not supported.
+ Partner data sources on AWS IoT SiteWise gateways are not currently supported.
+ The following endpoints are not supported:
  + The endpoint for the control plane API operations that you use to manage asset models and assets: `model.iotsitewise.region.amazonaws.com`.
  + The endpoint for the control plane API operations that you use to manage tags, storage configurations, and account configurations: `iotsitewise.region.amazonaws.com`.
  + The endpoint for the control plane API operations that you use to manage gateways: `edge.iotsitewise.region.amazonaws.com`.
  + The metadata bulk import and export operations are not available in the AWS GovCloud (US-West) region.

  For more information, see [Service Endpoints](using-govcloud-endpoints.md).

## Documentation for AWS IoT SiteWise
<a name="govcloud-docs-53"></a>

 [AWS IoT SiteWise documentation](https://docs.aws.amazon.com/iot-sitewise/index.html).

## Export-controlled content
<a name="govcloud-itar-content-92"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Data source names
+ Metric definitions
+ Transform definitions
+ Amazon S3 bucket names for the [exporting data to Amazon S3](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/manage-data-storage.html) feature
+ IAM roles for the [exporting data to Amazon S3](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/manage-data-storage.html) feature
+ AWS KMS keys

# AWS IoT TwinMaker in AWS GovCloud (US)
<a name="govcloud-iot-twinmaker"></a>

 AWS IoT TwinMaker is used to build operational digital twins of physical and digital systems. AWS IoT TwinMaker creates digital visualizations using measurements and analysis from a variety of real-world sensors, cameras, and enterprise applications to help you keep track of your physical factory, building, or industrial plant.

 AWS IoT TwinMaker is available in 6 Classic regions (us-east-1, us-west-2, eu-west-1, ap-southeast-1, eu-central-1, ap-southeast-2). AWS IoT TwinMaker is available in one GovCloud region: us-gov-west-1.

## How AWS IoT TwinMaker differs for AWS GovCloud (US)
<a name="govcloud-diffs-9"></a>

The following differences exist between AWS IoT TwinMaker in AWS GovCloud (US) and standard regions:
+ AWS IoT TwinMaker only supports the self-managed Grafana configuration option. Amazon Managed Grafana (AMG) is not available in the AWS GovCloud (US-West) Region.
+ AWS IoT TwinMaker doesn’t support the Edge Video feature or the Kinesis Video Streams (KVS) connector in AWS GovCloud (US-West).
+ The `com.amazon.iotsitewise.connector.edgevideo` component type is not supported.
+ The `com.amazon.kvs.video` component type is not supported.
+ The metadata bulk import and export operations are not available in the GovCloud PDT (us-gov-west-1) region.

## Documentation for AWS IoT TwinMaker
<a name="govcloud-docs-48"></a>

 [AWS IoT TwinMaker documentation](https://docs.aws.amazon.com/iot-twinmaker/landingpage.html).

## Export-controlled content
<a name="govcloud-itar-content-87"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Workspace ID
+ ComponentType name
+ Component Name
+ Scene ID
+ Property name
+ Entity name

# AWS Key Management Service in AWS GovCloud (US)
<a name="govcloud-kms"></a>

AWS Key Management Service (KMS) is an encryption and key management service scaled for the cloud. KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS.

## How AWS KMS differs for AWS GovCloud (US)
<a name="govcloud-kms-diffs"></a>
+ External key store proxies in the AWS GovCloud (US) Region must support HTTP/1.1 or later and TLS 1.2 or later with at least one of these cipher suites: `TLS_AES_256_GCM_SHA384` (TLS 1.3), `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` (TLS 1.2), `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` (TLS 1.2). The AWS GovCloud (US) Region does not support the `TLS_CHACHA20_POLY1305_SHA256` cipher suite. For more information, see the open-source [external key store proxy API specification](https://github.com/aws/aws-kms-xksproxy-api-spec/) that AWS KMS publishes.
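One way to check an external key store proxy against the cipher-suite requirement above before connecting it to AWS KMS, as an added example that is not AWS code. It handshakes once per protocol version and classifies what was negotiated; the host name in the usage line and the sample observations are constructed, and the HTTP/1.1 requirement is not tested here.

```python
"""Added example: probe an XKS proxy for the cipher suites GovCloud accepts."""
import socket
import ssl
import sys

# (negotiated protocol, OpenSSL cipher name) -> IANA name used in the requirement
ACCEPTED = {
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"): "TLS_AES_256_GCM_SHA384",
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"): "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    ("TLSv1.2", "ECDHE-ECDSA-AES256-GCM-SHA384"): "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
TLS12_OFFER = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def build_context(protocol):
    """Return a verifying client context pinned to "TLSv1.2" or "TLSv1.3"."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = VERSIONS[protocol]
    ctx.maximum_version = VERSIONS[protocol]
    if protocol == "TLSv1.2":
        # Offer only the two TLS 1.2 suites named in the requirement.
        ctx.set_ciphers(TLS12_OFFER)
    # Python's ssl module cannot restrict TLS 1.3 suites, so a TLS 1.3 result
    # is judged after the handshake by assess().
    return ctx


def probe(host, port, protocol, timeout=5.0):
    """Handshake with the proxy; return (protocol, cipher) or None on failure."""
    ctx = build_context(protocol)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None


def assess(observations):
    """A proxy passes when at least one probe negotiated an accepted suite.

    A rejected TLS 1.3 suite shows what the proxy selected from the client's
    offer; it does not prove that TLS_AES_256_GCM_SHA384 is disabled.
    """
    accepted = sorted({ACCEPTED[o] for o in observations if o in ACCEPTED})
    rejected = sorted(
        {f"{o[1]} ({o[0]})" for o in observations if o is not None and o not in ACCEPTED}
    )
    return {"compliant": bool(accepted), "accepted": accepted, "rejected": rejected}


# Constructed observations, in the shape probe() returns.
SAMPLE_OK = [("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
             ("TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256")]
SAMPLE_FAIL = [None, ("TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256")]

if __name__ == "__main__":
    # Usage: python xks_probe.py xks-proxy.example.internal 443
    host, port = sys.argv[1], int(sys.argv[2])
    print(assess([probe(host, port, p) for p in ("TLSv1.2", "TLSv1.3")]))
```
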

## Documentation for AWS Key Management Service
<a name="govcloud-kms-docs"></a>

 [AWS Key Management Service Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/).

## Export-controlled content
<a name="kms-itar-boundary"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  AWS KMS metadata is not permitted to contain export-controlled data. Do not enter export-controlled data in the following fields:
  + Alias
  + Descriptions
  + Key policy documents, including key administrators and key users
  + Resource tags: Key
  + Resource tags: Value
+ The [Encryption Context](https://docs.aws.amazon.com/kms/latest/developerguide/encrypt-context.html) is outside the Export-Controlled Content.
+  AWS KMS generated metadata will not contain export-controlled data:
  + Key ID
  + Key ARN

# AWS Lake Formation in AWS GovCloud (US)
<a name="govcloud-alf"></a>

 AWS Lake Formation helps you centrally govern, secure, and globally share data for analytics and machine learning. With Lake Formation, you can manage fine-grained access control for your data lake data on Amazon Simple Storage Service (Amazon S3) and its metadata in AWS Glue Data Catalog.

 Lake Formation provides its own permissions model that augments the IAM permissions model. Lake Formation permissions model enables fine-grained access to data stored in data lakes through a simple grant or revoke mechanism, much like a relational database management system (RDBMS). Lake Formation permissions are enforced using granular controls at the column, row, and cell-levels across AWS analytics and machine learning services, including Amazon Athena, Quick, Amazon Redshift Spectrum, Amazon EMR, and AWS Glue.

The Lake Formation hybrid access mode for AWS Glue crawler lets you secure and access the cataloged data using both Lake Formation permissions and IAM permissions policies for Amazon S3 and AWS Glue actions. With hybrid access mode, data administrators can onboard Lake Formation permissions selectively and incrementally, focusing on one data lake use case at a time. Lake Formation also allows you to share data internally and externally across multiple AWS accounts, AWS organizations or directly with IAM principals in another account providing fine-grained access to the AWS Glue Data Catalog metadata and underlying data.

## How AWS Lake Formation differs for AWS GovCloud (US)
<a name="govcloud-alf-diffs"></a>

The AWS GovCloud (US) Region implementation of Lake Formation is unique in the following ways:
+ Granting Lake Formation permissions to Amazon Athena users who authenticate through the JDBC or ODBC driver using a SAML identity provider is not supported.
+  AWS Lake Formation blueprints are available in AWS GovCloud (US-West) only.
+  AWS Lake Formation governed tables are not available.

## Documentation for AWS Lake Formation
<a name="govcloud-alf-docs"></a>

 [AWS Lake Formation documentation](https://docs.aws.amazon.com/lake-formation/latest/dg/what-is-lake-formation.html).

## Export-controlled content
<a name="alf"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# AWS Lambda in AWS GovCloud (US)
<a name="govcloud-lambda"></a>

With AWS Lambda, you can run code without provisioning or managing servers. You pay only for the compute time that you consume—there’s no charge when your code isn’t running. You can run code for virtually any type of application or backend service—all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

## How AWS Lambda differs for AWS GovCloud (US)
<a name="govcloud-lambda-diffs"></a>
+ Schema registry support for Kafka event sources is not available.
+ AWS Lambda Function URLs are not available.
+ Event source mapping (ESM) tags for AWS Lambda are not available.
+ The DocumentDB event sources are not available.
+ Multi-VPC connectivity for Managed Streaming for Apache Kafka event source mappings is not available.
+ JSON log formatting is not available.
+  Lambda integration with Infrastructure Composer is not available.
+ The [Future runtime launch dates](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtimes-future) are not applicable.
+ The Amazon CloudWatch Logs Live Tail integration in the Lambda console is not available.
+  AWS KMS customer managed key encryption for .zip deployment packages is not available.
+  Lambda SnapStart for Python and .NET is not available.
+  CloudWatch Application Signals for Lambda functions is not available.
+ Event source mapping metrics are not available.
+ Provisioned mode for event source mappings is not available.
+  Amazon S3 as a destination for Kinesis, DynamoDB, and async invoke is not available.
+ Monitoring Lambda function logs with Amazon S3 or Firehose is not yet available.
+  AWS Lambda managed layers have different versions in AWS GovCloud (US) Regions compared to commercial Regions. Verify layer availability and versions when migrating functions between Regions.
+ The deprecation schedule for the .NET 6 runtime is different from the schedule provided in the [Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtimes-supported).

   Lambda will deprecate the .NET 6 runtime on July 31, 2025. We recommend that you migrate .NET 6 functions to .NET 8, which is now available. Until the deprecation date, Lambda will continue to apply patches to the .NET 6 operating system (OS), but not to the .NET 6 language runtime.

## Documentation for AWS Lambda
<a name="govcloud-lambda-docs"></a>

 [AWS Lambda documentation](https://aws.amazon.com/documentation/lambda/).

## Export-controlled content
<a name="govcloud-lambda-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Do not enter export-controlled data in the following console fields:
  + Function name
  + Description
  + DLQ data (can be exported through Amazon SNS and Amazon SQS)
  + Memory
  + Timeout
  + Runtime
  + Role name for service principals
  + Aliases
  + LayerName
  + Layer Description
  + Layer Compatible Architectures
  + Layer Compatible Runtimes
  + EphemeralStorage Size
  + PackageType
  + State
  + StateReason

# AWS License Manager in AWS GovCloud (US)
<a name="govcloud-licensemanager"></a>

AWS License Manager makes it easier to manage licenses in AWS and on-premises servers from software vendors such as Microsoft, SAP, Oracle, and IBM. AWS License Manager lets administrators create customized licensing rules that emulate the terms of their licensing agreements, and then enforces these rules when an instance of EC2 gets launched. Administrators can use these rules to limit licensing violations, such as using more licenses than an agreement stipulates or reassigning licenses to different servers on a short-term basis. The rules in AWS License Manager enable you to limit a licensing breach by physically stopping the instance from launching or by notifying administrators about the infringement. Administrators gain control and visibility of all their licenses with the AWS License Manager dashboard and reduce the risk of non-compliance, misreporting, and additional costs due to licensing overages.

 AWS License Manager integrates with AWS services to simplify the management of licenses across multiple AWS accounts, IT catalogs, and on-premises, through a single AWS account. License administrators can add rules in AWS Service Catalog, which allows them to create and manage catalogs of IT services that are approved for use on all their AWS accounts. Through seamless integration with AWS Systems Manager and AWS Organizations, administrators can manage licenses across all the AWS accounts in an organization and on-premises environments. AWS Marketplace buyers can also use AWS License Manager to track bring your own license (BYOL) software obtained from the Marketplace and keep a consolidated view of all their licenses.

## How AWS License Manager Differs for AWS GovCloud (US)
<a name="govcloud-lic-diffs"></a>
+ Sharing licenses between AWS standard accounts and AWS GovCloud (US) accounts is not supported.

## Documentation for AWS License Manager
<a name="govcloud-lic-docs"></a>

 [AWS License Manager documentation](https://docs.aws.amazon.com/license-manager/index.html).

## Export-controlled content
<a name="govcloud-licensemanager-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Managed Services - AMS Accelerate in AWS GovCloud (US)
<a name="govcloud-ams-acc"></a>

 AMS Accelerate is a service for configuring and managing your AWS infrastructure. For more information, see the [service description](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sd.html).

## How AMS Accelerate differs for AWS GovCloud (US)
<a name="govcloud-diffs-42"></a>

Some services available in other AWS Regions are not available or have limitations in AWS GovCloud (US) Regions.
+ Not supported in AWS GovCloud (US) Regions:
  +  [Amazon Macie](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html) 
  +  [Self-service reporting](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/self-service-reporting.html) - Patch and Backup daily reports are available. All other self-service reports are not available.
  +  [Enable AMS to use your own CloudTrail trail](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-onb-trail-choices.html) 
  +  [Cost optimization with AMS Resource Scheduler](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-resource-scheduler.html) 
  +  [Customer-provided tags](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-tag-cust-provided.html) 
  +  [Amazon Route 53 DNS firewall event monitoring in Service Incident Response](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/security-incident-response.html) 
  +  [Trusted Remediator](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/trusted-remediator.html) 
  +  [Amazon Route 53 Resolver DNS Firewall](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sec-data-protect.html#acc-sec-data-protect-r53) 
  +  [Monitoring and Incident Management for Amazon EKS](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-what-is-mon-inc-eks.html) 
  +  [AWS Config periodic recording for the AWS::EC2::Instance resource type](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sec-compliance.html#acc-sec-compliance-reduct-config-spend) 
  +  [Application aware incident notifications in AMS](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/app-aware-inc-notifications.html) 
+ Different in AWS GovCloud (US) Regions:
  + Outbound [Service notifications](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/service-notices.html) are not sent to AWS account primary emails. Reports go to smaller, more targeted lists.
  + Accelerate [Compliance and conformance](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sec-compliance.html) is limited by the AWS Config managed rules available in your AWS Region.
+ Differences in other AWS services. Some examples:
  + Not all [AWS Config in AWS GovCloud (US)](govcloud-config.md) managed rules are available in all Regions. The [Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) lists all managed rules, and the applicable Regions for each rule.
  + GuardDuty: For information about the differences in AWS GovCloud (US) Regions, see [Amazon GuardDuty in AWS GovCloud (US)](govcloud-guardduty.md).

## Documentation for AMS Accelerate
<a name="govcloud-docs-81"></a>

For information, see the [AMS Accelerate documentation](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/what-is.html).

## Export-controlled content
<a name="govcloud-itar-content-120"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Resource names
+ Tags
+ Communications between customers and AMS Accelerate, such as service requests and incident reports.

# AWS Management Console for the AWS GovCloud (US) Region
<a name="govcloud-console"></a>

The AWS Management Console is a graphical interface for accessing a wide range of AWS Cloud services and managing compute, storage, and other cloud resources. The console includes the Tag Editor tool for managing metadata that you add to your resources. You can then use those tags to create resource groups to manage your AWS resources collectively.

## How AWS Management Console differs for AWS GovCloud (US)
<a name="govcloud-console-diffs"></a>
+ You access the [AWS GovCloud (US) console](https://console.amazonaws-us-gov.com) by using a different URL than the standard AWS Management Console.
+ You can access the AWS GovCloud (US) console only by using an IAM user name and password, not with the GovCloud account root user email address. You cannot enable an MFA device for your AWS GovCloud (US) account root user email, but you can enable one for IAM users. For information about the AWS GovCloud (US) differences in IAM, see [AWS Identity and Access Management](https://aws.amazon.com/iam/details/mfa/).
+ The console includes only the services that are available in AWS GovCloud (US) Regions. To see a list of the supported services, see [Services in the AWS GovCloud (US)](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-services.html).
+ You are automatically signed out from the console after 4 hours.
+ Due to the separate authentication stack for AWS GovCloud (US), the hardware MFA devices used with standard AWS Regions are not compatible with AWS GovCloud (US) accounts. AWS GovCloud (US) supports only MFA devices listed in the **Compatibility with AWS GovCloud (US)** table row on the [Multi-Factor Authentication](https://aws.amazon.com/iam/details/mfa/) page.
+ The console does not permit navigation to any Regions other than AWS GovCloud (US) Regions.
+ You can sign in to the AWS GovCloud (US) console and the standard AWS Management Console concurrently.
+ You cannot automatically create a support ticket from the AWS GovCloud (US) console.
+ Resource Groups, Tag Editor, and AWS Console mobile app are not available.
+ In the console navigation, the following features are not available: Personal Health Dashboard (PHD) alerts, Language Selector, and Feedback.
+ Unified Search only supports service and feature searches.
+ myApplications is unavailable.
+ Multi-session support is unavailable.
+ User Experience Customization is unavailable.

## Export-controlled content
<a name="console-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Your user name is not permitted to contain export-controlled data.
+ All console data fields inherit the export restrictions for the specific service that is being accessed. See each service for details.

# AWS Mainframe Modernization in AWS GovCloud (US)
<a name="govcloud-mainframe-modernization"></a>

 AWS Mainframe Modernization helps you modernize your mainframe applications to AWS managed runtime environments. It provides tools and resources to help you plan and implement migration and modernization. You can analyze your existing mainframe applications, develop or update them using COBOL or PL/I, and implement an automated pipeline for continuous integration and continuous delivery (CI/CD) of the applications. You can choose between automated refactoring and replatforming patterns, depending on your clients' needs. If you are a consultant helping a client migrate their mainframe workloads, you can use AWS Mainframe Modernization tools for all phases of the migration and modernization journey, from initial planning to post-migration cloud operations.

You can use AWS Mainframe Modernization to help you efficiently create and manage the runtime environment on AWS for your mainframe applications, as well as to manage and monitor your modernized applications.

## How AWS Mainframe Modernization differs for AWS GovCloud (US)
<a name="govcloud-diffs-36"></a>

This service has no differences between AWS GovCloud (US) Regions and the standard AWS Regions.

## Documentation for AWS Mainframe Modernization
<a name="govcloud-docs-75"></a>

 [AWS Mainframe Modernization documentation](https://docs.aws.amazon.com/m2/latest/userguide/what-is-m2.html).

## Export-controlled content
<a name="govcloud-itar-content-114"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# AWS Marketplace in AWS GovCloud (US)
<a name="govcloud-marketplace"></a>

AWS Marketplace is an online store where you can buy or sell software that runs on Amazon Web Services (AWS).

## How AWS Marketplace differs for AWS GovCloud (US)
<a name="govcloud-mkt-diffs"></a>
+ The full catalog of solutions is not currently available for use, but we are actively working with AWS Marketplace sellers to offer their solutions.
+ Currently, container products and Amazon Machine Learning products are not supported in AWS GovCloud (US).
+ Launch from the AWS Marketplace website is not supported with your GovCloud AWS account. To launch from the AWS Marketplace website, you must use a commercial AWS account.
+ Integration with Service Catalog is currently not available.
+ To view AWS Marketplace products available for AWS GovCloud (US), select the us-gov-west-1 and/or us-gov-east-1 regions from the AWS Marketplace [All Products](https://aws.amazon.com/marketplace/search?ref_=promo_banner) view.

## Documentation for AWS Marketplace
<a name="govcloud-mkt-docs"></a>
+  [AWS Marketplace documentation](https://docs.aws.amazon.com/marketplace).

## Export-controlled content
<a name="govcloud-mktplace-seller"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Modular Data Center in AWS GovCloud (US)
<a name="govcloud-mdc"></a>

AWS MDC is currently available in AWS GovCloud (US-West) only.

AWS MDC is a simple and cost-effective service for defense and intelligence agencies to deploy AWS managed data centers anywhere in the world to run low-latency applications. AWS MDC is self-contained, which means that it’s a physical, environmentally controlled enclosure that holds as many as five racks of AWS Outposts or AWS Snowball Edge devices. It can also be scaled further through deployment of additional modules. AWS MDC reduces the time and resources required to deploy data centers in remote environments with limited infrastructure. Customers can proactively monitor and manage their modular data centers using a management system that comes with every MDC. Each modular data center is equipped with Building Management System (BMS) sensors to monitor the environmental conditions of the MDC, including temperature, humidity, ventilation, HVAC performance, and power quality. The BMS also monitors safety systems, such as smoke detection, fire alarm, and the Access Control System (ACS) / Intrusion Detection System (IDS).

## How AWS Modular Data Center differs for AWS GovCloud (US)
<a name="govcloud-diffs-15"></a>

This service has no differences between AWS GovCloud (US) Regions and the standard AWS Regions.

## Export-controlled content
<a name="govcloud-itar-content-93"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ AWS suggests that customers do not enter export-controlled information in the AWS MDC order consultation form use case field.

# AWS Network Firewall in AWS GovCloud (US)
<a name="govcloud-nf"></a>

 AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for your virtual private cloud (VPC) that you created in Amazon Virtual Private Cloud (Amazon VPC).

## How AWS Network Firewall differs for AWS GovCloud (US)
<a name="govcloud-diffs-18"></a>

This service has no differences between the AWS GovCloud (US) Region and the standard AWS Regions.

## Documentation for AWS Network Firewall
<a name="govcloud-docs-56"></a>

 [AWS Network Firewall documentation](https://docs.aws.amazon.com/network-firewall).

## Export-controlled content
<a name="govcloud-itar-content-96"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# AWS Organizations in AWS GovCloud (US)
<a name="govcloud-organizations"></a>

AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business.

## How AWS Organizations differs for AWS GovCloud (US)
<a name="govcloud-ao-diffs"></a>
+ You must use AWS Organizations with all features enabled. The consolidated billing feature set is not available in this Region.
+ You must meet the U.S. regulatory requirements as described in [Signing Up for AWS GovCloud (US)](https://docs.aws.amazon.com/govcloud-us/latest/ug-west/getting-started-sign-up.html).
+ Creating accounts from within AWS Organizations operates differently in the AWS GovCloud (US) Regions compared to commercial AWS Regions:
  + You start creating AWS GovCloud (US) accounts by calling the [CreateGovCloudAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html) action from the management account of the organization in the commercial Region. Calling account creation APIs from the AWS GovCloud (US) Regions is not supported.
  + When you call the CreateGovCloudAccount API action, you create two accounts: a standalone account in the AWS GovCloud (US) Regions, and an associated account in the commercial Region for billing and support purposes. The account in the commercial Region is automatically a member of the organization whose credentials made the request. Both accounts are associated with the same email address.
  + After creating the standalone account in the AWS GovCloud (US) Regions, you can invite it to an organization in the AWS GovCloud (US) Regions only.
  + Accounts created in other AWS Regions cannot be members of an organization in the AWS GovCloud (US) Regions.
+ Organizations that you create in the AWS GovCloud (US) Regions are independent from organizations created in commercial AWS Regions.
+ The [CreateGovCloudAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html) API action is not available from the AWS GovCloud (US) Regions.
+ To sign in to the AWS Organizations console in the AWS GovCloud (US) Regions, you must be signed in from an AWS GovCloud (US) account.
+ To learn what AWS services are currently available for trusted access with AWS Organizations, check the list in the AWS Organizations console from the AWS GovCloud (US) Regions.
+ The following Organizations API operations work only when you specify the AWS GovCloud (US-West) Region:
  +  [DeletePolicy](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeletePolicy.html) 
  +  [DisablePolicyType](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisablePolicyType.html) 
  +  [EnablePolicyType](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html) 
  + Any operation that references the organization root, such as [ListRoots](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListRoots.html).
+ Organization policies – You can use only the following policy types in an AWS GovCloud (US) organization:
  +  [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) 
  +  [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) 
  +  [Tag policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html) 

    **Note**  
    As a rule, you can create tag policies that reference only those resource types whose services are supported in the AWS GovCloud (US) Regions. However, you can use the following additional resource types in a tag policy even though the associated service is not yet supported in the AWS GovCloud (US) Regions:
    +  `chime:meeting` 
    +  `codepipeline:pipeline` 

    Tag policy compliance reporting works only in the AWS GovCloud (US-West) Region.

    The following tagging API operations work only when you specify the AWS GovCloud (US-West) Region:
    +  [DescribeReportCreation](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_DescribeReportCreation.html) 
    +  [GetComplianceSummary](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetComplianceSummary.html) 
    +  [GetResources](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_GetResources.html) 
    +  [StartReportCreation](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/API_StartReportCreation.html) 
  + You can’t create or use [backup policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html), [chat application policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_chatbot.html), or [AI services opt-out policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html).

## Creating Your Account
<a name="create-account"></a>

When you create accounts in the AWS GovCloud (US) Regions from AWS Organizations, an associated account in the commercial Region is automatically created for billing and support purposes. The account in the commercial Region and the account in the AWS GovCloud (US) Regions are linked. The account in the commercial Region is automatically a member of the organization whose credentials made the request, but the account in the AWS GovCloud (US) Regions is a standalone account until you invite it to an organization in that same Region.

Before creating accounts in the AWS GovCloud (US) Regions from AWS Organizations, make sure that you meet specific U.S. regulatory requirements as described in [Signing Up for AWS GovCloud](https://docs.aws.amazon.com/govcloud-us/latest/ug-west/getting-started-sign-up.html).

**To create an account in the AWS GovCloud (US) Regions from AWS Organizations**

1. From the management account of your organization in the commercial Region, sign in to the Organizations console at https://console.aws.amazon.com/organizations

1. From the Command Line Interface (CLI), call the [CreateGovCloudAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html) API action.

**Accounts and roles are created as follows**
+ An account is created in the commercial Region and it is automatically a member of the organization whose credentials made the request.
+ A role is created in the new account in the commercial Region that the management account in this same Region can assume.
+ The account in the AWS GovCloud (US) Regions is created and it links to the associated account that was created at the same time in the commercial Region.
+ The account in the AWS GovCloud (US) Regions is a standalone account and is not yet a member of an organization.
+ A role is created in the AWS GovCloud (US) account. The AWS GovCloud (US) account that is linked to the management account in the commercial Region can assume this role.

## Inviting Accounts to an Organization
<a name="inviting-accounts"></a>

After creating a standalone account in the AWS GovCloud (US) Regions, you can invite it to organizations in the AWS GovCloud (US) Regions. You cannot invite accounts in the AWS GovCloud (US) Regions to organizations in other AWS Regions.

The following diagram explains how account access works so that you can invite standalone accounts in the AWS GovCloud (US) Regions to an organization in the same Region.

![\[Diagram showing AWS Standard and GovCloud(US) regions with account pairing and IAM role access.\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/images/GovCloud-account-access.png)


**To invite an account in the AWS GovCloud (US) Regions to an Organization**

1. From the AWS GovCloud (US) account that’s associated with the management account of your organization in the commercial Region, assume the role of the AWS GovCloud (US) account you just created in the AWS GovCloud (US) Regions.

   In the above example, start from AWS GovCloud (US) Account 1 and assume the role that was created in AWS GovCloud (US) Account 2.

1. Follow the procedure described in [Sending Invitations to AWS Accounts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html#orgs_manage_accounts_invite-account) in the [AWS Organizations User Guide](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) to invite the account in the AWS GovCloud (US) Regions to the organization.

**To access the new account in the AWS GovCloud (US) Regions**

1. Sign in to the GovCloud account that is mapped to your commercial organization’s management account.

1. Assume the role in the newly created AWS GovCloud (US) management account.

The role is automatically created when you create the account. By default, the role is named **`OrganizationAccountAccessRole`** but you can change it using the `RoleName` parameter when you call the `CreateGovCloudAccount` operation.
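
The two procedures above (creating the account pair, then inviting the GovCloud account) as an added boto3 example; it is not code from this guide. It assumes that the GovCloud account paired with the commercial management account is the management account of the GovCloud organization and that the invitation is accepted with `AcceptHandshake` from the invited account; the profile names, email address and account name under `__main__` are placeholders.

```python
"""Added example: create a GovCloud account pair, then join it to a GovCloud organization."""
import time

GOV_PARTITION = "aws-us-gov"   # ARN partition used by AWS GovCloud (US)
GOV_REGION = "us-gov-west-1"
DEFAULT_ROLE = "OrganizationAccountAccessRole"


def create_govcloud_pair(org_commercial, email, name, role_name=DEFAULT_ROLE,
                         poll_seconds=10, max_polls=60):
    """Call CreateGovCloudAccount from the commercial management account and wait.

    org_commercial is an Organizations client built from commercial-Region
    credentials; the call is not available from the GovCloud Regions.
    Returns (commercial_account_id, govcloud_account_id).
    """
    status = org_commercial.create_gov_cloud_account(
        Email=email, AccountName=name, RoleName=role_name)["CreateAccountStatus"]
    polls = 0
    while status["State"] == "IN_PROGRESS":
        if polls >= max_polls:
            raise TimeoutError(f"request {status['Id']} is still IN_PROGRESS")
        time.sleep(poll_seconds)
        polls += 1
        status = org_commercial.describe_create_account_status(
            CreateAccountRequestId=status["Id"])["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
    return status["AccountId"], status["GovCloudAccountId"]


def access_role_arn(gov_account_id, role_name=DEFAULT_ROLE):
    """ARN of the role created in the new GovCloud account (note the partition)."""
    return f"arn:{GOV_PARTITION}:iam::{gov_account_id}:role/{role_name}"


def invite_and_accept(org_gov, sts_gov, gov_account_id, make_org_client,
                      role_name=DEFAULT_ROLE):
    """Invite the standalone GovCloud account, then accept as that account.

    org_gov and sts_gov are clients of the GovCloud account linked to the
    commercial management account (assumed here to manage the GovCloud
    organization). make_org_client turns temporary credentials into an
    Organizations client for the invited account. Returns the handshake state.
    """
    handshake = org_gov.invite_account_to_organization(
        Target={"Id": gov_account_id, "Type": "ACCOUNT"})["Handshake"]
    creds = sts_gov.assume_role(
        RoleArn=access_role_arn(gov_account_id, role_name),
        RoleSessionName="join-govcloud-org")["Credentials"]
    member_org = make_org_client(creds)
    accepted = member_org.accept_handshake(HandshakeId=handshake["Id"])["Handshake"]
    return accepted["State"]


def boto3_org_client(creds):
    """Organizations client in GovCloud using the assumed-role credentials."""
    import boto3  # imported here so the helpers above work without boto3 installed
    return boto3.client(
        "organizations", region_name=GOV_REGION,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])


if __name__ == "__main__":
    import boto3
    # Placeholder profiles: one for the commercial management account, one for
    # the GovCloud account that is linked to it.
    commercial = boto3.Session(profile_name="commercial-mgmt")
    gov = boto3.Session(profile_name="govcloud-mgmt")
    _, gov_id = create_govcloud_pair(
        commercial.client("organizations", region_name="us-east-1"),
        "new-workload@example.com", "workload-gov")
    state = invite_and_accept(
        gov.client("organizations", region_name=GOV_REGION),
        gov.client("sts", region_name=GOV_REGION),
        gov_id, boto3_org_client)
    print(gov_id, state)
```
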

## Documentation for AWS Organizations
<a name="govcloud-ao-docs"></a>

 [AWS Organizations documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html).

## Export-controlled content
<a name="govcloud-ao-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Outposts in AWS GovCloud (US)
<a name="govcloud-outposts"></a>

AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises. By providing local access to AWS managed infrastructure, AWS Outposts enables customers to build and run applications on premises using the same programming interfaces as in AWS Regions, while using local compute and storage resources for lower latency and local data processing needs. Both AWS Outposts racks and servers are available in the AWS GovCloud (US) Region.

## How AWS Outposts differs for AWS GovCloud (US)
<a name="govcloud-op-diffs"></a>
+  Application Load Balancer is not supported.
+  Amazon RDS is not supported.
+  Amazon EMR is not supported.
+  ElastiCache is not supported.
+  Route 53 resolver is not supported.

## Documentation for AWS Outposts
<a name="govcloud-op-docs"></a>

 [AWS Outposts documentation](https://docs.aws.amazon.com//outposts/?id=docs_gateway).

## Export-controlled content
<a name="govcloud-op-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ AWS Outposts metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when setting up and maintaining your topics.

  For example, do not enter export-controlled data in the following fields:
  + Outpost Name
  + Outpost Description
  + Site Address
  + Site Name
  + Site Description
  + Site Notes

# AWS ParallelCluster in AWS GovCloud (US)
<a name="govcloud-parallelcluster"></a>

AWS ParallelCluster is an AWS-supported open source cluster management tool that helps you to deploy and manage High Performance Computing (HPC) clusters in the AWS cloud. Built on the open source CfnCluster project, AWS ParallelCluster enables you to quickly build an HPC compute environment in AWS. It automatically sets up the required compute resources and shared filesystem. You can use AWS ParallelCluster with a variety of batch schedulers, such as AWS Batch, SGE, Torque, and Slurm. AWS ParallelCluster facilitates quick start proof of concept deployments and production deployments. You can also build higher level workflows, such as a genomics portal that automates an entire DNA sequencing workflow, on top of AWS ParallelCluster.

## How AWS ParallelCluster differs for AWS GovCloud (US)
<a name="govcloud-paraclus-diffs"></a>

This service has no differences between AWS GovCloud (US) Regions and the standard AWS Regions.

## Documentation for AWS ParallelCluster
<a name="govcloud-paraclus-docs"></a>

 [AWS ParallelCluster documentation](https://docs.aws.amazon.com/parallelcluster/latest/ug/).

## Export-controlled content
<a name="govcloud-paraclus-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Parallel Computing Service (AWS PCS) in AWS GovCloud (US)
<a name="govcloud-pcs"></a>

AWS Parallel Computing Service (AWS PCS) is a managed service that makes it easier to run and scale high performance computing (HPC) workloads, and build scientific and engineering models on AWS using Slurm. Use AWS PCS to build compute clusters that integrate best in class AWS compute, storage, networking, and visualization. Run simulations or build scientific and engineering models. Streamline and simplify your cluster operations using built-in management and observability capabilities. Empower your users to focus on research and innovation by enabling them to run their applications and jobs in a familiar environment.

## How AWS PCS differs for AWS GovCloud (US)
<a name="govcloud-diffs-25"></a>
+ Accounting isn’t supported.
+  Amazon EC2 Capacity Blocks for ML aren’t supported.

## Documentation for AWS PCS
<a name="govcloud-docs-64"></a>

 [AWS PCS documentation](https://docs.aws.amazon.com/pcs).

## Export-controlled content
<a name="govcloud-itar-content-103"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# AWS Resilience Hub in AWS GovCloud (US)
<a name="govcloud-arh"></a>

 AWS Resilience Hub gives you a central place to define, validate, and track the resiliency of your AWS application. AWS Resilience Hub helps you to protect your applications from disruptions, and reduce recovery costs to optimize business continuity to help meet compliance and regulatory requirements.

## How AWS Resilience Hub differs for AWS GovCloud (US)
<a name="govcloud-arh-diffs"></a>

The following list details the differences for using this service in AWS GovCloud (US) Regions compared to other AWS Regions:
+ The assessment summary generated by large language models (LLMs) on Amazon Bedrock is not supported. Therefore, the following API attributes are not supported in the AWS GovCloud (US) Regions:
  +  `AssessmentRiskRecommendation` 
  +  `AssessmentSummary` 
+ When you are using AWS Resilience Hub from AWS GovCloud (US) Regions, you can’t import resources that are located in non-AWS GovCloud (US) Regions.
+ When you are using AWS Resilience Hub from AWS standard Regions, you can’t import resources that are located in AWS GovCloud (US) Regions.

## Documentation for AWS Resilience Hub
<a name="govcloud-arh-docs"></a>
+  [AWS Resilience Hub User Guide](https://docs.aws.amazon.com/resilience-hub/latest/userguide/what-is.html).
+  [AWS Resilience Hub API Guide](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/Welcome.html).

# AWS Resource Access Manager in AWS GovCloud (US)
<a name="govcloud-ram"></a>

AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization. You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources with RAM. Many organizations use multiple accounts to create administrative or billing isolation, and to limit the impact of errors. RAM eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account you own. You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts in three simple steps: create a Resource Share, specify resources, and specify accounts. RAM is available to you at no additional charge.

## How AWS Resource Access Manager differs for AWS GovCloud (US)
<a name="govcloud-ram-diffs"></a>
+ Sharing of Amazon Aurora DB clusters is not supported in AWS GovCloud (US) Regions.
+ Sharing of AWS CodeBuild projects is not supported in AWS GovCloud (US) Regions.
+ Sharing AWS CodeBuild Report groups is not supported in AWS GovCloud (US) Regions.
+ Sharing of AWS App Mesh Meshes is not supported in AWS GovCloud (US) Regions.

## Documentation for AWS Resource Access Manager
<a name="govcloud-ram-docs"></a>

 [AWS Resource Access Manager documentation](https://docs.aws.amazon.com/ram).

## Export-controlled content
<a name="govcloud-ram-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Resource Share name cannot contain export-controlled data.

# AWS Resource Groups in AWS GovCloud (US)
<a name="govcloud-arg"></a>

In AWS, a resource is an entity that you can work with. Examples include an Amazon EC2 instance, an AWS CloudFormation stack, or an Amazon S3 bucket. If you work with multiple resources, you might find it useful to manage them as a group rather than move from one AWS service to another for each task. AWS Resource Groups make it easier to manage and automate tasks on large numbers of resources at one time. You can use resource groups to organize your AWS resources. A resource group is a collection of AWS resources that are all in the same AWS region, and that match criteria provided in a query. In Resource Groups, there are two types of queries on which you can build a group: tag-based and AWS CloudFormation stack-based queries. Resource Groups feature permissions are at the account level. In Resource Groups, the only available resource is a group. Groups have unique Amazon Resource Names (ARNs) associated with them.

## How AWS Resource Groups differs for AWS GovCloud (US)
<a name="govcloud-arg-diffs"></a>

The following list details the differences for using this service in the AWS GovCloud (US-West) Region compared to other AWS Regions:
+  [Group lifecycle events](https://docs.aws.amazon.com/ARG/latest/userguide/monitor-groups.html) are not supported.

## Documentation for AWS Resource Groups
<a name="govcloud-arg-docs"></a>

 [AWS Resource Groups documentation](https://docs.aws.amazon.com/ARG).

## Export-controlled content
<a name="govcloud-resourcegroups-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Name

# AWS SDK for SAP ABAP in AWS GovCloud (US)
<a name="govcloud-abapsdk"></a>

AWS SDK for SAP ABAP provides an interface to the services offered by AWS in the ABAP language. Using the SDK, you can implement ABAP BADIs, reports, transactions, OData services, and other ABAP artifacts on AWS services.

## How AWS SDK for SAP ABAP differs for AWS GovCloud (US)
<a name="govcloud-diffs-34"></a>

This service has no differences between AWS GovCloud (US) Regions and the standard AWS Regions.

## Documentation for AWS SDK for SAP ABAP
<a name="govcloud-docs-73"></a>

 [AWS SDK for SAP ABAP documentation](https://docs.aws.amazon.com/sdk-for-sapabap/index.html).

## Export-controlled content
<a name="govcloud-itar-content-112"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for AWS SDK for SAP ABAP.
+ The services used with the SDK can handle the export-controlled content differently. For more information, see [Services in AWS GovCloud (US) Regions](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-services.html).

# AWS Secrets Manager in AWS GovCloud (US)
<a name="govcloud-asm"></a>

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. Also, the service is extensible to other types of secrets, including API keys and OAuth tokens. In addition, Secrets Manager enables you to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises.

## How AWS Secrets Manager differs for AWS GovCloud (US)
<a name="govcloud-asm-diffs"></a>
+ Managed External Secrets are not supported.

## Documentation for AWS Secrets Manager
<a name="govcloud-asm-docs"></a>

 [AWS Secrets Manager documentation](https://docs.aws.amazon.com/secretsmanager/index.html).

## Export-controlled content
<a name="govcloud-asm-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Security Hub in AWS GovCloud (US)
<a name="govcloud-ashv2"></a>

AWS Security Hub is a unified cloud security solution that prioritizes your critical security issues and helps you respond at scale. Security Hub detects security issues by automatically correlating and enriching security signals from multiple sources, such as posture management (AWS Security Hub CSPM), vulnerability management (Amazon Inspector), sensitive data (AWS Macie), and threat detection (Amazon GuardDuty). This enables security teams to prioritize active risks in their cloud environments through automated analyses and contextual insights. Through intuitive visualizations, Security Hub transforms complex security signals into actionable insights, which enables you to make informed decisions about your security quickly. Security Hub also includes automated response workflows to help you remediate risks, improve team productivity, and minimize operational disruptions.

## How Security Hub differs for AWS GovCloud (US)
<a name="govcloud-ashv2-diffs"></a>

 **Integrations** 

Integrations with third-party products are not supported in the AWS GovCloud (US) Region. For more information about integrations in other AWS Regions, see [Integrations with AWS services and third-party products](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-integrations.html) in the *AWS Security Hub User Guide*.

 **Automation Rules** 

Automation rules for integrations are not supported in the AWS GovCloud (US) Region. Automation rules allow you to automatically update finding fields based on specified criteria. For more information about automation rules in other AWS Regions, see [Automating response and remediation](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-automation-rules.html) in the *Security Hub User Guide*.

 **Cost Estimator** 

The Security Hub cost estimator is not available in the AWS GovCloud (US) Region. The cost estimator is a console feature that provides cost estimates for security capabilities across your AWS environment, comparing individual service pricing (GuardDuty, Amazon Inspector, Security Hub CSPM) against Security Hub's simplified pricing plans. It uses AWS Cost Explorer data to auto-populate usage information for management, delegated administrator, member, and standalone accounts. For more information about the cost estimator in other AWS Regions, see Cost estimator in the AWS Security Hub User Guide.

 **Security Hub Extended Plan** 

The Security Hub Extended plan is not available in the AWS GovCloud (US) Region. The Extended plan enables customers to protect their enterprise estate across cloud, endpoint, network, identity, data, email, and browser through an integrated security operations experience centered in Security Hub. With the Extended plan, customers can subscribe to partner solutions with flexible pay-as-you-go pricing through AWS Marketplace, with no upfront investments or long-term commitments required.

 **AWS Security Hub CSPM and Amazon Inspector** 

 Security Hub leverages findings from AWS Security Hub CSPM (Cloud Security Posture Management) and Amazon Inspector. For information about the availability of these features in AWS GovCloud (US) Region, see the following:
+  **AWS Security Hub CSPM** - For information about AWS Security Hub CSPM feature differences in AWS GovCloud (US) Region, including controls, see [AWS Security Hub CSPM in AWS GovCloud (US)](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ash.html) in the *AWS GovCloud (US) User Guide*.
+  **Amazon Inspector** - For information about Amazon Inspector feature differences in AWS GovCloud (US) Region, see [Amazon Inspector in AWS GovCloud (US)](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-inspector.html) in the *AWS GovCloud (US) User Guide*.

## Documentation for Security Hub
<a name="govcloud-ashv2-docs"></a>

 [AWS Security Hub documentation](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub-v2.html).

## Export-controlled content
<a name="govcloud-ashv2-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# AWS Security Hub CSPM in AWS GovCloud (US)
<a name="govcloud-ash"></a>

AWS Security Hub CSPM provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues.

## How Security Hub CSPM differs for AWS GovCloud (US)
<a name="govcloud-ash-diffs"></a>

 **Product integrations** 

Not all [integrations with AWS Services and third-party partners](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-providers.html) are available in the AWS GovCloud (US) Region.

For a list of the supported integrations in the AWS GovCloud (US) Region, see [Integrations that are supported in AWS GovCloud (US-East) and AWS GovCloud (US-West)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-regions-integration-support-govcloud).

 **Controls** 

Not all security controls are supported in the AWS GovCloud (US) Region. For details, see the following lists in the *AWS Security Hub CSPM User Guide*.
+  [Controls that are not supported in AWS GovCloud (US-East)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-control-support-govuseast1) 
+  [Controls that are not supported in AWS GovCloud (US-West)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-regions.html#securityhub-control-support-govuswest1) 

 **Cross-Region aggregation** 

 [Cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) is supported with limitations in AWS GovCloud (US). In AWS GovCloud (US), cross-Region aggregation is supported only for findings, finding updates, and insights across AWS GovCloud (US). Specifically, you can only aggregate findings, finding updates, and insights between AWS GovCloud (US-East) and AWS GovCloud (US-West).

## Documentation for Security Hub CSPM
<a name="govcloud-ash-docs"></a>

 [AWS Security Hub CSPM documentation](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html).

## Export-controlled content
<a name="govcloud-ash-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.

+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Service Catalog in AWS GovCloud (US)
<a name="govcloud-sc"></a>

AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage commonly deployed IT services, and helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need.

## How Service Catalog differs for AWS GovCloud (US)
<a name="govcloud-sc-diffs"></a>
+ In AWS GovCloud (US), Copy Product is only supported within AWS GovCloud (US) Regions in the GovCloud partition.
+ Stack Sets are not currently supported in AWS GovCloud (US) Regions.

## Documentation for Service Catalog
<a name="govcloud-sc-docs"></a>

 [AWS Service Catalog documentation](https://docs.aws.amazon.com/servicecatalog/index.html).

## Export-controlled content
<a name="govcloud-sc-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No export-controlled data may be entered, stored, or processed by AWS Service Catalog. For example, AWS Service Catalog metadata is not permitted to contain export-controlled data. This metadata includes all the configuration data that you enter when creating and maintaining your Products, Actions, and Tag Options.

# AWS Serverless Application Repository in AWS GovCloud (US)
<a name="govcloud-sar"></a>

The AWS Serverless Application Repository is a managed repository for serverless applications. It enables teams, organizations, and individual developers to find, deploy, publish, share, store, and easily assemble serverless architectures.

## How AWS Serverless Application Repository differs for AWS GovCloud (US)
<a name="govcloud-sar-diffs"></a>
+ Applications that are publicly shared in other AWS Regions are not automatically available in AWS GovCloud (US) Regions. To make applications available in AWS GovCloud (US) Regions, you must publish and share them independently of other AWS Regions.

## Documentation for AWS Serverless Application Repository
<a name="govcloud-sar-docs"></a>

 [AWS Serverless Application Repository documentation](https://docs.aws.amazon.com/serverlessrepo/index.html).

## Export-controlled content
<a name="govcloud-sar-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Server Migration Service in AWS GovCloud (US)
<a name="govcloud-sms"></a>

**Important**  
 **Product update**   
On March 31, 2022, AWS discontinued AWS Server Migration Service (AWS SMS). We recommend [AWS Application Migration Service](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-mgn.html) as the primary migration service for lift-and-shift migrations in AWS GovCloud (US).

AWS Server Migration Service (AWS SMS) combines data collection tools with automated server replication to speed the migration of on-premises servers to AWS.

To use the Server Migration Connector with AWS GovCloud (US) Regions, follow these steps on your Server Migration Connector VM. The following procedure permanently converts your connector virtual appliance to an AWS GovCloud (US) connector.

1. Install the Server Migration Connector as described in [Getting Started with AWS Server Migration Service](http://docs.aws.amazon.com/server-migration-service/latest/userguide/SMS_setup.html).

1. Open the connector’s virtual machine console and log in as `ec2-user` with the password `ec2pass`. Supply a new password if prompted.

1. Run the following command:

   ```
   sudo enable-govcloud
   ```

1. In a web browser, access the connector VM at its IP address (`https://ip-address-of-connector/`).

   In the setup wizard, under **AWS Region**, the AWS GovCloud (US) Regions should now be the Regions listed.

## How AWS Server Migration Service differs for AWS GovCloud (US)
<a name="govcloud-sms-diffs"></a>

This service has no differences between the AWS GovCloud (US) Regions and the standard AWS Regions.

## Documentation for AWS Server Migration Service
<a name="govcloud-sms-docs"></a>

 [AWS SMS User Guide](https://docs.aws.amazon.com/server-migration-service/latest/userguide/).

## Export-controlled content
<a name="govcloud-sms-itar-data"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Virtual machine metadata is not permitted to contain export-controlled data. For example, text displayed outside of a virtual machine console in vSphere Client, SCVMM, or Hyper-V Manager is not permitted to contain export-controlled data.
+ Do not enter export-controlled data in the following fields:
  + VM names or paths
  + Virtual machine disk file paths
  + IP addresses or host names of VMs, ESXi hosts, vCenter, Hyper-V hosts, or SCVMM
  + User name of any service account or Active Directory user created for Server Migration Connector to log into vCenter, SCVMM, or Hyper-V
+ Do not enter export-controlled data into the root or boot partition of any virtual machine being imported using the AWS Server Migration Service.

# AWS Signer in AWS GovCloud (US)
<a name="govcloud-Signer"></a>

 AWS Signer is a fully managed code-signing service to ensure the trust and integrity of your code. Organizations validate code against a digital signature to confirm that the code is unaltered and from a trusted publisher. With AWS Signer, your security administrators have a single place to define your signing environment, including what AWS Identity and Access Management (IAM) role can sign code and in what Regions. AWS Signer manages the code-signing certificate’s public and private keys, and enables central management of the code-signing lifecycle. Integration with [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/) helps you track who is generating code signatures and to meet your compliance requirements.

## How AWS Signer differs for AWS GovCloud (US)
<a name="govcloud-Signer-diffs"></a>

The following differences exist between AWS Signer in AWS GovCloud (US) and the standard AWS Regions:
+  AWS Signer only supports the container image signing feature (platform id: `Notation-OCI-SHA384-ECDSA`) and Lambda Zip signing feature (platform id: `AWSLambda-SHA384-ECDSA`) with AWS Signer APIs, the AWS CLI, and the console.
+  AWS Signer automatically uses the GovCloud partition specific root certificate when signing.
+ Signature revocation is only valid within the same AWS partition that an artifact was signed in. The [GetRevocationStatus API](https://docs.aws.amazon.com/signer/latest/api/API_GetRevocationStatus.html) will not return the revocation information for any signatures or profiles that were revoked in other partitions.
+ If you’re signing container images, you must complete the following steps:

  1. You must use the AWS GovCloud specific root certificate when verifying container images signed in the GovCloud Region. You can install the GovCloud root certificate either using the AWS Signer plugin for Notation, which includes the GovCloud root certificate, or by directly downloading the [GovCloud root certificate](https://d2hvyiie56hcat.cloudfront.net/aws-us-gov-signer-notation-root.cert). For more information, see [Prerequisites for signing container images](https://d2hvyiie56hcat.cloudfront.net/image-signing-prerequisites.cert).

  1. In your trust policy, you must set `signingAuthority` to `aws-us-gov-signer-ts`. For example:

     ```
     {
        "version":"1.0",
        "trustPolicies":[
           {
              "name":"aws-signer-tp",
              "registryScopes":[
                 "*"
              ],
              "signatureVerification":{
                 "level":"strict"
              },
              "trustStores":[
                 "signingAuthority:aws-us-gov-signer-ts"
              ],
              "trustedIdentities":[
                 "arn:aws:signer:region:111122223333:/signing-profiles/ecr_signing_profile",
                 "arn:aws:signer:region:111122223333:/signing-profiles/ecr_signing_profile2"
              ]
           }
        ]
     }
     ```

     For more information about setting up trust policies for image verification, see [Verify an image locally after signing](https://docs.aws.amazon.com/signer/latest/developerguide/image-verification.html).
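
One way to check a Notation trust policy against the `signingAuthority` requirement above before it is used to verify images signed in AWS GovCloud (US). This is an added example, not AWS code: the function name, both sample policies, and the standard-partition store name `signingAuthority:aws-signer-ts` are assumptions that do not come from this page.

```python
import json

# Trust store this page requires for images signed in AWS GovCloud (US).
GOV_TRUST_STORE = "signingAuthority:aws-us-gov-signer-ts"
# Assumption: store name used in AWS Signer examples for the standard partition.
COMMERCIAL_TRUST_STORE = "signingAuthority:aws-signer-ts"
# Verification levels defined by the Notation trust policy format.
LEVELS = ("strict", "permissive", "audit", "skip")


def lint_trust_policy(text):
    """Return a list of findings; an empty list means the policy passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"document: not valid JSON ({exc.msg})"]
    if not isinstance(doc, dict):
        return ["document: top level must be a JSON object"]
    policies = doc.get("trustPolicies")
    if not isinstance(policies, list) or not policies:
        return ["document: trustPolicies is missing or empty"]

    findings = []
    for index, policy in enumerate(policies):
        if not isinstance(policy, dict):
            findings.append(f"trustPolicies[{index}]: not an object")
            continue
        name = policy.get("name") or f"trustPolicies[{index}]"

        verification = policy.get("signatureVerification")
        level = verification.get("level") if isinstance(verification, dict) else None
        if level not in LEVELS:
            findings.append(f"{name}: unknown or missing verification level {level!r}")
        elif level == "skip":
            findings.append(f"{name}: level 'skip' disables signature verification")
            continue  # Notation does not require stores or identities for 'skip'
        elif level != "strict":
            findings.append(f"{name}: level {level!r} is weaker than 'strict'")

        stores = policy.get("trustStores")
        stores = stores if isinstance(stores, list) else []
        if GOV_TRUST_STORE not in stores:
            findings.append(f"{name}: trustStores lacks {GOV_TRUST_STORE}")
        if COMMERCIAL_TRUST_STORE in stores:
            findings.append(
                f"{name}: trustStores lists standard-partition store {COMMERCIAL_TRUST_STORE}"
            )

        identities = policy.get("trustedIdentities")
        identities = identities if isinstance(identities, list) else []
        if not identities:
            findings.append(f"{name}: trustedIdentities is empty")
        elif "*" in identities:
            findings.append(f"{name}: trustedIdentities '*' accepts any signer in the store")
    return findings


# The trust policy shown on this page, reproduced as sample input.
PAGE_POLICY = """
{"version": "1.0", "trustPolicies": [{
  "name": "aws-signer-tp",
  "registryScopes": ["*"],
  "signatureVerification": {"level": "strict"},
  "trustStores": ["signingAuthority:aws-us-gov-signer-ts"],
  "trustedIdentities": [
    "arn:aws:signer:region:111122223333:/signing-profiles/ecr_signing_profile",
    "arn:aws:signer:region:111122223333:/signing-profiles/ecr_signing_profile2"
  ]}]}
"""

# Constructed sample: a policy carried over unchanged from a standard Region.
CONSTRUCTED_BAD_POLICY = """
{"version": "1.0", "trustPolicies": [{
  "name": "copied-from-standard-region",
  "registryScopes": ["*"],
  "signatureVerification": {"level": "permissive"},
  "trustStores": ["signingAuthority:aws-signer-ts"],
  "trustedIdentities": ["*"]}]}
"""

if __name__ == "__main__":
    for label, text in (("page", PAGE_POLICY), ("constructed", CONSTRUCTED_BAD_POLICY)):
        results = lint_trust_policy(text)
        print(label, "OK" if not results else "FAILED")
        for finding in results:
            print("  -", finding)
```
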

## Documentation for AWS Signer
<a name="govcloud-Signer-docs"></a>

 [AWS Signer documentation](https://docs.aws.amazon.com/signer/index.html).

## Export-controlled content
<a name="govcloud-Signer-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS SimSpace Weaver in AWS GovCloud (US)
<a name="govcloud-simspaceweaver"></a>

AWS SimSpace Weaver is a service that you can use to build and run large-scale spatial simulations in the AWS Cloud. For example, you can create crowd simulations, large real-world environments, and immersive and interactive experiences.

With SimSpace Weaver, you can distribute simulation workloads across multiple Amazon Elastic Compute Cloud (Amazon EC2) instances. SimSpace Weaver deploys the underlying AWS infrastructure for you, and handles the simulation data management and network communication between the Amazon EC2 instances running your simulation.

## How AWS SimSpace Weaver differs for AWS GovCloud (US)
<a name="govcloud-diffs-23"></a>

This service has no differences between AWS GovCloud (US) Regions and the standard AWS Regions.

## Documentation for AWS SimSpace Weaver
<a name="govcloud-docs-62"></a>

 [SimSpace Weaver documentation](https://docs.aws.amazon.com/simspaceweaver).

## Export-controlled content
<a name="govcloud-itar-content-101"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Simulation name
+ Log destination resource name
+ Domain name
+ Schema file path
+ App binary name
+ App binary file path
+ Resource tags

# AWS Site-to-Site VPN in AWS GovCloud (US)
<a name="govcloud-vpn"></a>

AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC).

## How Site-to-Site VPN differs for AWS GovCloud (US)
<a name="govcloud-vpn-diffs"></a>
+  AWS Site-to-Site VPN integration with Global Accelerator (Accelerated VPN Connections) is not available in the AWS GovCloud (US) Region.
+ The AWS Site-to-Site VPN endpoints in AWS GovCloud (US) operate using FIPS 140-3 validated cryptographic modules. Correspondingly, VPN connections created in GovCloud require a different set of algorithms to establish a tunnel. For more information about FIPS 140-3, see "Cryptographic Module Validation Program" on the NIST Computer Security Resource Center website.
+ Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other AWS Regions, you can use HTTP or HTTPS.

## Documentation for AWS Site-to-Site VPN
<a name="govcloud-vpn-docs"></a>

 [Site-to-Site VPN documentation](https://docs.aws.amazon.com/vpn).

## Export-controlled content
<a name="itar-boundary-2"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  AWS Site-to-Site VPN metadata is not permitted to contain export-controlled data. This metadata includes all of the configuration data that you enter when setting up and maintaining your Site-to-Site VPNs.

  For example, do not enter export-controlled data into user input fields such as the following:
  + Display Name
  + Topic Policy
  + Topic Delivery Policy
  + Topic ARN
  + Endpoint

# AWS Snow Family in AWS GovCloud (US)
<a name="govcloud-importexport"></a>

AWS Snow Family is a service for customers who want to transport terabytes or petabytes of data to and from AWS, or who want to access the storage and compute power of the AWS Cloud locally and cost effectively in places where connecting to the internet might not be an option.

## How AWS Snow Family differs for AWS GovCloud (US)
<a name="govcloud-sb-diffs"></a>
+ Users can only select AWS GovCloud (US) Regions as the import or export destination Region. The AWS GovCloud (US) Region selection is available only when signed in to AWS GovCloud (US).
+  AWS Snowball Edge Device Management service is not available.
+  AWS Snow Family Large Data Migration Manager is not available.
+  Amazon EKS Anywhere on Snow is not available.

## Documentation for AWS Snow Family
<a name="govcloud-sb-docs"></a>

 [AWS Snow Family documentation](https://aws.amazon.com/documentation/snowball/).

## Export-controlled content
<a name="govcloud-importexport-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Snow Family metadata is not permitted to contain export-controlled data. This includes the naming and configuration data that you enter when creating and managing your Snow Family import or export job. For example, do not enter export-controlled data into user input fields describing your job, such as import job name, Amazon S3 bucket name, or Amazon SNS topic name. Snow Family generated metadata will not contain export-controlled data.

# AWS Step Functions in AWS GovCloud (US)
<a name="govcloud-step-functions"></a>

AWS Step Functions makes it easy to coordinate the components of distributed applications as a series of steps in a visual workflow. You can quickly build and run state machines to execute the steps of your application in a reliable and scalable fashion.

## How AWS Step Functions differs for AWS GovCloud (US)
<a name="govcloud-sf-diffs"></a>
+ US Commercial Regions support FIPS and Non-FIPS endpoints.
+ US GovCloud East supports FIPS and Non-FIPS endpoints.
+ US GovCloud West only supports FIPS endpoints.
+ US Commercial Regions only support AWS PrivateLink for Non-FIPS endpoints.
+ US GovCloud East Region only supports AWS PrivateLink for FIPS endpoints.
+ US GovCloud West Region only supports AWS PrivateLink for FIPS endpoints.
+ Support to call HTTPS APIs is not available.

## Documentation for AWS Step Functions
<a name="govcloud-sf-docs"></a>

 [AWS Step Functions documentation](https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html).

## Export-controlled content
<a name="govcloud-step-functions-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# AWS Storage Gateway in AWS GovCloud (US)
<a name="govcloud-storagegateway"></a>

AWS Storage Gateway is a service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between your on-premises IT environment and the AWS storage infrastructure in the cloud.

## How AWS Storage Gateway differs for AWS GovCloud (US)
<a name="govcloud-sga-diffs"></a>
+ A file gateway created inside AWS GovCloud (US) cannot connect to a bucket outside of the AWS GovCloud (US) Regions.
+ A file gateway created outside of AWS GovCloud (US) cannot connect to a bucket inside AWS GovCloud (US).
+ TLS-enabled endpoints are available.
+  [AWS Storage Gateway Hardware Appliance](https://docs.aws.amazon.com/storagegateway/latest/userguide/HardwareAppliance.html) is not supported for use with the AWS Storage Gateway service running in the AWS GovCloud (US) Region.

## Documentation for AWS Storage Gateway
<a name="govcloud-sga-docs"></a>

 [AWS Storage Gateway documentation](https://docs.aws.amazon.com/storagegateway/index.html).

## Export-controlled content
<a name="govcloud-storagegateway-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  AWS Storage Gateway metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your gateway in AWS Storage Gateway, including but not limited to:
  + Storage Gateway name
  + Tape barcode
  + The name of the iSCSI initiator configured for CHAP

  Do not enter export-controlled data into the following console fields:
  + Resource tag: Key
  + Resource tag: Value

## AWS Storage Gateway AMI Information
<a name="govcloud-storagegateway-ami"></a>

The following table lists the available AWS Storage Gateway AMIs in the AWS GovCloud (US) Regions.


| Gateway Type | AMI ID | 
| --- | --- | 
|  File Gateway  |  ami-0b5d2a6a us-gov-west-1  | 

# AWS Support
<a name="govcloud-support"></a>

 AWS Support offers a range of support plans that provide access to tools and technical help to support the success and operational health of your AWS solutions. For more information, see [Signing Up for AWS GovCloud (US) AWS Support](customer-supp.md).

To create a new case, sign in to the AWS GovCloud (US) Region [Support Center](https://console.amazonaws-us-gov.com/support/) with your AWS GovCloud (US) credentials. 

**Important**  
Do not enter any export-controlled data in your support cases.

## How AWS Support differs for AWS GovCloud (US)
<a name="govcloud-support-diffs"></a>
+  [AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html) is available in AWS GovCloud (US), but some AWS Trusted Advisor checks and features are not available.
+ The Service Health Dashboard for the AWS GovCloud (US) Region can be found at http://status.aws.amazon.com/govcloud.
+ The AWS GovCloud (US) Regions do not have a dedicated forum area.
+ The endpoint to access AWS Support is https://support.us-gov-west-1.amazonaws.com.
+  AWS Partner-Led Support is available in all AWS Regions; however, Diagnostic Tools and case management are not available in AWS GovCloud (US) Regions.
+ Changing the severity level of existing support cases isn’t supported.

## Documentation for AWS Support
<a name="govcloud-support-docs"></a>

See the following topics:
+  [AWS Support User Guide](https://docs.aws.amazon.com/awssupport/latest/user/) 
+  [AWS Support API Reference](https://docs.aws.amazon.com/awssupport/latest/APIReference/) 

## Export-controlled content
<a name="govcloud-support-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Support engineers in the AWS Region (`aws` partition) can access support cases from the AWS GovCloud (US) Region.
+ Do not enter any export-controlled data in your support cases.

# AWS Systems Manager in AWS GovCloud (US)
<a name="govcloud-ssm"></a>

Use AWS Systems Manager to organize, monitor, and automate management tasks on your AWS resources.

## How AWS Systems Manager differs for AWS GovCloud (US)
<a name="govcloud-sys-diffs"></a>

The implementation of Systems Manager is different for the AWS GovCloud (US) Regions in the following ways:
+ The following Systems Manager capabilities are not yet available for the AWS GovCloud (US) Regions:
  + Change Manager
  +  Incident Manager 
+ The following Systems Manager features are not yet available for the AWS GovCloud (US) Regions:
  + In the [Distributor](https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor.html) tool, third-party packages are not available.
  + In the [Application Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/application-manager.html) tool, integration with AWS Cost Explorer functionality is not available.
  + In the [Explorer](https://docs.aws.amazon.com/systems-manager/latest/userguide/Explorer.html) tool, delegated administrator support for Explorer is not available.
  + In the [OpsCenter](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html) tool, [markdown support](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-creating-OpsItems-console.html) is not available in the **OpsItem** description field in the console.
  + In the [Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html) tool, support for Quick Setup patch policy configurations is not available.
  + In the [Quick Setup](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-quick-setup.html) tool, support for AWS Organizations is not available.
  + In the [State Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-state.html) tool, support for viewing association histories is not available.
+  Amazon Elastic Compute Cloud resource scheduling is not available.

Other differences:
+ Some Automation runbooks and SSM Command documents are not available for the AWS GovCloud (US) Regions.
+ SSM Agent for AWS GovCloud (US) can be downloaded from the following locations:

  ```
  https://amazon-ssm-us-gov-east-1.s3.us-gov-east-1.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe
  ```

  ```
  https://amazon-ssm-us-gov-west-1.s3.us-gov-west-1.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe
  ```

## Documentation for AWS Systems Manager
<a name="govcloud-sys-docs"></a>

 [AWS Systems Manager documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html).

## Export-controlled content
<a name="govcloud-ssm-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ The following AWS Systems Manager metadata fields are not permitted to contain export-controlled data:
  + Document names
  + Parameter Store parameter names
  + Patch group names (that is, the value of the Patch Group tag)

# AWS Transfer Family in AWS GovCloud (US)
<a name="govcloud-tf"></a>

 AWS Transfer Family is a secure transfer service that enables you to transfer files into and out of Amazon Simple Storage Service (Amazon S3) and Amazon Elastic File System (Amazon EFS) file systems over the following protocols:
+ Secure Shell (SSH) File Transfer Protocol (SFTP) (AWS Transfer for SFTP).
+ File Transfer Protocol Secure (FTPS) (AWS Transfer for FTPS).
+ File Transfer Protocol (FTP) (AWS Transfer for FTP).
+ Applicability Statement 2 (AS2).

## How AWS Transfer Family differs for AWS GovCloud (US)
<a name="govcloud-tf-diffs"></a>
+ PUBLIC and VPC_ENDPOINT endpoint types are not supported. Only VPC endpoint type is supported, for both internal and internet facing access. For more information, see [Creating a server in a virtual private cloud](https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html) in the *AWS Transfer Family User Guide*.
+ If you are providing your end users access to your endpoint using a custom hostname, you need to map your endpoint’s IP addresses to the custom domain using Amazon Route 53 or any DNS provider. If you use a hostname registered with Route 53, there are some DNS limitations. For more information about using Route 53 for GovCloud endpoints, see [Setting Up Amazon Route 53 with Your AWS GovCloud (US) Resources](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/migrating-route53-hostedzone.html).
+ For Transfer Family web apps, you can enable FIPS during configuration. To do so, select the **FIPS Enabled endpoint** checkbox on the **Configure web app** screen.

## Documentation for AWS Transfer Family
<a name="govcloud-tf-docs"></a>

 [AWS Transfer Family documentation](https://docs.aws.amazon.com/transfer/latest/userguide/what-is-aws-transfer-family.html).

## Export-controlled content
<a name="govcloud-tf-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  AWS Transfer Family metadata is not permitted to contain export-controlled data.

# AWS Trusted Advisor in AWS GovCloud (US)
<a name="govcloud-ta"></a>

Trusted Advisor is an online resource that helps you reduce cost, increase performance, and improve security by optimizing your AWS environment. It provides real-time guidance to help you provision your resources following AWS best practices.

## How AWS Trusted Advisor Differs for AWS GovCloud (US)
<a name="govcloud-ta-diffs"></a>
+ Email notifications for Trusted Advisor check summaries aren’t supported in the AWS GovCloud (US) Regions.
+ The organizational view feature is currently not supported in the AWS GovCloud (US) Regions.
+ For a list of supported checks in the AWS GovCloud (US) Regions, see [Supported Trusted Advisor checks](#supported-ta-checks). You can also sign in to the [Trusted Advisor console](https://console.aws.amazon.com/trustedadvisor).
+ Email notifications for Trusted Advisor Priority recommendation summaries aren’t supported in the AWS GovCloud (US) Regions.
+ Not all checks are automatically refreshed. For checks not automatically refreshed, customers can manually refresh via the Console or API.

### Supported Trusted Advisor checks
<a name="supported-ta-checks"></a>

The following tables list the Trusted Advisor checks that are available in the AWS GovCloud (US) Regions and the required support level.

#### Cost optimization
<a name="cost-optimization"></a>

The following table lists the Trusted Advisor checks for cost optimization that are available in the AWS GovCloud (US) Regions.



| Check | Support level | 
| --- | --- | 
|   Amazon EC2 Instances Stopped  |  Business and Enterprise  | 
|   Amazon ECR Repository Without Lifecycle Policy Configured  |  Business and Enterprise  | 
|   AWS Account Not Part of AWS Organizations   |  Business and Enterprise  | 
|  Amazon RDS Idle DB Instances  |  Business and Enterprise  | 
|   Amazon S3 Bucket Lifecycle Policy Configured  |  Business and Enterprise  | 
|   Amazon S3 version enabled buckets without lifecycle policies configured  |  Business and Enterprise  | 
|  Idle Load Balancers  |  Business and Enterprise  | 
|  Low Utilization Amazon EC2 Instances  |  Business and Enterprise  | 
|  Unassociated Elastic IP Addresses  |  Business and Enterprise  | 
|  Underutilized Amazon EBS Volumes  |  Business and Enterprise  | 

#### Fault tolerance
<a name="fault-tolerance"></a>

The following table lists the Trusted Advisor checks for fault tolerance that are available in the AWS GovCloud (US) Regions.



| Check | Support level | 
| --- | --- | 
|   Amazon Aurora DB Instance Accessibility  |  Business and Enterprise  | 
|   Amazon DynamoDB Table Not Included in Backup Plan  |  Business and Enterprise  | 
|   Amazon EBS Not Included in AWS Backup Plan  |  Business and Enterprise  | 
|   Amazon EBS Snapshots  |  Business and Enterprise  | 
|   Amazon EC2 Auto Scaling Group does not have ELB Health check Enabled  |  Business and Enterprise  | 
|   Amazon EC2 Availability Zone Balance  |  Business and Enterprise  | 
|   Amazon EC2 Detailed Monitoring Not Enabled  |  Business and Enterprise  | 
|   Amazon ECS service using a single AZ  |  Business and Enterprise  | 
|   Amazon ECS Multi-AZ placement strategy  |  Business and Enterprise  | 
|   Amazon ElastiCache Multi-AZ Clusters  |  Business and Enterprise  | 
|   Amazon ElastiCache Redis clusters Automatic Backup  |  Business and Enterprise  | 
|   AWS Lambda Functions without a dead-letter queue configured  |  Business and Enterprise  | 
|  Amazon MemoryDB Multi-AZ Clusters  |  Business and Enterprise  | 
|   Amazon Redshift cluster automated snapshots  |  Business and Enterprise  | 
|   Amazon RDS not in AWS Backup Plan  |  Business and Enterprise  | 
|   Amazon RDS Backups  |  Business and Enterprise  | 
|   Amazon RDS DB Instance Enhanced Monitoring Not Enabled  |  Business and Enterprise  | 
|   Amazon RDS Multi-AZ  |  Business and Enterprise  | 
|   Amazon RDS Multi-AZ Standby Instance Not Enabled  |  Business and Enterprise  | 
|   Amazon S3 Bucket Logging  |  Business and Enterprise  | 
|   Amazon S3 Bucket Replication Not Enabled  |  Business and Enterprise  | 
|   Amazon S3 Bucket Versioning  |  Business and Enterprise  | 
|  Auto Scaling Group Resources  |  Business and Enterprise  | 
|   AWS Site-to-Site VPN has at least one Tunnel in DOWN Status  |  Business and Enterprise  | 
|  Auto Scaling Group Health Check  |  Business and Enterprise  | 
|  ELB Connection Draining  |  Business and Enterprise  | 
|  ELB Cross-Zone Load Balancing  |  Business and Enterprise  | 
|  Load Balancer Optimization  |  Business and Enterprise  | 
|  VPN Tunnel Redundancy  |  Business and Enterprise  | 
|  ActiveMQ Availability Zone Redundancy  |  Business and Enterprise  | 
|  RabbitMQ Availability Zone Redundancy  |  Business and Enterprise  | 

#### Operational Excellence
<a name="operation-excellence"></a>

The following table lists the Trusted Advisor checks for operational excellence that are available in the AWS GovCloud (US) Regions.



| Check | Support level | 
| --- | --- | 
|   Amazon API Gateway Not Logging Execution Logs  |  Business and Enterprise  | 
|   Amazon API Gateway REST APIs Without X-Ray Tracing Enabled  |  Business and Enterprise  | 
|   Amazon EC2 Instance Not Managed by AWS Systems Manager  |  Business and Enterprise  | 
|   Amazon ECR Repository With Tag Immutability Disabled  |  Business and Enterprise  | 
|   Amazon ECS clusters with Container Insights disabled  |  Business and Enterprise  | 
|   Amazon S3 does not have Event Notifications enabled  |  Business and Enterprise  | 
|   Amazon VPC Without Flow Logs  |  Business and Enterprise  | 
|   CloudFormation Stack Notification  |  Business and Enterprise  | 
|   AWS CloudTrail data events logging for objects in an S3 bucket  |  Business and Enterprise  | 
|   AWS CodeBuild Project Logging  |  Business and Enterprise  | 
|   AWS Elastic Beanstalk Enhanced Health Reporting Is Not Configured  |  Business and Enterprise  | 
|   AWS Elastic Beanstalk with Managed Platform Updates disabled  |  Business and Enterprise  | 
|   AWS Fargate platform version is not latest  |  Business and Enterprise  | 
|   AWS Systems Manager State Manager Association in Non-compliant Status  |  Business and Enterprise  | 
|  Application Load Balancers and Classic Load Balancers Without Access Logs Enabled  |  Business and Enterprise  | 
|   CloudTrail trails is not configured with Amazon CloudWatch Logs   |  Business and Enterprise  | 
|   Elastic Load Balancing Deletion Protection Not Enabled for Load Balancers  |  Business and Enterprise  | 
|  RDS Cluster Deletion Protection Check  |  Business and Enterprise  | 
|  RDS DB Instance Automatic Minor Version Upgrade Check  |  Business and Enterprise  | 

#### Performance
<a name="performance"></a>

The following table lists the Trusted Advisor checks for performance that are available in the AWS GovCloud (US) Regions.



| Check | Support level | 
| --- | --- | 
|   Amazon DynamoDB Auto Scaling Not Enabled  |  Business and Enterprise  | 
|   Amazon EBS Optimization Not Enabled  |  Business and Enterprise  | 
|   Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration  |  Business and Enterprise  | 
|   Amazon EC2 to EBS Throughput Optimization  |  Business and Enterprise  | 
|   Amazon EC2 Virtualization Type is Paravirtual  |  Business and Enterprise  | 
|  High Utilization Amazon EC2 Instances  |  Business and Enterprise  | 
|  Large Number of EC2 Security Group Rules Applied to an Instance  |  Business and Enterprise  | 
|  Large Number of Rules in an EC2 Security Group  |  Business and Enterprise  | 
|  Overutilized Amazon EBS Magnetic Volumes  |  Business and Enterprise  | 
|   AWS Lambda Functions without Concurrency Limit configured  |  Business and Enterprise  | 

#### Security
<a name="security"></a>

The following table lists the Trusted Advisor checks for security that are available in the AWS GovCloud (US) Regions.



| Check | Support level | 
| --- | --- | 
|   Amazon CloudWatch Log Group retention period less than 365 days  |  All support levels  | 
|   Amazon EBS Public Snapshots  |  All support levels  | 
|   Amazon RDS Security Group Access Risk  |  Business and Enterprise  | 
|   Amazon RDS Public Snapshots  |  All support levels  | 
|   Amazon S3 Bucket Permissions  |  All support levels  | 
|   AWS Backup Vault Without Resource-Based Policy to Prevent Deletion of Recovery Points  |  Business and Enterprise  | 
|   AWS CloudTrail Logging  |  Business and Enterprise  | 
|  ELB Security Groups  |  Business and Enterprise  | 
|  ELB Listener Security  |  Business and Enterprise  | 
|   IAM Access Key Rotation  |  All support levels  | 
|   IAM Use  |  All support levels  | 
|   IAM Password Policy  |  Business and Enterprise  | 
|  Security Groups – Specific Ports Unrestricted  |  All support levels  | 
|  Security Groups – Unrestricted Access  |  Business and Enterprise  | 

#### Service quotas
<a name="service-quotas"></a>

The following table lists the checks for Trusted Advisor service quotas, formerly known as limits, that are available in the AWS GovCloud (US) Regions.



| Check | Support level | 
| --- | --- | 
|   Amazon DynamoDB Throughput  |  All support levels  | 
|  Auto Scaling Groups  |  All support levels  | 
|  Auto Scaling Launch Configurations  |  All support levels  | 
|   CloudFormation Stacks  |  All support levels  | 
|   DynamoDB Read Capacity  |  All support levels  | 
|   DynamoDB Write Capacity  |  All support levels  | 
|  EBS Active Snapshots  |  All support levels  | 
|  EBS Cold HDD (sc1) Volume Storage  |  All support levels  | 
|  EBS General Purpose SSD (gp2) Volume Storage  |  All support levels  | 
|  EBS General Purpose SSD (gp3) Volume Storage  |  All support levels  | 
|  EBS Magnetic (standard) Volume Storage  |  All support levels  | 
|  EBS Provisioned IOPS (SSD) Volume Aggregate IOPS  |  All support levels  | 
|  EBS Provisioned IOPS SSD (io1) Volume Storage  |  All support levels  | 
|  EBS Throughput Optimized HDD (st1) Volume Storage  |  All support levels  | 
|  EC2 Reserved Instance Leases  |  All support levels  | 
|  ELB Classic Load Balancers  |  All support levels  | 
|  ELB Network Load Balancers  |  All support levels  | 
|  ELB Application Load Balancers  |  All support levels  | 
|   IAM Group  |  All support levels  | 
|   IAM Instance Profiles  |  All support levels  | 
|   IAM Policies  |  All support levels  | 
|   IAM Roles  |  All support levels  | 
|   IAM Server Certificates  |  All support levels  | 
|   IAM Users  |  All support levels  | 
|  Kinesis Shards per Region  |  All support levels  | 
|  RDS Cluster Parameter Groups  |  All support levels  | 
|  RDS Cluster Roles  |  All support levels  | 
|  RDS Clusters  |  All support levels  | 
|  RDS DB Instances  |  All support levels  | 
|  RDS DB Parameter Groups  |  All support levels  | 
|  RDS DB Security Groups  |  All support levels  | 
|  RDS DB Manual Snapshots  |  All support levels  | 
|  RDS Event Subscriptions  |  All support levels  | 
|  RDS Max Auths per Security Group  |  All support levels  | 
|  RDS Option Groups  |  All support levels  | 
|  RDS Read Replicas per Master  |  All support levels  | 
|  RDS Reserved Instances  |  All support levels  | 
|  RDS Subnet Groups  |  All support levels  | 
|  RDS Subnets per Subnet Group  |  All support levels  | 
|  RDS Total Storage Quota  |  All support levels  | 
|  VPC  |  All support levels  | 
|  VPC Elastic IP Address  |  All support levels  | 
|  VPC Internet Gateways  |  All support levels  | 

## Documentation for AWS Trusted Advisor
<a name="govcloud-ta-docs"></a>

See the following topics:
+  [AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html) in the *AWS Support User Guide* 
+ For more information about Trusted Advisor features, see [AWS Trusted Advisor](https://aws.amazon.com/premiumsupport/trustedadvisor/).
+ For a complete list of Trusted Advisor checks, see the [AWS Trusted Advisor best practice checklist](https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist).

## Export-controlled content
<a name="govcloud-ta-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# AWS Verified Access in AWS GovCloud (US)
<a name="govcloud-verified-access"></a>

AWS Verified Access provides secure access to corporate applications without a VPN connection. It evaluates each request in real time and determines whether the user has access to the application.

## How AWS Verified Access differs for AWS GovCloud (US)
<a name="govcloud-diffs-32"></a>
+ Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other AWS Regions, you can use HTTP or HTTPS.

## Documentation for AWS Verified Access
<a name="govcloud-docs-71"></a>

 [Verified Access documentation](https://docs.aws.amazon.com/verified-access/landingpage.html).

## Export-controlled content
<a name="govcloud-itar-content-110"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Any metadata that you provide when setting up and maintaining your Verified Access resources, including all configuration data that you enter.

# AWS WAF in AWS GovCloud (US)
<a name="govcloud-waf"></a>

AWS WAF is a web application firewall that lets you monitor web requests that are forwarded to resources, such as AWS API Gateway and AWS Application Load Balancers. You can also use AWS WAF to block or allow requests based on conditions that you specify, such as the IP addresses that requests originate from or values in the requests.

For a list of services that AWS WAF supports, see the [service page](https://aws.amazon.com/waf).

## How AWS WAF Differs for AWS GovCloud (US)
<a name="govcloud-waf-diffs"></a>

 AWS WAF for AWS GovCloud (US) doesn’t support the following functionality:
+ Managed rule groups that are provided for subscription by AWS Marketplace third party sellers are not available for use in AWS GovCloud (US). The only managed rule groups that are available in AWS GovCloud (US) are the AWS managed rule groups that are provided with AWS WAF. For more information about managed rule groups in AWS WAF, see [Managed rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups.html) in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.

## Documentation for AWS WAF
<a name="govcloud-waf-docs"></a>

 [AWS WAF documentation](https://aws.amazon.com/documentation/waf/).

## Export-controlled content
<a name="waf-itar-boundary"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No export-controlled data may be entered, stored, or processed by AWS WAF. For example, AWS WAF metadata is not permitted to contain export-controlled data.

  For example, do not enter export-controlled data in the following fields:
  + Web ACL name
  + CloudWatch metric name
  + Condition
  + Rule name
  + String filters and regex pattern set

# AWS Well-Architected Tool in AWS GovCloud (US)
<a name="govcloud-wellarchitected"></a>

AWS Well-Architected Tool (AWS WA Tool) is a service in the cloud that provides a consistent process for measuring your architecture using AWS best practices. AWS WA Tool helps you throughout the product lifecycle by:
+ Assisting with documenting the decisions that you make
+ Providing recommendations for improving your workload based on best practices
+ Guiding you in making your workloads more reliable, secure, efficient, and cost-effective

You can use AWS WA Tool to document and measure your workload using the best practices from the AWS Well-Architected Framework. These best practices were developed by AWS Solutions Architects based on their years of experience building solutions across a wide variety of businesses. The framework provides a consistent approach for measuring architectures and provides guidance for implementing designs that scale with your needs over time.

## How AWS Well-Architected Tool differs for AWS GovCloud (US)
<a name="govcloud-diffs-30"></a>

 **AWS Service Catalog AppRegistry integration with Well-Architected using service-managed attribute groups** – The ability to reference Well-Architected metadata in AppRegistry using service-managed attribute groups is not available in AWS GovCloud (US) Regions.

 **Profiles** – Profiles is not available in AWS GovCloud (US) Regions.
+ Jira – The AWS Well-Architected Tool Connector for Jira is not available in AWS GovCloud (US) Regions.

## Documentation for AWS Well-Architected Tool
<a name="govcloud-docs-69"></a>

 [AWS WA Tool documentation](https://docs.aws.amazon.com/wellarchitected/).

## Export-controlled content
<a name="govcloud-itar-content-108"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  AWS account IDs associated with workload
+ Workload name
+ Milestone name
+ Review owner

# AWS WickrGov in AWS GovCloud (US)
<a name="govcloud-wickr"></a>

AWS WickrGov is an end-to-end encrypted service that helps organizations collaborate across messaging, calling, file sharing, and screen sharing. Users of AWS WickrGov can also federate with other AWS WickrGov users outside their network.

## How AWS WickrGov differs for AWS GovCloud (US)
<a name="govcloud-diffs-26"></a>
+ WickrGov is only available in the AWS GovCloud (US-West) Region.
+ The AWS GovCloud (US) Federation allows communication between WickrGov networks in the AWS GovCloud (US-West) Region and commercial networks in other Regions.
+ The client name appears as AWS WickrGov, and the client uses a new AWS WickrGov logo with a blue background and white slashes.
+  AWS WickrGov Desktop, Android, and iOS apps are tailored for AWS GovCloud (US) users. When AWS GovCloud (US) users engage in conversations with commercial users (Wickr Enterprise, AWS Wickr, Guest users), they will see the following unclassified warnings displayed:
  + A U tag in the room list. (U tag refers to unclassified)
  + An unclassified acknowledgment on the message screen in every conversation.
  + An unclassified banner on top of the conversation.
+ AWS WickrGov offers a premium free trial option that allows up to 50 users and lasts for three months.

## Documentation for AWS WickrGov
<a name="govcloud-docs-65"></a>

 [AWS WickrGov documentation](https://docs.aws.amazon.com/wickr/index.html).

## Export-controlled content
<a name="govcloud-itar-content-104"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Email addresses of provisioned users within a network leave the AWS GovCloud (US) Regions in the normal course of service use. Do not enter export-controlled information into the email field when provisioning users.
+ Network names are visible to the AWS WickrGov service team as part of normal service function. Do not enter export-controlled or sensitive information into the network name field when creating a network.
+ When an AWS WickrGov network in AWS GovCloud (US) and an AWS Wickr network in an AWS commercial Region are federated, communications may be stored in either federated network’s data retention module if configured.

# AWS X-Ray in AWS GovCloud (US)
<a name="govcloud-xray"></a>

AWS X-Ray is a service that collects data about requests that your application serves, and provides tools you can use to view, filter, and gain insights into that data to identify issues and opportunities for optimization. For any traced request to your application, you can see detailed information not only about the request and response, but also about calls that your application makes to downstream AWS resources, microservices, databases and HTTP web APIs.

## How AWS X-Ray differs for AWS GovCloud (US)
<a name="govcloud-xray-diffs"></a>
+ Versions 3.1.0 or above of AWS X-Ray Daemon should be used.

## Documentation for AWS X-Ray
<a name="govcloud-xray-docs"></a>

 [AWS X-Ray documentation](https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html).

## Export-controlled content
<a name="govcloud-xray-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Amazon API Gateway in AWS GovCloud (US)
<a name="govcloud-abp"></a>

Amazon API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale. Create an API to access data, business logic, or functionality from your back-end services, such as applications running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, or any web application.

## How Amazon API Gateway differs for AWS GovCloud (US)
<a name="govcloud-apigw-diffs"></a>
+ The `TLS_1_0` security policy for Regional APIs is not supported.
+ Portals are not supported.
+  Amazon API Gateway edge-optimized API and edge-optimized custom domain name are not supported.
+ The Amazon Route 53 Hosted Zone ID for the regional endpoint in the AWS GovCloud (US-West) Region is Z1K6XKP9SAGWDV. The Amazon Route 53 Hosted Zone ID for the regional endpoint in the AWS GovCloud (US-East) Region is Z3SE9ATJYCRCZJ.
+ HTTP API private integrations aren’t supported in AWS GovCloud (US-East).
+ HTTP API private integrations with AWS Cloud Map aren’t supported in AWS GovCloud (US-West).
+ All API Gateway APIs created in GovCloud Regions are FIPS-compliant by default.
+  API Gateway mTLS endpoints do not currently support ECDSA server certificates.
+  `TLS-CHACHA20-POLY1305-SHA256` is not supported.

The following region-specific API Gateway account IDs are automatically added to your Amazon VPC endpoint service as AllowedPrincipals for private integrations in AWS GovCloud (US):


| Region | Account ID | 
| --- | --- | 
|  us-gov-west-1  |  291049978687  | 
|  us-gov-east-1  |  044865953448  | 

## Documentation for Amazon API Gateway
<a name="govcloud-apigw-docs"></a>

 [Amazon API Gateway documentation](https://aws.amazon.com/documentation/apigateway/).

## Export-controlled content
<a name="api-gateway"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ API Gateway’s configuration metadata is not permitted to contain export-controlled data, including:
  + API Name
  + API Description
  + Authorizer Name

    However, customers can send export-controlled data through their deployed APIs, with the caveat that downstream systems need to be compliant (for example, caching cannot be enabled on the API for any export-controlled data).

# Amazon WorkSpaces Applications in AWS GovCloud (US)
<a name="govcloud-appstream2"></a>

Amazon AppStream 2.0 is a fully managed application streaming service that provides users with instant access to their desktop applications from anywhere. AppStream 2.0 manages the AWS resources required to host and run your applications, scales automatically, and provides access to your users on demand. AppStream 2.0 provides users access to the applications they need on the device of their choice, with a responsive, fluid user experience that is indistinguishable from natively installed applications.

## How Amazon WorkSpaces Applications differs for AWS GovCloud (US)
<a name="govcloud-aas2-diffs"></a>
+ The Graphics Design and Graphics Pro instance types are not supported in the AWS GovCloud (US-East) Region.
+ The Windows Server 2012 image is not supported in the AWS GovCloud (US-East) Region.
+ Copying WorkSpaces Applications images from the AWS GovCloud (US) Regions to other AWS Regions is not supported.
+ The WorkSpaces Applications user pool is not supported.
+ The following CloudFormation resources are not available in AWS GovCloud (US):
  +  [AWS::AppStream::User](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appstream-user.html) 
  +  [AWS::AppStream::StackUserAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appstream-stackuserassociation.html) 
+ The following AppStream 2.0 API actions are not supported in AWS GovCloud (US):
  +  [BatchAssociateUserStack](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_BatchAssociateUserStack.html) 
  +  [BatchDisassociateUserStack](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_BatchDisassociateUserStack.html) 
  +  [DescribeUserStackAssociations](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_DescribeUserStackAssociations.html), when USERPOOL is specified for the AuthenticationType parameter. USERPOOL is the only supported value for this parameter.
  +  [CreateUser](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_CreateUser.html) 
  +  [DeleteUser](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_DeleteUser.html) 
  +  [DescribeUsers](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_DescribeUsers.html) 
  +  [DisableUser](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_DisableUser.html) 
  +  [EnableUser](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_EnableUser.html) 

## Documentation for Amazon WorkSpaces Applications
<a name="govcloud-aas2-docs"></a>

 [Amazon WorkSpaces Applications documentation](https://docs.aws.amazon.com/appstream2).

 [Configure the Relay State of Your Federation](https://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-relay-state).

 [Instance type pricing and availability by region can be found here.](https://aws.amazon.com/appstream2/pricing/) 

## Export-controlled content
<a name="govcloud-appstream-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon AppStream 2.0 metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining WorkSpaces Applications image builders, images, fleets, and stacks.
+ Do not enter export-controlled data in the following console fields or when using the WorkSpaces Applications API actions or AWS Command Line Interface (AWS CLI) commands:
  + Names and descriptions for Amazon AppStream 2.0 image builders, images, fleets and stacks.
  + Resource tags.
  + If importing export-controlled images, do not use pre-signed URLs for the CLI argument.

# Amazon Athena in AWS GovCloud (US)
<a name="govcloud-athena"></a>

Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL. With a few actions in the AWS Management Console, you can point Athena at your data stored in Amazon S3 and begin using standard SQL to run ad-hoc queries and get results in seconds. Athena is serverless, so there is no infrastructure to set up or manage, and you pay only for the queries you run. Athena scales automatically—executing queries in parallel—so results are fast, even with large datasets and complex queries.

## How Athena differs for AWS GovCloud (US)
<a name="govcloud-athena-diffs"></a>
+ Granting AWS Lake Formation permissions to Amazon Athena users who authenticate through the JDBC or ODBC driver using a SAML identity provider is not supported.

## Documentation for Amazon Athena
<a name="govcloud-athena-docs"></a>

 [Amazon Athena documentation](https://docs.aws.amazon.com/athena/latest/ug/what-is.html).

## Export-controlled content
<a name="govcloud-athena-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Amazon Athena metadata is not permitted to contain export-controlled data. This metadata includes:
  + Database Name
  + Table Name
  + Partitions
  + Query Names
  + Query Strings

# Amazon Aurora with MySQL and PostgreSQL compatibility in AWS GovCloud (US)
<a name="govcloud-aurora"></a>

Amazon Aurora (Aurora) is a fully managed relational database engine that’s compatible with MySQL and PostgreSQL. You already know how MySQL and PostgreSQL combine the speed and reliability of high-end commercial databases with the simplicity and cost-effectiveness of open-source databases. The code, tools, and applications you use today with your existing MySQL and PostgreSQL databases can be used with Aurora. With some workloads, Aurora can deliver up to five times the throughput of MySQL and up to three times the throughput of PostgreSQL without requiring changes to most of your existing applications.

## How Amazon Aurora differs for AWS GovCloud (US)
<a name="govcloud-aur-diffs"></a>
+ Publishing [Amazon Aurora MySQL Logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/AuroraMySQL.Integrating.CloudWatch.html) to Amazon CloudWatch Logs is not supported.
+ Creation of [cross-Region read replicas](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/AuroraMySQL.Replication.CrossRegion.html) from other AWS Regions to the AWS GovCloud (US) Regions or from AWS GovCloud (US) Regions to other AWS Regions isn’t supported.
+  Aurora PostgreSQL cross-Region read replicas are not available in AWS GovCloud (US) Regions.
+ Copying of [DB Snapshots](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html) from other AWS Regions to the AWS GovCloud (US) Regions or from AWS GovCloud (US) Regions to other AWS Regions isn’t supported.
+ Instance types and engine versions might vary in the AWS GovCloud (US) Regions. To determine instance and engine availability, see the [RDS Management Console](https://console.aws.amazon.com/rds/) or CLI tools.
+ Database activity streams are not supported in AWS GovCloud (US).
+ Intermediate SSL certificates must be used to connect to the AWS GovCloud (US) Regions using SSL. For more information related to Intermediate certificates, see [Using SSL/TLS to Encrypt a Connection](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html).
+  [Backtracking](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/AuroraMySQL.Managing.Backtrack.html) is not available.
+  [Aurora Serverless v1](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html) is not available.
+  [Aurora MySQL binlog replication](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Replication.html) from other AWS Regions to the AWS GovCloud (US) Regions or from AWS GovCloud (US) Regions to other AWS Regions isn’t supported.
+ Since the AWS GovCloud (US) Regions use a unique certificate authority (CA), update your DB clusters for the AWS GovCloud (US) Regions to use the Region-specific certificate identified by `rds-ca-rsa4096-g1` in [DescribeCertificates](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeCertificates.html) calls as soon as possible. The remaining instructions described in the [Rotating your SSL/TLS certificate](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) topic are the same, except for the certificate identifier.
+ Scaling to 0 capacity with Amazon Aurora Serverless v2 is not available in AWS GovCloud (US) Regions.
+ Zero-ETL integration with SageMaker Lakehouse isn’t available.

The following Amazon Aurora editions are supported in AWS GovCloud (US) Regions:
+  Amazon Aurora MySQL-compatible edition
+  Amazon Aurora PostgreSQL-compatible edition

## Documentation for Amazon Aurora
<a name="govcloud-aur-docs"></a>

For more information about Amazon Aurora, see the [Amazon Aurora documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_AuroraOverview.html).

## Export-controlled content
<a name="govcloud-aurora-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Amazon RDS metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon RDS instances except the master password.
+ Do not enter export-controlled data in the following fields:
  + Database Cluster Identifier
  + Database instance identifier
  + Master user name
  + Database name
  + Database snapshot name
  + Database security group name
  + Database security group description
  + Database cluster parameter group name
  + Database cluster parameter group description
  + Database subnet group name
  + Database subnet group description
  + Event subscription name
  + Resource tags

If you are processing export-controlled data with Amazon RDS, follow these guidelines in order to maintain export compliance:
+ When you use the console or the AWS APIs, the only data field that is protected as export-controlled data is the Amazon RDS Master Password.
+ After you create your database, change the master password of your Amazon RDS instance by directly using the database client.
+ You can enter export-controlled data into any data fields by using your database client-side tools. Do not pass export-controlled data by using the web service APIs that are provided by Amazon RDS.
+ To secure export-controlled data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.
  + For example, if you’re running an application server on an Amazon EC2 instance that connects to an Amazon RDS database instance, a non-U.S. person could reconfigure the DNS to redirect export-controlled data out of the VPC and into any server that might be outside of the AWS GovCloud (US-West) Region.

    To prevent this type of attack and to maintain export compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see [Network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ACLs.html) in the *Amazon VPC User Guide*.
  + For each database instance that contains export-controlled data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US-West) Region or other export-controlled environments to export-controlled database instances.
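
The network ACL guidance above can be checked mechanically. The following is an added example, not code from the AWS guide: it evaluates egress entries in the shape that `aws ec2 describe-network-acls` returns and reports every destination range outside the VPC that can still be reached on the database port. The VPC CIDR, port, and rule sets are constructed sample values.

```python
import ipaddress

VPC_CIDR = "10.20.0.0/16"  # constructed sample VPC range
DB_PORT = 5432             # constructed sample database port


def _rule(number, action, cidr, port=None, protocol="6", egress=True):
    """Build one entry in the shape describe-network-acls returns."""
    entry = {"RuleNumber": number, "Egress": egress, "Protocol": protocol,
             "RuleAction": action, "CidrBlock": cidr}
    if port is not None:
        entry["PortRange"] = {"From": port, "To": port}
    return entry


# Weak (constructed): the deny is numbered after the allow-all, so it never matches.
MISORDERED = [
    _rule(100, "allow", VPC_CIDR, DB_PORT),
    _rule(200, "allow", "0.0.0.0/0", protocol="-1"),
    _rule(300, "deny", "0.0.0.0/0", DB_PORT),
    _rule(32767, "deny", "0.0.0.0/0", protocol="-1"),
]

# Corrected (constructed): the database-port deny precedes the allow-all.
HARDENED = [
    _rule(100, "allow", VPC_CIDR, DB_PORT),
    _rule(110, "deny", "0.0.0.0/0", DB_PORT),
    _rule(200, "allow", "0.0.0.0/0", protocol="-1"),
    _rule(32767, "deny", "0.0.0.0/0", protocol="-1"),
]


def egress_decision(entries, dest_ip, port, protocol="6"):
    """Return (action, rule_number) for one outbound IPv4 packet.

    Network ACL rules are evaluated in ascending rule-number order and the
    first matching rule decides; with no match the packet is denied.
    """
    dest = ipaddress.ip_address(dest_ip)
    egress = sorted((e for e in entries if e.get("Egress")),
                    key=lambda e: e["RuleNumber"])
    for rule in egress:
        if rule["Protocol"] not in ("-1", protocol):
            continue
        cidr = rule.get("CidrBlock")  # IPv6-only entries carry no CidrBlock
        if cidr is None or dest not in ipaddress.ip_network(cidr, strict=False):
            continue
        ports = rule.get("PortRange")
        if ports and not ports["From"] <= port <= ports["To"]:
            continue
        return rule["RuleAction"], rule["RuleNumber"]
    return "deny", None


def _range_starts(cidrs):
    """First address of every IPv4 range on which all given CIDRs agree.

    The ACL decision can only change at a CIDR boundary, so probing one
    address per range covers the whole IPv4 space.
    """
    starts = {0}
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            continue
        starts.add(int(net.network_address))
        after = int(net.broadcast_address) + 1
        if after < 2 ** 32:
            starts.add(after)
    return sorted(starts)


def external_db_egress(entries, vpc_cidr, port, protocol="6"):
    """List (first_address, rule_number) for each range outside the VPC
    that the ACL still allows on the database port."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    cidrs = [vpc_cidr] + [e["CidrBlock"] for e in entries
                          if e.get("Egress") and e.get("CidrBlock")]
    leaks = []
    for start in _range_starts(cidrs):
        dest = ipaddress.ip_address(start)
        if dest in vpc:
            continue
        action, rule = egress_decision(entries, str(dest), port, protocol)
        if action == "allow":
            leaks.append((str(dest), rule))
    return leaks
```

An empty result from `external_db_egress` means no IPv4 destination outside the VPC is reachable on that port; run it once for each database port in use.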

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon Bedrock in AWS GovCloud (US)
<a name="govcloud-bedrock"></a>

This service is currently available in AWS GovCloud (US-West) and AWS GovCloud (US-East).

Amazon Bedrock provides a broad set of capabilities you need to build generative AI applications, simplifying development while maintaining privacy and security. You can easily experiment with Foundation Models (FMs) and privately customize them. Since Amazon Bedrock is serverless, you don’t have to manage any infrastructure, and you can securely integrate and deploy generative AI capabilities into your applications.

## How Amazon Bedrock differs for AWS GovCloud (US)
<a name="govcloud-diffs-11"></a>
+ Model availability for all regions, including AWS GovCloud (US), is available at [Model support by AWS Region](https://docs.aws.amazon.com/bedrock/latest/userguide/models-regions.html).
+ The following models have FedRAMP and IL4/5 authorization:
  + All Titan Models
  + Claude Sonnet 4.5
  + Claude 3.7 Sonnet
  + Claude 3.5 Sonnet v1
  + Claude 3 Haiku
  + Llama 3 8B
  + Llama 3 70B
+ Feature support for all regions, including AWS GovCloud (US), is available at [Feature support by AWS Region](https://docs.aws.amazon.com/bedrock/latest/userguide/features-regions.html).
+ Bedrock Data Automation is currently available in AWS GovCloud (US-West).

## Documentation for Amazon Bedrock
<a name="govcloud-docs-50"></a>

 [Amazon Bedrock documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html).

## Export-controlled content
<a name="govcloud-itar-content-89"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.

The following customer-defined metadata may leave the AWS GovCloud (US) Regions only when the customer asks AWS to investigate a reported issue:
+ Custom model metadata
+ Provisioned throughput metadata for the no-commit option

Amazon Bedrock model evaluation metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating an Amazon Bedrock model evaluation job, such as the following:
+ Inference configuration
+ Evaluation configuration
+  IAM role Amazon Resource Names
+  Amazon S3 bucket names and object prefixes
+ Resource tags

# Amazon Chime SDK in AWS GovCloud (US)
<a name="govcloud-chime-sdk"></a>

With the Amazon Chime SDK, you can quickly add voice, video, and screen sharing into your websites and mobile applications. Built-in machine learning provides noise and echo reduction to improve audio quality, and background replacement and blur to help improve visual privacy. Innovate faster by using the Amazon Chime SDK communication building blocks for secure customer communications that scale up or down to meet demand.

## How Amazon Chime SDK differs for AWS GovCloud (US)
<a name="govcloud-diffs-27"></a>
+ WebRTC media sessions (meetings-chime)
  + Sessions can be hosted in AWS GovCloud (US) Regions only
  + The nearest AWS Region can be discovered via https://nearest-us-gov-media-region.l.chime.aws
  + Live transcription only uses Amazon Transcribe in the AWS GovCloud (US-West) Region
  + Live transcription does not support Amazon Transcribe Medical
+ The following Amazon Chime SDK features are not supported:
  + Media Pipelines (media-pipelines-chime)
  + PSTN Audio (service.chime)
  + SIP Trunking (service.chime)
  + Messaging (messaging-chime)
  + Identity (identity-chime)
  + Console
+ Amazon Chime SDK in AWS GovCloud (US) is in a separate AWS partition from other AWS Regions. Therefore, it does not support cross-partition integration with other AWS services, such as Amazon CloudWatch, Amazon EventBridge, Amazon Simple Notification Service, Amazon Simple Queue Service and Amazon Transcribe.

## Documentation for Amazon Chime SDK
<a name="govcloud-docs-66"></a>

 [Amazon Chime SDK documentation](https://docs.aws.amazon.com/chime-sdk/index.html).

## Export-controlled content
<a name="govcloud-itar-content-105"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.

Amazon Chime SDK metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter or parameters that you supply in API requests.

Do not enter export-controlled data in the following fields:
+ External Meeting Id
+ External User Id
+ Tags

# Amazon Cloud Directory in AWS GovCloud (US)
<a name="govcloud-cds"></a>

This service is currently available in AWS GovCloud (US-West) only.

Amazon Cloud Directory is a high-performance, serverless, hierarchical data store. Cloud Directory is a highly scalable multi-tenant service that makes it easy for customers to organize and manage all their multi-dimensional data such as users, groups, locations, and devices and the rich relationships between them. Amazon Cloud Directory automatically scales to hundreds of millions of objects and provides an extensible schema that can be shared with multiple applications. As a serverless data store, Cloud Directory eliminates time-consuming and expensive administrative tasks, such as scaling infrastructure and managing servers. Cloud Directory is targeted for use cases such as human resources applications, course catalogs, device registry and network topology. Additionally, customer applications that need fine-grained permissions (Authorization) are well suited to leverage capabilities in Cloud Directory.

## How Amazon Cloud Directory differs for AWS GovCloud (US)
<a name="govcloud-cds-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for Amazon Cloud Directory
<a name="govcloud-cds-docs"></a>

 [Amazon Cloud Directory documentation](https://aws.amazon.com/documentation/clouddirectory/).

## Export-controlled content
<a name="govcloud-cds-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon Cloud Directory metadata is not permitted to contain export-controlled data. This metadata includes configuration data that you enter when creating and maintaining your Cloud Directory.
+ Do not enter export-controlled data in the following fields:
  + Schema name
  + Directory name

# Amazon CloudWatch in AWS GovCloud (US)
<a name="govcloud-cw"></a>

Use CloudWatch Events to send system events from AWS resources to AWS Lambda functions, Amazon SNS topics, streams in Amazon Kinesis, and other target types.

## How Amazon CloudWatch differs for AWS GovCloud (US)
<a name="govcloud-cw-diffs"></a>
+ Transaction Search is not available.
+ The GetMetricWidgetImage API is not available.
+  [Dashboard sharing](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html) is not available.
+ You cannot create CloudWatch alarms for Trusted Advisor metrics in AWS GovCloud (US).
+  Amazon CloudWatch cross-account observability is not available in AWS GovCloud (US).

## Documentation for Amazon CloudWatch
<a name="govcloud-cw-docs"></a>

 [Amazon CloudWatch documentation](https://aws.amazon.com/documentation/cloudwatch/).

## Export-controlled content
<a name="govcloud-cw-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Alarm Name and Description
+ Alarm configuration
+ Alarm tags
+ Metric Name
+ Metric Namespace
+ Metric Dimensions

# Amazon CloudWatch Events in AWS GovCloud (US)
<a name="govcloud-cwe"></a>

Use CloudWatch Events to send system events from AWS resources to AWS Lambda functions, Amazon SNS topics, streams in Amazon Kinesis, and other target types.

## How Amazon CloudWatch Events differs for AWS GovCloud (US)
<a name="govcloud-cwe-diffs"></a>
+ Use SSL (HTTPS) when you make calls to the service in AWS GovCloud (US) Regions. In other AWS Regions, you can use HTTP or HTTPS.

## Documentation for Amazon CloudWatch Events
<a name="govcloud-cwe-docs"></a>

 [Amazon CloudWatch Events documentation](https://aws.amazon.com/documentation/cloudwatch/).

## Export-controlled content
<a name="govcloud-cwe-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No export-controlled data may be entered, stored, or processed by CloudWatch Events. For example, CloudWatch Events metadata is not permitted to contain export-controlled data. This metadata includes all the configuration data that you enter when creating and maintaining your CloudWatch Events alarms.

  For example, do not enter export-controlled data in the following fields:
  + Rule names
  + Rule descriptions
  + Event patterns
  + Data input to APIs

# Amazon CloudWatch Logs in AWS GovCloud (US)
<a name="govcloud-cwl"></a>

Use CloudWatch Logs to monitor, store, and access your log files from Amazon EC2 instances, AWS CloudTrail, or other sources.

## How Amazon CloudWatch Logs differs for AWS GovCloud (US)
<a name="govcloud-cwl-diffs"></a>
+ Use SSL (HTTPS) when you make calls to the service in AWS GovCloud (US) Regions. In other AWS Regions, you can use HTTP or HTTPS.
+ The Live Tail feature is not available.
+ The `logGroupNamePattern` parameter is not supported for use in the describe-log-groups AWS CLI command or the DescribeLogGroups API.

## Documentation for Amazon CloudWatch Logs
<a name="govcloud-cwl-docs"></a>

 [Amazon CloudWatch Logs documentation](https://aws.amazon.com/documentation/cloudwatch/).

## Export-controlled content
<a name="govcloud-cwl-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ CloudWatch Log Group Names
+ CloudWatch Log Stream Names
+ Log group tags

# Amazon Cognito in AWS GovCloud (US)
<a name="govcloud-cog"></a>

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple. The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together.

## How Amazon Cognito differs for AWS GovCloud (US)
<a name="govcloud-cog-diffs"></a>

The following are the differences between the AWS GovCloud (US) Regions and the standard AWS Regions.
+  Amazon Pinpoint integration with user pools isn’t supported in AWS GovCloud (US).
+  Amazon Cognito in AWS GovCloud (US) uses FIPS endpoints only.
  + The API service endpoints are `cognito-idp-fips.us-gov-west-1.amazonaws.com` and `cognito-idp-fips.us-gov-east-1.amazonaws.com`. For more information about FIPS in AWS, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).
  + Hosted UI endpoints have a URL path in the format `0.auth-fips.us-gov-west-1.amazoncognito.com` or `1.auth-fips.us-gov-east-1.amazoncognito.com`.
+ Custom domains for user pools aren’t supported in AWS GovCloud (US).
+ Identity pools might be unable to assume IAM roles in AWS GovCloud (US-East) when the combined length of your role name and role session name is longer than 24 characters. This length doesn’t include the path. For best results in this Region, use role names of no more than 20 characters and session names of no more than four characters.
+  Amazon Cognito Sync isn’t available in AWS GovCloud (US) Regions.

The IAM roles that you assign to users with Amazon Cognito identity pools must have a trust policy that allows Amazon Cognito to generate temporary sessions. In AWS GovCloud (US), your trust policies must grant `AssumeRoleWithWebIdentity` permission to the `cognito-identity-us-gov.amazonaws.com` service principal. The following example trust policy allows the identity pool `us-gov-west-1:12345678-corner-cafe-123456790ab` to grant IAM credentials to unauthenticated guest users.

For AWS GovCloud (US-East), replace `cognito-identity-us-gov.amazonaws.com` with `cognito-identity.us-gov-east-1.amazonaws.com`.
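
A trust policy of this kind can be linted before it is attached to a role. The following is an added example, not code from the AWS guide: it builds a policy for the Region-specific principal named above and audits an existing policy for the wrong principal, a missing identity-pool pin, and the US-East role-name length advice. The `<principal>:aud` and `<principal>:amr` condition keys are assumed to follow the standard Cognito pattern, and the US-East pool ID and the commercial-style policy are constructed.

```python
# Federated principals named on this page, keyed by Region.
COGNITO_PRINCIPAL = {
    "us-gov-west-1": "cognito-identity-us-gov.amazonaws.com",
    "us-gov-east-1": "cognito-identity.us-gov-east-1.amazonaws.com",
}
ACTION = "sts:AssumeRoleWithWebIdentity"

WEST_POOL = "us-gov-west-1:12345678-corner-cafe-123456790ab"  # ID used on this page
EAST_POOL = "us-gov-east-1:00000000-constructed-pool-id"      # constructed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_trust_policy(identity_pool_id, amr="unauthenticated"):
    """Trust policy for one identity pool, using that Region's principal.

    Condition key names (<principal>:aud, <principal>:amr) are an assumption.
    """
    principal = COGNITO_PRINCIPAL[identity_pool_id.split(":", 1)[0]]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": principal},
            "Action": ACTION,
            "Condition": {
                "StringEquals": {f"{principal}:aud": identity_pool_id},
                "ForAnyValue:StringLike": {f"{principal}:amr": amr},
            },
        }],
    }


# Constructed: a policy copied from a standard-Region account without changes.
COMMERCIAL_STYLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": ACTION,
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": EAST_POOL},
            "ForAnyValue:StringLike":
                {"cognito-identity.amazonaws.com:amr": "unauthenticated"},
        },
    }],
}


def audit_trust_policy(policy, identity_pool_id, role_name=""):
    """Return a list of findings; an empty list means the policy passed."""
    region = identity_pool_id.split(":", 1)[0]
    expected = COGNITO_PRINCIPAL.get(region)
    if expected is None:
        return [f"identity pool Region {region!r} is not a GovCloud Region"]
    findings = []
    statements = [
        s for s in _as_list(policy.get("Statement", []))
        if s.get("Effect") == "Allow"
        and any(a.lower() == ACTION.lower() for a in _as_list(s.get("Action", [])))
    ]
    if not statements:
        findings.append(f"no Allow statement for {ACTION}")
    for stmt in statements:
        principal = stmt.get("Principal")
        federated = (principal.get("Federated")
                     if isinstance(principal, dict) else principal)
        if federated != expected:
            findings.append(
                f"principal {federated!r} should be {expected!r} in {region}")
        cond = stmt.get("Condition", {})
        # Without an aud match the role is not tied to this identity pool.
        if cond.get("StringEquals", {}).get(f"{expected}:aud") != identity_pool_id:
            findings.append("aud condition does not pin the role to this identity pool")
        if cond.get("ForAnyValue:StringLike", {}).get(f"{expected}:amr") is None:
            findings.append("no amr condition: guest and signed-in users "
                            "are not distinguished")
    if region == "us-gov-east-1" and len(role_name) > 20:
        findings.append(f"role name is {len(role_name)} characters; "
                        "use 20 or fewer in us-gov-east-1")
    return findings
```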

## Documentation for Amazon Cognito
<a name="govcloud-cog-docs"></a>

 [Amazon Cognito documentation](https://docs.aws.amazon.com/cognito/?id=docs_gateway).

## Export-controlled content
<a name="govcloud-cog-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Amazon Cognito metadata may be moved or stored outside of the AWS GovCloud (US) Region, or, in rare cases, accessed by certain AWS support personnel and system administrators who are not U.S. citizens.

  For example, user pool domains, custom attribute names, resource server identifiers and custom scopes may be included as part of the public Cognito sign-in and sign-up functionality.

# Amazon Comprehend in AWS GovCloud (US)
<a name="govcloud-cmp"></a>

This service is currently available in AWS GovCloud (US-West) only.

Amazon Comprehend uses natural language processing (NLP) to extract insights about the content of documents without the need of any special preprocessing. Amazon Comprehend processes any text files in UTF-8 format. It develops insights by recognizing the entities, key phrases, language, sentiments, and other common elements in a document. Use Amazon Comprehend to create new products based on understanding the structure of documents. With Amazon Comprehend you can search social networking feeds for mentions of products, scan an entire document repository for key phrases, or determine the topics contained in a set of documents. To extract insights from clinical documents such as doctor’s notes or clinical trial reports, use Amazon Comprehend Medical.

## How Amazon Comprehend differs for AWS GovCloud (US)
<a name="govcloud-cmp-diffs"></a>
+ In AWS GovCloud (US) Regions, AWS DOES NOT use or store AI Content processed by this AI Service to develop and improve that Service or technologies of AWS or its affiliates. Opt-out policies are not currently applicable to these Regions.

## Documentation for Amazon Comprehend
<a name="govcloud-cmp-docs"></a>

 [Amazon Comprehend documentation](https://aws.amazon.com/documentation/comprehend/).

## Export-controlled content
<a name="govcloud-cmp-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Amazon Comprehend Medical in AWS GovCloud (US)
<a name="govcloud-cmpm"></a>

This service is currently available in AWS GovCloud (US-West) only.

Amazon Comprehend Medical detects useful information in unstructured clinical text. As much as 75 percent of all health record data is found in unstructured text such as physician’s notes, discharge summaries, test results, and case notes. Amazon Comprehend Medical uses Natural Language Processing (NLP) models to sort through enormous quantities of data for valuable information gained through advances in machine learning.

## How Amazon Comprehend Medical differs for AWS GovCloud (US)
<a name="govcloud-cmpm-diffs"></a>

The following are the differences between AWS GovCloud (US) and the standard AWS Regions.

Differences in Quotas/Limits:


| Resource | Default | 
| --- | --- | 
|  Transactions per second (TPS) for the `DetectEntities-v2` and `DetectEntities` operations  |  2  | 
|  Transactions per second (TPS) for the `DetectPHI` operation  |  5  | 
|  Transactions per second (TPS) for the `StartEntitiesDetectionV2Job`, `StartPHIDetectionJob`, `StopEntitiesDetectionV2Job`, `StopPHIDetectionJob`, `ListEntitiesDetectionV2Jobs`, `ListPHIDetectionJobs`, `DescribeEntitiesDetectionV2Job`, and `DescribePHIDetectionJob` operations  |  2  | 

## Documentation for Amazon Comprehend Medical
<a name="govcloud-cmpm-docs"></a>

 [Amazon Comprehend Medical documentation](https://docs.aws.amazon.com/comprehend/latest/dg/comprehend-medical.html).

## Export-controlled content
<a name="govcloud-cmpm-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Amazon Connect in AWS GovCloud (US)
<a name="govcloud-con"></a>

This service is currently available in AWS GovCloud (US-West) only.

Amazon Connect is an easy-to-use omnichannel cloud contact center that helps you provide superior customer service at a lower cost. It provides a seamless experience across voice and chat for your customers and agents. This includes one set of tools for skills-based routing, powerful real-time and historical analytics, and intuitive management tools – all with pay-as-you-go pricing, which means Amazon Connect simplifies contact center operations, improves agent efficiency, and lowers costs. You can set up a contact center in minutes that can scale to support millions of customers from the office or as a virtual contact center.

## How Amazon Connect differs for AWS GovCloud (US)
<a name="govcloud-con-diffs"></a>

Amazon Connect in AWS GovCloud (US) differs from other commercial Regions in the following ways:
+ Amazon Connect instances in AWS GovCloud (US) use the domain **\$1.govcloud.connect.aws** 
+ It supports only the [latest Contact Control Panel](https://docs.aws.amazon.com/connect/latest/adminguide/upgrade-to-latest-ccp.html) (CCP) for both voice and chat contacts for agents. The earlier CCP is not supported.
+ It supports only the latest contact search experience, as described in [What’s new in contact search](https://docs.aws.amazon.com/connect/latest/adminguide/contact-search.html#new-contact-search-experience).
+ Amazon Connect in AWS GovCloud (US) is in a separate partition from all commercial Regions. Therefore it does not support cross-partition integration with other AWS services – such as Amazon Lex, Amazon Lambda, Amazon Kinesis, Amazon S3, Amazon CloudWatch, amongst others – that are available in commercial Regions.
+ The following Amazon Connect features are not supported.
  + Amazon Connect Customer Profiles
  + Amazon Q in Connect
  + Amazon Connect Voice ID
  + Amazon Connect Live Media Streaming
  + Amazon Connect Chat integration with Apple Business Chat
  + Amazon Connect Cases
  + Amazon Connect Outbound Campaigns
  + Granular access controls for real-time metrics
  + Amazon Connect Contact Lens GenAI features and the [ListRealTimeContactAnalysisSegments](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-contact-lens_ListRealtimeContactAnalysisSegments.html) API

## Documentation for Amazon Connect
<a name="govcloud-con-docs"></a>

 [Amazon Connect documentation](https://docs.aws.amazon.com/connect/latest/adminguide/what-is-amazon-connect.html).

## Export-controlled content
<a name="con"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Amazon Connect instance and resource configuration metadata is not permitted to contain export-controlled data. This metadata includes all configuration data (for example, name, alias, description, tags) that you enter when creating and maintaining your Amazon Connect instance and resources within an instance, such as users, queues, routing profiles, contact flows, or scheduled report names.

# Amazon Detective in AWS GovCloud (US)
<a name="govcloud-det"></a>

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your AWS resources. It then uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations.

## How Detective differs for AWS GovCloud (US)
<a name="govcloud-det-diffs"></a>
+ In GovCloud Regions, Detective does not validate the email address for member accounts, and does not send invitation emails to member accounts.
+ When accounts are terminated in AWS, Detective cannot automatically remove them from the behavior graph.

## Documentation for Amazon Detective
<a name="govcloud-det-docs"></a>

 [Detective documentation](https://docs.aws.amazon.com/detective/latest/adminguide/what-is-detective.html).

## Export-controlled content
<a name="govcloud-det-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. This metadata includes all configuration data in console fields, descriptions, resource names, and tagging information. AWS suggests customers do not enter export-controlled information in those fields.

# Amazon DocumentDB (with MongoDB compatibility) in AWS GovCloud (US)
<a name="govcloud-dcdb"></a>

Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly available, and fully managed document database service that supports MongoDB workloads. As a document database, Amazon DocumentDB makes it easy to store, query, and index JSON data.

Amazon DocumentDB is a non-relational database service designed from the ground up to give you the performance, scalability, and availability you need when operating mission-critical MongoDB workloads at scale. In Amazon DocumentDB, the storage and compute are decoupled, allowing each to scale independently. You can increase the read capacity to millions of requests per second by adding up to 15 low latency read replicas in minutes, regardless of the size of your data.

## How Amazon DocumentDB differs for AWS GovCloud (US)
<a name="govcloud-dcdb-diffs"></a>
+ Copying [cluster snapshots](https://docs.aws.amazon.com/documentdb/latest/developerguide/backup_restore-copy_cluster_snapshot.html) from other AWS Regions to the AWS GovCloud (US) Regions or from AWS GovCloud (US) Regions to other Regions is not supported.

## Documentation for Amazon DocumentDB
<a name="govcloud-dcdb-docs"></a>

 [Amazon DocumentDB documentation](https://docs.aws.amazon.com/documentdb/latest/developerguide/what-is.html).

## Export-controlled content
<a name="govcloud-dcdb-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon DocumentDB metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon DocumentDB cluster except the master password.

  Do not enter export-controlled data in the following fields:
  + Cluster Identifier
  + Instance identifier
  + Master user name
  + Database name
  + Snapshot name
  + Security group name
  + Security group description
  + Cluster parameter group name
  + Cluster parameter group description
  + Subnet group name
  + Subnet group description
  + Resource tags

If you are processing export-controlled data with Amazon DocumentDB, follow these guidelines in order to maintain export compliance:
+ When you use the console or the AWS APIs, the only data field that is protected as export-controlled data is the Amazon DocumentDB Master Password.
+ After you create your cluster, change the master password of your Amazon DocumentDB cluster by directly using the AWS Management Console or AWS CLI.
+ You can enter export-controlled data into any data fields by using your database client-side tools. Do not pass export-controlled data by using the web service APIs that are provided by Amazon DocumentDB.
+ To secure export-controlled data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.
  + For example, if you’re running an application server on an Amazon EC2 instance that connects to an Amazon DocumentDB cluster, a non-U.S. person could reconfigure the DNS to redirect export-controlled data out of the VPC and into any server that might be outside of the AWS GovCloud (US-West) Region.

    To prevent this type of attack and to maintain export compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see [Network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) in the *Amazon VPC User Guide*.
  + For each database instance that contains export-controlled data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the cluster, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US-West) Region or other export-controlled environments to export-controlled clusters.
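
The network ACL guidance above can be checked mechanically. This added example (not part of the AWS guide) replays egress entries, in the shape returned by the EC2 `DescribeNetworkAcls` API, in rule-number order and reports every rule that lets TCP traffic on the database port reach an address outside the VPC. The sample ACLs and CIDR ranges are constructed, port 27017 is an assumed database port, and only IPv4 entries are evaluated.

```python
import ipaddress


def covers_port(entry, port):
    """True if a network ACL entry applies to TCP traffic addressed to `port`."""
    if entry["Protocol"] == "-1":            # all protocols, all ports
        return True
    if entry["Protocol"] != "6":             # not TCP
        return False
    rng = entry.get("PortRange")
    return rng is None or rng["From"] <= port <= rng["To"]


def egress_leaks(entries, vpc_cidr, port=27017):
    """Return [(rule_number, [networks outside the VPC it allows])].

    Network ACLs are evaluated lowest rule number first and the first match
    decides, so an early broad allow shadows any later deny.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    # Address space whose fate is not yet decided: everything outside the VPC.
    undecided = list(ipaddress.ip_network("0.0.0.0/0").address_exclude(vpc))
    leaks = []
    rules = sorted((e for e in entries if e["Egress"] and "CidrBlock" in e),
                   key=lambda e: e["RuleNumber"])
    for entry in rules:
        if not covers_port(entry, port):
            continue
        dest = ipaddress.ip_network(entry["CidrBlock"])
        hits, remaining = [], []
        for net in undecided:
            if not net.overlaps(dest):
                remaining.append(net)
            elif net.subnet_of(dest):        # whole block decided by this rule
                hits.append(net)
            else:                            # rule decides only part of the block
                hits.append(dest)
                remaining.extend(net.address_exclude(dest))
        undecided = remaining
        if hits and entry["RuleAction"] == "allow":
            nets = [str(n) for n in ipaddress.collapse_addresses(hits)]
            leaks.append((entry["RuleNumber"], nets))
    return leaks


def rule(number, action, cidr, proto="6", ports=None):
    """Build one constructed egress entry in DescribeNetworkAcls shape."""
    entry = {"RuleNumber": number, "RuleAction": action, "CidrBlock": cidr,
             "Protocol": proto, "Egress": True}
    if ports:
        entry["PortRange"] = {"From": ports[0], "To": ports[1]}
    return entry


VPC = "10.20.0.0/16"                          # constructed VPC range
DENY_ALL = rule(32767, "deny", "0.0.0.0/0", proto="-1")

# Constructed samples. WEAK mirrors an allow-everything egress ACL.
WEAK = [rule(100, "allow", "0.0.0.0/0", proto="-1"), DENY_ALL]

# HARDENED: the database port is allowed only inside the VPC and denied
# before the ephemeral-port rule that would otherwise cover 27017.
HARDENED = [
    rule(90, "allow", VPC, ports=(27017, 27017)),
    rule(100, "deny", "0.0.0.0/0", ports=(27017, 27017)),
    rule(110, "allow", "0.0.0.0/0", ports=(443, 443)),
    rule(120, "allow", "0.0.0.0/0", ports=(1024, 65535)),
    DENY_ALL,
]

# MISORDERED: same intent, but the deny sits after the ephemeral-port allow.
MISORDERED = [
    rule(90, "allow", VPC, ports=(27017, 27017)),
    rule(110, "allow", "0.0.0.0/0", ports=(443, 443)),
    rule(120, "allow", "0.0.0.0/0", ports=(1024, 65535)),
    rule(130, "deny", "0.0.0.0/0", ports=(27017, 27017)),
    DENY_ALL,
]

# PARTIAL: one external range is explicitly allowed on the database port.
PARTIAL = [
    rule(90, "allow", VPC, ports=(27017, 27017)),
    rule(95, "allow", "192.0.2.0/24", ports=(27017, 27017)),
    rule(100, "deny", "0.0.0.0/0", ports=(27017, 27017)),
    DENY_ALL,
]

if __name__ == "__main__":
    for name, acl in [("WEAK", WEAK), ("HARDENED", HARDENED),
                      ("MISORDERED", MISORDERED), ("PARTIAL", PARTIAL)]:
        print(name, [number for number, _ in egress_leaks(acl, VPC)])
```

Because network ACLs are stateless, an ephemeral-port allow such as rule 120 is common for return traffic; the audit shows why the database-port deny has to carry a lower rule number than it.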

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon DynamoDB in AWS GovCloud (US)
<a name="govcloud-ddb"></a>

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. You can use Amazon DynamoDB to create a database table that can store and retrieve any amount of data, and serve any level of request traffic. Amazon DynamoDB automatically spreads the data and traffic for the table over a sufficient number of servers to handle the request capacity specified by the customer and the amount of data stored, while maintaining consistent and fast performance.

## How Amazon DynamoDB differs for AWS GovCloud (US)
<a name="govcloud-ddb-diffs"></a>
+  **Export Table** is not available in the DynamoDB console.
+  [DynamoDB Accelerator (DAX)](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.html) and [Global tables multi-Region strong consistency (MRSC)](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/V2globaltables_HowItWorks.html#V2globaltables_HowItWorks.consistency-modes) are not available.
+  [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) is not supported for DynamoDB.

## Documentation for Amazon DynamoDB
<a name="govcloud-ddb-docs"></a>

 [Amazon DynamoDB documentation](http://aws.amazon.com/documentation/dynamodb/).

## Export-controlled content
<a name="govcloud-ddb-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  DynamoDB metadata is not permitted to contain export-controlled data. This metadata includes all the configuration data that you enter when creating and maintaining your DynamoDB tables, such as table names, hash attribute names, and range attribute names.
+ Do not enter export-controlled data in the following fields:
  + Table names
  + Hash attribute names
  + Range attribute names
  + Resource tags

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon EBS in AWS GovCloud (US)
<a name="govcloud-ebs"></a>

Amazon Elastic Block Store (Amazon EBS) provides block level storage volumes for use with EC2 instances. EBS volumes are highly available and reliable storage volumes that can be attached to any running instance that is in the same Availability Zone. EBS volumes that are attached to an EC2 instance are exposed as storage volumes that persist independently from the life of the instance. With Amazon EBS, you pay only for what you use.

## How Amazon Elastic Block Store differs for AWS GovCloud (US)
<a name="govcloud-ebs-diffs"></a>
+ The [copy snapshot commands](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html) can be used, but only allow you to copy snapshots available to your account within AWS GovCloud (US) Regions. If you specify a source or destination Region to copy to or from, the commands will return an error.
+ Use SSL (HTTPS) when you make calls to the service in AWS GovCloud (US) Regions. In other AWS Regions, you can use HTTP or HTTPS.
+  Amazon EBS Multi-Attach is not available.

## Documentation for Amazon Elastic Block Store
<a name="govcloud-ebs-docs"></a>

For more information related to EBS Data Lifecycle Manager (DLM), see [Amazon EBS Snapshot Lifecycle](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html).

For the Amazon EBS User Guide, see [Amazon Elastic Block Store documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html).

## Export-controlled content
<a name="govcloud-ebs-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon EBS metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon EBS volumes.
+ Do not enter export-controlled data in the following fields:
  + Volume names
  + Snapshot names
  + Image names
  + Image descriptions

# Amazon EC2 in AWS GovCloud (US)
<a name="govcloud-ec2"></a>

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizeable computing capacity—literally, servers in Amazon’s data centers—that you use to build and host your software systems.

## How Amazon Elastic Compute Cloud differs for AWS GovCloud (US)
<a name="govcloud-ec2-diffs"></a>

The implementation of Amazon EC2 is different for AWS GovCloud (US) in the following ways:

**General differences**
+ Use SSL (HTTPS) when you make calls to the service in AWS GovCloud (US) Regions. In other AWS Regions, you can use HTTP or HTTPS.
+ Use SSL (HTTPS) when generating key pairs using [ec2-create-keypair](https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-CreateKeyPair.html) and [CreateKeyPair](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateKeyPair.html) commands.
+ To import your own set of key pairs, follow the instructions in [Create a key pair using a third-party tool and import the public key to Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html#how-to-generate-your-own-key-and-import-it-to-aws).

**Billing and purchasing differences**
+ Reserved Instance resale is not supported.
+ Savings Plans can’t be purchased from AWS GovCloud (US) accounts, but can be purchased in any standard account and applied to usage in AWS GovCloud (US) Regions.
+ Spot Instance data feed is not supported.
+ When you use the launch instance wizard in the console to launch an instance using an AWS Marketplace AMI, we don’t automatically subscribe you to the AMI as we do in other AWS Regions. Instead, when you choose the AMI, choose **Subscribe with Marketplace** to open the AWS Marketplace to subscribe.
+ The AWS Certificate Manager (ACM) for Nitro Enclaves AMI is not available from the AWS Marketplace. ACM for Nitro Enclaves must be installed from the Amazon Linux Extras repository.
+ The Nitro Enclaves Developer AMI is not available from the AWS Marketplace.

**Image differences**
+ AMI copy and snapshot copy do not support migrating AMIs and snapshots from another AWS Region into AWS GovCloud (US) Regions. For information about how to migrate your AMIs from another AWS Region into AWS GovCloud (US) Regions, see [How VM Import/Export Differs for AWS GovCloud (US)](#govcloud-vmie-diffs).
+ When using the [Amazon EC2 AMI tools](https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/set-up-ami-tools.html), AWS GovCloud (US) Regions use a non-default public key certificate to encrypt AMI manifests. The [ec2-bundle-image](https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/CLTRG-ami-bundle-image.html), [ec2-bundle-vol](https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/CLTRG-ami-bundle-vol.html), [ec2-migrate-bundle](https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/CLTRG-ami-migrate-bundle.html), and [ec2-migrate-manifest](https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/CLTRG-ami-migrate-manifest.html) commands require the `--ec2cert $EC2_AMITOOL_HOME/etc/ec2/amitools/cert-ec2-gov.pem` option in AWS GovCloud (US) Regions.
+ The `lastLaunchedTime` AMI attribute is not supported.

**Instance differences**
+ The get-console-screenshot CLI command is not supported.
+ Get instance screenshot is not supported.
+ On-Demand Instance hibernation is not supported.
+  [EC2 Instance Connect](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html) will not work if your Linux instance has SELinux enabled in enforcing mode. The process for enabling or disabling SELinux varies across Linux distributions. For information about how to check the status of SELinux on your instance, or to enable or disable SELinux, see the relevant operating system guide for your instance.
+ EC2 CPU Optimization is currently API-only.
+  [Attestation documents](https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html) used by Nitro Enclaves are signed by the AWS Nitro Attestation Public Key Infrastructure (PKI). You can verify that the attestation documents are signed by the Nitro Attestation PKI. For more information, see [Verifying the root of trust](https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html) in the *AWS Nitro Enclaves User Guide*.
  + The root certificate for the Nitro Attestation PKI is unique for each [partition](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/partitions.html). The root certificate for the `aws-us-gov` partition is as follows:

    ```
    -----BEGIN CERTIFICATE-----
    MIICIDCCAaWgAwIBAgIQP+wUYfyWFFRko9PR00zhZzAKBggqhkjOPQQDAzBQMQsw
    CQYDVQQGEwJVUzEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQLDANBV1MxIjAgBgNV
    BAMMGWF3cy11cy1nb3Yubml0cm8tZW5jbGF2ZXMwIBcNMjAwOTEwMTIwMzQ2WhgP
    MjA1MDA5MTAxMzAzNDZaMFAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZBbWF6b24x
    DDAKBgNVBAsMA0FXUzEiMCAGA1UEAwwZYXdzLXVzLWdvdi5uaXRyby1lbmNsYXZl
    czB2MBAGByqGSM49AgEGBSuBBAAiA2IABCzkRJcZVx7Sg2yXXkl0Nqj9o1ECZNAh
    0L8/90ATZXAaS1rxA1ti1F3wE86PGsh2UiQIYXiMu81l5kO7775gPuLsgYcGMO/J
    0t08BHI8s3+JmjxTlA+/UyAqEmj7fD5CbKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAd
    BgNVHQ4EFgQUUKIzFk2FAlhihuQexsqOxZ5ZjF0wDgYDVR0PAQH/BAQDAgGGMAoG
    CCqGSM49BAMDA2kAMGYCMQD9bO9epcf5kMSdsHcyNJXs4bo07wvTIOwnxN41t5eE
    SDyXtUei++RebAbI9Viap2gCMQC7PVZ6Kpg0+N9k+DDpksoJv7gx6YwCqKsmTfU/
    WigyQlpyJUrWapqk0afDA4lef14=
    -----END CERTIFICATE-----
    ```
  + The Nitro Attestation PKI root certificate for the `aws-us-gov` partition has a subject as follows:

     `CN=aws-us-gov.nitro-enclaves, C=US, O=Amazon, OU=AWS` 
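
Because the root differs per partition, a verifier for `aws-us-gov` enclaves should pin this certificate rather than the commercial one. The following added example (not AWS code) uses only the Python standard library to decode the certificate shown above, compare its subject and validity with what this page documents, and reject any candidate root, for example the first entry of an attestation document's `cabundle`, whose bytes differ. All function names are hypothetical, and signature verification of the rest of the chain is out of scope here because it needs a cryptography library.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# aws-us-gov Nitro Attestation PKI root, copied verbatim from this page.
GOV_ROOT_PEM = """-----BEGIN CERTIFICATE-----
MIICIDCCAaWgAwIBAgIQP+wUYfyWFFRko9PR00zhZzAKBggqhkjOPQQDAzBQMQsw
CQYDVQQGEwJVUzEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQLDANBV1MxIjAgBgNV
BAMMGWF3cy11cy1nb3Yubml0cm8tZW5jbGF2ZXMwIBcNMjAwOTEwMTIwMzQ2WhgP
MjA1MDA5MTAxMzAzNDZaMFAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZBbWF6b24x
DDAKBgNVBAsMA0FXUzEiMCAGA1UEAwwZYXdzLXVzLWdvdi5uaXRyby1lbmNsYXZl
czB2MBAGByqGSM49AgEGBSuBBAAiA2IABCzkRJcZVx7Sg2yXXkl0Nqj9o1ECZNAh
0L8/90ATZXAaS1rxA1ti1F3wE86PGsh2UiQIYXiMu81l5kO7775gPuLsgYcGMO/J
0t08BHI8s3+JmjxTlA+/UyAqEmj7fD5CbKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAd
BgNVHQ4EFgQUUKIzFk2FAlhihuQexsqOxZ5ZjF0wDgYDVR0PAQH/BAQDAgGGMAoG
CCqGSM49BAMDA2kAMGYCMQD9bO9epcf5kMSdsHcyNJXs4bo07wvTIOwnxN41t5eE
SDyXtUei++RebAbI9Viap2gCMQC7PVZ6Kpg0+N9k+DDpksoJv7gx6YwCqKsmTfU/
WigyQlpyJUrWapqk0afDA4lef14=
-----END CERTIFICATE-----"""

# Subject documented on this page for the aws-us-gov root.
EXPECTED_SUBJECT = {"CN": "aws-us-gov.nitro-enclaves", "C": "US",
                    "O": "Amazon", "OU": "AWS"}
# DER content bytes of the attribute-type OIDs used in that subject.
ATTR_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C",
              b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def pem_to_der(pem):
    body = [ln.strip() for ln in pem.strip().splitlines() if "-----" not in ln]
    return base64.b64decode("".join(body), validate=True)


def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Return the (tag, content) pairs nested directly inside an element."""
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        out.append((tag, content))
    return out


def parse_name(name):
    """Flatten an X.509 Name (SEQUENCE of SET of SEQUENCE{OID, string})."""
    attrs = {}
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            attrs[ATTR_NAMES.get(oid, oid.hex())] = value.decode("utf-8")
    return attrs


def parse_time(tag, raw):
    # 0x17 is UTCTime (two-digit year); otherwise GeneralizedTime.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_root(der):
    """Extract subject, self-issued flag and validity from a DER certificate."""
    tag, cert, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER certificate")
    tbs = children(children(cert)[0][1])     # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                    # skip the explicit [0] version
        tbs = tbs[1:]
    issuer, validity, subject = tbs[2][1], tbs[3][1], tbs[4][1]
    (nb_tag, nb), (na_tag, na) = children(validity)
    return {"subject": parse_name(subject), "self_issued": issuer == subject,
            "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na)}


def check_pinned_root(candidate_der, now=None):
    """Return reasons to reject candidate_der as the aws-us-gov root ([] = accept)."""
    pinned = hashlib.sha256(pem_to_der(GOV_ROOT_PEM)).digest()
    if not hmac.compare_digest(hashlib.sha256(candidate_der).digest(), pinned):
        return ["certificate bytes differ from the pinned aws-us-gov root"]
    info, problems = parse_root(candidate_der), []
    now = now or datetime.now(timezone.utc)
    if info["subject"] != EXPECTED_SUBJECT:
        problems.append("subject does not match the documented subject")
    if not info["self_issued"]:
        problems.append("issuer and subject differ")
    if not info["not_before"] <= now <= info["not_after"]:
        problems.append("outside the certificate validity period")
    return problems
```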

**Networking differences**
+ When you launch an instance using the [ec2-run-instances](https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-RunInstances.html) CLI command or [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) API operation, you must specify the `subnet` parameter.
+ By default, enhanced networking is not enabled on Windows Server 2012 R2 AMIs. For more information, see [Optimize network performance on EC2 Windows instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking-os.html).

## How VM Import/Export Differs for AWS GovCloud (US)
<a name="govcloud-vmie-diffs"></a>

VM Import/Export is different for AWS GovCloud (US) in the following ways:
+ When using VM Import:
  + If your account is set up as default VPC, then your default VPC will be the target for your import.
  + If your account is not set up as default VPC, then you will need to specify an Availability Zone and subnet. To specify a subnet to use when you create the import task, use the `--subnet 0` option and `-z 1` option (specifying the Availability Zone corresponding to the subnet ID) with the [ec2-import-instance](https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-ImportInstance.html) command.
+ When using VM Export:
  + The Amazon EC2 instance must have been previously imported using VM Import.
  + The Amazon S3 bucket for the destination image must exist and must have WRITE and READ_ACP permissions granted to the AWS GovCloud (US) account with canonical ID: af913ca13efe7a94b88392711f6cfc8aa07c9d1454d4f190a624b126733a5602.
  + To export an instance, you can use the [ec2-create-instance-export-task](https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-CreateInstanceExportTask.html) command. For more information, see [Exporting an instance as a VM using VM Import/Export](https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html).

## Determining if your account has a default VPC
<a name="govcloud-ec2-vpc"></a>

Your account might have a default VPC. If your account doesn’t have a default VPC, you must create a VPC before you can launch EC2 instances. For more information, see [Virtual private clouds for your EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html) in the *Amazon EC2 User Guide*.

If you don’t want a default VPC for your AWS GovCloud (US) account, you can delete the default VPC and default subnets. The default VPC and subnets will not be recreated. However, you still need to create a VPC before launching instances.

If you deleted your default VPC, you can create a new one. For more information, see [Create a default VPC](https://docs.aws.amazon.com/vpc/latest/userguide/work-with-default-vpc.html#create-default-vpc) in the *Amazon VPC User Guide*.

If your account doesn’t have a default VPC but you want a default VPC, you can submit a request by completing the [AWS GovCloud (US) – Contact Us](https://aws.amazon.com/govcloud-us/contact/) form. In the form, include your AWS GovCloud (US-West) account ID and indicate that you want to enable your account for a default VPC.

## Documentation for Amazon EC2
<a name="govcloud-ec2-docs"></a>

The following documentation is based on the public AWS documentation. As you read this documentation, you should consider how Amazon EC2 differs for AWS GovCloud (US) Regions, as described in this topic. Also, some features and new functionality described in this documentation might not be available in the current release of AWS GovCloud (US) Regions. There are other differences, such as links, endpoints, and screenshots.

 [Amazon Elastic Compute Cloud documentation](https://docs.aws.amazon.com/ec2/) 

## Export-controlled content
<a name="govcloud-ec2-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon EC2 metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your instances.
+ Do not enter export-controlled data in the following fields:
  + Instance names
  + AMI descriptions
  + Resource tags
+ Key pairs created using HTTP.
+ When using VM Import, you may not enter any export-controlled data as part of CLI arguments, paths, or OS disk images. Any data that is export-controlled should be encrypted and placed in partitions other than root and boot.
+ If importing export-controlled images, do not use pre-signed URLs for the CLI argument `0`.

# Amazon EC2 Auto Scaling in AWS GovCloud (US)
<a name="govcloud-as"></a>

Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. You can specify the minimum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes below this size. You can specify the maximum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes above this size.

## How Amazon EC2 Auto Scaling differs for AWS GovCloud (US)
<a name="govcloud-as-diffs"></a>
+ Amazon EC2 provides other restrictions. For more information, see [Amazon Elastic Compute Cloud documentation](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ec2.html).
+ You can access Amazon EC2 Auto Scaling using the Amazon EC2 Auto Scaling API and command line interface (CLI) as well as the Amazon EC2 console.
+ Target tracking using high resolution metrics is not available in AWS GovCloud (US).

## Documentation for Amazon EC2 Auto Scaling
<a name="govcloud-as-docs"></a>

 [Amazon EC2 Auto Scaling documentation](https://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html).

## Export-controlled content
<a name="govcloud-as-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Auto Scaling is not permitted to contain export-controlled data.
+ For example, do not enter export-controlled data in the following fields:
  + Capacity group tag names
  + Capacity group tag name values
  + Capacity group names
  +  Amazon EC2 Security Group names
  + Scaling policies
  + Launch notifications
  + Notification topics
  + Policy documents

# Amazon EC2 Image Builder in AWS GovCloud (US)
<a name="govcloud-ec2ib"></a>

Amazon Elastic Compute Cloud Image Builder is a fully managed AWS service that makes it easier to automate the creation, management and deployment of customized, secure and up-to-date “golden” server images that are pre-installed and pre-configured with software and settings to meet specific IT standards. You can use the AWS Management Console, AWS CLI or APIs to create “golden” images in your AWS account. The images you build are created in your account and you can configure them for operating system patches on an ongoing basis.

## How Amazon EC2 Image Builder differs for AWS GovCloud (US)
<a name="govcloud-ec2ib-diffs"></a>

The implementation of Amazon EC2 Image Builder is different for AWS GovCloud (US) Regions in the following ways:
+  Image Builder doesn’t support macOS images.

The following Image Builder features are not supported in AWS GovCloud (US) Regions:
+ Image lifecycle policies
+  AWS Marketplace Software components
+ ISO disk file import

## Documentation for Amazon EC2 Image Builder
<a name="govcloud-ec2ib-docs"></a>

For more information about Amazon EC2 Image Builder, see the [Amazon EC2 Image Builder documentation](https://docs.aws.amazon.com/imagebuilder/latest/userguide).

## Export-controlled content
<a name="govcloud-ec2ib-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ EC2 Image Builder metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your images, components, image recipes, distribution configurations and infrastructure configurations.

  Do not enter export-controlled data in the following console fields:
  + Names
  + Description
  + Resource tags

# Amazon ECR in AWS GovCloud (US)
<a name="govcloud-ecr"></a>

Amazon Elastic Container Registry (Amazon ECR) is a fully managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images.

## How Amazon Elastic Container Registry differs for AWS GovCloud (US)
<a name="govcloud-ecr-diffs"></a>
+  [Amazon ECR Dual-layer server-side encryption with AWS KMS (DSSE-KMS)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) is available.
+  [Amazon ECR pull through cache rules](https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html) aren’t supported.
+  [Amazon ECR public registries](https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html) aren’t supported.
+ The [Amazon ECR Public Gallery](https://docs.aws.amazon.com/AmazonECR/latest/public/public-gallery.html) isn’t hosted in AWS GovCloud (US). However, if external internet access is available, you should be able to reach and pull container images from the gallery.

## Documentation for Amazon Elastic Container Registry
<a name="govcloud-ecr-docs"></a>

 [Amazon Elastic Container Registry documentation](https://aws.amazon.com/documentation/ecr/).

## Export-controlled content
<a name="ecr-itar-boundary"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Do not enter export-controlled data in the following fields:
  + Repository name
  + Image tag
  + Image manifest
  + Lifecycle policy
  + Repository policy

# Amazon ECS in AWS GovCloud (US)
<a name="govcloud-ecs"></a>

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster of Amazon EC2 instances.

## How Amazon Elastic Container Service differs for AWS GovCloud (US)
<a name="govcloud-ecs-diffs"></a>
+ The Amazon ECS-optimized AMI variant of the Bottlerocket operating system is not available when launching Amazon ECS container instances.
+ Attaching Amazon EBS volumes to Amazon ECS tasks is not supported.

## Documentation for Amazon Elastic Container Service
<a name="govcloud-ecs-docs"></a>

 [Amazon Elastic Container Service documentation](https://aws.amazon.com/documentation/ecs/).

## Export-controlled content
<a name="ecs-itar-boundary"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Do not enter export-controlled data in the following fields:
  + Cluster name
  + Service name
  + Attribute name
  + Attribute value
  + Task definitions
  + Task group
  + Task overrides
  + Task started by
  + Placement constraints

# Amazon Elastic File System in AWS GovCloud (US)
<a name="govcloud-efs"></a>

Amazon EFS provides file storage for use with Amazon EC2 instances. The service is designed to be highly scalable, highly available, and highly durable. The service manages all the file storage infrastructure for you, meaning that you can avoid the complexity of deploying, patching, and maintaining complex file system configurations.

## How Amazon Elastic File System differs for AWS GovCloud (US)
<a name="govcloud-efs-diffs"></a>
+ Cross-account replication is not supported.

## Documentation for Amazon Elastic File System
<a name="govcloud-efs-docs"></a>

 [Amazon Elastic File System documentation](https://docs.aws.amazon.com/efs/latest/ug/whatisefs.html).

## Export-controlled content
<a name="govcloud-efs-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Do not enter export-controlled data into the following fields:
  + Resource Tags

# Amazon Elastic Kubernetes Service in AWS GovCloud (US)
<a name="govcloud-eks"></a>

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on AWS without needing to stand up or maintain your own Kubernetes control plane. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications.

## How Amazon EKS differs for AWS GovCloud (US)
<a name="govcloud-eks-diffs"></a>
+  [Amazon EKS on Fargate](https://docs.aws.amazon.com/eks/latest/userguide/fargate.html) isn’t available.
+  [Amazon Managed Service for Prometheus](https://docs.aws.amazon.com/eks/latest/userguide/prometheus.html) isn’t available.
+ The Mountpoint for Amazon S3 CSI driver isn’t available as an Amazon EKS add-on and self-managed installation isn’t officially supported.
+  Amazon EKS Anywhere isn’t available.
+  Amazon EKS Hybrid Nodes isn’t available.

## Documentation for Amazon EKS
<a name="govcloud-eks-docs"></a>

 [Amazon EKS documentation](https://docs.aws.amazon.com/eks/).

Amazon Application Recovery Controller’s (ARC) Zonal Shift in Amazon EKS is supported. For more information, see [Learn about Amazon Application Recovery Controller’s (ARC) Zonal Shift in Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/zone-shift.html).

## Export-controlled content
<a name="govcloud-eks-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Do not enter export-controlled data in the following fields:
  + Cluster name
  + Fargate profile name
  + Node group name

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon ElastiCache in AWS GovCloud (US)
<a name="govcloud-elc"></a>

Amazon ElastiCache makes it easy to set up, manage, and scale distributed in-memory cache environments in the AWS Cloud. It provides a high performance, resizable, and cost-effective in-memory cache, while removing complexity associated with deploying and managing a distributed cache environment. ElastiCache works with the Valkey, Memcached and Redis OSS engines. To see which works best for you, see the Comparing Valkey, Memcached, and Redis OSS self-designed caches topic in the ElastiCache user guide.

## How Amazon ElastiCache differs for AWS GovCloud (US)
<a name="govcloud-elc-diffs"></a>
+ All ElastiCache instances must be launched in an Amazon VPC.
+  ElastiCache clusters have a preferred weekly maintenance window. For information about the time blocks, see [Cache Engine Version Management](https://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/VersionManagement.MaintenanceWindow.html).
+ The r6gd node type and data-tiering are not available in AWS GovCloud (US).

## Documentation for Amazon ElastiCache
<a name="govcloud-elc-docs"></a>

 [Amazon ElastiCache documentation](http://docs.aws.amazon.com/elasticache/).

## Export-controlled content
<a name="govcloud-elc-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Unencrypted data stored in a cache cluster may not contain export-controlled data.
+  ElastiCache metadata is not permitted to contain export-controlled data. This metadata includes all the configuration data that you enter when creating and maintaining your ElastiCache clusters.
+ Do not enter export-controlled data in the following fields:
  + Cluster instance identifier
  + Cluster name
  + Cluster snapshot name
  + Cluster security group name
  + Cluster security group description
  + Cluster parameter group name
  + Cluster parameter group description
  + Cluster subnet group name
  + Cluster subnet group description
  + Replication group name
  + Replication group description

If you are processing export-controlled data with ElastiCache, follow these guidelines in order to maintain export compliance:
+ To secure export-controlled data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.
  + For example, if you’re running an application server on an Amazon EC2 instance that connects to an ElastiCache cluster, a non-U.S. person could reconfigure the DNS to redirect export-controlled data out of the VPC and into a server that could be outside of the AWS GovCloud (US) Regions.
  + To prevent this type of attack and to maintain export compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see [Network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ACLs.html) in the Amazon VPC User Guide.
+ For each cluster that contains export-controlled data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an Internet gateway is attached to the VPC. Only allow connections that are from AWS GovCloud (US) Regions or other export-controlled environments to export-controlled clusters.
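
One way to check the network ACL guidance above offline, as an added example (not AWS code): it evaluates entries shaped like the `Entries` list returned by EC2 `DescribeNetworkAcls` in rule-number order and reports which destinations outside the VPC can still be reached on the cache port. The VPC CIDR, port 6379, the helper names and the three rule sets are constructed assumptions, and only IPv4 entries are evaluated.

```python
import ipaddress

TCP, ALL = "6", "-1"        # protocol values as strings, as in DescribeNetworkAcls
VPC_CIDR = "10.0.0.0/16"    # assumption: constructed VPC range
CACHE_PORT = 6379           # assumption: cluster listens on 6379


def _e(num, action, proto, cidr, ports=None, egress=True):
    """Build one constructed entry in the DescribeNetworkAcls 'Entries' shape."""
    entry = {"RuleNumber": num, "RuleAction": action, "Protocol": proto,
             "CidrBlock": cidr, "Egress": egress}
    if ports:
        entry["PortRange"] = {"From": ports[0], "To": ports[1]}
    return entry


DEFAULT_DENY = _e(32767, "deny", ALL, "0.0.0.0/0")
# Constructed rule sets: wide open, deny numbered after the allow, and hardened.
WEAK = [_e(100, "allow", ALL, "0.0.0.0/0"), DEFAULT_DENY]
LATE_DENY = [_e(100, "allow", ALL, "0.0.0.0/0"),
             _e(110, "deny", TCP, "0.0.0.0/0", (6379, 6379)), DEFAULT_DENY]
HARDENED = [_e(90, "allow", TCP, VPC_CIDR, (6379, 6379)),
            _e(95, "deny", TCP, "0.0.0.0/0", (6379, 6379)),
            _e(100, "allow", ALL, "0.0.0.0/0"),
            _e(100, "allow", ALL, "0.0.0.0/0", egress=False),  # ingress: ignored
            DEFAULT_DENY]


def _split(net, other):
    """Return (part of net inside other, parts of net outside other)."""
    if net.subnet_of(other):
        return net, []
    if other.subnet_of(net):
        return other, list(net.address_exclude(other))
    return None, [net]  # CIDR blocks are either nested or disjoint


def _matches(entry, port):
    """True if an egress entry applies to TCP traffic to destination `port`."""
    if not entry["Egress"] or "CidrBlock" not in entry:
        return False
    if entry["Protocol"] == ALL:
        return True
    if entry["Protocol"] != TCP:
        return False
    rng = entry.get("PortRange")
    return rng is None or rng["From"] <= port <= rng["To"]


def allowed_egress(entries, port):
    """Destinations allowed on `port`; the lowest-numbered matching rule wins."""
    undecided = [ipaddress.ip_network("0.0.0.0/0")]
    allowed = []
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if not _matches(entry, port):
            continue
        rule_net = ipaddress.ip_network(entry["CidrBlock"])
        still_undecided = []
        for net in undecided:
            hit, rest = _split(net, rule_net)
            still_undecided.extend(rest)
            if hit is not None and entry["RuleAction"] == "allow":
                allowed.append(hit)
        undecided = still_undecided  # anything left at the end is implicitly denied
    return list(ipaddress.collapse_addresses(allowed))


def egress_leaks(entries, vpc_cidr, port):
    """Networks outside the VPC that the ACL still lets traffic reach on `port`."""
    vpc = ipaddress.ip_network(vpc_cidr)
    leaks = []
    for net in allowed_egress(entries, port):
        leaks.extend(_split(net, vpc)[1])
    return list(ipaddress.collapse_addresses(leaks))


def reaches(leaks, ip):
    """True if `ip` falls inside any leaked network."""
    return any(ipaddress.ip_address(ip) in net for net in leaks)


if __name__ == "__main__":
    for name, acl in (("weak", WEAK), ("late deny", LATE_DENY), ("hardened", HARDENED)):
        leaks = egress_leaks(acl, VPC_CIDR, CACHE_PORT)
        print(f"{name}: {'LEAK' if leaks else 'ok'} ({len(leaks)} external networks)")
```

The `LATE_DENY` set shows the ordering pitfall: a deny on the cache port that is numbered after a broad allow never takes effect.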

 ElastiCache requires the use of the SSL (HTTPS) endpoint for service API calls. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon EMR in AWS GovCloud (US)
<a name="govcloud-emr"></a>

 Amazon EMR is a cloud big data platform for running large-scale distributed data processing jobs, interactive SQL queries, and machine learning (ML) applications using open-source analytics frameworks such as Apache Spark, Apache Hive, and Presto.

For information related to Release history, refer to [Amazon EMR Release Information](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-whatsnew-history.html).

## How Amazon EMR differs for AWS GovCloud (US)
<a name="govcloud-emr-diffs"></a>
+ MapR distributions are currently not supported.
+ In AWS GovCloud (US) Regions, you launch all Amazon EMR job flows in Amazon Virtual Private Cloud (Amazon VPC). For information about configuring an Amazon VPC that can run a job flow, see [Set up a VPC to host clusters](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-vpc-host-job-flows.html).
+ Launching a job flow with debugging is not currently supported.
+ Auto-termination for idle clusters using an auto-termination policy is not available.
+ Shuffle-optimized disks in Amazon EMR Serverless are not available.
+  Amazon EMR on EKS on Fargate is not available.
+  Amazon EMR with AWS Lake Formation is not available.

## Documentation for Amazon EMR
<a name="govcloud-emr-docs"></a>

 [Amazon EMR documentation](https://aws.amazon.com/documentation/elastic-mapreduce/).

## Export-controlled content
<a name="govcloud-emr-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon EMR metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your job flows.
+ Do not enter export-controlled data in Amazon EMR when doing the following:
  + Naming a job flow
  + Specifying a file location
  + Naming a bootstrap action
  + Providing arguments
  + Resource tags
+ (Amazon EMR metadata and logs are not permitted to contain export-controlled data.) If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon EventBridge in AWS GovCloud (US)
<a name="govcloud-eventbridge"></a>

Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications and AWS services, and routes that data to targets such as AWS Lambda. You can set up routing rules to determine where to send your data to build application architectures that react in real time to all of your data sources. EventBridge allows you to build event-driven architectures, which are loosely coupled and distributed.

## How Amazon EventBridge differs for AWS GovCloud (US)
<a name="govcloud-eventbridge-diffs"></a>
+ Use SSL (HTTPS) when you make calls to the service in AWS GovCloud (US) Regions. In other AWS Regions, you can use HTTP or HTTPS.
+  Amazon API Gateway is not supported as an event bus target.
+ API destinations are not supported.
+ EventBridge Pipes is not supported.

## Documentation for Amazon EventBridge
<a name="govcloud-eventbridge-docs"></a>

 [Amazon EventBridge documentation](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html).

## Export-controlled content
<a name="eventbridge"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# Amazon FSx in AWS GovCloud (US)
<a name="govcloud-fsx"></a>

 Amazon FSx makes it easy and cost effective to launch and run popular file systems. With Amazon FSx, you can leverage the rich feature sets and fast performance of widely-used open source and commercially-licensed file systems, while avoiding time-consuming administrative tasks like hardware provisioning, software configuration, patching, and backups. It provides cost-efficient capacity and high levels of reliability, and it integrates with other AWS services so that you can manage and use the file systems in cloud-native ways. Amazon FSx lets you choose between three widely-used file systems: NetApp ONTAP, Windows File Server, and Lustre.

## How Amazon FSx differs for AWS GovCloud (US)
<a name="govcloud-eventbridge-diffs-2"></a>
+  Amazon FSx for Lustre Persistent_2 is not available.
+ For Amazon FSx for OpenZFS, the following features aren’t available:
  + Single-AZ 2 deployment type
  +  Amazon S3 access points
+ Amazon File Cache is not available for Amazon FSx.

## Documentation for Amazon FSx
<a name="govcloud-fsx-docs"></a>

 [Amazon FSx documentation](https://docs.aws.amazon.com/fsx/index.html).

## Export-controlled content
<a name="fsx"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Resource Tags.
+ ClientRequestTokens.
+ FSx for Windows File Server file system configuration fields:
  + Self-managed Active Directory user names
  + Self-managed Active Directory domain names
  + Self-managed Active Directory organizational unit distinguished names
  + DNS aliases
+ FSx for Lustre file system configuration fields:
  + S3 import and export data paths

# Amazon GuardDuty in AWS GovCloud (US)
<a name="govcloud-guardduty"></a>

Amazon GuardDuty is a continuous security monitoring service. Amazon GuardDuty can help to identify unexpected and potentially unauthorized or malicious activity in your AWS environment.

## How Amazon GuardDuty differs for AWS GovCloud (US) Regions
<a name="govcloud-gdu-diffs"></a>

The following list indicates the differences in the feature availability in AWS GovCloud (US) Regions:
+ When using [Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html) (including EKS Runtime Monitoring), make the following changes in the AWS GovCloud (US) Regions:

  1.  **For both Amazon EC2 and Amazon EKS** – In the prerequisite step for creating an Amazon VPC endpoint manually, the **Service name** in the AWS GovCloud (US) Region should be `com.amazonaws.<us-gov-east-1>.guardduty-data-fips`.

     Replace `<us-gov-east-1>` with your Region. This must be the same Region as your Amazon EC2 instance (or Amazon EKS cluster) that belongs to your AWS account ID.

  1. With the initial release of Runtime Monitoring, GuardDuty support starts with the following security agent versions:
     +  Amazon EKS - v1.11.1
     +  Amazon EC2 - v1.8.0
     +  Fargate-Amazon ECS - v1.8.0

  For more information, see [GuardDuty security agent release versions](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-agent-release-history.html).

  1.  **For Amazon EC2** – When managing the security agent manually using [Method 2 - Using Linux Package Managers](https://docs.aws.amazon.com/guardduty/latest/ug/installing-gdu-security-agent-ec2-manually.html), use the following AWS account IDs and Regions for both RPM installation and Debian installation:
     + AWS GovCloud (US-East) (`us-gov-east-1`) – 383115532789
     + AWS GovCloud (US-West) (`us-gov-west-1`) – 383110348953

  1.  **For Amazon EKS and Fargate-Amazon ECS resources** – For [Amazon ECR repository hosting GuardDuty agent](https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-ecr-repository-gdu-agent.html), use the following ECR repository for your Amazon EKS and Fargate-Amazon ECS resources:
     +  **Amazon ECR repository for EKS resources:**

       AWS GovCloud (US-East) - `151742754352.dkr.ecr.us-gov-east-1.amazonaws.com` 

       AWS GovCloud (US-West) - `013241004608.dkr.ecr.us-gov-west-1.amazonaws.com` 
     +  **Amazon ECR repository for Fargate-ECS resources:**

       AWS GovCloud (US-East) - `383115532789.dkr.ecr.us-gov-east-1.amazonaws.com/aws-guardduty-agent-fargate` 

       AWS GovCloud (US-West) - `383110348953.dkr.ecr.us-gov-west-1.amazonaws.com/aws-guardduty-agent-fargate` 
+ The entity lists capability in [Customizing threat detection with entity lists and IP address lists](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) is not supported in AWS GovCloud (US) Regions. GuardDuty continues to support IP address lists.
+ The [Extended Threat Detection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-extended-threat-detection.html) coverage for EKS clusters supports detecting multi-stage attacks through available EKS Protection finding types (EKS audit log monitoring) and AWS API activity in AWS GovCloud (US) Regions.
+ The following [EKS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html) (EKS audit log monitoring) finding types are not available in the AWS GovCloud (US) Regions:
  +  [CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credaccess-kubernetes-anomalousbehavior-secretsaccessed) 
  +  [PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolebindingcreated) 
  +  [Execution:Kubernetes/AnomalousBehavior.ExecInPod](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#execution-kubernetes-anomalousbehvaior-execinprod) 
  +  [PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-workloaddeployed-privcontainer) 
  +  [Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-workloaddeployed-containerwithsensitivemount) 
  +  [Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#exec-kubernetes-anomalousbehavior-workloaddeployed) 
  +  [PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolecreated) 
  +  [Discovery:Kubernetes/AnomalousBehavior.PermissionChecked](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolecreated) 
+ In [Malware Protection for EC2](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html), scanning instances with `productCode` as `marketplace` is not supported. GuardDuty will skip the malware scan for such instances and log the skip reason as `UNSUPPORTED_PRODUCT_CODE_TYPE`.
+ In [Malware Protection for Backup](https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection-backup.html), the scanning of EC2 and EBS Recovery points is not supported. In these cases GuardDuty will not perform a scan on the input recovery point resource.
+ Cross-region data transfer is not supported in AWS GovCloud (US) Regions.
+ Member account invitation notifications through AWS Health Dashboard and email are not supported in AWS GovCloud (US) Regions.
+ In AWS GovCloud (US) Regions, AWS doesn’t use or store Customer Content processed by Amazon GuardDuty to develop and improve the service or technologies of AWS or its affiliates. Opt-out policies are currently not applicable to these Regions.
+ The [additional filterable fields](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria) for suppression rules and filters are not available in AWS GovCloud (US) Regions. You can continue to use the console-supported fields.
+ The following IAM finding types are not supported in the AWS GovCloud (US) Regions:
  + CredentialAccess:IAMUser/CompromisedCredentials

## Documentation for Amazon GuardDuty
<a name="govcloud-gdu-docs"></a>

 [Amazon GuardDuty documentation](https://aws.amazon.com/documentation/guardduty/).

## Export-controlled content
<a name="govcloud-guardduty-itar-2"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

No data will leave the AWS GovCloud (US) Regions for this service.

# Amazon Inspector Classic in AWS GovCloud (US)
<a name="govcloud-inspector"></a>

Amazon Inspector is a security vulnerability assessment service that helps improve the security and compliance of your AWS resources. Amazon Inspector automatically assesses resources for vulnerabilities or deviations from best practices, and then produces a detailed list of security findings prioritized by level of severity. Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security standards and vulnerability definitions that are regularly updated by AWS security researchers.

## How Amazon Inspector Classic differs for AWS GovCloud (US)
<a name="govcloud-ins-diffs"></a>
+ Network Assessment rules package is not deployed in AWS GovCloud (US) Regions.

## Documentation for Amazon Inspector Classic
<a name="govcloud-ins-docs"></a>

 [Amazon Inspector Classic documentation](https://docs.aws.amazon.com/inspector/v1/userguide/inspector_introduction.html).

## Export-controlled content
<a name="govcloud-inspector-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Amazon Inspector in AWS GovCloud (US)
<a name="govcloud-inspector2"></a>

Amazon Inspector is a security vulnerability assessment service that helps improve the security and compliance of your AWS resources. Amazon Inspector automatically assesses resources for vulnerabilities or deviations from best practices, and then produces a detailed list of security findings prioritized by level of severity. Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security standards and vulnerability definitions that are regularly updated by AWS security researchers.

**Note**  
The Amazon Inspector plugin for [Linux deep inspection](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#deep-inspection) is not FIPS compliant.

## How Amazon Inspector differs for AWS GovCloud (US)
<a name="govcloud-diffs-33"></a>
+  Lambda code scanning is not available.

## Documentation for Amazon Inspector
<a name="govcloud-docs-72"></a>

 [Amazon Inspector documentation](https://docs.aws.amazon.com/inspector).

## Export-controlled content
<a name="govcloud-itar-content-111"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# Amazon Kendra in AWS GovCloud (US)
<a name="govcloud-kendra"></a>

This service is currently available in AWS GovCloud (US-West) only.

 Amazon Kendra is an intelligent search service powered by machine learning. Amazon Kendra reimagines enterprise search for your websites and applications so your employees and customers can easily find the content they are looking for, even when it is scattered across multiple locations and content repositories within your organization.

## How Amazon Kendra differs for AWS GovCloud (US)
<a name="govcloud-diffs-19"></a>
+  Amazon Kendra in AWS GovCloud (US) only supports connectors for S3, SharePoint (Online, 2013 and 2016), Confluence (server and cloud) and the custom data source connector. Other data sources are not currently supported.
+  IAM Identity Center Integration is not supported.
+ Experience Builder is not supported.

## Documentation for Amazon Kendra
<a name="govcloud-docs-57"></a>

 [Amazon Kendra documentation](https://docs.aws.amazon.com/kendra/index.html).

## Export-controlled content
<a name="govcloud-itar-content-97"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# Amazon Keyspaces (for Apache Cassandra) in AWS GovCloud (US)
<a name="govcloud-keyspaces"></a>

Amazon Keyspaces (for Apache Cassandra) is a scalable, highly available, and managed Apache Cassandra–compatible database service. With Amazon Keyspaces, you don’t have to provision, patch, or manage servers, and you don’t have to install, maintain, or operate software.

 Amazon Keyspaces is serverless, so you pay for only the resources that you use, and the service automatically scales tables up and down in response to application traffic. You can build applications that serve thousands of requests per second with virtually unlimited throughput and storage.

## How Amazon Keyspaces differs for AWS GovCloud (US)
<a name="govcloud-diffs-16"></a>
+ Amazon Keyspaces Multi-Region replication is not supported.
+ Amazon Keyspaces integration with CloudFormation is not supported.

This section describes the Amazon Keyspaces quotas and default values in AWS GovCloud (US) Regions that differ from Amazon Keyspaces [quotas](https://docs.aws.amazon.com/keyspaces/latest/devguide/quotas.html) in other AWS Regions.


| Quota | Description |  Amazon Keyspaces default | 
| --- | --- | --- | 
|  Max read throughput per second  |  The maximum read throughput per second—read request units (RRUs) or read capacity units (RCUs)—that can be allocated to a table per Region. This default value is adjustable in the [AWS Service Quotas](https://console.aws.amazon.com/servicequotas/home#!/services/cassandra/quotas) console.  |  10,000  | 
|  Max write throughput per second  |  The maximum write throughput per second—write request units (WRUs) or write capacity units (WCUs)—that can be allocated to a table per Region. This default value is adjustable in the [AWS Service Quotas](https://console.aws.amazon.com/servicequotas/home#!/services/cassandra/quotas) console.  |  10,000  | 

For more information about quotas in AWS GovCloud (US) Regions, see [Service Quotas](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-servicequotas.html) in the [AWS GovCloud (US) User Guide](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/).

## Documentation for Amazon Keyspaces
<a name="govcloud-docs-54"></a>

 [Amazon Keyspaces documentation](https://docs.aws.amazon.com/keyspaces/index.html).

## Export-controlled content
<a name="govcloud-itar-content-94"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon Keyspaces metadata is not permitted to contain export-controlled data. This metadata includes all the configuration data that you enter when creating and maintaining your Amazon Keyspaces resources such as keyspaces and tables, for example resource names and tags.
+ Do not enter export-controlled data in the following fields:
  + Keyspace names
  + Table names
  + Resource tags

# Amazon Managed Service for Apache Flink in AWS GovCloud (US)
<a name="govcloud-aka"></a>

Amazon Kinesis Data Analytics is the easiest way to analyze streaming data, gain actionable insights, and respond to your business and customer needs in real time. Amazon Kinesis Data Analytics reduces the complexity of building, managing, and integrating streaming applications with other AWS services. SQL users can easily query streaming data or build entire streaming applications using templates and an interactive SQL editor. Java developers can quickly build sophisticated streaming applications using open source Java libraries and AWS integrations to transform and analyze data in real-time.

 Amazon Managed Service for Apache Flink takes care of everything required to run your real-time applications continuously and scales automatically to match the volume and throughput of your incoming data. With Amazon Managed Service for Apache Flink, you only pay for the resources your streaming applications consume. There is no minimum fee or setup cost.

## How Amazon Managed Service for Apache Flink differs for AWS GovCloud (US)
<a name="govcloud-aka-diffs"></a>

This service has no differences between the AWS GovCloud (US) Region and the standard AWS Regions.

## Documentation for Amazon Managed Service for Apache Flink
<a name="govcloud-aka-docs"></a>

 [Amazon Managed Service for Apache Flink documentation](https://aws.amazon.com/kinesis/data-analytics/resources/).

## Export-controlled content
<a name="govcloud-aka-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Application names

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon Data Firehose in AWS GovCloud (US)
<a name="govcloud-kinesisfirehose"></a>

Amazon Kinesis Data Firehose is a fully managed service for delivering real-time streaming data to destinations such as Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, and Splunk. Kinesis Data Firehose is part of the Kinesis streaming data platform, along with Kinesis Data Streams, Kinesis Video Streams, and Amazon Kinesis Data Analytics. With Kinesis Data Firehose, you don’t need to write applications or manage resources. You configure your data producers to send data to Kinesis Data Firehose, and it automatically delivers the data to the destination that you specified. You can also configure Kinesis Data Firehose to transform your data before delivering it.

## How Amazon Data Firehose differs for AWS GovCloud (US)
<a name="govcloud-kfh-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for Amazon Data Firehose
<a name="govcloud-kfh-docs"></a>

 [Amazon Data Firehose documentation](https://aws.amazon.com/documentation/kinesis/).

## Export-controlled content
<a name="govcloud-kinesisfirehose-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Do not enter export-controlled data in the following fields:
  + Stream names

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon Kinesis Data Streams in AWS GovCloud (US)
<a name="govcloud-kinesis"></a>

Amazon Kinesis makes it easy to collect, process, and analyze video and data streams in real time.

## How Amazon Kinesis Data Streams differs for AWS GovCloud (US)
<a name="govcloud-aksds-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for Amazon Kinesis Data Streams
<a name="govcloud-kinesis-docs"></a>

 [Amazon Kinesis Data Streams documentation](https://aws.amazon.com/documentation/kinesis/).

## Export-controlled content
<a name="govcloud-kinesis-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Do not enter export-controlled data in the following fields:
  + Stream names

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon Kinesis Video Streams in AWS GovCloud (US)
<a name="govcloud-kinesisvideo"></a>

Amazon Kinesis Video Streams makes it easy to securely stream video from connected devices to AWS for analytics, machine learning (ML), playback, and other processing. Kinesis Video Streams automatically provisions and elastically scales all the infrastructure needed to ingest streaming video data from millions of devices. It durably stores, encrypts, and indexes video data in your streams, and allows you to access your data through easy-to-use APIs. Kinesis Video Streams enables you to play back video for live and on-demand viewing, and quickly build applications that take advantage of computer vision and video analytics through integration with Amazon Rekognition Video, and libraries for ML frameworks such as Apache MXNet, TensorFlow, and OpenCV.

## How Amazon Kinesis Video Streams differs for AWS GovCloud (US)
<a name="govcloud-diffs-31"></a>

The following features are not yet supported in AWS GovCloud (US):
+ WebRTC Ingestion and Storage
+ Kinesis Video Streams Edge Agent
+ Kinesis Video Streams Multiviewer

The following features are not supported in AWS GovCloud (US):
+ Unencrypted STUN and TURN connections

In addition, the Amazon SNS `Publish` action has a default quota of 300 messages per second in the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions. When notifications are enabled, one message is published per fragment per stream. If you need a higher quota for your account, request an increase through the Service Quotas console.

## Documentation for Amazon Kinesis Video Streams
<a name="govcloud-docs-70"></a>

 [Kinesis Video Streams documentation](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/what-is-kinesis-video.html).

 [Kinesis Video Streams with WebRTC documentation](https://docs.aws.amazon.com/kinesisvideostreams-webrtc-dg/latest/devguide/webrtc-ingestion.html).

## Export-controlled content
<a name="govcloud-itar-content-109"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# Amazon Lex in AWS GovCloud (US)
<a name="govcloud-lex"></a>

This service is currently available in AWS GovCloud (US-West) only.

Amazon Lex is an AWS service for building conversational interfaces for applications using voice and text. With Amazon Lex, the same conversational engine that powers Amazon Alexa is now available to any developer, enabling you to build sophisticated, natural language chatbots into your new and existing applications. Amazon Lex provides the deep functionality and flexibility of natural language understanding (NLU) and automatic speech recognition (ASR) so you can build highly engaging user experiences with lifelike, conversational interactions, and create new categories of products.

## How Amazon Lex differs for AWS GovCloud (US)
<a name="govcloud-lex-diffs"></a>
+ Amazon Lex V2 and Amazon Lex V1 are available in AWS GovCloud (US).
+ Amazon Lex does not support channels, which enable bots to integrate with messaging platforms such as Facebook, Slack, and Twilio.
+ The Amazon Lex console does not show utterances or missed utterances. The GetUtterancesView API action is not supported.
+ The supported languages include only en-US and es-US.
+ Amazon Lex does not support conversation logs, which store interactions to help you review the bot’s performance and troubleshoot.
+ In AWS GovCloud (US) Regions, AWS DOES NOT use or store AI Content processed by this AI Service to develop and improve that Service or technologies of AWS or its affiliates. Opt-out policies are not currently applicable to these Regions.

## Documentation for Amazon Lex
<a name="govcloud-lex-docs"></a>

 [Amazon Lex documentation](https://docs.aws.amazon.com/lex/latest/dg/what-is.html).

## Export-controlled content
<a name="lex"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ The following customer-defined metadata may leave the AWS GovCloud (US) Regions only when the customer asks AWS to investigate a reported issue:
  + Bot definitions
  + Intent definitions
  + Slot definitions
  + Session attributes that customers use for the Get customer input block in the Amazon Connect console, such as `x-amz-lex:start-silence-threshold-ms` or `x-amz-lex:end-silence-threshold-ms`. For all session attributes, see [Contact block: Get customer input](https://docs.aws.amazon.com/connect/latest/adminguide/get-customer-input.html) in the Amazon Connect Administrator Guide.

# Amazon Location Service in AWS GovCloud (US)
<a name="govcloud-geo"></a>

This service is currently available in AWS GovCloud (US-West) only, because Amazon Cognito is not available in AWS GovCloud (US-East).

Amazon Location Service lets you securely add location data to your application. Amazon Location provides access to location-based functionality and data providers through AWS resources. Amazon Location offers five types of AWS resources, depending on the type of functionality you need. Use the different resources together to create a full location-based application.

## How Amazon Location Service differs for AWS GovCloud (US)
<a name="govcloud-diffs-7"></a>
+  [Granting access to resources using API keys](https://docs.aws.amazon.com/location/latest/developerguide/using-apikeys.html) is not supported.

## Documentation for Amazon Location Service
<a name="govcloud-docs-46"></a>

 [Amazon Location documentation](https://docs.aws.amazon.com/location/index.html).

## Export-controlled content
<a name="govcloud-itar-content-85"></a>

For AWS services architected within the AWS GovCloud (US) Regions, the following list explains which components of data may leave or remain within the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations.
+ When you use the following [geolocation data providers](https://aws.amazon.com/location/data-providers/), you transmit request parameters (such as location searches) from Amazon Location features (Maps, Places, and Routes) to the geolocation provider for processing, which may be outside of the AWS Region in which your request was made.
  + Esri
  + Here
  + GrabMaps
+ The exception is requests to the Open Data geolocation provider, which are processed by AWS in the AWS Region in which your request was made.
+ Request parameters transmitted by using Amazon Location features Trackers and Geofences are processed by AWS in the AWS Region in which your request was made.

# Amazon Managed Blockchain in AWS GovCloud (US)
<a name="govcloud-amb"></a>

Amazon Managed Blockchain is a fully managed service for creating and managing blockchain networks and network resources using open-source frameworks. Blockchain allows you to build applications where multiple parties can securely and transparently run transactions and share data without the need for a trusted, central authority.

You can use Managed Blockchain to create scalable blockchain resources and networks quickly and efficiently using the AWS Management Console, the AWS CLI, or the Managed Blockchain SDK.

**Note**  
Only the Hyperledger Fabric framework on Amazon Managed Blockchain is currently supported in the AWS GovCloud (US-West) Region.

## How Hyperledger Fabric on Amazon Managed Blockchain differs for AWS GovCloud (US)
<a name="govcloud-diffs-38"></a>
+ This service does not support AWS CloudFormation for Members and Peers creation.

## Documentation for Hyperledger Fabric on Amazon Managed Blockchain
<a name="govcloud-docs-77"></a>

 [Hyperledger Fabric on Managed Blockchain documentation](https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/what-is-managed-blockchain.html).

## Export-controlled content
<a name="govcloud-itar-content-116"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# How Amazon Managed Grafana differs in AWS GovCloud (US) Regions
<a name="grafana"></a>

This topic describes the functionality of Amazon Managed Grafana in the AWS GovCloud (US) Regions.

Amazon Managed Grafana is a fully managed and secure data visualization service that you can use to instantly query, correlate, and visualize operational metrics, logs, and traces from multiple sources. Amazon Managed Grafana makes it easy to deploy, operate, and scale Grafana, a widely deployed data visualization tool that is popular for its extensible data support.

## Service Differences
<a name="_service_differences"></a>

The following differences apply to Amazon Managed Grafana in AWS GovCloud (US) Regions:
+ Enterprise Plugins are not supported.
+ Customer Managed Keys are not supported.
+ Dual-stack functionality is not supported.
+ CloudFormation is not supported.

## Export-controlled content
<a name="_export_controlled_content"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

## Documentation References
<a name="_documentation_references"></a>
+  [Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/) documentation
+  [AWS Developer Tools](https://docs.aws.amazon.com/{developer-tools-url}) in AWS GovCloud (US) Regions
+  [Service endpoints](https://docs.aws.amazon.com/{service-endpoints-url}) for AWS GovCloud (US) Regions

# Amazon Managed Service for Prometheus in AWS GovCloud (US)
<a name="govcloud-amp"></a>

Amazon Managed Service for Prometheus is a serverless, Prometheus-compatible monitoring service for container metrics that makes it easier to securely monitor container environments at scale. With Amazon Managed Service for Prometheus, you can use the same open-source Prometheus data model and query language that you use today to monitor the performance of your containerized workloads, and also enjoy improved scalability, availability, and security without having to manage the underlying infrastructure.

## How Amazon Managed Service for Prometheus differs for AWS GovCloud (US)
<a name="govcloud-diffs-13"></a>

The Amazon Managed Service for Prometheus Collector is not available in AWS GovCloud (US). For more information, see [AWS managed collectors](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-collector.html) in the *Amazon Managed Service for Prometheus User Guide*.

## Documentation for Amazon Managed Service for Prometheus
<a name="govcloud-docs-52"></a>

 [Amazon Managed Service for Prometheus documentation](https://docs.aws.amazon.com/prometheus/latest/userguide/what-is-Amazon-Managed-Service-Prometheus.html).

## Export-controlled content
<a name="govcloud-itar-content-91"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# Amazon Managed Streaming for Apache Kafka (MSK) in AWS GovCloud (US)
<a name="govcloud-msk"></a>

Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. Amazon MSK provides the control-plane operations, such as those for creating, updating, and deleting clusters. It lets you use Apache Kafka data-plane operations, such as those for producing and consuming data. It runs open-source versions of Apache Kafka. This means existing applications, tooling, and plugins from partners and the Apache Kafka community are supported without requiring changes to application code.

## How Managed Streaming for Apache Kafka differs for AWS GovCloud (US)
<a name="govcloud-msk-diffs"></a>
+  Firehose isn’t available as a destination for broker logs in AWS GovCloud (US).
+ Amazon Managed Streaming for Apache Kafka (MSK) Serverless is not available in AWS GovCloud (US).

## Documentation for Managed Streaming for Apache Kafka
<a name="govcloud-msk-docs"></a>

 [Amazon Managed Streaming for Apache Kafka (MSK) documentation](https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html.html).

## Export-controlled content
<a name="govcloud-msk-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Amazon MemoryDB in AWS GovCloud (US)
<a name="govcloud-mdb"></a>

Amazon MemoryDB makes it easy to set up, manage, and scale distributed in-memory cache environments in the AWS Cloud. It provides a high performance, resizable, and cost-effective in-memory cache, while removing complexity associated with deploying and managing a distributed cache environment. MemoryDB works with the Valkey and Redis OSS engines.

## How Amazon MemoryDB differs for AWS GovCloud (US)
<a name="govcloud-mdb-diffs"></a>
+ All MemoryDB instances must be launched in an Amazon VPC.
+  MemoryDB clusters have a preferred weekly maintenance window. For information about the time blocks, see [Cache Engine Version Management](http://aws.amazon.com/VersionManagement.MaintenanceWindow.html).
+ The r6gd node type and data-tiering are not available in AWS GovCloud (US).

## Documentation for Amazon MemoryDB
<a name="govcloud-mdb-docs"></a>

 [Amazon MemoryDB documentation](http://docs.aws.amazon.com/memorydb/).

## Export-controlled content
<a name="govcloud-mdb-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Unencrypted data stored in a cache cluster may not contain export-controlled data.
+  MemoryDB metadata is not permitted to contain export-controlled data. This metadata includes all the configuration data that you enter when creating and maintaining your MemoryDB clusters.
+ Do not enter export-controlled data in the following fields:
  + Cluster instance identifier
  + Cluster name
  + Cluster snapshot name
  + Cluster security group name
  + Cluster security group description
  + Cluster parameter group name
  + Cluster parameter group description
  + Cluster subnet group name
  + Cluster subnet group description
  + Replication group name
  + Replication group description

If you are processing export-controlled data with MemoryDB, follow these guidelines in order to maintain export compliance:
+ To secure export-controlled data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.
  + For example, if you’re running an application server on an Amazon EC2 instance that connects to a MemoryDB cluster, a non-U.S. person could reconfigure the DNS to redirect export-controlled data out of the VPC and into any server that could possibly be outside of AWS GovCloud (US) Regions.
  + To prevent this type of attack and to maintain export compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see [Network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ACLs.html) in the Amazon VPC User Guide.
+ For each cluster that contains export-controlled data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an Internet gateway is attached to the VPC. Only allow connections that are from AWS GovCloud (US) Regions or other export-controlled environments to export-controlled clusters.
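
The network ACL guideline above can be checked mechanically. The following is an added example, not AWS code: it evaluates egress entries in the shape returned by the EC2 `DescribeNetworkAcls` API (lowest rule number first, first match wins) and reports every IPv4 range outside the VPC that the database port can still reach. The VPC CIDR, port 6379, and both sample ACLs are constructed assumptions.

```python
import ipaddress

DB_PORT = 6379            # assumption: default Valkey/Redis OSS port; use your cluster's port
VPC_CIDR = "10.0.0.0/16"  # constructed sample VPC range


def _covers_port(entry, port):
    """True if a NACL entry applies to TCP traffic on `port`."""
    proto = entry["Protocol"]
    if proto == "-1":      # all protocols, all ports
        return True
    if proto != "6":       # not TCP
        return False
    rng = entry.get("PortRange")
    return rng is None or rng["From"] <= port <= rng["To"]


def leaked_egress(entries, vpc_cidr, port=DB_PORT):
    """Return (rule_number, cidr) pairs outside the VPC that egress on `port` is allowed to.

    Rules are applied in ascending RuleNumber order. Each matching rule decides
    the part of the still-undecided address space that its CIDR covers.
    IPv4 only: entries that carry Ipv6CidrBlock are not evaluated here.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    undecided = list(ipaddress.ip_network("0.0.0.0/0").address_exclude(vpc))
    leaks = []
    rules = sorted(
        (e for e in entries if e["Egress"] and "CidrBlock" in e),
        key=lambda e: e["RuleNumber"],
    )
    for entry in rules:
        if not _covers_port(entry, port):
            continue
        rule_net = ipaddress.ip_network(entry["CidrBlock"])
        remaining = []
        for net in undecided:
            if net.subnet_of(rule_net):        # rule decides the whole block
                decided = [net]
            elif rule_net.subnet_of(net):      # rule decides only a slice of the block
                decided = [rule_net]
                remaining.extend(net.address_exclude(rule_net))
            else:                              # no overlap, block stays undecided
                decided = []
                remaining.append(net)
            if entry["RuleAction"] == "allow":
                leaks.extend((entry["RuleNumber"], str(d)) for d in decided)
        undecided = remaining
    return leaks


def reachable(leaks, ip):
    """True if `ip` falls inside any leaked range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for _, cidr in leaks)


def _entry(number, action, cidr, protocol="6", port=None, egress=True):
    """Build one constructed entry in the DescribeNetworkAcls shape."""
    e = {"RuleNumber": number, "RuleAction": action, "CidrBlock": cidr,
         "Protocol": protocol, "Egress": egress}
    if port is not None:
        e["PortRange"] = {"From": port, "To": port}
    return e


# Constructed sample: the broad allow in rule 110 lets the database port leave the VPC.
WEAK_ACL = [
    _entry(90, "deny", "203.0.113.0/24", port=DB_PORT),
    _entry(100, "allow", VPC_CIDR, port=DB_PORT),
    _entry(110, "allow", "0.0.0.0/0", protocol="-1"),
    _entry(32767, "deny", "0.0.0.0/0", protocol="-1"),
]

# Constructed sample: rule 95 denies the database port before the broad allow is reached.
HARDENED_ACL = [
    _entry(90, "allow", VPC_CIDR, port=DB_PORT),
    _entry(95, "deny", "0.0.0.0/0", port=DB_PORT),
    _entry(110, "allow", "0.0.0.0/0", protocol="-1"),
    _entry(32767, "deny", "0.0.0.0/0", protocol="-1"),
]

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        found = leaked_egress(acl, VPC_CIDR)
        print(f"{name}: {len(found)} leaked range(s) on port {DB_PORT}")
        for rule, cidr in found[:5]:
            print(f"  rule {rule} allows egress to {cidr}")
```

Network ACLs are stateless, so apply the same check to each subnet's ACL, and pair it with the security group and CIDR restrictions described in the last guideline.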

 MemoryDB requires the use of the SSL (HTTPS) endpoint for service API calls. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon MQ in AWS GovCloud (US)
<a name="govcloud-mq"></a>

 Amazon MQ is a managed message broker service that makes it easy to migrate to a message broker in the cloud. A *message broker* allows software applications and components to communicate using various programming languages, operating systems, and formal messaging protocols. Currently, Amazon MQ supports [Apache ActiveMQ](http://activemq.apache.org/) and [RabbitMQ](https://www.rabbitmq.com/) engine types.

 Amazon MQ works with your existing applications and services without the need to manage, operate, or maintain your own messaging system.

## How Amazon MQ differs for AWS GovCloud (US)
<a name="govcloud-mq-diffs"></a>

 Amazon MQ in AWS GovCloud (US) differs from its counterpart in commercial Regions in the following key ways:
+ The AWS Free Tier is not available in GovCloud, meaning users cannot access the free resources offered in commercial Regions.
+  Amazon MQ in GovCloud Regions does not support cross-Region data replication.
+ The instance types supported by Amazon MQ in GovCloud differ from those in commercial Regions. Users should consult the Amazon MQ pricing page for the specific instance types available in their Region.
+ Amazon MQ does not support CRDR in AWS GovCloud (US) Regions.

## Documentation for Amazon MQ
<a name="govcloud-mq-docs"></a>

 [Amazon MQ documentation](https://docs.aws.amazon.com/amazon-mq).

## Export-controlled content
<a name="govcloud-mq-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon MQ metadata is not permitted to contain export-controlled data. For example, do not enter export-controlled data into user input fields such as the following:
  + Broker name
  + Configuration name
  + Resource tag/key value pairs

# Amazon Neptune in AWS GovCloud (US)
<a name="govcloud-neptune"></a>

Amazon Neptune is a fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. The core of Neptune is a purpose-built, high-performance graph database engine. This engine is optimized for storing billions of relationships and querying the graph with milliseconds latency. Neptune supports the popular graph query languages Apache TinkerPop Gremlin and W3C’s SPARQL, enabling you to build queries that efficiently navigate highly connected datasets. Neptune powers graph use cases such as recommendation engines, fraud detection, knowledge graphs, drug discovery, and network security.

## How Amazon Neptune differs for AWS GovCloud (US)
<a name="govcloud-nep-diffs"></a>
+  Neptune workbench with Jupyter notebooks is not available.
+  Neptune Serverless is not available.

## Documentation for Amazon Neptune
<a name="govcloud-nep-docs"></a>

 [Amazon Neptune documentation](https://docs.aws.amazon.com/neptune/latest/userguide/intro.html).

## Export-controlled content
<a name="govcloud-neptune-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon OpenSearch Service in AWS GovCloud (US)
<a name="govcloud-opensearch"></a>

 Amazon OpenSearch Service is a managed service that makes it easy to deploy, operate, and scale OpenSearch, a popular open-source search and analytics engine. OpenSearch Service also offers security options, high availability, data durability, and direct access to the OpenSearch API.

## How Amazon OpenSearch Service differs for AWS GovCloud (US)
<a name="govcloud-diffs-21"></a>
+  Amazon Cognito authentication for OpenSearch Dashboards is not supported in the AWS GovCloud (US-East) Region.
+ OpenSearch ingestion is not available in AWS GovCloud (US).

## Documentation for Amazon OpenSearch Service
<a name="govcloud-docs-59"></a>

 [Amazon OpenSearch Service documentation](https://docs.aws.amazon.com/opensearch-service/).

## Export-controlled content
<a name="govcloud-itar-content-99"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon OpenSearch Service metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you specify when creating and maintaining your OpenSearch clusters and indices, such as index names, alias names, tags, snapshot names, and repository names.
+ Do not enter export-controlled data in the following fields:
  + Domain name
  + Index names
  + Type names
  + Document IDs
  + Snapshot names
  + Resource tags
  + Repository names
  + Alias names
  +  CloudWatch log group names

# Amazon Pinpoint in AWS GovCloud (US)
<a name="govcloud-pinp"></a>

**Important**  
 **End of support notice:** On October 30, 2026, AWS will end support for Amazon Pinpoint. After October 30, 2026, you will no longer be able to access the Amazon Pinpoint console or Amazon Pinpoint resources (endpoints, segments, campaigns, journeys, and analytics). For more information, see [Amazon Pinpoint end of support](https://docs.aws.amazon.com/console/pinpoint/migration-guide). **Note:** APIs related to SMS, voice, mobile push, OTP, and phone number validate are not impacted by this change and are supported by AWS End User Messaging.

Amazon Pinpoint is an AWS service that you can use to engage with your customers across multiple messaging channels. You can use Amazon Pinpoint to send push notifications, emails, SMS text messages, and voice messages.

The Amazon Pinpoint API is currently available in AWS GovCloud (US-West).

## How Amazon Pinpoint differs for AWS GovCloud (US)
<a name="govcloud-pinp-diffs"></a>
+  Amazon Pinpoint API
  + You can’t use the SendMessages operation in the Amazon Pinpoint API to send voice messages.
  + The **Machine learning modules** section isn’t available in the Amazon Pinpoint console.
  + The **Analytics** section of the Amazon Pinpoint console doesn’t include the **Events** page.
  + When you create a campaign, you can’t configure the campaign to be sent when an event occurs.
  + When you create a journey, you can only configure the **Journey entry** activity to add participants who are in a specific segment. You can’t configure the **Journey entry** activity to add participants when they perform an activity (also known as an event).
  + You can’t create message templates that include recommendations provided by Amazon Personalize.
  + The In-App channel is unavailable.
  + Time zone estimation is not supported.

## Documentation for Amazon Pinpoint
<a name="govcloud-pinp-docs"></a>

Amazon Pinpoint [documentation](https://docs.aws.amazon.com/pinpoint/latest/userguide/pinpoint-ug.pdf) and Amazon Pinpoint API [documentation](https://docs.aws.amazon.com/pinpoint/latest/apireference/welcome.html).

## Export-controlled content
<a name="govcloud-pinp-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon Pinpoint metadata is not permitted to contain export-controlled data. This metadata includes all the configuration data that you enter when creating and maintaining your Amazon Pinpoint tables, such as table names, hash attribute names, and range attribute names.
+ Do not enter export-controlled data in the following fields:
  + Keyspace names
  + Table names
  + Column names
  + Resource tags

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon Polly in AWS GovCloud (US)
<a name="govcloud-polly"></a>

This service is currently available in AWS GovCloud (US-West) only.

Amazon Polly is a Text-to-Speech (TTS) cloud service that converts text into lifelike speech. You can use Amazon Polly to develop applications that increase engagement and accessibility. Amazon Polly supports multiple languages and includes a variety of lifelike voices, so you can build speech-enabled applications that work in multiple locations and use the ideal voice for your customers.

## How Amazon Polly differs for AWS GovCloud (US)
<a name="govcloud-pol-diffs"></a>
+ In AWS GovCloud (US) Regions, AWS DOES NOT use or store AI Content processed by this AI Service to develop and improve that Service or technologies of AWS or its affiliates. Opt-out policies are not currently applicable to these Regions.

## Documentation for Amazon Polly
<a name="govcloud-pol-docs"></a>

 [Amazon Polly documentation](https://aws.amazon.com/documentation/polly/).

## Export-controlled content
<a name="govcloud-polly-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Amazon Quick Suite in AWS GovCloud (US)
<a name="govcloud-aqs"></a>

Amazon Quick Suite is a comprehensive business intelligence and analytics platform that combines traditional BI capabilities with advanced AI-powered features. The service includes the core Amazon QuickSight functionality—cloud-scale business intelligence tools for creating dashboards, visualizations, and data analysis—along with new AI-driven capabilities for enhanced insights and automation. Quick Suite connects to your data in the cloud and combines data from many different sources, allowing you to include AWS data, third-party data, big data, spreadsheet data, SaaS data, B2B data, and more in a single data dashboard. **In AWS GovCloud (US), only the traditional QuickSight capabilities (dashboards, visualizations, and data analysis) are currently supported.** As a fully managed cloud-based service, the supported features provide enterprise-grade security, global availability, and built-in redundancy, along with user-management tools that scale from 10 users to 10,000, all with no infrastructure to deploy or manage.

The supported QuickSight capabilities in AWS GovCloud (US) give decision-makers the opportunity to explore and interpret information in an interactive visual environment. They have secure access to dashboards from any device on your network and from mobile devices.

## How Amazon Quick Suite differs for AWS GovCloud (US)
<a name="govcloud-aqs-diffs"></a>

Amazon Quick Suite (formerly Amazon QuickSight) is supported in AWS GovCloud (US) regions with limitations. Only the core business intelligence capabilities are available, including dashboards, visualizations, data analysis, and reporting features. AI-powered features and functionality introduced as part of Amazon Quick Suite are not supported in AWS GovCloud (US) regions.

The following are the differences between the AWS GovCloud (US) and the standard AWS Regions.
+ Email-based user provisioning is not supported in AWS GovCloud (US).
+ Using geospatial visualizations is not supported in AWS GovCloud (US).
+ Using Amazon SageMaker AI integration is not supported in AWS GovCloud (US).
+ The Q AI assistant is not supported in AWS GovCloud (US).
+ Amazon Quick Suite and interface VPC endpoints (AWS PrivateLink) are not supported in AWS GovCloud (US).
+ The mobile app is not supported for AWS GovCloud (US-East).

Amazon Quick Suite in AWS GovCloud (US) supports user authorization for federated users only. Quick directly supports authentication through AWS Identity and Access Management (IAM), AWS IAM Identity Center (IAM Identity Center), and AWS Directory Service for Microsoft Active Directory. For more information, see [Identity federation in AWS](https://aws.amazon.com/identity/federation/).

If you’re an Amazon Quick Suite administrator, make sure to allow-list the following domains within your organization’s network.


| User type | Domain to allow-list | 
| --- | --- | 
|  Native Amazon Quick Suite and Active Directory users  |  awsapps.com and amazonaws-us-gov.com  | 
|   IAM users  |  amazonaws-us-gov.com  | 

Specialized configurations that allow users to authenticate with a different identity service can also work, even if not directly supported from inside Amazon Quick Suite. For example, you can use Amazon Cognito as described in the [Embedded Analytics Tutorial](https://aws.amazon.com/getting-started/hands-on/embedded-analytics-tutorial-introduction/). This authentication method works because it is compatible with and transparent to Amazon Quick Suite. For more information on Amazon Quick Suite authentication, see [Identity and Access Management in Amazon Quick Suite](https://docs.aws.amazon.com/quicksight/latest/user/identity.html).

**Note**  
If you are using the [Embedded Analytics Tutorial](https://aws.amazon.com/getting-started/hands-on/embedded-analytics-tutorial-introduction/), you can point to AWS GovCloud (US) ARNs and URLs for your resources, but in the step for the static website that uses Amazon CloudFront and Amazon S3, you need to point to a classic AWS Region, for example US East (N. Virginia), for the tutorial to work. This is not necessary outside the tutorial. For more information and additional examples, see [Developing with Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/quicksight_dev.html) in the Amazon Quick Suite User Guide.

## Documentation for Amazon Quick Suite
<a name="govcloud-aqs-docs"></a>

 [Amazon Quick Suite documentation](https://docs.aws.amazon.com/quicksuite/).

## Export-controlled content
<a name="aqs"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# Amazon RDS in AWS GovCloud (US)
<a name="govcloud-rds"></a>

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.

## How Amazon Relational Database Service differs for AWS GovCloud (US)
<a name="govcloud-rds-diffs"></a>
+ Multi-AZ DB clusters aren’t available. However, Multi-AZ DB instances are available.
+  Amazon RDS Custom for SQL Server isn’t available.
+  Amazon RDS Kerberos authentication for PostgreSQL DB instances is not available.
+ Creation of [cross-Region read replicas](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.XRgn.html) from other AWS Regions to the AWS GovCloud (US) Regions or from AWS GovCloud (US) Regions to other AWS Regions isn’t supported.
+ Copying of [DB snapshots](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html) from other AWS Regions to the AWS GovCloud (US) Regions or from AWS GovCloud (US) Regions to other AWS Regions isn’t supported.
+ Oracle Management Agent versions 12.1 and 13.1 aren’t available in the AWS GovCloud (US) Regions.
+ Intermediate SSL certificates must be used to connect to the AWS GovCloud (US) Regions using SSL. For more information related to Intermediate certificates, see [Using SSL/TLS to Encrypt a Connection](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html).
+ Instance types and engine versions might vary in the AWS GovCloud (US) Regions. To determine instance and engine availability, see the [RDS Management Console](https://console.amazonaws-us-gov.com/rds/) or CLI tools.
+ Since the AWS GovCloud (US) Regions use a unique certificate authority (CA), update your DB instances for the AWS GovCloud (US) Regions to use the Region-specific certificate identified by `rds-ca-rsa4096-g1` in [DescribeCertificates](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeCertificates.html) calls as soon as possible. The remaining instructions described in the [Rotating your SSL/TLS certificate](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html) topic are the same, except for the certificate identifier.
+ Copying an option group isn’t available.
+ Performance Insights [proactive recommendations](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_PerfInsights.InsightsRecommendationViewDetails.html) aren’t available.
+ Zero-ETL integration with SageMaker Lakehouse isn’t available.

## Documentation for Amazon Relational Database Service
<a name="govcloud-rds-docs"></a>

 [Amazon RDS documentation](http://aws.amazon.com/documentation/rds/).

## Export-controlled content
<a name="rds-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon RDS metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon RDS instances except the master password.
+ Do not enter export-controlled data in the following fields:
  + Database instance identifier
  + Master user name
  + Database name
  + Database snapshot name
  + Database security group name
  + Database security group description
  + Database parameter group name
  + Database parameter group description
  + Option group name
  + Option group description
  + Database subnet group name
  + Database subnet group description
  + Event subscription name
  + Resource tags

If you are processing export-controlled data with Amazon RDS, follow these guidelines in order to maintain export compliance:
+ When you use the console or the AWS APIs, the only data field that is protected as export-controlled data is the Amazon RDS master password.
+ After you create your database, change the master password of your Amazon RDS instance by directly using the database client.
+ You can enter export-controlled data into any data fields by using your database client-side tools. Do not pass export-controlled data by using the web service APIs that are provided by Amazon RDS.
+ To secure export-controlled data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.
  + To maintain export compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see [Network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ACLs.html) in the *Amazon VPC User Guide*.
+ For each database instance that contains export-controlled data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US) Regions or other export-controlled environments to export-controlled database instances.

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon Redshift in AWS GovCloud (US)
<a name="govcloud-redshift"></a>

Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools. It is optimized for datasets ranging from a few hundred gigabytes to a petabyte or more and costs less than \$11,000 per terabyte per year, a tenth the cost of most traditional data warehousing solutions.

## How Amazon Redshift differs for AWS GovCloud (US)
<a name="govcloud-rs-diffs"></a>
+ To connect to Amazon Redshift with SSL, you must download the Amazon Redshift certificate bundle from https://s3.us-gov-west-1.amazonaws.com/redshift-downloads/amazon-trust-ca-bundle.crt. For more information, see [Configure Security Options for Connections](https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html).
+ The COPY `EXPLICIT_IDS` parameter is not available.

## Documentation for Amazon Redshift
<a name="govcloud-rs-docs"></a>

 [Amazon Redshift documentation](http://aws.amazon.com/documentation/redshift/).

## Export-controlled content
<a name="govcloud-redshift-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon Redshift metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon Redshift clusters except the master password.
+ Do not enter export-controlled data in the following fields:
  + Database instance identifier
  + Master user name
  + Database name
  + Database snapshot name
  + Database security group name
  + Database security group description
  + Database parameter group name
  + Database parameter group description
  + Option group name
  + Option group description
  + Database subnet group name
  + Database subnet group description
  + Event subscription name
  + Resource tags

If you are processing export-controlled data with Amazon Redshift, follow these guidelines in order to maintain export compliance:
+ When you use the console or the AWS APIs, the only data field that is protected as export-controlled data is the Amazon Redshift Master Password.
+ After you create your database, change the master password of your Amazon Redshift cluster by directly using the database client.
+ You can enter export-controlled data into any data fields by using your database client-side tools. Do not pass export-controlled data by using the web service APIs that are provided by Amazon Redshift.
+ To secure export-controlled data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.
  + For example, if you’re running an application server on an Amazon EC2 instance that connects to an Amazon Redshift cluster, a non-U.S. person could reconfigure the DNS to redirect export-controlled data out of the VPC and into any server that could possibly be outside of the AWS GovCloud (US) Regions.

    To prevent this type of attack and to maintain export compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see [Network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ACLs.html) in the *Amazon VPC User Guide*.
+ For each cluster that contains export-controlled data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the cluster, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US) Regions or other export-controlled environments to export-controlled clusters.
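
One way to check the network ACL guidance above, which applies equally to the Amazon RDS section, is to evaluate a network ACL's egress entries the way the VPC does: in rule-number order, with the first matching rule deciding. The following is an added example, not code from the AWS guide; the entry layout follows the `DescribeNetworkAcls` response, and the VPC CIDR, ports and sample entries are constructed assumptions.

```python
import ipaddress

# Constructed sample, shaped like the "Entries" list that DescribeNetworkAcls
# returns. Protocol "6" is TCP and "-1" is all protocols. The VPC CIDR and the
# ports (5439 for a Redshift cluster, 3306 for a MySQL DB instance) are assumed.
VPC_CIDR = "10.0.0.0/16"
SAMPLE_ENTRIES = [
    {"RuleNumber": 90, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 5439, "To": 5439}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 5439, "To": 5439}},
    {"RuleNumber": 110, "Egress": True, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
]


def _covers_port(entry, port):
    """True if the entry applies to TCP traffic on the given port."""
    protocol = entry.get("Protocol")
    if protocol == "-1":
        return True
    if protocol != "6":
        return False
    port_range = entry.get("PortRange")
    if port_range is None:
        return True  # no range recorded: treat as all ports (conservative)
    return port_range["From"] <= port <= port_range["To"]


def external_egress_on_port(entries, vpc_cidr, port):
    """Return (rule_number, cidr) pairs that let TCP traffic on `port` leave the VPC.

    Starts with every IPv4 address outside the VPC as undecided, then walks
    the egress rules in ascending order. Each rule decides the addresses it
    matches first, so a deny only helps if it comes before a broader allow.
    IPv6 entries (Ipv6CidrBlock) are not evaluated here.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    undecided = list(ipaddress.ip_network("0.0.0.0/0").address_exclude(vpc))
    leaks = []
    egress = sorted(
        (e for e in entries if e.get("Egress") and "CidrBlock" in e),
        key=lambda e: e["RuleNumber"],
    )
    for entry in egress:
        if not _covers_port(entry, port):
            continue
        rule_net = ipaddress.ip_network(entry["CidrBlock"])
        still_undecided = []
        for net in undecided:
            # CIDR blocks are either nested or disjoint, never partly overlapping.
            if net.subnet_of(rule_net):
                matched = [net]
            elif rule_net.subnet_of(net):
                matched = [rule_net]
                still_undecided.extend(net.address_exclude(rule_net))
            else:
                matched = []
                still_undecided.append(net)
            if entry["RuleAction"] == "allow":
                leaks.extend((entry["RuleNumber"], str(m)) for m in matched)
        undecided = still_undecided
    return leaks


if __name__ == "__main__":
    for db_port in (5439, 3306):
        found = external_egress_on_port(SAMPLE_ENTRIES, VPC_CIDR, db_port)
        rules = sorted({rule for rule, _ in found})
        print(db_port, "blocked" if not found else f"can exit via rule(s) {rules}")
```

In the sample, port 5439 is blocked by rule 100, but the second database's port 3306 still exits through the allow-all rule 110, which is the case the "set up ACLs on all the ports" guidance addresses.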

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Amazon Rekognition in AWS GovCloud (US)
<a name="govcloud-rekognition"></a>

This service is currently available in AWS GovCloud (US-West) only.

Amazon Rekognition makes it easy to add image and video analysis to your applications. You just provide an image or video to the Rekognition API, and the service can identify objects, people, text, scenes, and activities. It can detect any inappropriate content as well. Amazon Rekognition also provides highly accurate facial analysis and facial recognition. You can detect, analyze, and compare faces for a wide variety of use cases, including user verification, cataloging, people counting, and public safety.

## How Amazon Rekognition differs for AWS GovCloud (US)
<a name="govcloud-rek-diffs"></a>
+ Celebrity Recognition is not available in AWS GovCloud (US) for either Amazon Rekognition Image or Amazon Rekognition Stored Video.
+  Amazon Rekognition Streaming Video is not available in AWS GovCloud (US).
+  Amazon Rekognition Custom Labels is not available in AWS GovCloud (US).
+  Amazon Rekognition Bulk Analysis is not available in AWS GovCloud (US).
+ In AWS GovCloud (US) Regions, AWS DOES NOT use or store AI Content processed by this AI Service to develop and improve that Service or technologies of AWS or its affiliates. Opt-out policies are not currently applicable to these Regions.

## Documentation for Amazon Rekognition
<a name="govcloud-rek-docs"></a>

 [Amazon Rekognition documentation](https://docs.aws.amazon.com/rekognition/index.html).

## Export-controlled content
<a name="govcloud-rekognition-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Amazon Route 53 in AWS GovCloud (US)
<a name="govcloud-r53"></a>

 Route 53 is a highly available and scalable Domain Name System (DNS) web service. In the AWS GovCloud (US), you can use Route 53 public and private DNS and health checking.

## How Amazon Route 53 differs for AWS GovCloud (US-West) Region
<a name="govcloud-r53-diffs"></a>

Public Hosted Zones
+ DNS queries will be answered from within the FedRAMP boundary.
+ When creating alias records, you can now choose alias targets in the AWS GovCloud (US) Regions, but you cannot choose alias targets in global AWS Regions. Currently, we support alias targets for API Gateway, Elastic Beanstalk, Application Load Balancer, Classic Load Balancer, Network Load Balancer, Amazon S3 website endpoint, and VPC endpoint. The other alias targets are not supported.
+ The customer managed key that you use with DNSSEC signing must be in AWS GovCloud (US-West).
+ The CloudWatch Logs log group for query logging must be in AWS GovCloud (US-West).
+  CloudWatch metrics like DNSQueries can be found in AWS GovCloud (US-West).
+ IP-based routing type is not available.
+ Traffic Flow features are not available.
+ The DNS query checking tool on the console and the `TestDNSAnswer` API are not available.

Private Hosted Zones
+ You can create private hosted zones in the AWS GovCloud (US). In general, the functionality is the same as for private hosted zones in the commercial version of Route 53.
+ Latency-based, geolocation, and geoproximity routing types are not available in private hosted zones.
+  Route 53 Resolver delegation is not available.

Health Checking
+ You can create health checks that monitor endpoints in the AWS GovCloud, and you can create health checks that monitor the status of other health checks.
+ As in other AWS Regions, if you create a health check that monitors an endpoint in the AWS GovCloud, you must make the endpoint available on the public internet. Route 53 health checkers send health checking requests over the public internet.
+ You can restrict access to your endpoints by allowlisting the IP addresses of Route 53 health checkers in the AWS GovCloud:
  + 160.1.56.0/25
  + 160.1.55.0/25
  + 160.1.55.128/25
  + 18.253.167.128/25
  + 18.253.168.0/25
  + 18.253.167.0/25
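
An allowlist like this tends to drift: a range gets left out, or a temporary source is never removed. The following added example (not part of the AWS guide) audits ingress rules for a health-check port against the ranges listed above; the rule layout follows the `IpPermissions` structure of `DescribeSecurityGroups`, and the sample rules and port are constructed.

```python
import ipaddress

# Route 53 health checker ranges for AWS GovCloud (US), as listed on this page.
HEALTH_CHECKER_RANGES = [
    "160.1.56.0/25",
    "160.1.55.0/25",
    "160.1.55.128/25",
    "18.253.167.128/25",
    "18.253.168.0/25",
    "18.253.167.0/25",
]

# Constructed sample: two /24 rules each cover a pair of adjacent /25 ranges,
# one listed range is missing, and one unrelated source was left in place.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [
        {"CidrIp": "160.1.56.0/25"},
        {"CidrIp": "160.1.55.0/24"},
        {"CidrIp": "18.253.167.0/24"},
        {"CidrIp": "203.0.113.0/24"},
    ]},
    # Different port, so it is outside the scope of this audit.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [
        {"CidrIp": "198.51.100.0/24"},
    ]},
]


def audit_health_check_ingress(ip_permissions, port):
    """Compare the IPv4 sources allowed on `port` with the health checker ranges.

    Returns a dict with:
      unexpected: allowed CIDRs that are not inside any health checker range
      missing:    health checker ranges that no allowed CIDR covers
    """
    # Collapse first so that 160.1.55.0/24 is recognised as exactly the two
    # adjacent /25 ranges, and so that split rules (two /26s) count as coverage.
    checkers = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in HEALTH_CHECKER_RANGES))

    allowed = []
    for perm in ip_permissions:
        protocol = perm.get("IpProtocol")
        applies = protocol == "-1" or (
            protocol == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        )
        if not applies:
            continue
        for ip_range in perm.get("IpRanges", []):
            allowed.append(ipaddress.ip_network(ip_range["CidrIp"]))

    merged = list(ipaddress.collapse_addresses(allowed))
    unexpected = [
        str(net) for net in allowed
        if not any(net.subnet_of(c) for c in checkers)
    ]
    missing = [
        cidr for cidr in HEALTH_CHECKER_RANGES
        if not any(ipaddress.ip_network(cidr).subnet_of(m) for m in merged)
    ]
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    print(audit_health_check_ingress(SAMPLE_PERMISSIONS, 443))
```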

The control plane for Route 53 in the AWS GovCloud (US) is in the AWS GovCloud (US-West).

## Documentation for Amazon Route 53
<a name="govcloud-r53-docs"></a>

 [Amazon Route 53 documentation](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html).

## Export-controlled content
<a name="govcloud-r53-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Amazon Application Recovery Controller (ARC) in AWS GovCloud (US)
<a name="govcloud-arc-zonal-shift"></a>

## How Amazon Application Recovery Controller (ARC) differs for AWS GovCloud (US)
<a name="govcloud-diffs-44"></a>

The AWS GovCloud (US-West) implementation of ARC is unique in the following way:
+ The routing control and readiness check features of the ARC service are not available in AWS GovCloud (US-West).

## Zonal Shift
<a name="_zonal_shift"></a>

You can use ARC zonal shift to quickly isolate and recover from single Availability Zone (AZ) impairments. Zonal shift temporarily shifts traffic for a supported resource away from an impaired AZ to healthy AZs in the same AWS Region. Starting a zonal shift helps your application recover quickly, for example, from a developer’s bad code deployment or from an AWS impairment in a single AZ. Shifting traffic away from the impaired AZ reduces the impact for clients who are using your application in the impaired AZ.

You can start a zonal shift for any supported resource in your account in an AWS Region. Zonal shifts are manual and temporary. When you start a zonal shift, you must specify an (extendable) expiration of up to three days.

## Region Switch
<a name="_region_switch"></a>

You can use Region switch in ARC to orchestrate large-scale, complex recovery tasks for your application resources across AWS accounts, to help ensure business continuity and reduce operational overhead. Region switch provides a centralized and observable solution that you can perform manually, or automate by using Amazon CloudWatch alarm triggers. If an AWS Region becomes impaired, you can execute the plans that you create by using Region switch to fail over or switch your resources to another Region. This ensures that your application can continue to operate, running in a healthy AWS Region.

## Documentation for Amazon Application Recovery Controller (ARC)
<a name="govcloud-docs-83"></a>

 [Amazon Application Recovery Controller (ARC) Developer Guide](https://docs.aws.amazon.com/r53recovery/latest/dg/what-is-route53-recovery.html).

## Export-controlled content
<a name="govcloud-itar-content-122"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ All customer parameters provided as input to ARC through the console, APIs, or other mechanisms, are not permitted to contain export-controlled data. Examples include comments entered by the user, and the resource name and Amazon Resource Name (ARN) for registered resources.

# Amazon S3 in AWS GovCloud (US)
<a name="govcloud-s3"></a>

Amazon Simple Storage Service (Amazon S3) is storage for the internet. You can use Amazon S3 to store and retrieve any amount of data at any time, from anywhere on the web. You can accomplish these tasks using the simple and intuitive web interface of the AWS Management Console.

## How Amazon Simple Storage Service differs for AWS GovCloud (US)
<a name="govcloud-s3-diffs"></a>
+  Amazon Route 53 Private DNS for VPCs is currently not supported for Amazon S3 endpoints.
+ You cannot do a direct copy of the contents of an Amazon S3 bucket in the AWS GovCloud (US) Regions to or from another AWS Region.
+ If you use Amazon S3 policies, use the AWS GovCloud (US) Amazon Resource Name (ARN) identifier. For more information, see [Amazon Resource Names (ARNs) in AWS GovCloud (US) Regions](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html).
+ In the AWS GovCloud (US) Regions, Amazon S3 has three endpoints. If you are processing export-controlled data, use one of the SSL endpoints. If you have FIPS requirements, use a FIPS 140-3 endpoint (https://s3-fips.us-gov-west-1.amazonaws.com or https://s3-fips.us-gov-east-1.amazonaws.com).
+  Amazon S3 bucket names are unique to the AWS GovCloud (US) Regions. Bucket names in the AWS GovCloud (US) Regions are not shared across other AWS Regions.
+ Multi-factor authentication (MFA) delete is not available in the AWS GovCloud (US) Regions.
+  [Amazon S3 Transfer Acceleration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html) is not available in the AWS GovCloud (US) Regions.
+  Amazon S3 Object Lambda Access Points are available in the AWS GovCloud (US) Regions for SSL endpoints. Object Lambda Access Points are not available for FIPS endpoints.
+  Amazon S3 presigned URLs are available only through the AWS Command Line Interface (AWS CLI) and AWS SDKs.
+ Bucket-style aliases for your Amazon S3 Object Lambda Access Points are not available.
+  Amazon S3 Express One Zone is not available in the AWS GovCloud (US) Regions.
+  Amazon S3 Tables replication is not available in the AWS GovCloud (US) Regions.
+  Amazon S3 Metadata is not available in the AWS GovCloud (US) Regions.
+ Access points for directory buckets are not available in the AWS GovCloud (US) Regions.
+ You cannot use S3 access points to access file data stored on Amazon FSx file systems.

## Documentation for Amazon Simple Storage Service
<a name="govcloud-s3-docs"></a>

 [Amazon Simple Storage Service documentation](https://aws.amazon.com/documentation/s3/).

## Export-controlled content
<a name="govcloud-s3-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon S3 metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon S3 buckets, such as bucket names.
+ Do not enter export-controlled data in the following fields:
  + Resource tags

# Amazon Glacier in AWS GovCloud (US)
<a name="govcloud-gl"></a>

Amazon Glacier is a storage service optimized for infrequently used data, or cold data. The service provides durable and extremely low-cost storage with security features for data archiving and backup.

## How Amazon Glacier differs for AWS GovCloud (US)
<a name="govcloud-gl-diffs"></a>

This service has no differences between the AWS GovCloud (US) and the standard AWS Regions.

## Documentation for Amazon Glacier
<a name="govcloud-gl-docs"></a>

 [Amazon Glacier documentation](http://aws.amazon.com/documentation/glacier/).

## Export-controlled content
<a name="govcloud-gl-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon Glacier metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon Glacier vaults, such as vault names.
+ Do not enter export-controlled data in the following fields:
  + Resource tags: Key
  + Resource tags: Value

# Amazon S3 on Outposts in AWS GovCloud (US)
<a name="govcloud-s3-outposts"></a>

Amazon S3 on Outposts delivers object storage to your on-premises AWS Outposts environment to help you meet your low latency, local data processing, and data residency needs. Using the Amazon S3 APIs and features, Amazon S3 on Outposts makes it easier to store, secure, tag, retrieve, report on, and control access to the data on your Outposts. AWS Outposts is a fully managed service that extends AWS infrastructure, services, and tools to virtually any data center, co-location space, or on-premises facility for a truly consistent hybrid experience.

## How Amazon S3 on Outposts differs for AWS GovCloud (US)
<a name="govcloud-diffs-24"></a>

 AWS CloudFormation is not supported.

## Documentation for Amazon S3 on Outposts
<a name="govcloud-docs-63"></a>

 [S3 on Outposts documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/S3onOutposts.html).

## Export-controlled content
<a name="govcloud-itar-content-102"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon S3 on Outposts metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon S3 on Outposts buckets, such as bucket names. For example, do not enter export-controlled data in the following fields:
  + Outpost Bucket Name
  + Outpost Object Name
  + Resource tags

# Amazon SageMaker AI in AWS GovCloud (US)
<a name="govcloud-sagemaker"></a>

 Amazon SageMaker AI is a fully managed machine learning service. With Amazon SageMaker AI, data scientists and developers can quickly and easily build and train machine learning models, and then directly deploy them into a production-ready hosted environment. It provides an integrated Jupyter authoring notebook instance for easy access to your data sources for exploration and analysis, so you don’t have to manage servers. It also provides common machine learning algorithms that are optimized to run efficiently against extremely large data in a distributed environment. With native support for bring-your-own-algorithms and frameworks, Amazon SageMaker AI provides flexible distributed training options that adjust to your specific workflows.

## How Amazon SageMaker AI differs for AWS GovCloud (US)
<a name="govcloud-sm-diffs"></a>
+ Only the following features are available. API calls to unavailable features will fail with a 4xx message indicating "The requested operation is not supported in the called region".
  + Notebook instances
  + Training
  + Pipelines
  + SageMaker JumpStart
  + Hosting
  + Batch Transform
  + Processing
  + Neo
  + SageMaker Search
  + SageMaker Debugger and Profiler
  + Model Tuning
  + SageMaker Studio and Studio Classic
    + Authentication using AWS Identity and Access Management is supported; authentication using IAM Identity Center is not supported
    + Scheduling a notebook job is not supported
    + AWS Glue interactive sessions are supported only in AWS GovCloud (US-West)
  + SageMaker Studio notebooks

**Note**  
SageMaker JumpStart in GovCloud only provides support for open-weight models. You can only access SageMaker JumpStart with the SageMaker AI Python SDK.

## Documentation for Amazon SageMaker AI
<a name="govcloud-sm-docs"></a>

 [Amazon SageMaker AI documentation](https://aws.amazon.com/documentation/sagemaker/).

## Export-controlled content
<a name="govcloud-sagemaker-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon SageMaker AI metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your NotebookInstances, NotebookInstanceLifecycleConfigs, Endpoints, Models, EndpointConfigs, TrainingJobs, HyperParameterTuningJobs, and BatchTransformJobs.

  Do not enter export-controlled data in the following console fields:
  + NotebookInstance Name
  + NotebookInstanceLifecycleConfig Name
  + Model Name
  + Model Container Hostname
  + Model Environment names and values
  + Endpoint Name
  + Endpoint Config Name
  + Endpoint Config Production Variant names
  + Endpoint Config
  + TrainingJob Name
  + BatchTransformJob Name
  + Hyperparameter Names or values
  + Input Channel Name
  + Any resource tag or value
  + Names of any metrics emitted by algorithms
  + Names of any training or inference container environment variables

# Amazon SES in AWS GovCloud (US)
<a name="govcloud-ses"></a>

This section lists the differences for using Amazon SES in the AWS GovCloud (US) Regions compared to other AWS Regions.

Amazon SES is an email platform that provides an easy, cost-effective way for you to send and receive email using your own email addresses and domains. For example, you can send marketing emails such as special offers, transactional emails such as order confirmations, and other types of correspondence such as newsletters. When you use Amazon SES to receive mail, you can develop software solutions such as email autoresponders, email unsubscribe systems, and applications that generate customer support tickets from incoming emails.

## How Amazon SES differs for AWS GovCloud (US)
<a name="govcloud-ses-diffs"></a>
+  Amazon SES doesn’t support email receiving in the AWS GovCloud (US) Region.

## Documentation for Amazon SES
<a name="govcloud-ses-docs"></a>

 [Amazon SES documentation](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/Welcome.html).

## Export-controlled content
<a name="govcloud-ses-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Amazon Security Lake in AWS GovCloud (US)
<a name="govcloud-asl"></a>

 Amazon Security Lake is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from AWS environments, SaaS providers, on premises, cloud sources, and third-party sources into a purpose-built data lake that’s stored in your AWS account. Security Lake helps you analyze security data, so you can get a more complete understanding of your security posture across the entire organization. With Security Lake, you can also improve the protection of your workloads, applications, and data.

## How Amazon Security Lake differs for AWS GovCloud (US)
<a name="govcloud-diffs-45"></a>
+ In AWS GovCloud (US) Regions, the subscriber [HttpsNotificationConfiguration](https://docs.aws.amazon.com/security-lake/latest/APIReference/API_HttpsNotificationConfiguration.html) operation is not supported.
+ In AWS GovCloud (US) Regions, AWS doesn’t use or store Customer Content processed by Amazon Security Lake to develop and improve the service or technologies of AWS or its affiliates. Opt-out policies are currently not applicable to these Regions.

## Documentation for Amazon Security Lake
<a name="govcloud-docs-84"></a>

 [Security Lake documentation](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html).

## Export-controlled content
<a name="govcloud-itar-content-123"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# Amazon SNS in AWS GovCloud (US)
<a name="govcloud-sns"></a>

Amazon Simple Notification Service (Amazon SNS) is a web service that enables applications, end-users, and devices to instantly send and receive notifications from the cloud.

## How Amazon Simple Notification Service differs for AWS GovCloud (US)
<a name="govcloud-sns-diffs"></a>
+ You cannot use Amazon SNS to send SMS messages while using the AWS GovCloud (US-East) Region.
+  Amazon Data Firehose subscriptions are not supported.
+ The Kinesis Firehose protocol option for Amazon SNS topics is not available.
+ Message Data Protection is not supported.
+ Custom data identifiers are not supported.
+  Amazon SNS message archiving and replay is not supported.
+ IPv6 is not supported.

## Documentation for Amazon Simple Notification Service
<a name="govcloud-sns-docs"></a>

 [Amazon SNS documentation](http://aws.amazon.com/documentation/sns/).

## Export-controlled content
<a name="govcloud-sns-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Export-controlled data may not be entered, stored, or processed in Amazon SNS notification messages when the following notification endpoints are being used:

  Notification Endpoints
  + Mobile push notifications – not permitted to contain export-controlled data
  + Email – not permitted to contain export-controlled data
  +  Amazon SQS queues outside of AWS GovCloud (US) Regions – not permitted to contain export-controlled data
  + HTTP URL endpoint – not permitted to contain export-controlled data
+  Amazon SNS metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when setting up and maintaining your topics.

  For example, do not enter export-controlled data in the following fields:
  + Topic Name
  + Display Name
  + Topic Policy
  + Topic Delivery Policy
  + Topic ARN
  + Endpoint
  + Subject
  + Application Name

# Amazon SQS in AWS GovCloud (US)
<a name="govcloud-sqs"></a>

Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications. Amazon SQS moves data between distributed application components and helps you decouple these components.

## How Amazon Simple Queue Service differs for AWS GovCloud (US)
<a name="govcloud-sqs-diffs"></a>
+ IPv6 is not supported.

## Documentation for Amazon Simple Queue Service
<a name="govcloud-sqs-docs"></a>

 [Amazon SQS documentation](http://aws.amazon.com/documentation/sqs/).

## Export-controlled content
<a name="govcloud-sqs-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon SQS metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when setting up and maintaining your queues.

  For example, do not enter export-controlled data in the following fields:
  + Queue Name
  + Queue Configuration
  + Queue Policy Document
  + Queue Permissions

# Amazon SWF in AWS GovCloud (US)
<a name="govcloud-swf"></a>

Amazon Simple Workflow Service (Amazon SWF) makes it easy to build applications that coordinate work across distributed components. In Amazon SWF, a task represents a logical unit of work that is performed by a component of your application. Coordinating tasks across the application involves managing intertask dependencies, scheduling, and concurrency in accordance with the logical flow of the application. Amazon SWF gives you full control over implementing tasks and coordinating them without worrying about underlying complexities such as tracking their progress and maintaining their state.

## How Amazon Simple Workflow Service differs for AWS GovCloud (US)
<a name="govcloud-swf-diffs"></a>

This service has no differences between the AWS GovCloud (US) Regions and the standard AWS Regions.

## Documentation for Amazon Simple Workflow Service
<a name="govcloud-swf-docs"></a>

 [Amazon SWF documentation](http://aws.amazon.com/documentation/swf/).

## Export-controlled content
<a name="govcloud-swf-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No export-controlled data can be entered, stored, or processed in Amazon SWF.
+  Amazon SWF metadata is not permitted to contain export-controlled data. This metadata includes all of the configuration data that you enter when setting up and maintaining your workflows.

  For example, do not enter export-controlled data in the following fields:
  + Workflow type name
  + Workflow type version
  + Activity type name
  + Activity type version
  + Execution workflow ID
  + Activity task ID
  + The `input`, `result`, or `details` arguments to workflow executions
  + The `input`, `result`, or `details` arguments to activity tasks

# Amazon Textract in AWS GovCloud (US)
<a name="govcloud-txtrct"></a>

Amazon Textract makes it easy to add document text detection and analysis to your applications. The Amazon Textract Text Detection API can detect text in a variety of documents including financial reports, medical records, and tax forms. For documents with structured data, you can use the Amazon Textract Document Analysis API to extract text, forms and tables.

## How Amazon Textract differs for AWS GovCloud (US)
<a name="govcloud-txtrct-diffs"></a>
+ In AWS GovCloud (US) Regions, AWS DOES NOT use or store AI Content processed by this AI Service to develop and improve that Service or technologies of AWS or its affiliates. Opt-out policies are not currently applicable to these Regions.

## Documentation for Amazon Textract
<a name="govcloud-txtrct-docs"></a>

 [Amazon Textract documentation](https://docs.aws.amazon.com/textract/latest/dg/what-is.html).

## Export-controlled content
<a name="itar-boundary-5"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon Textract metadata is not permitted to contain export-controlled data.

# Amazon Timestream in AWS GovCloud (US)
<a name="govcloud-timestream"></a>

This service is currently available in AWS GovCloud (US-West) only.

Timestream is a fast, scalable, and serverless time series database service for IoT and operational applications. With Timestream, you can store and analyze trillions of events per day up to 1,000 times faster than with relational databases, at as little as one-tenth of the cost.

Timestream saves you time and cost in managing the lifecycle of time series data by keeping recent data in memory and moving historical data to a cost-optimized storage tier, based upon user-defined policies.

With the purpose-built query engine in Timestream, you can access and analyze recent and historical data together, without needing to specify explicitly in the query whether the data resides in memory or in the cost-optimized storage tier.

Timestream helps ensure that your time series data is always encrypted, whether at rest or in transit. With Timestream, you can also specify an AWS KMS customer managed key for encrypting data in the magnetic store.

## How Amazon Timestream differs for AWS GovCloud (US)
<a name="govcloud-diffs-8"></a>

The AWS GovCloud (US) Region implementation of Amazon Timestream is unique in the following ways.
+ The query editor in the Timestream console does not allow you to save your queries for later usage or search from saved queries.
+ Customers who rely upon FIFO support with SNS notifications from the scheduled query service for Timestream cannot create a FIFO topic in AWS GovCloud (US), because the Region does not support FIFO topics. As a result, notifications for scheduled queries might arrive out of order. For more information, see [Amazon SNS in AWS GovCloud (US)](govcloud-sns.md).

## Documentation for Amazon Timestream
<a name="govcloud-docs-47"></a>

 [Timestream documentation](https://docs.aws.amazon.com/timestream/latest/developerguide/what-is-timestream).

## Export-controlled content
<a name="govcloud-itar-content-86"></a>

For AWS services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Amazon Timestream metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon Timestream instances except the master password.
+ Do not enter export-controlled data in the following fields.
  + Master user name
  + Database name
  + Table name
  + Scheduled query, Query Name
  + Resource tags

If you are processing export-controlled data with Amazon Timestream, follow these guidelines in order to maintain export compliance.
+ When you use the console or the AWS APIs, the only data field that is protected as export-controlled data is the Amazon Timestream master password.
+ You can enter export-controlled data into any data fields by using your database client-side tools. Do not pass export-controlled data by using the web service APIs that are provided by Amazon Timestream.
+ To secure export-controlled data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.

  For example, if you’re running an application server on an Amazon EC2 instance that connects to Amazon Timestream, a non-U.S. person could reconfigure the DNS to redirect export-controlled data out of the VPC and into any server that could possibly be outside of the AWS GovCloud (US) Regions.

  To prevent this type of attack and to maintain export compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see [Network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ACLs.html) in the *Amazon VPC User Guide*.
+ For each database that contains export-controlled data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the database instance, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US) Regions or other export-controlled environments to export-controlled database instances.
+ If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).
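
The network ACL guidance above can be checked mechanically. The following Python is an added example, not part of the AWS guide: it replays egress entries in the shape returned by the EC2 `DescribeNetworkAcls` API (lowest rule number first, first match wins) and reports every allow rule that lets TCP traffic on the database port reach addresses outside the VPC. The VPC CIDR, the port 5432, and all ACL entries are constructed sample values; only IPv4 entries are evaluated.

```python
import ipaddress

IPV4_ALL = (0, 2**32 - 1)


def _span(cidr):
    """Return an IPv4 CIDR block as an inclusive (first, last) integer pair."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def _subtract(ranges, cut):
    """Remove the span `cut` from a list of inclusive integer ranges."""
    lo, hi = cut
    out = []
    for a, b in ranges:
        if b < lo or a > hi:          # no overlap, keep unchanged
            out.append((a, b))
            continue
        if a < lo:                    # part below the cut survives
            out.append((a, lo - 1))
        if b > hi:                    # part above the cut survives
            out.append((hi + 1, b))
    return out


def _intersect(ranges, cut):
    """Return the parts of `ranges` that fall inside the span `cut`."""
    lo, hi = cut
    return [(max(a, lo), min(b, hi)) for a, b in ranges if a <= hi and b >= lo]


def _matches_tcp_port(entry, port):
    """True if the entry applies to TCP traffic on `port`."""
    proto = entry.get("Protocol")
    if proto == "-1":                 # all protocols, all ports
        return True
    if proto != "6":                  # 6 = TCP; other protocols do not match
        return False
    pr = entry.get("PortRange")
    # Conservative: a TCP entry without a port range is treated as all ports.
    return pr is None or pr["From"] <= port <= pr["To"]


def egress_leaks(acl, vpc_cidr, db_port):
    """Return [(rule_number, exposed_address_count)] for every egress allow
    rule that decides traffic on db_port for addresses outside vpc_cidr."""
    # Address space outside the VPC that no earlier rule has decided yet.
    undecided = _subtract([IPV4_ALL], _span(vpc_cidr))
    leaks = []
    entries = sorted(
        (e for e in acl["Entries"] if e.get("Egress") and "CidrBlock" in e),
        key=lambda e: e["RuleNumber"],
    )
    for e in entries:
        if not _matches_tcp_port(e, db_port):
            continue
        span = _span(e["CidrBlock"])
        hit = _intersect(undecided, span)
        if hit and e["RuleAction"] == "allow":
            leaks.append((e["RuleNumber"], sum(b - a + 1 for a, b in hit)))
        undecided = _subtract(undecided, span)   # first match wins
    return leaks                                 # leftovers hit the final deny


def _rule(num, action, cidr, proto="-1", port=None, egress=True):
    """Build one entry in DescribeNetworkAcls shape (constructed data)."""
    e = {"RuleNumber": num, "RuleAction": action, "CidrBlock": cidr,
         "Protocol": proto, "Egress": egress}
    if port is not None:
        e["PortRange"] = {"From": port, "To": port}
    return e


# Constructed sample values, not taken from the guide.
VPC_CIDR = "10.0.0.0/16"
DB_PORT = 5432

# Deny on the database port is evaluated before the general allow.
HARDENED_ACL = {"Entries": [
    _rule(90, "allow", VPC_CIDR, proto="6", port=DB_PORT),
    _rule(95, "deny", "0.0.0.0/0", proto="6", port=DB_PORT),
    _rule(100, "allow", "0.0.0.0/0"),
    _rule(100, "allow", "0.0.0.0/0", egress=False),   # ingress, ignored
    _rule(32767, "deny", "0.0.0.0/0"),
]}

# Same intent, but the deny is numbered after the allows and never takes effect.
MISORDERED_ACL = {"Entries": [
    _rule(50, "allow", "192.0.2.0/24", proto="6", port=DB_PORT),
    _rule(100, "allow", "0.0.0.0/0"),
    _rule(200, "deny", "0.0.0.0/0", proto="6", port=DB_PORT),
    _rule(32767, "deny", "0.0.0.0/0"),
]}

if __name__ == "__main__":
    for name, acl in (("hardened", HARDENED_ACL), ("misordered", MISORDERED_ACL)):
        print(name, egress_leaks(acl, VPC_CIDR, DB_PORT))
```

Run the check once per database port when several databases listen on different ports, as the guideline above requires ACLs on all of them.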

# Amazon Transcribe in AWS GovCloud (US)
<a name="govcloud-tsc"></a>

Amazon Transcribe uses advanced machine learning technologies to recognize speech in audio files and transcribe them into text. Use Amazon Transcribe to convert audio to text and to create applications that incorporate the content of audio files. For example, you can transcribe the audio track from a video recording to create closed captioning for the video.

## How Amazon Transcribe differs for AWS GovCloud (US)
<a name="govcloud-tsc-diffs"></a>
+ Automatic language identification is not available in the AWS GovCloud (US-East) Region.
+ Call Analytics is not available in the AWS GovCloud (US) Regions.
+ Automatic content redaction is not available in the AWS GovCloud (US-East) Region.
+ In AWS GovCloud (US) Regions, AWS DOES NOT use or store AI Content processed by this AI Service to develop and improve that Service or technologies of AWS or its affiliates. Opt-out policies are not currently applicable to these Regions.

## Documentation for Amazon Transcribe
<a name="govcloud-tsc-docs"></a>

 [Amazon Transcribe documentation](https://docs.aws.amazon.com/transcribe/latest/dg/).

## Export-controlled content
<a name="govcloud-tsc-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# AWS Transit Gateway in AWS GovCloud (US)
<a name="govcloud-transit-gateway"></a>

A transit gateway is a network transit hub that interconnects your virtual private clouds (VPC) and on-premises networks.

## How AWS Transit Gateway differs for AWS GovCloud (US)
<a name="govcloud-diffs-43"></a>
+ You can’t visualize your global network in the geographic map view in the Transit Gateway Network Manager console.
+ Inter-Region peering is only supported between AWS GovCloud (US-East) and AWS GovCloud (US-West). You can’t create an Inter-Region peering between an AWS GovCloud (US) Region and any other AWS Region.

## Documentation for AWS Transit Gateway
<a name="govcloud-docs-82"></a>

 [Transit Gateway documentation](https://docs.aws.amazon.com/vpc/#aws-transit-gateway) 

## Export-controlled content
<a name="govcloud-itar-content-121"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ Transit gateway metadata is not permitted to contain export-controlled data. This metadata includes all of the configuration data that you enter when setting up and maintaining your transit gateways. This applies to free-text entry fields for transit gateway resources, including but not limited to:
  + Resource names
  + Resource descriptions
  + Tag keys and values

# Amazon Translate in AWS GovCloud (US)
<a name="govcloud-translate"></a>

This service is currently available in AWS GovCloud (US-West) only.

Amazon Translate is a neural machine translation service for translating text to and from English across a breadth of supported languages. Powered by deep-learning technologies, Amazon Translate delivers fast, high-quality, and affordable language translation. It provides a managed, continually trained solution so you can easily translate company and user-authored content or build applications that require support across multiple languages. The machine translation engine has been trained on a wide variety of content across different domains to produce quality translations that serve any industry need.

## How Amazon Translate differs for AWS GovCloud (US)
<a name="govcloud-tsl-diffs"></a>
+ Async batch is not available in AWS GovCloud (US).
+ Active Custom Translation is not available in AWS GovCloud (US).
+ Parallel Data Operations are not available in AWS GovCloud (US).
+ In AWS GovCloud (US) Regions, AWS DOES NOT use or store AI Content processed by this AI Service to develop and improve that Service or technologies of AWS or its affiliates. Opt-out policies are not currently applicable to these Regions.

## Documentation for Amazon Translate
<a name="govcloud-translate-docs"></a>

 [Amazon Translate documentation](https://aws.amazon.com/documentation/translate/).

## Export-controlled content
<a name="govcloud-translate-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Amazon VPC in AWS GovCloud (US)
<a name="govcloud-vpc"></a>

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

**Note**  
Not all Amazon VPC endpoints in AWS GovCloud (US) support Amazon VPC endpoint policies.

## How Amazon Virtual Private Cloud differs for AWS GovCloud (US)
<a name="govcloud-vpc-diffs"></a>
+ Use SSL (HTTPS) when you make calls to the service in the AWS GovCloud (US) Region. In other AWS Regions, you can use HTTP or HTTPS.
+ Traffic mirror sessions are visible to the owner of a traffic mirror target only if created using the same account. If a traffic mirror target is shared with other accounts, those other accounts can still create sessions with that target, but those sessions are not visible to the target owner.
+ Security group rule IDs are not available in the Amazon VPC console.
+ The AWS-managed prefix list for Amazon CloudFront is not available.
+ Amazon VPC Route Server is not supported.

## Documentation for Amazon Virtual Private Cloud
<a name="govcloud-vpc-docs"></a>

 [Amazon VPC documentation](https://docs.aws.amazon.com/vpc/) 

## Export-controlled content
<a name="itar-boundary-4"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon VPC metadata is not permitted to contain export-controlled data. This metadata includes all of the configuration data that you enter when setting up and maintaining your VPCs. This applies to free-text entry fields for VPC resources, including but not limited to:
  + Names and descriptions of security groups and security group rules
  + Keys and values of DHCP option sets
  + Names of destination log groups for VPC Flow Logs
  + Tag keys and values
  + Service names of VPC endpoints
  + Client token values used for the idempotency of API requests

# Amazon Verified Permissions in AWS GovCloud (US)
<a name="govcloud-verifiedpermissions"></a>

Amazon Verified Permissions is a scalable, fine-grained permissions management and authorization service for custom applications built by you. With Verified Permissions, your developers can build secure applications faster by externalizing authorization and centralizing policy management and administration. Verified Permissions uses the Cedar Policy Language to define fine-grained permissions for application users.

## How Amazon Verified Permissions differs for AWS GovCloud (US)
<a name="govcloud-diffs-40"></a>
+ Identity sources, including Amazon Cognito user pools, aren’t available to Verified Permissions policy stores in AWS GovCloud (US) Regions.

## Documentation for Amazon Verified Permissions
<a name="govcloud-docs-79"></a>

 [Verified Permissions documentation](https://docs.aws.amazon.com/verifiedpermissions).

## Export-controlled content
<a name="govcloud-itar-content-118"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ No data will leave the AWS GovCloud (US) Regions for this service.

# Amazon WorkSpaces in AWS GovCloud (US)
<a name="govcloud-workspaces"></a>

Amazon WorkSpaces is a managed, secure cloud desktop service. You can use Amazon WorkSpaces to provision either Windows or Amazon Linux 2 desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe. You can pay either monthly or hourly, just for the WorkSpaces you launch, which helps you save money when compared to traditional desktops and on-premises virtual desktop infrastructure (VDI) solutions. Amazon WorkSpaces helps you eliminate the complexity in managing hardware inventory and OS versions and patches, which helps simplify your desktop delivery strategy. With Amazon WorkSpaces, your users get a fast, responsive desktop of their choice that they can access anywhere, anytime, from any supported device.

## How Amazon WorkSpaces differs for AWS GovCloud (US)
<a name="govcloud-ws-diffs"></a>
+ The Amazon WorkSpaces Application Manager console is not supported.
+ The Web Access client (from browser) does not support PCoIP WorkSpaces.
+ The cross-Region redirection feature is not supported.
+ The **Forgot Password** option and the **Welcome Email** feature are not supported in the AWS GovCloud (US) Regions. Users cannot reset their own passwords and users with new WorkSpaces will not receive a welcome email.
+  Amazon WorkSpaces Advisor is not supported.

## Documentation for Amazon WorkSpaces
<a name="govcloud-ws-docs"></a>

 [Amazon WorkSpaces documentation](https://docs.aws.amazon.com/workspaces/).

## Export-controlled content
<a name="govcloud-workspaces-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+  Amazon WorkSpaces metadata is not permitted to contain export-controlled data. This metadata includes all configuration data that you enter when creating and maintaining your WorkSpaces.

  Do not enter export-controlled data in the following console fields:
  + AMI descriptions
  + Resource tags
  + If importing export-controlled images, do not use pre-signed URLs for the CLI argument
  + Key pairs created using HTTP

# Elastic Load Balancing
<a name="govcloud-elb"></a>

 Elastic Load Balancing automatically distributes your incoming application traffic across multiple targets, such as EC2 instances. It monitors the health of registered targets and routes traffic only to the healthy targets.

 Elastic Load Balancing supports the following types of load balancers: Application Load Balancers, Network Load Balancers, Gateway Load Balancers, and Classic Load Balancers. All four types of load balancers are supported in AWS GovCloud (US) Regions.

**Note**  
Some features of Elastic Load Balancing (ELB) TLS do not support FIPS 140-3 requirements by default. When using the Classic or Network Load Balancer, you can pass TCP traffic and terminate TLS on your target (for example, a web server) that is configured to support FIPS 140-3 requirements. Application Load Balancer (ALB) supports selecting FIPS algorithms.

## How Elastic Load Balancing differs for AWS GovCloud (US)
<a name="govcloud-elb-diffs"></a>
+ When using the legacy bucket policy, specify the following AWS account IDs in the policy to grant Elastic Load Balancing permission to write logs to your S3 bucket:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-elb.html)
+ Export data must be encrypted in transit outside of the export boundary. Because Elastic Load Balancing uses global DNS servers, export traffic across Elastic Load Balancing must be encrypted.
+ Cognito authentication is not available.

## Documentation for Elastic Load Balancing
<a name="govcloud-elb-docs"></a>

 [Elastic Load Balancing documentation](https://aws.amazon.com/documentation/elastic-load-balancing/).

## Export-controlled content
<a name="govcloud-elb-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ All customer parameters provided as input to Elastic Load Balancing (via console, APIs, or other mechanism) are not permitted to contain export-controlled data. Examples include the names of load balancers and the names of load balancer policies.
+ Do not enter export-controlled data in the following fields:
  + Resource tags

If you are processing export-controlled data with this service, use the SSL (HTTPS) endpoint to maintain export compliance. For more information, see [Service Endpoints](using-govcloud-endpoints.md).

# Red Hat OpenShift Service on AWS in AWS GovCloud (US)
<a name="govcloud-rosa"></a>

 Red Hat OpenShift Service on AWS (ROSA) is a managed service that you can use to build, scale, and deploy containerized applications with Red Hat OpenShift running on AWS infrastructure. ROSA is jointly supported and operated by AWS and Red Hat. ROSA offers 24-hour site reliability engineering (SRE) support for cluster installation, management, and upgrades backed by Red Hat’s 99.95% uptime service-level agreement.

**Note**  
 Red Hat OpenShift Service on AWS has achieved FedRAMP High Authorization for classic and hosted control plane architectures.

## How Red Hat OpenShift Service on AWS differs for AWS GovCloud (US)
<a name="govcloud-diffs-22"></a>
+ You must have access to the [Red Hat Hybrid Cloud Console on AWS GovCloud (US)](https://console.openshiftusgov.com/openshift). To obtain access, complete the [ROSA FedRAMP access request form](https://console.redhat.com/openshift/create/rosa/govcloud).
+  Support does not yet have the ability to transfer support cases to Red Hat on behalf of customers.
+ Red Hat support cases are managed through ServiceNow. ServiceNow has a Provisional Authority to Operate (P-ATO) at the FedRAMP High benchmark. Red Hat personnel that manage ROSA support cases through ServiceNow are U.S. persons. For more information, see [ServiceNow’s FedRAMP authorization details](https://marketplace.fedramp.gov/products/F1305072116) on the FedRAMP Marketplace.
  + Customers set up access to ServiceNow during the onboarding process.
+  ROSA classic and ROSA with Hosted Control Planes (HCP) are both supported.
+ The AWS ROSA console is not yet available in AWS GovCloud (US) Regions.
+ Only ROSA clusters that use AWS PrivateLink can be deployed in AWS GovCloud (US).
+ You must meet the U.S. regulatory requirements as described in [AWS GovCloud (US) Sign Up](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-sign-up.html).
+ You must deploy ROSA into an existing VPC.
+  ROSA only supports the use of AWS Security Token Service (AWS STS) temporary security credentials to allow the service to perform actions in the customer AWS account.
+  ROSA only uses FIPS-validated modules to process cryptographic libraries.
+ You must have a FIPS 140-3 compliant hardware token for use with the service.
+ You need to configure the AWS CLI on your local machine to use your AWS GovCloud (US) account. This configuration is required to create ROSA clusters.
+  ROSA entitlements cannot be shared between AWS standard accounts and AWS GovCloud (US) accounts using AWS License Manager.
+ VPC sharing is not supported.

## Enabling ROSA
<a name="enable-rosa"></a>

To enable access to ROSA in the AWS GovCloud (US) Regions, the AWS GovCloud (US) account root user must complete the following steps.

**Note**  
For AWS Organizations users, repeat these steps for each member account that requires access.

1. Create a Red Hat commercial account or use an existing one.

1. Create an AWS standard account. AWS recommends creating a new AWS standard account that will only be used for AWS GovCloud (US) sign-up and billing.

1. Log in to the AWS standard account.

1. Go to the [ROSA console](https://console.aws.amazon.com/rosa) and enable ROSA.

1. Link your AWS standard account to your [Red Hat account](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/tutorials/rosa-activation-and-account-linking).

1. Sign up for an AWS GovCloud (US) account. For more information, see [AWS GovCloud (US) Sign Up](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-sign-up.html).

   **Note**  
   Before creating accounts in the AWS GovCloud (US) Regions, make sure that you meet specific U.S. regulatory requirements as described in [AWS GovCloud (US) Sign Up](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-sign-up.html).

1. Link your AWS GovCloud account to your AWS standard account.

1. Complete the [ROSA FedRAMP access request form](https://console.redhat.com/openshift/create/rosa/govcloud) to initiate onboarding to AWS GovCloud (US). Upon submission, this form will be processed by Red Hat. You will then receive either a follow-up email, if Red Hat requires further information, or instructions on how to access the service.

   **Note**  
   You can use the Red Hat Hybrid Cloud Console on AWS GovCloud (US) to deploy ROSA to multiple AWS GovCloud (US) accounts.

## Creating and deploying a ROSA cluster into the AWS GovCloud (US) Regions
<a name="create-cluster"></a>

After enabling ROSA for AWS GovCloud (US), you can create and deploy ROSA clusters into the AWS GovCloud (US) Regions.

### Prerequisites
<a name="prerequisites"></a>

To deploy ROSA clusters into the AWS GovCloud (US) Regions, the following prerequisites must be met.
+ You have access to the Red Hat Hybrid Cloud Console on AWS GovCloud (US).
+ You have an AWS GovCloud (US) account linked to an AWS standard account.
+ You configured the AWS CLI on your local machine to use your AWS GovCloud (US) account. For more information, see [Configure your Account using AWS CLI](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/configure-using-cli.html).
+ You created your own Amazon VPC architecture to deploy your clusters into. For more information, see [Create Amazon VPC architecture for the cluster](https://docs.aws.amazon.com/ROSA/latest/userguide/getting-started-private-link.html#getting-started-private-link-step-2) in the *ROSA User Guide*.
+ You completed the prerequisite actions documented in [Getting started with ROSA](https://docs.aws.amazon.com/rosa/latest/userguide/getting-started.html).

### Log in to your AWS GovCloud (US) and Red Hat Hybrid Cloud Console on AWS GovCloud (US) accounts
<a name="govcloud-login"></a>

Once the prerequisites have been met, follow these steps.

**Note**  
If you cannot sign in to your AWS GovCloud (US) account or Red Hat Hybrid Cloud Console on AWS GovCloud (US) account, ask your administrator for the information that you need to sign in.

1. Sign in to your AWS GovCloud (US) account.

1. Go to the [Red Hat Hybrid Cloud Console on AWS GovCloud (US) login page](https://console.openshiftusgov.com/openshift) and sign in with your Red Hat account credentials.

1. The remaining procedure varies depending on whether you are creating clusters using the Red Hat Hybrid Cloud Console on AWS GovCloud (US) or ROSA CLI.

   1. Console

      1. Choose **Create cluster with web interface**.

      1. Follow the console prompts to create the ROSA cluster.

   1.  ROSA CLI

      1. Choose **Create cluster with CLI**.

      1. Copy the following command:

         ```
         rosa login --govcloud <TOKEN>
         ```

      1. Open a terminal session and run the command.

### Create and deploy a ROSA cluster that uses AWS PrivateLink
<a name="create-privatelink-cluster"></a>

Once logged in to your AWS GovCloud (US) and Red Hat Hybrid Cloud Console on AWS GovCloud (US) accounts, you can create a ROSA cluster that uses AWS PrivateLink and deploys into the AWS GovCloud (US) Regions.

The procedure is the same for deploying a ROSA cluster in AWS GovCloud (US) Regions and AWS standard Regions. For more information, see [Getting started with ROSA](https://docs.aws.amazon.com/rosa/latest/userguide/getting-started.html) in the *ROSA User Guide*.

## Documentation for Red Hat OpenShift Service on AWS
<a name="govcloud-docs-60"></a>

 [ROSA documentation.](https://docs.aws.amazon.com/ROSA/latest/userguide/what-is-rosa.html) 

## Export-controlled content
<a name="govcloud-itar-content-100"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This service can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Research and Engineering Studio on AWS in AWS GovCloud (US)
<a name="govcloud-res"></a>

This product is currently available in AWS GovCloud (US-West) only.

Research and Engineering Studio on AWS (RES) is an AWS supported, open source product that enables IT administrators to provide a web portal for scientists and engineers to run technical computing workloads on AWS. RES provides a single pane of glass for users to launch secure virtual desktops to conduct scientific research, product design, engineering simulations, or data analysis workloads. Users can connect to the RES portal using their existing corporate credentials and work on individual or collaborative projects.

## How Research and Engineering Studio on AWS differs for AWS GovCloud (US)
<a name="govcloud-diffs-39"></a>

The Research and Engineering Studio User Guide already includes special instructions for AWS GovCloud (US) where appropriate. The following list describes the instances where there are special instructions for AWS GovCloud (US).
+ In the [Deploy the product](https://docs.aws.amazon.com/res/latest/ug/deploy-the-product.html) chapter:
  + Under [Prerequisites](https://docs.aws.amazon.com/res/latest/ug/deploy-the-product.html#prerequisites):
    + You must follow the procedures under [Create domain (GovCloud only)](https://docs.aws.amazon.com/res/latest/ug/deploy-the-product.html#create-domain-govcloud).
  + Under [Step 1: Create external resources](https://docs.aws.amazon.com/res/latest/ug/deploy-the-product.html#create-external-resources):
    + We provide a different [template for AWS GovCloud (US)](https://console.amazonaws-us-gov.com/cloudformation/home?region=us-gov-west-1#/stacks/quickcreate?templateURL=https://s3.amazonaws.com/aws-hpc-recipes/main/recipes/res/res_demo_env/assets/bi.yaml).
    + The `SubDomain` template parameter is required in AWS GovCloud (US).
    + Don’t use the `PortalDomainName` template parameter.
  + Under [Step 2: Launch the product](https://docs.aws.amazon.com/res/latest/ug/deploy-the-product.html#launch-the-product):
    + We provide a different [template for AWS GovCloud (US)](https://research-engineering-studio-us-gov-west-1.s3.us-gov-west-1.amazonaws.com/releases/2024.01.01/ResearchAndEngineeringStudio.template.json).
+ In the [Configuration guide](https://docs.aws.amazon.com/res/latest/ug/configuration-guide.html) chapter:
  + In the [Managing users and groups](https://docs.aws.amazon.com/res/latest/ug/manage-users.html) section:
    + Under [Setting up SSO with Identity Center](https://docs.aws.amazon.com/res/latest/ug/manage-users.html#sso-idc):
      + You must set up SSO in the AWS GovCloud (US) partition where you deployed RES.
  + In the [Create an ACM certificate](https://docs.aws.amazon.com/res/latest/ug/acm-certificate.html) section:
    + You must create a certificate in your AWS GovCloud (US) account.
    + For step 7: copy the CNAME key and value. From the commercial partition account, use the values to create a new record in the Public Hosted Zone. The status of the certificate should change to **Issued**.
+ In the [Administrator guide](https://docs.aws.amazon.com/res/latest/ug/administrator-guide.html) chapter:
  + In the [eVDI](https://docs.aws.amazon.com/res/latest/ug/evdi.html) section:
    + Under [Software Stacks (AMIs)](https://docs.aws.amazon.com/res/latest/ug/evdi.html#software-stacks):
      + To run the provided CentOS7 stack, you must subscribe to the AMI in AWS Marketplace with your [linked standard account](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html).
  + In the [Cost monitoring and control](https://docs.aws.amazon.com/res/latest/ug/cost-management.html) section:
    + Associating RES projects to AWS Budgets isn’t supported.
  + In the [Cost analysis dashboard](https://docs.aws.amazon.com/res/latest/ug/cost-analysis-dashboard.html) section:
    + Use of the cost analysis dashboard isn’t supported.

## Documentation for Research and Engineering Studio on AWS
<a name="govcloud-docs-78"></a>

 [Research and Engineering Studio documentation](https://docs.aws.amazon.com/res/latest/ug/overview.html).

## Export-controlled content
<a name="govcloud-itar-content-117"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ This product can generate metadata from customer-defined configurations. AWS suggests customers do not enter export-controlled information in console fields, descriptions, resource names, and tagging information.

# Service Quotas in AWS GovCloud (US)
<a name="govcloud-servicequotas"></a>

[Service Quotas](https://console.aws.amazon.com/servicequotas) enables you to view and manage your AWS service quotas from a central location. You can view the AWS default quotas and your account-level or applied quotas, and request quota increases. Through its [integration with AWS CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Service-Quota-Integration.html), you can also view usage against quotas and configure alarms to get notified when approaching a quota threshold. Service Quotas offers both a console experience and programmatic access via the AWS SDK, and is available to all AWS customers at no additional cost.

## How Service Quotas differs for AWS GovCloud (US)
<a name="govcloud-servicequotas-diffs"></a>
+ The [Quota request template](https://docs.aws.amazon.com/servicequotas/latest/userguide/organization-templates.html) is currently not supported in AWS GovCloud (US) Regions.

## Documentation for Service Quotas
<a name="govcloud-servicequotas-docs"></a>

 [Service Quotas documentation](https://docs.aws.amazon.com/servicequotas/index.html).

## Export-controlled content
<a name="govcloud-servicequotas-itar"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
+ The initial quota value established by AWS (default value) and the new quota value after a quota increase (applied value).
+ Information related to open quota increase requests or requests that were closed in the last 90 days.
+ Tags on any service quota with applied values.

# VMware Cloud on AWS in AWS GovCloud (US)
<a name="govcloud-vmware"></a>

VMware Cloud on AWS brings VMware’s enterprise-class Software-Defined Data Center software to the AWS Cloud, and enables customers to run production applications in a managed service from VMware and AWS. For more information, see [VMware Cloud on AWS](https://aws.amazon.com/vmware).

## Documentation for VMware Cloud on AWS
<a name="govcloud-docs-61"></a>

 [VMware Cloud on AWS documentation](https://www.vmware.com/products/vmc-on-aws.html).

# Kiro in AWS GovCloud (US)
<a name="govcloud-kiro"></a>

This service is currently available in AWS GovCloud (US-West) and AWS GovCloud (US-East).

Kiro is an AI-powered development platform that accelerates software development from prototype to production through spec-driven development. The platform transforms natural language prompts into structured requirements, architectural designs, and discrete implementation tasks, enabling developers to build complex features with precision and speed.

Kiro provides both an integrated development environment (IDE) and command-line interface (CLI) that help developers maintain control throughout the development process. The platform converts requirements into clear specifications, analyzes codebases to recommend optimal architectures, and creates sequenced implementation plans with comprehensive tests. Developers can automate repetitive workflows through hooks that trigger on events, generating documentation and unit tests in the background.

## How Kiro differs for AWS GovCloud (US)
<a name="how_kiro_differs_for_shared_govcloud_us"></a>

The following differences apply to Kiro in the AWS GovCloud (US) Regions:
+ Kiro Plugins: IDE integrations, including the Visual Studio Code plugin, are not available. Users must access Kiro through the standalone IDE or CLI.
+ Inline Suggestions: Real-time code suggestions and inline completions are not available.
+ Autonomous Agent is not available.
+ Social or BuilderID Login: Authentication through social providers and AWS Builder ID is not supported.
+ Data Storage for Service Improvement: Content collection for service improvement (prompts, responses, generated code) is disabled.
+ User Activity Metrics and S3 Reporting: Collection of user activity metrics and generation of daily reports in Amazon S3 is not available. Enterprise administrators cannot enable telemetry or activity reporting.
+ Cross-Region Inference (CRIS): For customers in AWS GovCloud (US-East) (us-gov-east-1), inference requests are processed using Amazon Bedrock in AWS GovCloud (US-West) (us-gov-west-1). Your content remains stored in the region where your Kiro profile was created. All cross-region communication is encrypted in transit using TLS 1.2 or higher.
+ Auto: Automated model selection is disabled at launch. Claude Sonnet 4.5 is the default foundation model in AWS GovCloud (US).

## Documentation for Kiro
<a name="_documentation_for_kiro"></a>
+  [Kiro Documentation](https://kiro.dev/docs/) 
+  [Kiro VPC Endpoint Documentation](https://kiro.dev/docs/privacy-and-security/vpc-endpoints/) 

## Export-controlled content
<a name="_export_controlled_content"></a>

For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.

Kiro metadata is not permitted to contain export-controlled data. This metadata includes:
+ Authentication and authorization tokens (IAM Identity Center integration).