Dual-stack endpoint support - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Dual-stack endpoint support

Dual-stack endpoints enable clients to communicate with Amazon services using either IPv4 or IPv6 addresses. Both IAM and Amazon STS provide dual-stack endpoint support. For more information about how to configure your VPC for dual-stack mode, see IPv6 support for your VPC in the Amazon VPC User Guide.

If you use IAM policies that include the aws:SourceIp or aws:VpcSourceIp condition keys, you need to update these policies to support IPv6 clients. For more information about IPv6 addressing for your VPCs, see IP addressing for your VPCs and subnets in the Amazon VPC User Guide.
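One way to find the policies that need this update is to scan policy documents for IP conditions that list only IPv4 ranges. The script below is an added example, not part of the original documentation; the sample policy, its Sids, and the CIDR ranges (RFC 5737 and RFC 3849 documentation prefixes) are constructed for illustration.

```python
import ipaddress
import json

IP_OPERATORS = {"ipaddress", "notipaddress"}
IP_KEYS = {"aws:sourceip", "aws:vpcsourceip"}  # condition key names are case-insensitive

# Constructed sample policy: two IPv4-only statements and one dual-stack statement.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyOutsideOffice", "Effect": "Deny", "Action": "*", "Resource": "*",
   "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}},
  {"Sid": "DenyOutsideOfficeDualStack", "Effect": "Deny", "Action": "*", "Resource": "*",
   "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "2001:db8:1234::/48"]}}},
  {"Sid": "AllowFromVpc", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*",
   "Condition": {"IpAddressIfExists": {"aws:VpcSourceIp": "10.0.0.0/16"}}}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_ipv4_only_conditions(policy):
    """Return (sid, operator, key, cidrs) for each IP condition with no IPv6 range."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{index}]")
        for operator, block in stmt.get("Condition", {}).items():
            # Drop set qualifiers ("ForAnyValue:") and the "IfExists" suffix.
            base = operator.split(":")[-1].lower()
            if base.endswith("ifexists"):
                base = base[: -len("ifexists")]
            if base not in IP_OPERATORS:
                continue
            for key, values in block.items():
                if key.lower() not in IP_KEYS:
                    continue
                cidrs = _as_list(values)
                versions = {ipaddress.ip_network(c, strict=False).version for c in cidrs}
                if 6 not in versions:
                    # An IPv6 caller never matches IpAddress and always matches NotIpAddress here.
                    findings.append((sid, operator, key, cidrs))
    return findings

if __name__ == "__main__":
    for sid, operator, key, cidrs in find_ipv4_only_conditions(SAMPLE_POLICY):
        print(f"{sid}: {operator} on {key} lists only IPv4 ranges {cidrs}")
```

A flagged Deny statement with NotIpAddress blocks every IPv6 caller once clients move to a dual-stack endpoint, while a flagged Allow statement with IpAddress stops matching them.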

IAM dual-stack endpoint support

IAM provides a dual-stack public endpoint that supports both IPv4 and IPv6 clients. The IAM dual-stack public endpoint can also be accessed privately from your virtual private cloud (VPC) using Amazon PrivateLink. For more information about creating private interface VPC endpoints for IAM, see Create a VPC endpoint for IAM.

The IAM dual-stack public endpoint is https://iam.global.api.amazonwebservices.com.cn.

The IAM public endpoint at https://iam.cn-north-1.amazonaws.com.cn, unlike the dual-stack public endpoint, supports only IPv4 clients. When accessed privately from your VPC using Amazon PrivateLink, the IAM public endpoint can support both IPv4 and IPv6 clients.

Amazon STS dual-stack endpoint support

Amazon STS provides dual-stack regional endpoints that support both IPv4 and IPv6 clients. The Amazon STS dual-stack regional endpoints can also be accessed privately from your virtual private cloud (VPC) using Amazon PrivateLink. For more information about creating private interface VPC endpoints for Amazon STS, see Create a VPC endpoint for Amazon STS.

The following table shows the Amazon STS dual-stack regional endpoints by partition:

| Partition | Dual-stack endpoint URL |
|---|---|
| Commercial Amazon Regions | Regular endpoints: https://sts.<region>.api.aws; FIPS endpoints: https://sts-fips.<region>.api.aws |
| Amazon GovCloud (US) Regions | Regular endpoints: https://sts.<region>.api.aws |
| China Regions | Regular endpoints: https://sts.<region>.api.amazonwebservices.com.cn |

Note

FIPS endpoints only apply to US and Canada regions.

Limitations

The following limitations apply to Amazon STS dual-stack endpoint support:

  • IPv6 clients are not supported on the global endpoint https://sts.amazonaws.com. You must use dual-stack regional endpoints for IPv6 client support.

  • IPv6-only Amazon STS VPC endpoints are not supported. VPC endpoints can be configured for IPv4 or dual-stack connectivity.