Aws General

AWS General Reference
Reference guide
Version 1.0
AWS General Reference Reference guide
AWS General Reference: Reference guide

Copyright © 2019 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not
Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or
discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may
or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
AWS General Reference ...................................................................................................................... 1
AWS Service Endpoints ....................................................................................................................... 2
Endpoint Tables ......................................................................................................................... 3
Alexa for Business ...................................................................................................................... 3
Amazon API Gateway ................................................................................................................. 3
Amazon API Gateway Control Plane ..................................................................................... 3
Amazon API Gateway Data Plane ......................................................................................... 3
Application Auto Scaling ............................................................................................................. 6
AWS Application Discovery Service ............................................................................................... 8
Amazon AppStream 2.0 .............................................................................................................. 8
AWS App Mesh .......................................................................................................................... 9
AWS AppSync .......................................................................................................................... 10
AWS AppSync Control Plane .............................................................................................. 10
AWS AppSync Data Plane .................................................................................................. 10
Amazon Athena ....................................................................................................................... 11
Amazon Aurora ........................................................................................................................ 13
Amazon Aurora with MySQL compatibility ........................................................................... 13
Amazon Aurora with PostgreSQL compatibility .................................................................... 14
AWS Auto Scaling .................................................................................................................... 16
Amazon EC2 Auto Scaling ......................................................................................................... 17
AWS Backup ............................................................................................................................ 19
AWS Batch .............................................................................................................................. 20
AWS Billing and Cost Management ............................................................................................. 21
AWS Cost Explorer ............................................................................................................ 21
AWS Cost and Usage Reports ............................................................................................ 22
AWS Budgets ................................................................................................................... 22
AWS Price List Service ....................................................................................................... 23
Savings Plans ................................................................................................................... 23
AWS Certificate Manager ........................................................................................................... 24
AWS Certificate Manager Private Certificate Authority ................................................................... 26
Amazon Chime ......................................................................................................................... 27
AWS Cloud9 ............................................................................................................................ 28
Amazon Cloud Directory ........................................................................................................... 28
AWS CloudFormation ................................................................................................................ 29
Amazon CloudFront .................................................................................................................. 30
AWS CloudHSM ........................................................................................................................ 30
AWS CloudHSM Classic ............................................................................................................. 32
AWS Cloud Map ....................................................................................................................... 33
Amazon CloudSearch ................................................................................................................ 34
AWS CloudTrail ........................................................................................................................ 35
Amazon CloudWatch ................................................................................................................. 37
Amazon CloudWatch Events ...................................................................................................... 38
Amazon CloudWatch Logs ......................................................................................................... 40
AWS CodeBuild ........................................................................................................................ 42
AWS CodeCommit .................................................................................................................... 44
AWS CodeDeploy ...................................................................................................................... 45
AWS CodePipeline .................................................................................................................... 47
AWS CodeStar .......................................................................................................................... 48
AWS CodeStar Notifications ....................................................................................................... 49
Amazon Cognito Identity ........................................................................................................... 50
Amazon Cognito Your User Pools ....................................................................................... 50
Amazon Cognito Federated Identities .................................................................................. 51
Amazon Cognito Sync ............................................................................................................... 52
Amazon Comprehend ............................................................................................................... 53
Version 1.0
iii
Amazon Comprehend Medical .................................................................................................... 53

AWS Config and AWS Config Rules ............................................................................................. 54
Amazon Connect ...................................................................................................................... 55
Amazon Data Lifecycle Manager ................................................................................................. 56
AWS Data Pipeline .................................................................................................................... 57
AWS DataSync ......................................................................................................................... 57
AWS Database Migration Service ................................................................................................ 59
AWS DeepLens ......................................................................................................................... 60
AWS Device Farm ..................................................................................................................... 60
AWS Direct Connect ................................................................................................................. 61
AWS Directory Service .............................................................................................................. 62
Amazon DocumentDB ............................................................................................................... 64
Amazon DynamoDB .................................................................................................................. 65
DynamoDB Accelerator (DAX) ..................................................................................................... 67
Amazon DynamoDB Streams ..................................................................................................... 68
AWS Elastic Beanstalk ............................................................................................................... 69
AWS Elastic Beanstalk Health Service .......................................................................................... 71
Amazon Elastic Compute Cloud (Amazon EC2) ............................................................................. 73
Amazon Elastic Container Registry .............................................................................................. 75
Amazon Elastic Container Service ............................................................................................... 76
Amazon Elastic Kubernetes Service (Amazon EKS) ........................................................................ 78
Amazon Elastic File System ....................................................................................................... 79
Elastic Load Balancing .............................................................................................................. 80
Amazon Elastic Transcoder ........................................................................................................ 82
Amazon ElastiCache .................................................................................................................. 82
Amazon Elasticsearch Service ..................................................................................................... 84
Amazon EMR ........................................................................................................................... 86
Amazon EventBridge ................................................................................................................. 88
AWS Firewall Manager .............................................................................................................. 89
Amazon Forecast ...................................................................................................................... 90
Amazon Forecast .............................................................................................................. 90
Amazon Forecast Query .................................................................................................... 91
Amazon FreeRTOS .................................................................................................................... 91
Amazon FreeRTOS OTA Control Plane ................................................................................. 91
Amazon FreeRTOS OTA Data Plane ..................................................................................... 92
Amazon FSx ............................................................................................................................. 93
Amazon GameLift ..................................................................................................................... 94
Amazon S3 Glacier ................................................................................................................... 95
AWS Global Accelerator ............................................................................................................. 97
AWS Glue ................................................................................................................................ 97
AWS Ground Station ................................................................................................................. 99
Amazon GuardDuty .................................................................................................................. 99
AWS Health ........................................................................................................................... 100
AWS Identity and Access Management (IAM) .............................................................................. 101
AWS Import/Export ................................................................................................................ 102
AWS Import/Export Disk ................................................................................................. 102
Amazon Inspector ................................................................................................................... 103
AWS IoT 1-Click ..................................................................................................................... 104
AWS IoT 1-Click Projects API ............................................................................................ 104
AWS IoT 1-Click Devices API ............................................................................................ 104
AWS IoT Analytics .................................................................................................................. 104
AWS IoT Core ......................................................................................................................... 105
AWS IoT Device Defender ........................................................................................................ 108
AWS IoT Device Management ................................................................................................... 109
AWS IoT Events ...................................................................................................................... 112
AWS IoT Greengrass ................................................................................................................ 113
Control Plane Operations ................................................................................................ 113
Version 1.0
iv
AWS IoT Device Operations ............................................................................................. 114

