Amazon Identity and Access Management - Getting Started with Amazon Web Services in China
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Identity and Access Management

Amazon Identity and Access Management (IAM) enables you to securely control access to Amazon Web Services in China services and resources for your users. With IAM, you can create and manage Amazon Web Services in China users and groups and use permissions to allow and deny their access to Amazon Web Services in China resources. In some scenarios, you may also want to use Amazon Security Token Service, which lets you grant a trusted user temporary, limited access to your Amazon Web Services in China resources.

Region Availability

Amazon Identity and Access Management does not require region selection, but is available in the following regions in China:

  • Beijing Region

  • Ningxia Region

Feature Availability and Implementation Differences

The Amazon Web Services in China implementation of IAM is unique in the following ways:

  • Users and credentials – In the Beijing and Ningxia Regions, there is no concept of the "root user" or "account user" credentials. All users are IAM users, including the user who created the account. Administrative IAM users might have permissions to complete tasks that require root user credentials. If they don't, you must contact Support to complete those tasks.

  • Forgot password – If an IAM user (including the administrator user) in the Beijing and Ningxia Regions forgets their password, they can reset the password from the Amazon Web Services Management Console. Amazon will send a password reset link to the email address that is associated with the Amazon account. Administrators cannot use a policy to deny access to this feature because the requestor is not signed in to Amazon. However, each request is stored as a CloudTrail entry. For more information, see IAM Credentials.

  • No hardware or SMS MFA – The Beijing and Ningxia Regions do not support using hardware or SMS multi-factor authentication (MFA) for IAM users. The Regions do support using virtual MFA. For information about using virtual MFA, see Enabling a Virtual Multi-factor Authentication (MFA) Device.

  • Web identity federation – Some web identity providers, such as social media platforms, might not be available in the Beijing and Ningxia Regions.

  • IAM control plane – There is one IAM control plane for all China Regions, which is located in the China (Beijing) Region. Each Amazon Web Services Region has a completely independent instance of the IAM data plane. For more information, see Resilience in Amazon Identity and Access Management.

  • Amazon API Signature Version – Services available in the Beijing and Ningxia Regions support only signature version 4 signing.

  • Policy names – IAM policy names can contain only the following Unicode characters: horizontal tab (x09), linefeed (x0A), carriage return (x0D), and characters in the range x20 to xFF. In practice, this means that you can't use Chinese characters in policy names.

  • Service principals in policies – In IAM policies where the principal is a service, the service principal name can include the following formats, with "service" replaced by the name of the service:

    service.amazonaws.com
    service.amazonaws.com.cn
    Note: Do not try to guess the service principal, because it is case sensitive and the format can vary across Amazon services. The service principal is defined by the service. To learn the service principal for a service, see the documentation for that service. For some services, see Amazon services that work with IAM and look for the services that have Yes in the Service-linked role column. Choose a Yes with a link to view the service-linked role documentation for that service. View the Service-linked role permissions section for that service to view the service principal.

    For more information, see Creating a Role to Delegate Permissions to an Amazon Service and Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances.

  • SSH public keys – SSH public keys are used only in conjunction with CodeCommit, which is currently not available in the Beijing and Ningxia Regions.

  • ARN syntax (Beijing) – In the Beijing Region, the Amazon Resource Name (ARN) syntax includes the aws-cn partition for resources in the Region. For example: arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Zhang.

  • ARN syntax (Ningxia) – In the Ningxia Region, the Amazon Resource Name (ARN) syntax includes the aws-cn partition for resources in the Region. For example: arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Wang.

  • Switching roles – In the Beijing Region and Ningxia Region, after you switch to a role in the Amazon Web Services Management Console, you cannot switch back to your original credentials. Instead, you must sign out and then sign in again using the desired credentials.

  • Service-linked roles – Only some Amazon services support service-linked roles in the Beijing and Ningxia Regions. For information about which services support using service-linked roles, see Amazon services that work with IAM and look for the services that have Yes in the Service-Linked Role column. To learn whether the service supports service-linked roles in a specific region, choose the Yes link to view the service-linked role documentation for that service.

  • Access Analyzer – The Beijing and Ningxia Regions do not support the creation of unused access analyzers, nor of external access analyzers with an organization as the zone of trust. They do support the creation of an analyzer with the Amazon Web Services account as the zone of trust. For more information, see Enabling Access Analyzer.

  • Last accessed data – Data about when an IAM identity (user, group, or role) last attempted to access an Amazon service through permissions granted by an IAM policy is not available. For more information, see Service Last Accessed Data.

  • Role last used – Information about when a role was last used is not available. For more information, see View Role Access.

  • Custom policy checks – Custom policy checks are not supported in the Beijing and Ningxia Regions. To learn more, see IAM Access Analyzer custom policy checks in the IAM User Guide.

  • Policy generation – Policy generation is not supported in the Beijing and Ningxia Regions. To learn more, see Generate policies based on access activity in the IAM User Guide.

  • IAM Roles Anywhere – The Beijing and Ningxia Regions do not support the creation of trust anchors with Amazon Private Certificate Authority, but they do support the creation of a trust anchor with your own certificate authority. To learn more, see Creating a trust anchor and profile in the IAM Roles Anywhere User Guide.
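Three of the differences listed above (the policy-name character set, the two service-principal formats, and the aws-cn ARN partition) can be checked before a policy document ever reaches IAM, and the same Principal handling applies to the note under General Information that service principal values vary by Region. The following Python is an added example, not code from this page or from Amazon; the service principal ec2.amazonaws.com.cn and the account ARNs are constructed placeholders, and the principal-format check only confirms the shape the page describes (the page is explicit that the real principal must be taken from the service's own documentation, not guessed).

```python
import json
import re

# Characters the page allows in IAM policy names: horizontal tab (x09),
# linefeed (x0A), carriage return (x0D) and the range x20 through xFF.
POLICY_NAME_ALLOWED = {0x09, 0x0A, 0x0D} | set(range(0x20, 0x100))


def policy_name_is_valid(name: str) -> bool:
    """True when every character of `name` is in the allowed code-point set.
    Chinese characters sit above xFF, so a name such as "只读策略" is rejected."""
    return len(name) > 0 and all(ord(ch) in POLICY_NAME_ALLOWED for ch in name)


def invalid_policy_name_chars(name: str) -> list:
    """Return the offending characters so an operator can see why a name was refused."""
    return sorted({ch for ch in name if ord(ch) not in POLICY_NAME_ALLOWED})


# The two service-principal shapes the page lists. Shape only: the page says the
# principal is case sensitive and defined by each service, so it is not derived here.
SERVICE_PRINCIPAL_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.amazonaws\.com(\.cn)?$")


def service_principal_well_formed(principal: str) -> bool:
    return SERVICE_PRINCIPAL_RE.match(principal) is not None


# ARN fields: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)


def arn_partition(arn: str) -> str:
    m = ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.group("partition")


def arn_in_china_partition(arn: str) -> bool:
    """Resources in the Beijing and Ningxia Regions carry the aws-cn partition."""
    return arn_partition(arn) == "aws-cn"


def build_trust_policy(service_principal: str, account_principal_arns=()) -> dict:
    """Assemble an assume-role trust policy for an account in the China Regions.

    Rejects a malformed service principal and any account principal whose ARN is
    not in the aws-cn partition: accounts from other partitions do not work
    against the Beijing and Ningxia Regions, so such a principal is a mistake."""
    if not service_principal_well_formed(service_principal):
        raise ValueError(f"unexpected service principal format: {service_principal!r}")
    bad = [a for a in account_principal_arns if not arn_in_china_partition(a)]
    if bad:
        raise ValueError(f"principals outside the aws-cn partition: {bad}")
    principal = {"Service": service_principal}
    if account_principal_arns:
        principal["AWS"] = list(account_principal_arns)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
        ],
    }


if __name__ == "__main__":
    # Constructed values: the service principal is an assumption for illustration.
    policy = build_trust_policy(
        "ec2.amazonaws.com.cn",
        ["arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Zhang"],
    )
    print(json.dumps(policy, indent=2, ensure_ascii=False))
    for name in ("AllowS3ReadOnly", "只读策略"):
        print(name, policy_name_is_valid(name), invalid_policy_name_chars(name))
```

Running the script prints the assembled trust policy and then shows the Latin name accepted and the Chinese name refused with the characters that caused it. The partition check is the useful guard: a trust policy copied from a global-partition account would carry arn:aws principals that can never authenticate in the China Regions, and catching that at build time is cheaper than debugging a failed sts:AssumeRole later.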

Guides and References

Amazon Web Services in China user guides are available in HTML and PDF, in both Chinese and English. API references are available in HTML and PDF. Some API references may be available only in English. Currently, not all API references are available in the Beijing and Ningxia Regions. Links to some API references will take you to the global Amazon Web Services site. Note that some features and functionality described in the guides and references may not be available in the current Amazon Web Services in China release.

General Information About Amazon Web Services in China

The following information applies to all Amazon Web Services that are available in the China Regions.

Amazon Web Services Accounts in the China Regions

To use services in the Beijing and Ningxia Regions, you need an account and credentials specific to each of those Regions.

  • Accounts and credentials for other Amazon Regions will not work for services operating in the Beijing and Ningxia Regions.

  • Accounts and credentials for the Beijing and Ningxia Regions will not work for other Amazon Regions.

  • For more information, see Signup, Accounts, and Credentials.

Domain for Amazon Web Services in China

The domain for Amazon Web Services in China is www.amazonaws.cn.

Endpoints & Amazon Resource Names (ARNs)

For information about endpoints and ARNs in Amazon Web Services in China, see Endpoints and ARNs for Amazon Web Services in China.

Availability Zones for the China Regions

  • In the Beijing Region, there are three Availability Zones.

  • In the Ningxia Region, there are three Availability Zones.

General Information for Amazon Web Services in China

The following applies to all Amazon Web Services that are available in the China Regions. For detailed information about specific Amazon Web Services, see the service-specific topic in this guide.

  • Amazon Identity and Access Management (IAM)

    • You can grant or deny a service access to resources using the Principal policy element.

    • Service principal values vary by Region.

  • EC2-Classic Platform

    • The EC2-Classic platform is not supported.

  • Free Usage Tier

    • The free usage tier is supported in the Ningxia Region.

    • The free usage tier is not supported in the Beijing Region.

Amazon Web Services Console

The console for Amazon Web Services in China is unique to China. The screenshots in the Amazon Web Services guides might differ from what you see on your console. For information about differences in service functionality, see the topics for each service in this guide.

Code Examples

The Amazon Web Services documentation might include endpoints and ARNs in code examples that are not specific to the Beijing and Ningxia Regions. When using examples, verify you are using the endpoints and ARNs for your Region.
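The endpoint check this paragraph calls for fits naturally into request signing, because Signature Version 4 (the only version the China Regions accept, per Feature Availability above) binds the Region name into the derived signing key and the credential scope. The following Python is an added example, not code from this page or from Amazon's SDKs: the Region codes cn-north-1 and cn-northwest-1, the IAM endpoint host iam.cn-north-1.amazonaws.com.cn and the IAM API version string are assumptions not stated on the page, and the access key pair is the documentation-style placeholder pair, not a real credential.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials for the demonstration only (the well-known example pair).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Assumption: Region codes of the Beijing and Ningxia Regions (not given on the page).
CHINA_REGIONS = {"cn-north-1", "cn-northwest-1"}


def expected_suffix(region: str) -> str:
    """DNS suffix a service endpoint should end with for the given Region."""
    return ".amazonaws.com.cn" if region in CHINA_REGIONS else ".amazonaws.com"


def endpoint_matches_region(region: str, host: str) -> bool:
    """The verification the page asks for: a China Region must be addressed
    through a .amazonaws.com.cn host, not an endpoint copied from a global example."""
    return host.endswith(expected_suffix(region))


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation. The Region name is one link of the HMAC chain, so a
    request signed for cn-north-1 is not valid against any other Region."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, region, service, amz_date, payload=""):
    """Return Host, X-Amz-Date and Authorization headers for a SigV4-signed request.
    amz_date is the ISO basic timestamp, for example 20240115T120000Z."""
    if not endpoint_matches_region(region, host):
        raise ValueError(f"endpoint {host!r} does not belong to Region {region!r}")
    date_stamp = amz_date[:8]
    # Canonical query: keys sorted, values URI-encoded with the unreserved set kept.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    # Canonical headers are lower-cased and sorted by name; only host and x-amz-date here.
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    signed_headers = "host;x-amz-date"
    payload_hash = hashlib.sha256(payload.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(
        [method, path, canonical_query, canonical_headers, signed_headers, payload_hash]
    )
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(SECRET_KEY, date_stamp, region, service),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization}


def now_amz_date() -> str:
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")


if __name__ == "__main__":
    # Assumptions: the IAM endpoint host for the Beijing Region and the IAM API version.
    headers = sign_request(
        "GET", "iam.cn-north-1.amazonaws.com.cn", "/",
        {"Action": "ListUsers", "Version": "2010-05-08"},
        "cn-north-1", "iam", now_amz_date(),
    )
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The Authorization header's credential scope (date/cn-north-1/iam/aws4_request) is what a reviewer should look for when auditing a client built from a global-partition example: if the scope names a Region outside the aws-cn partition, or the host is not under amazonaws.com.cn, the request was signed for the wrong deployment and will be rejected.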