

# Connect to Amazon IoT FIPS endpoints
<a name="iot-connect-fips"></a>

Amazon IoT provides endpoints that support the [Federal Information Processing Standard (FIPS) 140-2](https://www.amazonaws.cn//compliance/fips/). FIPS-compliant endpoints are different from standard Amazon endpoints. To interact with Amazon IoT in a FIPS-compliant manner, you must use the endpoints described below with your FIPS-compliant client. The Amazon IoT console is not FIPS compliant.

The following sections describe how to access the FIPS-compliant Amazon IoT endpoints by using the REST API, an SDK, or the Amazon CLI.

**Topics**
+ [Amazon IoT Core - control plane endpoints](#iot-connect-fips-control)
+ [Amazon IoT Core - data plane endpoints](#iot-connect-fips-data)
+ [Amazon IoT Core - credential provider endpoints](#iot-connect-fips-credential)
+ [Amazon IoT Device Management - jobs data endpoints](#iot-connect-fips-jobs)
+ [Amazon IoT Device Management - Fleet Hub endpoints](#iot-connect-fips-fleethub)
+ [Amazon IoT Device Management - secure tunneling endpoints](#iot-connect-fips-tunnel)
+ [Amazon IoT Device Management - Managed Integrations endpoints](#mi-fips-endpoints)

## Amazon IoT Core - control plane endpoints
<a name="iot-connect-fips-control"></a>

The FIPS compliant **Amazon IoT Core - control plane** endpoints that support the [Amazon IoT](https://docs.amazonaws.cn//iot/latest/apireference/API_Operations_AWS_IoT.html) operations and their related [CLI commands](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/index.html) are listed in [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service). In [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service), find the **Amazon IoT Core - control plane** service, and look up the endpoint for your Amazon Web Services Region.

To use the FIPS compliant endpoint when you access the [Amazon IoT](https://docs.amazonaws.cn//iot/latest/apireference/API_Operations_AWS_IoT.html) operations, use the Amazon SDK or the REST API with the endpoint that is appropriate for your Amazon Web Services Region.

To use the FIPS compliant endpoint when you run [**aws iot** CLI commands](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/index.html), add the **--endpoint** parameter with the appropriate endpoint for your Amazon Web Services Region to the command. 

## Amazon IoT Core - data plane endpoints
<a name="iot-connect-fips-data"></a>

The FIPS compliant **Amazon IoT Core - data plane** endpoints are listed in [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service). In [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service), find the **Amazon IoT Core - data plane** service, and look up the endpoint for your Amazon Web Services Region.

You can use the FIPS compliant endpoint for your Amazon Web Services Region with a FIPS compliant client by using the Amazon IoT Device SDK and providing the endpoint to the SDK's connection function in place of your account's default **Amazon IoT Core - data plane** endpoint. The connection function is specific to the Amazon IoT Device SDK. For an example of a connection function, see the [Connection function in the Amazon IoT Device SDK for Python](https://aws.github.io/aws-iot-device-sdk-python-v2/awsiot/mqtt_connection_builder.html).

**Note**  
Amazon IoT doesn't support Amazon Web Services account-specific **Amazon IoT Core - data plane** endpoints that are FIPS-compliant. Service features that require an Amazon Web Services account-specific endpoint in the [Server Name Indication (SNI)](transport-security.md) can't be used. FIPS-compliant **Amazon IoT Core - data plane** endpoints can't support [Multi-Account Registration Certificates](x509-client-certs.md#multiple-account-cert), [Custom Domains](iot-custom-endpoints-configurable-custom.md), [Custom Authorizers](custom-authentication.md), and [Configurable Endpoints](iot-custom-endpoints-configurable.md) (including supported [TLS policies](transport-security.md#tls-policy-table)).

## Amazon IoT Core - credential provider endpoints
<a name="iot-connect-fips-credential"></a>

The FIPS compliant **Amazon IoT Core - credential provider** endpoints are listed in [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service). In [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service), find the **Amazon IoT Core - credential provider** service, and look up the endpoint for your Amazon Web Services Region.

**Note**  
Amazon IoT doesn't support Amazon Web Services account-specific **Amazon IoT Core - credential provider** endpoints that are FIPS-compliant. Service features that require an Amazon Web Services account-specific endpoint in the [Server Name Indication (SNI)](transport-security.md) can't be used. FIPS-compliant **Amazon IoT Core - credential provider** endpoints can't support [Multi-Account Registration Certificates](x509-client-certs.md#multiple-account-cert), [Custom Domains](iot-custom-endpoints-configurable-custom.md), [Custom Authorizers](custom-authentication.md), and [Configurable Endpoints](iot-custom-endpoints-configurable.md) (including supported [TLS policies](transport-security.md#tls-policy-table)).

## Amazon IoT Device Management - jobs data endpoints
<a name="iot-connect-fips-jobs"></a>

The FIPS compliant **Amazon IoT Device Management - jobs data** endpoints are listed in [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service). In [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service), find the **Amazon IoT Device Management - jobs data** service, and look up the endpoint for your Amazon Web Services Region.

To use the FIPS compliant **Amazon IoT Device Management - jobs data** endpoint when you run [**aws iot-jobs-data** CLI commands](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot-jobs-data/index.html), add the **--endpoint** parameter with the appropriate endpoint for your Amazon Web Services Region to the command. You can also use the REST API with this endpoint.

We recommend using `iot:Data-ATS` instead of `iot:Jobs`. `iot:Data-ATS` supports dual-stack endpoints (IPv4 and IPv6), while `iot:Jobs` supports only IPv4.

You can use the FIPS compliant endpoint for your Amazon Web Services Region with a FIPS compliant client by using the Amazon IoT Device SDK and providing the endpoint to the SDK's connection function in place of your account's default **Amazon IoT Device Management - jobs data** endpoint. The connection function is specific to the Amazon IoT Device SDK. For an example of a connection function, see the [Connection function in the Amazon IoT Device SDK for Python](https://aws.github.io/aws-iot-device-sdk-python-v2/awsiot/mqtt_connection_builder.html).
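The data plane and jobs data sections both have you pass the FIPS endpoint to the Device SDK's connection function. The following added example (not part of the original documentation or the SDK) checks the endpoint against a list you copied from FIPS Endpoints by Service before handing it to the Device SDK for Python. The hostnames are constructed placeholders, and `normalize_host`, `require_fips_endpoint` and `build_fips_connection` are hypothetical helper names.

```python
"""Added example: pin a device to an approved FIPS endpoint before connecting."""
from urllib.parse import urlsplit

# Assumption: constructed placeholder hostnames. Replace them with the
# endpoints listed for your Region in "FIPS Endpoints by Service".
APPROVED_FIPS_ENDPOINTS = frozenset({
    "data-plane-fips.region-placeholder.example",
    "jobs-data-fips.region-placeholder.example",
})


def normalize_host(endpoint: str) -> str:
    """Return the lowercase hostname from a bare host, host:port, or URL."""
    value = endpoint.strip()
    parts = urlsplit(value if "://" in value else "//" + value)
    if not parts.hostname:
        raise ValueError(f"no hostname in endpoint {endpoint!r}")
    return parts.hostname.rstrip(".").lower()


def require_fips_endpoint(endpoint: str, approved=APPROVED_FIPS_ENDPOINTS) -> str:
    """Return the hostname if it is on the approved list, otherwise raise.

    Exact match only, with no suffix or substring matching, so an
    account-specific endpoint or a look-alike name is rejected.
    """
    host = normalize_host(endpoint)
    if host not in approved:
        raise ValueError(f"{host} is not an approved FIPS endpoint")
    return host


def build_fips_connection(endpoint, cert_path, key_path, ca_path, client_id):
    """Build (but do not open) an MQTT connection to the checked endpoint."""
    # Imported here so the check above is usable without the SDK installed.
    from awsiot import mqtt_connection_builder
    return mqtt_connection_builder.mtls_from_path(
        endpoint=require_fips_endpoint(endpoint),
        cert_filepath=cert_path,
        pri_key_filepath=key_path,
        ca_filepath=ca_path,
        client_id=client_id,
    )
```

The check covers only the endpoint name; the TLS library the client uses must still be a FIPS-compliant one.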

## Amazon IoT Device Management - Fleet Hub endpoints
<a name="iot-connect-fips-fleethub"></a>

The FIPS compliant **Amazon IoT Device Management - Fleet Hub** endpoints to use with [Fleet Hub for Amazon IoT Device Management](https://docs.amazonaws.cn//iot/latest/fleethubuserguide/what-is-aws-iot-monitor.html) [CLI commands](https://docs.amazonaws.cn//cli/latest/reference/iotfleethub/index.html) are listed in [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service). In [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service), find the **Amazon IoT Device Management - Fleet Hub** service, and look up the endpoint for your Amazon Web Services Region.

To use the FIPS compliant **Amazon IoT Device Management - Fleet Hub** endpoint when you run [**aws iotfleethub** CLI commands](https://docs.amazonaws.cn//cli/latest/reference/iotfleethub/index.html), add the **--endpoint** parameter with the appropriate endpoint for your Amazon Web Services Region to the command. You can also use the REST API with this endpoint.

## Amazon IoT Device Management - secure tunneling endpoints
<a name="iot-connect-fips-tunnel"></a>

The FIPS compliant **Amazon IoT Device Management - secure tunneling** endpoints for the [Amazon IoT secure tunneling API](https://docs.amazonaws.cn//iot/latest/apireference/API_Operations_AWS_IoT_Secure_Tunneling.html) and the corresponding [CLI commands](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iotsecuretunneling/index.html) are listed in [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service). In [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service), find the **Amazon IoT Device Management - secure tunneling** service, and look up the endpoint for your Amazon Web Services Region.

To use the FIPS compliant **Amazon IoT Device Management - secure tunneling** endpoint when you run [**aws iotsecuretunneling** CLI commands](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iotsecuretunneling/index.html), add the **--endpoint** parameter with the appropriate endpoint for your Amazon Web Services Region to the command. You can also use the REST API with this endpoint.

## Amazon IoT Device Management - Managed Integrations endpoints
<a name="mi-fips-endpoints"></a>

The FIPS compliant **control plane** endpoints that support the managed integrations operations and their related Amazon CLI commands are listed in [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service). In [FIPS Endpoints by Service](https://www.amazonaws.cn//compliance/fips/#FIPS_Endpoints_by_Service), find the **Amazon IoT Device Management - Managed integrations** service, and look up the endpoint for your Amazon Web Services Region.

To use the FIPS compliant endpoint when you access the managed integrations operations, use the Amazon SDK or the REST API with the endpoint that is appropriate for your Amazon Web Services Region.

To use the FIPS compliant endpoint when you run managed integrations CLI commands, add the **--endpoint** parameter with the appropriate endpoint for your Amazon Web Services Region to the command. 