Discovery Operations ...................................................................................................... 115
Supported Legacy Endpoints ............................................................................................ 116
AWS IoT Things Graph ............................................................................................................ 117
AWS Key Management Service ................................................................................................. 118
Amazon Kinesis Data Analytics ................................................................................................. 119
Amazon Kinesis Data Firehose .................................................................................................. 120
Amazon Kinesis Data Streams .................................................................................................. 122
Amazon Kinesis Video Streams ................................................................................................. 124
AWS Lake Formation ............................................................................................................... 124
AWS Lambda ......................................................................................................................... 125
Amazon Lex ........................................................................................................................... 126
Model Building Endpoints ................................................................................................ 126
Runtime Endpoints ......................................................................................................... 126
AWS License Manager ............................................................................................................. 127
Amazon Lightsail .................................................................................................................... 129
Amazon Macie ........................................................................................................................ 129
Amazon Machine Learning ....................................................................................................... 130
Amazon Managed Blockchain ................................................................................................... 130
AWS Marketplace .................................................................................................................... 130
AWS Marketplace Commerce Analytics .............................................................................. 130
AWS Marketplace Entitlement Service ............................................................................... 131
AWS Marketplace Metering Service ................................................................................... 131
Amazon Mechanical Turk ......................................................................................................... 132
Amazon Managed Streaming for Apache Kafka (Amazon MSK) ..................................................... 133
AWS Elemental MediaConnect .................................................................................................. 134
AWS Elemental MediaConvert .................................................................................................. 135
AWS Elemental MediaLive ....................................................................................................... 136
AWS Elemental MediaPackage .................................................................................................. 136
AWS Elemental MediaStore ...................................................................................................... 138
AWS Elemental MediaTailor ..................................................................................................... 139
AWS Migration Hub ................................................................................................................ 139
Amazon MQ ........................................................................................................................... 140
Amazon Neptune .................................................................................................................... 141
AWS OpsWorks ...................................................................................................................... 142
AWS OpsWorks CM ......................................................................................................... 142
AWS OpsWorks Stacks .................................................................................................... 143
AWS Organizations ................................................................................................................. 144
Amazon Personalize ................................................................................................................ 145
Amazon Personalize ........................................................................................................ 145
Amazon Personalize Events .............................................................................................. 145
Amazon Personalize Runtime ........................................................................................... 146
Amazon Pinpoint .................................................................................................................... 146
Amazon Pinpoint API ...................................................................................................... 146
Amazon Pinpoint Email API ............................................................................................. 147
Amazon Pinpoint SMS and Voice API ................................................................................ 147
Amazon Polly ......................................................................................................................... 148
Amazon QLDB ........................................................................................................................ 149
Amazon QLDB Control Plane ........................................................................................... 149
Amazon QLDB Transactional Data Plane ............................................................................ 150
Amazon QuickSight ................................................................................................................ 150
AWS Resource Access Manager ................................................................................................. 151
Amazon Redshift .................................................................................................................... 153
Amazon Rekognition ............................................................................................................... 154
Amazon Relational Database Service (Amazon RDS) .................................................................... 155
Amazon RDS Performance Insights ........................................................................................... 157
AWS Resource Groups ............................................................................................................. 158
Version 1.0
v
Resource Groups Tagging API ................................................................................................... 160

AWS RoboMaker ..................................................................................................................... 162
Amazon Route 53 ................................................................................................................... 162
Requests for hosted zones, records, health checks, DNS query logs, reusable delegation sets,
traffic policies, and cost allocation tags for hosted zones and health checks ............................ 162
Requests for domain registration ...................................................................................... 164
Requests for Route 53 Resolver ........................................................................................ 164
Requests for Route 53 Auto Naming ................................................................................. 165
Amazon SageMaker ................................................................................................................ 165
AWS Secrets Manager ............................................................................................................. 168
AWS Security Hub .................................................................................................................. 170
AWS Security Token Service (AWS STS) ..................................................................................... 171
AWS Server Migration Service .................................................................................................. 173
AWS Serverless Application Repository ...................................................................................... 174
AWS Service Catalog ............................................................................................................... 176
AWS Shield Advanced ............................................................................................................. 177
Amazon Simple Email Service (Amazon SES) .............................................................................. 177
Amazon Simple Notification Service (Amazon SNS) ..................................................................... 178
Amazon Simple Queue Service (Amazon SQS) ............................................................................ 180
Amazon SQS Legacy Endpoints ........................................................................................ 182
Amazon Simple Storage Service (Amazon S3) ............................................................................ 183
Amazon Simple Storage Service Website Endpoints ............................................................ 189
Amazon Simple Workflow Service (Amazon SWF) ....................................................................... 190
Amazon SimpleDB .................................................................................................................. 192
AWS Single Sign-On ............................................................................................................... 192
AWS Snowball ........................................................................................................................ 193
AWS Step Functions ................................................................................................................ 194
AWS Storage Gateway ............................................................................................................. 196
AWS Storage Gateway Hardware Appliance Regions ............................................................ 197
AWS Support ......................................................................................................................... 198
AWS Systems Manager ............................................................................................................ 198
Amazon Textract .................................................................................................................... 200
Amazon Transcribe ................................................................................................................. 200
Amazon Transcribe Streaming .................................................................................................. 200
AWS Transfer for SFTP ............................................................................................................ 202
Amazon Translate ................................................................................................................... 203
Amazon VPC .......................................................................................................................... 204
AWS WAF .............................................................................................................................. 205
Amazon WorkDocs .................................................................................................................. 208
Amazon WorkLink ................................................................................................................... 208
Amazon WorkMail .................................................................................................................. 209
Amazon WorkSpaces ............................................................................................................... 210
AWS X-Ray ............................................................................................................................ 211
Managing AWS Regions ................................................................................................................... 213
About AWS Regions ................................................................................................................ 213
Enabling a Region .................................................................................................................. 213
Disabling a Region .................................................................................................................. 214
Describing Your Regions Using the AWS CLI ............................................................................... 214
AWS Security Credentials ................................................................................................................. 215
AWS Account Root User Credentials vs. IAM User Credentials ....................................................... 215
AWS Tasks That Require AWS Account Root User Credentials ................................................ 216
Understanding and Getting Your Security Credentials .................................................................. 216
Email and Password (Root User) ....................................................................................... 217
IAM User Name and Password .......................................................................................... 217
Multi-Factor Authentication (MFA) .................................................................................... 218
Access Keys (Access Key ID and Secret Access Key) .............................................................. 218
Key Pairs ....................................................................................................................... 219
Version 1.0
vi
AWS Account Identifiers .......................................................................................................... 219

