Getting Started with AWS services in China
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

AWS Identity and Access Management

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources in China for your users. With IAM, you can create and manage users and groups in your AWS services in China account and use permissions to allow or deny their access to AWS services in China resources. In some scenarios, you may also want to use AWS Security Token Service (AWS STS), which lets you grant a trusted user temporary, limited access to your AWS services in China resources.

Region Availability

AWS Identity and Access Management is available in the following regions in China:

  • Beijing Region

  • Ningxia Region

Feature Availability and Implementation Differences

The AWS services in China implementation of IAM is unique in the following ways:

  • Users and credentials—In the Beijing and Ningxia Regions, there is no concept of "root" or "account" user or credentials. All users are IAM users, including the user who created the account.

  • Forgot password - If an IAM user (including the administrator user) in the Beijing and Ningxia Regions forgets their password, they can reset the password from the AWS Management Console. AWS will send a password reset link to the email address that is associated with the AWS account. Administrators cannot use a policy to deny access to this feature because the requestor is not signed in to AWS. However, each request is stored as a CloudTrail entry. For more information, see IAM Credentials.

  • No hardware or SMS MFA—The Beijing and Ningxia Regions do not support using hardware or SMS multi-factor authentication (MFA) for IAM users. The Regions do support using virtual MFA. For information about using virtual MFA, see Enabling a Virtual Multi-factor Authentication (MFA) Device.

  • Web identity federation—Some web identity providers (for example, social media platforms) might not be available in the Beijing and Ningxia Regions.

  • AWS API Signature Version—Services available in the Beijing and Ningxia Regions support only signature version 4 signing.

  • Policy names—IAM policy names can contain only the following Unicode characters: horizontal tab (x09), linefeed (x0A), carriage return (x0D), and characters in the range x20 to xFF. In practice, this means that you can't use Chinese characters in policy names.

  • Service principals in policies—In IAM policies where the principal is a service (for example, Amazon EC2), the service principal name has the following format, with "service" replaced by the name of the service:

    service.amazonaws.com.cn

    For more information, see Creating a Role to Delegate Permissions to an AWS Service and Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances.

  • SSH public keys—SSH public keys are used only in conjunction with CodeCommit, which is currently not available in the Beijing and Ningxia Regions.

  • In the Beijing Region, the Amazon Resource Name (ARN) syntax includes the aws-cn partition for resources in the Region. For example: arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Zhang.

  • In the Ningxia Region, the Amazon Resource Name (ARN) syntax includes the aws-cn partition for resources in the Region. For example: arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Wang.

  • Switching Roles - In the Beijing Region and Ningxia Region, after you switch to a role in the AWS Management Console, you cannot switch back to your original credentials. Instead, you must sign out and then sign in again using the desired credentials.

  • Only some AWS services support service-linked roles in the Beijing and Ningxia Regions. For information about which services support using service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. To learn whether the service supports service-linked roles in a specific region, choose the Yes link to view the service-linked role documentation for that service.

  • Data about when an IAM identity (user, group, or role) last attempted to access an AWS service through permissions granted by an IAM policy is not available. For more information, see Service Last Accessed Data.
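Two of the rules in the list above (the restricted character set for policy names and the .amazonaws.com.cn service-principal suffix) can be checked before a policy is created or copied into a China-Region account. The Python below is an added example and is not code from this page or from AWS; the function names and the partition parameter are assumptions, and the global .amazonaws.com suffix used for the aws partition comes from general AWS knowledge rather than from this page.

```python
import json
import re

# Characters the page allows in an IAM policy name in the China Regions:
# horizontal tab (0x09), linefeed (0x0A), carriage return (0x0D), 0x20-0xFF.
_POLICY_NAME_ALLOWED = re.compile(r"[\x09\x0A\x0D\x20-\xFF]")

# Service-principal suffix per partition. The aws-cn suffix is from the page;
# the aws (global) suffix is general AWS knowledge. Hypothetical helper table.
_SERVICE_PRINCIPAL_SUFFIX = {
    "aws-cn": ".amazonaws.com.cn",
    "aws": ".amazonaws.com",
}


def policy_name_problems(name: str) -> list:
    """Return the problems with a proposed policy name (empty list means OK)."""
    if not name:
        return ["policy name is empty"]
    bad = sorted({c for c in name if not _POLICY_NAME_ALLOWED.fullmatch(c)})
    return [f"disallowed character U+{ord(c):04X} {c!r}" for c in bad]


def service_principal(service: str, partition: str) -> str:
    """Service principal name (for example ec2.amazonaws.com.cn) for a partition."""
    try:
        return service + _SERVICE_PRINCIPAL_SUFFIX[partition]
    except KeyError:
        raise ValueError(f"unknown partition {partition!r}") from None


def build_trust_policy(service: str, partition: str) -> dict:
    """Trust policy that lets the named service assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": service_principal(service, partition)},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def foreign_service_principals(trust_policy: dict, partition: str) -> list:
    """Service principals in a trust policy that do not belong to `partition`.

    A trust policy copied from global documentation into a China account
    usually carries *.amazonaws.com principals; those never match the aws-cn
    service principal, so the service cannot assume the role.
    """
    suffix = _SERVICE_PRINCIPAL_SUFFIX[partition]
    found = []
    for stmt in trust_policy.get("Statement", []):
        principals = stmt.get("Principal", {}).get("Service", [])
        if isinstance(principals, str):
            principals = [principals]
        found.extend(p for p in principals if not p.endswith(suffix))
    return found


if __name__ == "__main__":
    # Constructed sample names: the second one uses Chinese characters.
    for name in ("EC2ReadOnly", "只读策略"):
        print(name, policy_name_problems(name) or "OK")
    print(json.dumps(build_trust_policy("ec2", "aws-cn"), indent=2))
    copied = build_trust_policy("ec2", "aws")  # as it would appear in global docs
    print("foreign principals:", foreign_service_principals(copied, "aws-cn"))
```

Run `foreign_service_principals` against every trust policy you import from a global template; a non-empty result means the role will be created but never assumable by the intended service in the Beijing or Ningxia Region.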

Guides and References

AWS services in China user guides are available in HTML and PDF, in both Chinese and English. API guides are available in HTML and PDF, in English only. Currently, the API guides are not available in the Beijing and Ningxia Regions. Links to API guides will take you to the global AWS site. Note that some features and functionality described in the guides may not be available in the current AWS services in China release.

General Information About AWS services in China

The following information applies to all AWS services that are available in the China Regions.

AWS Accounts in the China Regions

To use services in the Beijing and Ningxia Regions, you need an account and credentials specific to each of those Regions.

  • Accounts and credentials for other AWS Regions will not work for services operating in the Beijing and Ningxia Regions.

  • Accounts and credentials for the Beijing and Ningxia Regions will not work for other AWS Regions.

  • For more information, see Signup, Accounts, and Credentials.

Domain for AWS services in China

The domain for AWS services in China is www.amazonaws.cn.

Endpoints & Amazon Resource Names (ARNs)

For information about endpoints and ARNs in AWS services in China, see Endpoints and ARNs for AWS services in China.

Availability Zones for the China Regions

  • In the Beijing Region, there are two Availability Zones.

  • In the Ningxia Region, there are three Availability Zones.

General Information for AWS services in China

The following applies to all AWS services that are available in the China Regions. For detailed information about specific AWS services, see the service-specific topic in this guide.

  • AWS Identity and Access Management (IAM)

    • You can grant or deny a service access to resources using the Principal policy element.

    • Service principal values vary by Region.

  • EC2-Classic Platform

    • The EC2-Classic platform is not supported.

  • Free Usage Tier

    • The free usage tier is not available in the Beijing and Ningxia Regions.

AWS Console

The console for AWS services in China is unique to China. The screenshots in the AWS guides might differ from what you see on your console. For information about differences in service functionality, see the topics for each service in this guide.

Code Examples

The AWS documentation might include endpoints and ARNs in code examples that are not specific to the Beijing and Ningxia Regions. When using examples, verify that you are using the endpoints and ARNs for your Region.
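The check this note asks for, together with the aws-cn ARN items in the IAM section, can be mechanized: scan a copied example for ARNs whose partition is not aws-cn (or whose region does not belong to its partition) and for endpoint hostnames that are not China-Region hostnames. The Python below is an added example and is not code from this page or from AWS. The function names are assumptions; the region codes cn-north-1 (Beijing) and cn-northwest-1 (Ningxia) and the .amazonaws.com.cn endpoint suffix are not stated on this page and are assumed from general AWS knowledge.

```python
import re

# ARN grammar: arn:partition:service:region:account:resource. The account
# field may be a 12-digit id, "aws" (AWS managed policies) or empty (e.g. S3).
_ARN_RE = re.compile(
    r"arn:(?P<partition>[a-z0-9-]+):(?P<service>[a-z0-9-]+):(?P<region>[a-z0-9-]*)"
    r':(?P<account>[0-9]{12}|aws|):(?P<resource>[^\s"\',]+)'
)
# Endpoint hostnames. The .amazonaws.com.cn suffix for the China Regions is an
# assumption derived from the service-principal domain on the page.
_HOST_RE = re.compile(r"\b[a-z0-9.-]+\.amazonaws\.com(?:\.cn)?\b")
_ENDPOINT_SUFFIX = {"aws-cn": ".amazonaws.com.cn", "aws": ".amazonaws.com"}

# Constructed sample: a snippet copied from global documentation into a
# China-Region account. The aws-cn ARN is the one shown on this page.
SAMPLE_SNIPPET = '''
endpoint = "https://iam.amazonaws.com"
policy = {
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam:GetUser",
     "Resource": "arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Zhang"}
  ]
}
'''


def partition_for_region(region: str) -> str:
    """Partition implied by a region code (assumed mapping): cn-* regions
    such as cn-north-1 and cn-northwest-1 are in aws-cn, us-gov-* in
    aws-us-gov, everything else in the global aws partition."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def find_example_problems(text: str, target_partition: str) -> list:
    """Scan a code sample or policy document for ARNs and endpoints that do
    not belong to target_partition. Returns (kind, value, reason) tuples."""
    problems = []
    for m in _ARN_RE.finditer(text):
        arn = m.group(0)
        partition, region = m.group("partition"), m.group("region")
        if partition != target_partition:
            problems.append(("arn", arn,
                             f"partition {partition!r}, expected {target_partition!r}"))
        elif region and partition_for_region(region) != partition:
            problems.append(("arn", arn,
                             f"region {region!r} is not in partition {partition!r}"))
    suffix = _ENDPOINT_SUFFIX.get(target_partition)
    if suffix is not None:
        for m in _HOST_RE.finditer(text):
            host = m.group(0)
            if not host.endswith(suffix):
                problems.append(("endpoint", host,
                                 f"expected a hostname ending in {suffix}"))
    return problems


if __name__ == "__main__":
    for kind, value, reason in find_example_problems(SAMPLE_SNIPPET, "aws-cn"):
        print(f"{kind}: {value} -> {reason}")
```

On the constructed sample the scan reports the S3 ARN (partition aws instead of aws-cn) and the iam.amazonaws.com endpoint, while the aws-cn IAM user ARN taken from this page passes. A policy that references an arn:aws: resource from a China account does not fail loudly; it simply never matches, which is why this kind of check belongs in a pre-deployment lint step.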