Amazon Identity and Access Management in Amazon Web Services China
Amazon Identity and Access Management (IAM) enables you to securely control access to Amazon Web Services China services and resources for your users. With IAM, you can create and manage Amazon Web Services China users and groups and use permissions to allow and deny their access to Amazon Web Services China resources. In some scenarios, you may also want to use Amazon Security Token Service, which lets you grant a trusted user temporary, limited access to your Amazon Web Services China resources.
Region availability
Amazon Identity and Access Management does not require region selection, but is available in the following regions in China:
- China (Beijing) Region
- China (Ningxia) Region
How Amazon Identity and Access Management differs
The following differences apply to Amazon Identity and Access Management:
- Users and credentials – In the China (Beijing) and China (Ningxia) Regions, there is no concept of the "root user" or "account user" credentials. All users are IAM users, including the user who created the account. Administrative IAM users might have permissions to complete tasks that require root user credentials. If they don't, you must contact Support to complete those tasks.
- Forgot password – If an IAM user (including the administrator user) in the China (Beijing) and China (Ningxia) Regions forgets their password, they can reset the password from the Amazon Web Services Management Console. Amazon will send a password reset link to the email address that is associated with the Amazon account. Administrators cannot use a policy to deny access to this feature because the requestor is not signed in to Amazon. However, each request is stored as a CloudTrail entry. For more information, see IAM Credentials.
- No hardware or SMS MFA – The China (Beijing) and China (Ningxia) Regions do not support using hardware or SMS multi-factor authentication (MFA) for IAM users. The Regions do support using virtual MFA. For information about using virtual MFA, see Enabling a Virtual Multi-factor Authentication (MFA) Device.
- Web identity federation – Some web identity providers, such as social media platforms, might not be available in the China (Beijing) and China (Ningxia) Regions.
- IAM control plane – There is one IAM control plane for all China Regions, which is located in the China (Beijing) Region. Each Amazon Web Services Region has a completely independent instance of the IAM data plane. For more information, see Resilience in Amazon Identity and Access Management.
- IAM dual-stack public endpoint – In the China Regions, the IAM dual-stack public endpoint is https://iam.global.api.amazonwebservices.com.cn. This endpoint supports clients using either IPv4 or IPv6 addresses. For more information, see Dual-stack endpoint support in the IAM User Guide.
- No Amazon STS global endpoint – In the China Regions, there is no Amazon STS global endpoint. Amazon provides Regional Amazon STS endpoints.
- Interface VPC endpoints for IAM – In the China (Beijing) Region, the Amazon PrivateLink interface VPC endpoint service name for IAM is com.amazonaws.iam. You can create interface VPC endpoints for IAM only in the Amazon Web Services Region where the IAM control plane resides, since IAM is a global service. For more information, see Interface VPC endpoints.
- Interface VPC endpoints for Amazon STS – In the China Regions, the Amazon PrivateLink interface VPC endpoint service name for Amazon STS is cn.com.amazonaws.region.sts. Replace region with the Amazon Web Services Region where you intend to create the interface VPC endpoint. For more information, see Interface VPC endpoints.
- Amazon API Signature Version – In the China (Beijing) Region, the Amazon STS endpoint only supports request Signature Version 4 (SigV4) by default and can be updated to support both SigV4 and Signature Version 4A (SigV4A). Session tokens supporting the SigV4A algorithm are larger than those supporting SigV4 and match the size of tokens issued by the Amazon STS endpoint in the China (Ningxia) Region, which already supports SigV4A. Changing this setting might affect existing systems where you temporarily store tokens. For more information, see Managing Amazon STS in an Amazon Web Services Region.
  - Documentation that mentions "Valid only in Amazon Web Services Regions enabled by default" refers to "Support only SigV4-based signatures on Amazon Web Services requests" for the Amazon STS endpoint in the China (Beijing) Region.
  - Documentation that mentions "All Amazon Web Services Regions" refers to "Both the SigV4 and SigV4A algorithms" for the Amazon STS endpoint in the China (Beijing) Region.
- Policy names – IAM policy names can contain only the following Unicode characters: horizontal tab (x09), linefeed (x0A), carriage return (x0D), and characters in the range x20 to xFF. In practice, this means that you can't use Chinese characters in policy names.
- Service principals in policies – In IAM policies where the principal is a service, the service principal name can include the following formats, with service replaced by the name of the service:
  - service.amazonaws.com
  - service.amazonaws.com.cn

  Do not try to guess the service principal, because it is case sensitive and the format can vary across Amazon services. The service principal is defined by the service. To learn the service principal for a service, see the documentation for that service. For some services, see Amazon services that work with IAM and look for the services that have Yes in the Service-linked role column. Choose a Yes with a link to view the service-linked role documentation for that service. View the Service-linked role permissions section for that service to view the service principal.

  For more information, see Creating a Role to Delegate Permissions to an Amazon Service and Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances.
- SSH public keys – SSH public keys are used only in conjunction with CodeCommit, which is currently not available in the China (Beijing) and China (Ningxia) Regions.
- In the China (Beijing) Region, the Amazon Resource Name (ARN) syntax includes the aws-cn partition for resources in the Region. For example: arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Zhang.
- In the China (Ningxia) Region, the Amazon Resource Name (ARN) syntax includes the aws-cn partition for resources in the Region. For example: arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Wang.
- Switching roles – In the China (Beijing) Region and China (Ningxia) Region, after you switch to a role in the Amazon Web Services Management Console, you cannot switch back to your original credentials. Instead, you must sign out and then sign in again using the desired credentials.
- Only some Amazon services support service-linked roles in the China (Beijing) and China (Ningxia) Regions. For information about which services support using service-linked roles, see Amazon services that work with IAM and look for the services that have Yes in the Service-linked role column. To learn whether the service supports service-linked roles in a specific Region, choose the Yes link to view the service-linked role documentation for that service.
- Access Analyzer – The China (Beijing) and China (Ningxia) Regions do not support the creation of unused access analyzers or internal access analyzers. For more information, see Getting started with Amazon Identity and Access Management Access Analyzer.
- Last accessed data – Data about when an IAM identity (user, group, or role) last attempted to access an Amazon service through permissions granted by an IAM policy is not available. For more information, see Service Last Accessed Data.
- Role last used – Information about when a role was last used is not available. For more information, see View Role Access.
- Policy generation – Policy generation is not available in the China (Beijing) and China (Ningxia) Regions. To learn more, see Generate policies based on access activity in the IAM User Guide.
- IAM Roles Anywhere – The China (Beijing) and China (Ningxia) Regions do not support the creation of trust anchors with Amazon Private Certificate Authority. The China (Beijing) and China (Ningxia) Regions do support the creation of a trust anchor with your own certificate authority. To learn more, see Creating a trust anchor and profile in the IAM Roles Anywhere User Guide.
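Two of the differences above (the policy-name character set and the aws-cn ARN partition) are easy to get wrong when policies are copied from a commercial-partition template. The following pre-deployment check is an added example, not part of this documentation or of any Amazon tooling; the sample policy is constructed, and the function names are ours.

```python
import json
import re
from typing import List, Optional

# Policy-name rule stated above: only tab (x09), LF (x0A), CR (x0D) and the
# range x20..xFF are allowed, so CJK characters (all above U+00FF) are rejected.
_POLICY_NAME_RE = re.compile(r"^[\t\n\r\x20-\xff]+$")

# Every ARN in the China Regions uses this partition (arn:aws-cn:...).
CHINA_PARTITION = "aws-cn"


def policy_name_is_valid(name: str) -> bool:
    """True if every character of the policy name is in the permitted set."""
    return bool(_POLICY_NAME_RE.match(name))


def arn_partition(arn: str) -> Optional[str]:
    """Return the partition field of 'arn:<partition>:service:region:acct:res', or None if malformed."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    return parts[1]


def find_wrong_partition_arns(policy: dict) -> List[str]:
    """Return Resource/NotResource ARNs whose partition is not aws-cn ('*' is skipped)."""
    bad = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement object is allowed
        statements = [statements]
    for stmt in statements:
        for key in ("Resource", "NotResource"):
            values = stmt.get(key, [])
            if isinstance(values, str):
                values = [values]
            bad.extend(a for a in values if a != "*" and arn_partition(a) != CHINA_PARTITION)
    return bad


# Constructed sample: the first ARN is correct for China, the second still carries
# the commercial 'aws' partition and therefore never matches a China resource.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "iam:GetUser",
   "Resource": ["arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Zhang",
                "arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Wang"]}]}
""")

if __name__ == "__main__":
    print(policy_name_is_valid("ReadOnlyUsers"), policy_name_is_valid("只读用户"))  # True False
    print(find_wrong_partition_arns(SAMPLE_POLICY))
```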