Finding Your AWS Account ID .......................................................................................... 219
Finding Your Account Canonical User ID ............................................................................ 220
Best Practices for Managing AWS Access Keys ............................................................................ 221
Remove (or Don't Generate) Account Access Key ................................................................. 221
Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys .................. 222
Manage IAM User Access Keys Properly ............................................................................. 223
More Resources .............................................................................................................. 223
Managing Access Keys for Your AWS Account Root User .............................................................. 224
Creating, Disabling, and Deleting Access Keys for Your AWS Account Root User ....................... 224
AWS Security Audit Guidelines ................................................................................................. 225
When Should You Perform a Security Audit? ...................................................................... 226
General Guidelines for Auditing ........................................................................................ 226
Review Your AWS Account Credentials ............................................................................... 226
Review Your IAM Users .................................................................................................... 226
Review Your IAM Groups ................................................................................................. 227
Review Your IAM Roles .................................................................................................... 227
Review Your IAM Providers for SAML and OpenID Connect (OIDC) ......................................... 227
Review Your Mobile Apps ................................................................................................ 227
Review Your Amazon EC2 Security Configuration ................................................................ 228
Review AWS Policies in Other Services .............................................................................. 228
Monitor Activity in Your AWS Account ............................................................................... 228
Tips for Reviewing IAM Policies ........................................................................................ 229
More Information ........................................................................................................... 230
Amazon Resource Names (ARNs) ...................................................................................................... 231
ARN Format ........................................................................................................................... 231
Paths in ARNs ................................................................................................................ 231
Resource ARNs ....................................................................................................................... 232
AWS Service Limits ......................................................................................................................... 236
Alexa for Business .................................................................................................................. 236
Amazon API Gateway .............................................................................................................. 236
Application Auto Scaling ......................................................................................................... 237
AWS Application Discovery Service ........................................................................................... 237
AWS App Mesh Service ........................................................................................................... 237
Amazon AppStream 2.0 ........................................................................................................... 238
AWS AppSync ........................................................................................................................ 238
Amazon Athena ...................................................................................................................... 239
AWS Auto Scaling ................................................................................................................... 240
Amazon EC2 Auto Scaling ....................................................................................................... 240
AWS Backup .......................................................................................................................... 241
AWS Batch ............................................................................................................................. 242
Billing and Cost Management .................................................................................................. 242
AWS Certificate Manager (ACM) ................................................................................................ 242
AWS Certificate Manager Private Certificate Authority (ACM PCA) ................................................. 243
Amazon Chime ....................................................................................................................... 243
AWS Cloud9 ........................................................................................................................... 244
AWS CloudFormation .............................................................................................................. 244
Amazon CloudFront ................................................................................................................ 245
AWS CloudHSM ...................................................................................................................... 246
AWS CloudHSM Classic ............................................................................................................ 246
AWS Cloud Map ..................................................................................................................... 246
Amazon CloudSearch .............................................................................................................. 246
AWS CloudTrail ...................................................................................................................... 247
Amazon CloudWatch ............................................................................................................... 247
Amazon CloudWatch Events ..................................................................................................... 248
Amazon CloudWatch Logs ....................................................................................................... 249
CodeBuild .............................................................................................................................. 250
Version 1.0
vii
CodeCommit .......................................................................................................................... 250

CodeDeploy ........................................................................................................................... 250
CodePipeline .......................................................................................................................... 251
Amazon Cognito User Pools ..................................................................................................... 251
Amazon Cognito Federated Identities Limits .............................................................................. 252
Amazon Cognito Sync ............................................................................................................. 252
Amazon Comprehend .............................................................................................................. 252
Amazon Comprehend Medical .................................................................................................. 253
AWS Config ........................................................................................................................... 253
Amazon Connect .................................................................................................................... 253
AWS Data Pipeline .................................................................................................................. 255
AWS Database Migration Service .............................................................................................. 255
AWS DataSync ........................................................................................................................ 256
AWS DeepLens ....................................................................................................................... 256
AWS Device Farm ................................................................................................................... 256
AWS Direct Connect ................................................................................................................ 256
AWS Directory Service ............................................................................................................. 257
Amazon DynamoDB ................................................................................................................ 257
AWS Elastic Beanstalk ............................................................................................................. 258
Amazon Elastic Block Store (Amazon EBS) ................................................................................. 258
Amazon Elastic Compute Cloud (Amazon EC2) ........................................................................... 259
Amazon Elastic Container Registry (Amazon ECR) ....................................................................... 260
Amazon Elastic Container Service (Amazon ECS) ......................................................................... 261
Amazon Elastic Kubernetes Service (Amazon EKS) ...................................................................... 262
Amazon Elastic File System ...................................................................................................... 262
Amazon Elastic Inference ......................................................................................................... 263
Elastic Load Balancing ............................................................................................................. 263
Amazon Elastic Transcoder ...................................................................................................... 264
Amazon ElastiCache ................................................................................................................ 265
Amazon EventBridge ............................................................................................................... 266
AWS Firewall Manager ............................................................................................................ 266
Amazon FSx ........................................................................................................................... 266
Amazon GameLift ................................................................................................................... 268
Amazon S3 Glacier ................................................................................................................. 268
AWS Global Accelerator ........................................................................................................... 268
AWS Glue .............................................................................................................................. 269
AWS Ground Station ............................................................................................................... 270
Amazon GuardDuty ................................................................................................................. 270
AWS Identity and Access Management (IAM) .............................................................................. 271
AWS Import/Export ................................................................................................................ 271
AWS Snowball (Snowball) ................................................................................................ 271
Amazon Inspector ................................................................................................................... 271
AWS IoT ................................................................................................................................ 272
Thing ............................................................................................................................ 272
Thing Group .................................................................................................................. 272
Message Broker .............................................................................................................. 273
Protocol ........................................................................................................................ 276
Device Shadow ............................................................................................................... 277
Security and Identity ....................................................................................................... 278
AWS IoT Throttling ......................................................................................................... 278
AWS IoT Rules Engine ..................................................................................................... 282
AWS IoT Job .................................................................................................................. 282
AWS IoT Fleet Indexing ................................................................................................... 284
AWS IoT Bulk Thing Registration ...................................................................................... 285
AWS IoT Device Defender ................................................................................................ 286
AWS IoT Analytics .................................................................................................................. 286
AWS IoT Events ...................................................................................................................... 287
Version 1.0
viii
AWS IoT Greengrass ................................................................................................................ 288

AWS IoT Greengrass Cloud API ......................................................................................... 288
AWS IoT Greengrass Core ................................................................................................ 289
AWS IoT Things Graph ............................................................................................................ 290
AWS Key Management Service (AWS KMS) ................................................................................. 292
Amazon Kinesis Data Firehose .................................................................................................. 292
Amazon Kinesis Data Streams .................................................................................................. 293
Amazon Kinesis Data Analytics ................................................................................................. 293
Amazon Kinesis Video Streams ................................................................................................. 293
Control Plane API ........................................................................................................... 294
Media and Archived Media API ......................................................................................... 295
AWS Lake Formation ............................................................................................................... 297
AWS Lambda ......................................................................................................................... 297
AWS License Manager ............................................................................................................. 298
Amazon Lightsail .................................................................................................................... 298
Amazon Macie ........................................................................................................................ 299
Amazon Machine Learning (Amazon ML) ................................................................................... 299
Amazon Managed Blockchain ................................................................................................... 299
AWS Elemental MediaConnect .................................................................................................. 300
AWS Elemental MediaConvert .................................................................................................. 300
AWS Elemental MediaLive ....................................................................................................... 302
AWS Elemental MediaPackage .................................................................................................. 302
AWS Elemental MediaStore ...................................................................................................... 302
AWS Elemental MediaTailor ..................................................................................................... 303
Amazon MQ ........................................................................................................................... 303
Amazon Neptune .................................................................................................................... 304
AWS OpsWorks for Chef Automate and AWS OpsWorks for Puppet Enterprise ................................ 304
AWS OpsWorks Stacks ............................................................................................................ 304
AWS Organizations ................................................................................................................. 304
OTA Update Manager .............................................................................................................. 305
Amazon Pinpoint .................................................................................................................... 305
Amazon Polly ......................................................................................................................... 306
Amazon QLDB ........................................................................................................................ 307
AWS Resource Access Manager ................................................................................................. 307
Amazon Redshift .................................................................................................................... 307
Amazon Rekognition ............................................................................................................... 308
Amazon Relational Database Service (Amazon RDS) .................................................................... 309
AWS Resource Groups ............................................................................................................. 310
AWS RoboMaker ..................................................................................................................... 310
Amazon Route 53 ................................................................................................................... 312
Amazon SageMaker ................................................................................................................ 312
AWS Secrets Manager ............................................................................................................. 318
AWS Server Migration Service .................................................................................................. 319
AWS Serverless Application Repository ...................................................................................... 319
Service Quotas ....................................................................................................................... 319
AWS Service Catalog ............................................................................................................... 321
AWS Shield Advanced ............................................................................................................. 321
Amazon Simple Email Service (Amazon SES) .............................................................................. 321
Amazon Simple Notification Service (Amazon SNS) ..................................................................... 322
Amazon SNS Resource .................................................................................................... 322
Amazon SNS API Throttling ............................................................................................. 322
AWS Streaming Service ........................................................................................................... 324
Amazon Simple Queue Service (Amazon SQS) ............................................................................ 325
Amazon Simple Storage Service (Amazon S3) ............................................................................ 325
Amazon Simple Workflow Service (Amazon SWF) ....................................................................... 325
Amazon SimpleDB .................................................................................................................. 325
AWS Step Functions ................................................................................................................ 326
Version 1.0
ix
AWS Storage Gateway ............................................................................................................. 326

Amazon Sumerian .................................................................................................................. 326
AWS Systems Manager ............................................................................................................ 326
Amazon Textract .................................................................................................................... 331
Amazon Transcribe ................................................................................................................. 332
AWS Transfer for SFTP ............................................................................................................ 333
Amazon Translate ................................................................................................................... 333
Amazon Virtual Private Cloud (Amazon VPC) ............................................................................. 333
Amazon VPC DNS ................................................................................................................... 337
AWS WAF .............................................................................................................................. 337
AWS Well-Architected Tool ...................................................................................................... 338
Amazon WorkMail .................................................................................................................. 339
Amazon WorkSpaces ............................................................................................................... 339
AWS X-Ray ............................................................................................................................ 339
AWS IP Address Ranges ................................................................................................................... 340
Download .............................................................................................................................. 340
Syntax ................................................................................................................................... 340
Filtering the JSON File ............................................................................................................ 342
Windows ....................................................................................................................... 342
Linux ............................................................................................................................. 343
Implementing Egress Control ................................................................................................... 344
Windows PowerShell ....................................................................................................... 344
jq .................................................................................................................................. 345
Python .......................................................................................................................... 345
AWS IP Address Ranges Notifications ........................................................................................ 346
API Retries ..................................................................................................................................... 348
Signing AWS API Requests ............................................................................................................... 350
When Do You Need to Sign Requests? ...................................................................................... 350
Why Requests Are Signed ........................................................................................................ 350
Signing Requests .................................................................................................................... 351
Signature Versions .................................................................................................................. 351
Signature Version 4 Signing Process .......................................................................................... 352
Changes in Signature Version 4 ........................................................................................ 353
Signature Version 4 Request Elements .............................................................................. 354
Signing AWS Requests .................................................................................................... 356
Handling Dates .............................................................................................................. 371
Examples of How to Derive a Signing Key .......................................................................... 372
Signing Examples (Python) .............................................................................................. 375
Test Suite ...................................................................................................................... 383
Troubleshooting ............................................................................................................. 386
Service-Specific Reference ............................................................................................... 389
Signature Version 2 Signing Process .......................................................................................... 389
Supported Regions and Services ....................................................................................... 389
Components of a Query Request for Signature Version 2 ..................................................... 390
How to Generate a Signature Version 2 for a Query Request ................................................ 391
AWS SDK Support for Amazon S3 Client-Side Encryption .................................................................... 397
AWS SDK Features for Amazon S3 Client-Side Encryption ............................................................ 397
Amazon S3 Encryption Client Cryptographic Algorithms .............................................................. 398
Markdown in AWS .......................................................................................................................... 400
Paragraphs, Line Spacing, and Horizontal Lines .......................................................................... 400
Headings ............................................................................................................................... 400
Text Formatting ..................................................................................................................... 401
Links ..................................................................................................................................... 401
Lists ...................................................................................................................................... 401
Tables and Buttons (CloudWatch Dashboards) ............................................................................ 401
Tagging AWS Resources ................................................................................................................... 403
Tag Naming and Usage Conventions ......................................................................................... 403
Version 1.0
x
More Information on Tagging .................................................................................................. 403

Document Conventions ................................................................................................................... 404
AWS Glossary ................................................................................................................................. 406
Version 1.0
xi
AWS General Reference

The AWS General Reference provides information that is useful across Amazon Web Services.
Contents
• AWS Service Endpoints (p. 2)

• Managing AWS Regions (p. 213)
• AWS Security Credentials (p. 215)
• Amazon Resource Names (ARNs) (p. 231)
• AWS Service Limits (p. 236)
• AWS IP Address Ranges (p. 340)
• Error Retries and Exponential Backoff in AWS (p. 348)
• Signing AWS API Requests (p. 350)
• AWS SDK Support for Amazon S3 Client-Side Encryption (p. 397)
• Using Markdown in AWS (p. 400)
• Tagging AWS Resources (p. 403)
• Document Conventions (p. 404)
• AWS Glossary (p. 406)
Version 1.0
1
AWS Service Endpoints

To connect programmatically to an AWS service, you use an endpoint. An endpoint is the URL of the
entry point for an AWS web service. For example, https://dynamodb.us-west-2.amazonaws.com is
the endpoint for the Amazon DynamoDB service in the US West (Oregon) Region. The AWS SDKs and the
AWS Command Line Interface (CLI) automatically use the default endpoint for each service in an AWS
Region. But you can specify an alternate endpoint for your API requests.
To view a table of supported endpoints for an AWS service, choose the service name from the list on the
right, if available. Otherwise go to AWS Regions and Endpoints by Service (p. 3) and search for the
service name.
To see the supported AWS services in each Region (without endpoints) in a tabbed format, see the
Region Table.
Regional Endpoints
Most Amazon Web Services offer a Regional endpoint that you can use to make your requests. If a service
supports Regions, the resources in each Region are independent of similar resources in other Regions. For
example, you can create an Amazon EC2 instance or an Amazon SQS queue in one Region. When you do,
the instance or queue is independent of instances or queues in all other Regions.
Some services, such as IAM, do not support Regions. Thus, the endpoints for those services do not
include a Region. Other services, such as Amazon EC2, support Regions but let you specify an endpoint
that does not include a Region, such as https://ec2.amazonaws.com. When you use an endpoint
with no Region, AWS routes the Amazon EC2 request to US East (N. Virginia) (us-east-1), which is the
default Region for API calls.
To learn about enabling and disabling AWS Regions, see Managing AWS Regions (p. 213).
FIPS Endpoints
Some AWS services offer FIPS endpoints in selected AWS Regions. Unlike standard AWS endpoints,
FIPS endpoints use a TLS software library that complies with Federal Information Processing Standards
(FIPS) standards. These endpoints might be required by enterprises that interact with the United States
government.
To use FIPS endpoints in your requests, use the procedure in your AWS SDK for specifying a custom
endpoint. For example, when using the AWS Command Line Interface, use the endpoint-url
parameter. The following example uses the FIPS endpoint in the US West (Oregon) Region to create an
AWS Key Management Service (AWS KMS) customer master key.
aws kms create-key --endpoint-url https://kms-fips.us-west-2.amazonaws.com
Learn More About Endpoints
You can find endpoint information from the following sources:
• For information about the AWS services and endpoints available in the China (Beijing) Region, see
China (Beijing) Region Endpoints.
For information about the AWS services and endpoints available in the China (Ningxia) Region, see
China (Ningxia) Region Endpoints.
• For information about the AWS services and endpoints available in the AWS GovCloud (US-West)
Region, see AWS GovCloud (US-West) Endpoints.
• To programmatically discover AWS Region and service information, see Calling AWS Service, Region,
and Endpoint Public Parameters in the AWS Systems Manager User Guide. For information about how
Version 1.0
2
Endpoint Tables
to use AWS Systems Manager public parameters, see Query for AWS Regions, Endpoints, and More
Using AWS Systems Manager Parameter Store.
• For information about which Regions and endpoints are supported for each service, see the the section
called “Endpoint Tables” (p. 3).
AWS Regions and Endpoints by Service

Each of the following tables lists all supported Regions and endpoints for an AWS service. To find the
table for a service, choose the service name from the list on the right, if available. You can also search for
the service name.
Alexa for Business

Region Region Endpoint Protocol
Name
US East (N. us-east-1 a4b.us-east-1.amazonaws.com HTTPS

Virginia)
Amazon API Gateway

You can use the Asia Pacific (Osaka-Local) Region only in conjunction with the Asia Pacific (Tokyo)
Region. To request access to the Asia Pacific (Osaka-Local) Region, contact your sales representative.
For information about using Amazon API Gateway in the AWS GovCloud (US-West) Region, see AWS
GovCloud (US-West) Endpoints.
For information about using Amazon API Gateway in the China (Beijing) Region, see China (Beijing)
Region Endpoints.
Amazon API Gateway includes the API Gateway Control Plane (for creating and managing APIs) and the
API Gateway Data Plane (for calling deployed APIs).
The Route 53 Hosted Zone ID column shows the Route 53 Hosted Zone IDs for API Gateway Regional
endpoints. Route 53 Hosted Zone IDs are for use with the execute-api (API Gateway component
service for API execution) domain. For edge-optimized endpoints, the Route 53 Hosted Zone ID is
Z2FDTNDATAQYW2 for all Regions.
Amazon API Gateway Control Plane

Name
US East us-east-2 apigateway.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 apigateway.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 apigateway.us-west-1.amazonaws.com HTTPS

West (N.
California)
Version 1.0
3
Amazon API Gateway Control Plane

Name
US West us-west-2 apigateway.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 apigateway.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- apigateway.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- apigateway.ap-northeast-2.amazonaws.com HTTPS

Pacific northeast-2
(Seoul)
Asia ap- apigateway.ap-southeast-1.amazonaws.com HTTPS

Pacific southeast-1
(Singapore)
Asia ap- apigateway.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- apigateway.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- apigateway.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 apigateway.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- apigateway.cn-northwest-1.amazonaws.com.cn HTTPS

(Ningxia) northwest-1
EU eu- apigateway.eu-central-1.amazonaws.com HTTPS

(Frankfurt) central-1
EU eu-west-1 apigateway.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 apigateway.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 apigateway.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 apigateway.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- apigateway.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
Version 1.0
4
Amazon API Gateway Data Plane

Name
South sa-east-1 apigateway.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- apigateway.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- apigateway.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Amazon API Gateway Data Plane
Region Region Endpoint Protocol Route 53

Name Hosted
Zone ID
US East us-east-2 execute-api.us-east-2.amazonaws.com HTTPS ZOJJZC49E0EPZ

(Ohio)
US us-east-1 execute-api.us-east-1.amazonaws.com HTTPS Z1UJRXOUMOOFQ8

East (N.
Virginia)
US us- execute-api.us-west-1.amazonaws.com HTTPS Z2MUQ32089INYE

West (N. west-1
California)
US West us- execute-api.us-west-2.amazonaws.com HTTPS Z2OJLYMUO9EFXC

(Oregon) west-2
Asia ap-east-1 execute-api.ap-east-1.amazonaws.com HTTPS Z3FD1VL90ND7K5

Pacific
(Hong
Kong)
Asia ap- execute-api.ap-south-1.amazonaws.com HTTPS Z3VO1THU9YC4UR

Pacific south-1
(Mumbai)
Asia ap- execute-api.ap-northeast-2.amazonaws.com HTTPS Z20JF4UZKIW1U8

(Seoul)
Asia ap- execute-api.ap-southeast-1.amazonaws.com HTTPS ZL327KTPIQFUL

(Singapore)
Asia ap- execute-api.ap-southeast-2.amazonaws.com HTTPS Z2RPCDW04V8134

(Sydney)
Version 1.0
5
Application Auto Scaling

Name Hosted
Zone ID
Asia ap- execute-api.ap-northeast-1.amazonaws.com HTTPS Z1YSHQZHG15GKL

(Tokyo)
Canada ca- execute-api.ca-central-1.amazonaws.com HTTPS Z19DQILCV0OWEC

(Central) central-1
China cn- execute-api.cn-north-1.amazonaws.com.cn HTTPS None

(Beijing) north-1
China cn- execute-api.cn- HTTPS None

(Ningxia) northwest-1northwest-1.amazonaws.com.cn
EU eu- execute-api.eu-central-1.amazonaws.com HTTPS Z1U9ULNL0V5AJ3

EU eu- execute-api.eu-west-1.amazonaws.com HTTPS ZLY8HYME6SFDD

(Ireland) west-1
EU eu- execute-api.eu-west-2.amazonaws.com HTTPS ZJ5UAJN8Y3Z2Q

(London) west-2
EU (Paris) eu- execute-api.eu-west-3.amazonaws.com HTTPS Z3KY65QIEKYHQQ

west-3
EU eu- execute-api.eu-north-1.amazonaws.com HTTPS Z3UWIKFBOOGXPP

(Stockholm)north-1
Middle me- execute-api.me-south-1.amazonaws.com HTTPS Z20ZBPC0SS8806

East south-1
(Bahrain)
South sa-east-1 execute-api.sa-east-1.amazonaws.com HTTPS ZCMLWB8V5SYIT

America
(Sao
Paulo)
AWS us-gov- execute-api.us-gov-east-1.amazonaws.com HTTPS Z3SE9ATJYCRCZJ

GovCloud east-1
(US-East)
AWS us-gov- execute-api.us-gov-west-1.amazonaws.com HTTPS Z1K6XKP9SAGWDV

GovCloud west-1
(US-
West)

Name
US East us-east-2 autoscaling.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
Version 1.0
6

Name
US East (N. us-east-1 autoscaling.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
US us-west-1 autoscaling.us-west-1.amazonaws.com HTTP and

West (N. HTTPS
California)
US West us-west-2 autoscaling.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
Asia ap-east-1 autoscaling.ap-east-1.amazonaws.com HTTP and

Pacific HTTPS
(Hong
Kong)
Asia ap- autoscaling.ap-south-1.amazonaws.com HTTP and

Pacific south-1 HTTPS
(Mumbai)
Asia ap- autoscaling.ap-northeast-3.amazonaws.com HTTP and

Pacific northeast-3 HTTPS
(Osaka-
Local)

(Seoul)
Asia ap- autoscaling.ap-southeast-1.amazonaws.com HTTP and

Pacific southeast-1 HTTPS
(Singapore)

(Sydney)

(Tokyo)
Canada ca- autoscaling.ca-central-1.amazonaws.com HTTP and

(Central) central-1 HTTPS
China cn-north-1 autoscaling.cn-north-1.amazonaws.com.cn HTTP and

(Beijing) HTTPS
China cn- autoscaling.cn-northwest-1.amazonaws.com.cn HTTP and

(Ningxia) northwest-1 HTTPS
EU eu- autoscaling.eu-central-1.amazonaws.com HTTP and

(Frankfurt) central-1 HTTPS
EU eu-west-1 autoscaling.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS

(London) HTTPS
Version 1.0
7
AWS Application Discovery Service

Name
EU (Paris) eu-west-3 autoscaling.eu-west-3.amazonaws.com HTTP and

HTTPS
EU eu-north-1 autoscaling.eu-north-1.amazonaws.com HTTP and

(Stockholm) HTTPS
Middle me- autoscaling.me-south-1.amazonaws.com HTTP and

East south-1 HTTPS
(Bahrain)
South sa-east-1 autoscaling.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
AWS us-gov- autoscaling.us-gov-east-1.amazonaws.com HTTP and

GovCloud east-1 HTTPS
(US-East)
AWS us-gov- autoscaling.us-gov-west-1.amazonaws.com HTTP and

GovCloud west-1 HTTPS
(US-West)
For information about using Application Auto Scaling in the China (Beijing) Region, see China (Beijing)
Region Endpoints.

Name
US West us-west-2 discovery.us-west-2.amazonaws.com

(Oregon)
Amazon AppStream 2.0

Name
US East (N. us-east-1 appstream2.us-east-1.amazonaws.com HTTPS

Virginia)
appstream2-fips.us-east-1.amazonaws.com HTTPS
US West us-west-2 appstream2.us-west-2.amazonaws.com HTTPS

(Oregon)
appstream2-fips.us-west-2.amazonaws.com HTTPS
Asia ap- appstream2.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Version 1.0
8
AWS App Mesh

Name
Asia ap- appstream2.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- appstream2.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- appstream2.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- appstream2.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 appstream2.eu-west-1.amazonaws.com HTTPS

(Ireland)
AWS us-gov- appstream2.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West) appstream2-fips.us-gov-west-1.amazonaws.com HTTPS
AWS App Mesh

Name
US East us-east-2 appmesh.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 appmesh.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 appmesh.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 appmesh.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- appmesh.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- appmesh.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- appmesh.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Version 1.0
9
AWS AppSync

Name
Asia ap- appmesh.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- appmesh.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- appmesh.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- appmesh.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 appmesh.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 appmesh.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 appmesh.eu-west-3.amazonaws.com HTTPS
AWS AppSync
AWS AppSync Control Plane
Name
US East us-east-2 appsync.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 appsync.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 appsync.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- appsync.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- appsync.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- appsync.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- appsync.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Version 1.0
10
AWS AppSync Data Plane

Name
Asia ap- appsync.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- appsync.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 appsync.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 appsync.eu-west-2.amazonaws.com HTTPS

(London)
AWS AppSync Data Plane

Name
US East us-east-2 <unique-id>.appsync-api.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 <unique-id>.appsync-api.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 <unique-id>.appsync-api.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia Pacific ap-south-1 <unique-id>.appsync-api.ap-south-1.amazonaws.com HTTPS

(Mumbai)
Asia Pacific ap- <unique-id>.appsync-api.ap- HTTPS

(Singapore) southeast-1 southeast-1.amazonaws.com

(Sydney) southeast-2 southeast-2.amazonaws.com

(Tokyo) northeast-1 northeast-1.amazonaws.com
EU eu-central-1 <unique-id>.appsync-api.eu-central-1.amazonaws.com HTTPS

(Frankfurt)
EU (Ireland) eu-west-1 <unique-id>.appsync-api.eu-west-1.amazonaws.com HTTPS
Amazon Athena
Name
US East us-east-2 athena.us-east-2.amazonaws.com HTTPS

(Ohio)
Version 1.0
11
Amazon Athena

Name
US East (N. us-east-1 athena.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 athena.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 athena.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 athena.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- athena.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- athena.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- athena.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- athena.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- athena.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- athena.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- athena.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 athena.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 athena.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 athena.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 athena.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- athena.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
Version 1.0
12
Amazon Aurora

Name
AWS us-gov- athena.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- athena.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Note
To download the latest version of the JDBC driver and its documentation, see Using Athena with
the JDBC Driver.
For more information about the previous versions of the JDBC driver and their documentation,
see Using the Previous Version of the JDBC Driver.
To download the latest and previous versions of the ODBC driver and their documentation, see
Connecting to Athena with ODBC.
Amazon Aurora
Amazon Aurora with MySQL compatibility

Name
US East us-east-2 rds.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 rds.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 rds.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 rds.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 rds.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- rds.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- rds.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Version 1.0
13
Amazon Aurora with PostgreSQL compatibility

Name
Asia ap- rds.ap-southeast-1.amazonaws.com HTTPS

(Singapore)

(Sydney)

(Tokyo)
Canada ca- rds.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn- rds.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- rds.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 rds.eu-west-1.amazonaws.com HTTPS

(Ireland)

(London)
EU (Paris) eu-west-3 rds.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 rds.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- rds.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
AWS us-gov- rds.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- rds.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)

Name

(Ohio)

Virginia)
Version 1.0
14

Name

West (N.
California)

(Oregon)

Pacific
(Hong
Kong)

Pacific south-1
(Mumbai)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)

(Central) central-1



(Ireland)

(London)

(Stockholm)

East south-1
(Bahrain)
Version 1.0
15
AWS Auto Scaling

Name

GovCloud east-1
(US-East)

GovCloud west-1
(US-West)
AWS Auto Scaling

Name

(Ohio) HTTPS

Virginia) HTTPS

West (N. HTTPS
California)

(Oregon) HTTPS

(Mumbai)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)



(Ireland) HTTPS
Version 1.0
16
Amazon EC2 Auto Scaling

Name

(London) HTTPS

Name

(Ohio) HTTPS

Virginia) HTTPS

West (N. HTTPS
California)

(Oregon) HTTPS
Asia ap-east-1 autoscaling.ap-east-1.amazonaws.com HTTP and

Pacific HTTPS
(Hong
Kong)

(Mumbai)

(Osaka-
Local)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)

Version 1.0
17

Name
China cn-north-1 autoscaling.cn-north-1.amazonaws.com.cn HTTP and

(Beijing) HTTPS
China cn- autoscaling.cn-northwest-1.amazonaws.com.cn HTTP and



(Ireland) HTTPS

(London) HTTPS
EU (Paris) eu-west-3 autoscaling.eu-west-3.amazonaws.com HTTP and

HTTPS
EU eu-north-1 autoscaling.eu-north-1.amazonaws.com HTTP and

(Stockholm) HTTPS
Middle me- autoscaling.me-south-1.amazonaws.com HTTP and

East south-1 HTTPS
(Bahrain)
South sa-east-1 autoscaling.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
AWS us-gov- autoscaling.us-gov-east-1.amazonaws.com HTTP and

(US-East)
AWS us-gov- autoscaling.us-gov-west-1.amazonaws.com HTTP and

(US-West)
If you just specify the general endpoint (autoscaling.amazonaws.com), Amazon EC2 Auto Scaling directs
your request to the us-east-1 endpoint.
For information about using Amazon EC2 Auto Scaling in the AWS GovCloud (US-West) Region, see AWS
For information about using Amazon EC2 Auto Scaling in the China (Beijing) Region, see China (Beijing)
Region Endpoints.
Version 1.0
18
AWS Backup
AWS Backup
Name
US East us-east-2 backup.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 backup.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 backup.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 backup.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 backup.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- backup.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- backup.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- backup.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- backup.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- backup.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- backup.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- backup.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 backup.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 backup.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 backup.eu-west-3.amazonaws.com HTTPS
Version 1.0
19
AWS Batch

Name
EU eu-north-1 backup.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- backup.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 backup.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS Batch
Name
US East us-east-2 batch.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 batch.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 batch.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 batch.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 batch.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- batch.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- batch.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- batch.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- batch.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Version 1.0
20
AWS Billing and Cost Management

Name
Asia ap- batch.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- batch.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 batch.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- batch.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- batch.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 batch.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 batch.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 batch.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 batch.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- batch.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 batch.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS Billing and Cost Management

AWS Billing and Cost Management includes the AWS Cost Explorer API, the AWS Cost and Usage Reports
API, the AWS Budgets API, and the AWS Price List API.
AWS Cost Explorer

Name
US East (N. us-east-1 ce.us-east-1.amazonaws.com HTTPS

Virginia)
Version 1.0
21
AWS Cost and Usage Reports
AWS Cost and Usage Reports

Name
US East (N. us-east-1 cur.us-east-1.amazonaws.com HTTPS

Virginia)
AWS Budgets

Name
US East us-east-2 budgets.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 budgets.amazonaws.com HTTPS

Virginia)
US us-west-1 budgets.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 budgets.amazonaws.com HTTPS

(Oregon)
Asia ap- budgets.amazonaws.com HTTPS

Pacific south-1
(Mumbai)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca- budgets.amazonaws.com HTTPS

(Central) central-1
EU eu- budgets.amazonaws.com HTTPS

EU eu-west-1 budgets.amazonaws.com HTTPS

(Ireland)
Version 1.0
22
AWS Price List Service

Name
EU eu-west-2 budgets.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 budgets.amazonaws.com HTTPS
South sa-east-1 budgets.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS Price List Service

Name
US East (N. us-east-1 api.pricing.us-east-1.amazonaws.com HTTPS

Virginia)
Asia ap- api.pricing.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Savings Plans
Name
US East us-east-2 savingsplans.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 savingsplans.amazonaws.com HTTPS

Virginia)
US us-west-1 savingsplans.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 savingsplans.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 savingsplans.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- savingsplans.amazonaws.com HTTPS

Pacific south-1
(Mumbai)

Version 1.0
23
AWS Certificate Manager

Name
(Osaka-
Local)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca- savingsplans.amazonaws.com HTTPS

(Central) central-1
EU eu- savingsplans.amazonaws.com HTTPS

EU eu-west-1 savingsplans.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 savingsplans.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 savingsplans.amazonaws.com HTTPS
EU eu-north-1 savingsplans.amazonaws.com HTTPS

(Stockholm)
Middle me- savingsplans.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 savingsplans.amazonaws.com HTTPS

America
(Sao
Paulo)

Name
US East us-east-2 acm.us-east-2.amazonaws.com HTTPS

(Ohio)
Version 1.0
24

Name
US East (N. us-east-1 acm.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 acm.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 acm.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 acm.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- acm.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- acm.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- acm.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- acm.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- acm.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- acm.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 acm.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 acm.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 acm.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 acm.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Version 1.0
25
AWS Certificate Manager Private Certificate Authority

Name
Middle me- acm.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 acm.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- acm.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- acm.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS Certificate Manager in the AWS GovCloud (US-West) Region, see AWS
AWS Certificate Manager Private Certificate

Authority
Name
US East us-east-2 acm-pca.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 acm-pca.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 acm-pca.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 acm-pca.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 acm-pca.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- acm-pca.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- acm-pca.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Version 1.0
26
Amazon Chime

Name
Asia ap- acm-pca.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- acm-pca.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- acm-pca.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- acm-pca.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- acm-pca.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 acm-pca.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 acm-pca.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 acm-pca.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 acm-pca.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- acm-pca.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 acm-pca.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- acm-pca.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- acm-pca.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Amazon Chime
Amazon Chime has a single endpoint: service.chime.aws.amazon.com (HTTPS).
Version 1.0
27
AWS Cloud9
AWS Cloud9
Name
US East us-east-2 cloud9.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 cloud9.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 cloud9.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- cloud9.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- cloud9.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- cloud9.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 cloud9.eu-west-1.amazonaws.com HTTPS

(Ireland)
Amazon Cloud Directory

Name
US East us-east-2 clouddirectory.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 clouddirectory.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 clouddirectory.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- clouddirectory.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- clouddirectory.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Canada ca- clouddirectory.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- clouddirectory.eu-central-1.amazonaws.com HTTPS

Version 1.0
28
AWS CloudFormation

Name
EU eu-west-1 clouddirectory.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 clouddirectory.eu-west-2.amazonaws.com HTTPS

(London)
AWS us-gov- clouddirectory.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
AWS CloudFormation
Name
US East us-east-2 cloudformation.us-east-2.amazonaws.com HTTPS

(Ohio)
cloudformation-fips.us-east-2.amazonaws.com
US East (N. us-east-1 cloudformation.us-east-1.amazonaws.com HTTPS

Virginia)
cloudformation-fips.us-east-1.amazonaws.com
US West (N. us-west-1 cloudformation.us-west-1.amazonaws.com HTTPS

California)
cloudformation-fips.us-west-1.amazonaws.com
US West us-west-2 cloudformation.us-west-2.amazonaws.com HTTPS

(Oregon)
cloudformation-fips.us-west-2.amazonaws.com
Asia Pacific ap-south-1 cloudformation.ap-south-1.amazonaws.com HTTPS

(Mumbai)
Asia Pacific ap- cloudformation.ap-northeast-3.amazonaws.com HTTPS

(Osaka- northeast-3
Local)

(Seoul) northeast-2
Asia Pacific ap- cloudformation.ap-southeast-1.amazonaws.com HTTPS

(Singapore) southeast-1
Asia Pacific ap- cloudformation.ap-southeast-2.amazonaws.com HTTPS

(Sydney) southeast-2

(Tokyo) northeast-1
Canada ca-central-1 cloudformation.ca-central-1.amazonaws.com HTTPS

(Central)
China cn-north-1 cloudformation.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
Version 1.0
29
Amazon CloudFront

Name
China cn- cloudformation.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu-central-1 cloudformation.eu-central-1.amazonaws.com HTTPS

(Frankfurt)
EU (Ireland) eu-west-1 cloudformation.eu-west-1.amazonaws.com HTTPS
EU (London) eu-west-2 cloudformation.eu-west-2.amazonaws.com HTTPS
EU (Paris) eu-west-3 cloudformation.eu-west-3.amazonaws.com HTTPS
South sa-east-1 cloudformation.sa-east-1.amazonaws.com HTTPS

America
(São Paulo)
EU eu-north-1 cloudformation.eu-north-1.amazonaws.com HTTPS

(Stockholm)
AWS us-gov- cloudformation.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS CloudFormation in the AWS GovCloud (US-West) Region, see AWS
For information about using AWS CloudFormation in the China (Beijing) Region, see China (Beijing)
Region Endpoints.
Amazon CloudFront
Region Region Endpoint Protocol Amazon
Name Route 53
Hosted
Zone ID*
US East (N. us-east-1 cloudfront.amazonaws.com HTTPS Z2FDTNDATAQYW2

Virginia)
Region
AWS CloudHSM
Name
US East us-east-2 cloudhsmv2.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 cloudhsmv2.us-east-1.amazonaws.com HTTPS

Virginia)
Version 1.0
30
AWS CloudHSM

Name
US us-west-1 cloudhsmv2.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 cloudhsmv2.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 cloudhsmv2.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- cloudhsmv2.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- cloudhsmv2.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- cloudhsmv2.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- cloudhsmv2.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- cloudhsmv2.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- cloudhsmv2.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- cloudhsmv2.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 cloudhsmv2.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 cloudhsmv2.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 cloudhsmv2.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 cloudhsmv2.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- cloudhsmv2.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 cloudhsmv2.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Version 1.0
31
AWS CloudHSM Classic

Name
AWS us-gov- cloudhsmv2.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- cloudhsmv2.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
AWS CloudHSM is supported in all Availability Zones of the following Regions:
• US West (Oregon) - us-west-2

• US East (Ohio) - us-east-2
• Asia Pacific (Sydney) - ap-southeast-2
• EU (Frankfurt) - eu-central-1
• EU (Ireland) - eu-west-1
• EU (London) - eu-west-2
• EU (Paris) - eu-west-3
• EU (Stockholm) - eu-north-1
• AWS GovCloud (US-East) - us-gov-east-1
• AWS GovCloud (US-West) - us-gov-west-1

Name
US East us-east-2 cloudhsm.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 cloudhsm.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 cloudhsm.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 cloudhsm.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- cloudhsm.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- cloudhsm.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- cloudhsm.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Version 1.0
32
AWS Cloud Map

Name
Canada ca- cloudhsm.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- cloudhsm.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 cloudhsm.eu-west-1.amazonaws.com HTTPS

(Ireland)
AWS us-gov- cloudhsm.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS CloudHSM Classic in the AWS GovCloud (US-West) Region, see AWS
AWS Cloud Map

Name
US East us-east-2 servicediscovery.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 servicediscovery.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 servicediscovery.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 servicediscovery.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 servicediscovery.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- servicediscovery.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- servicediscovery.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- servicediscovery.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Version 1.0
33
Amazon CloudSearch

Name
Asia ap- servicediscovery.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- servicediscovery.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- servicediscovery.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- servicediscovery.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 servicediscovery.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 servicediscovery.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 servicediscovery.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 servicediscovery.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- servicediscovery.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 servicediscovery.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Note
AWS Cloud Map is available in the South America (São Paulo) with the following limitations:
the Cloud Map console isn't available, you can't create HTTP namespaces, and you can't use the
DiscoverInstances API to find resources.
Amazon CloudSearch
Name
US East (N. us-east-1 cloudsearch.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 cloudsearch.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 cloudsearch.us-west-2.amazonaws.com HTTPS

(Oregon)
Version 1.0
34
AWS CloudTrail

Name
Asia ap- cloudsearch.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- cloudsearch.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- cloudsearch.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- cloudsearch.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- cloudsearch.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 cloudsearch.eu-west-1.amazonaws.com HTTPS

(Ireland)
South sa-east-1 cloudsearch.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS CloudTrail
Name
US East us-east-2 cloudtrail.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 cloudtrail.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 cloudtrail.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 cloudtrail.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 cloudtrail.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- cloudtrail.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Version 1.0
35
AWS CloudTrail

Name
Asia ap- cloudtrail.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- cloudtrail.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- cloudtrail.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- cloudtrail.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 cloudtrail.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- cloudtrail.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- cloudtrail.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 cloudtrail.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 cloudtrail.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 cloudtrail.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 cloudtrail.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- cloudtrail.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 cloudtrail.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- cloudtrail.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
Version 1.0
36
Amazon CloudWatch

Name
AWS us-gov- cloudtrail.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS CloudTrail in the AWS GovCloud (US-West) Region, see AWS GovCloud
(US-West) Endpoints.
For information about using AWS CloudTrail in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
Amazon CloudWatch
Name
US East us-east-2 monitoring.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
US East (N. us-east-1 monitoring.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
US us-west-1 monitoring.us-west-1.amazonaws.com HTTP and

West (N. HTTPS
California)
US West us-west-2 monitoring.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
Asia ap-east-1 monitoring.ap-east-1.amazonaws.com HTTP and

Pacific HTTPS
(Hong
Kong)
Asia ap- monitoring.ap-south-1.amazonaws.com HTTP and

(Mumbai)
Asia ap- monitoring.ap-northeast-3.amazonaws.com HTTP and

(Osaka-
Local)

(Seoul)
Asia ap- monitoring.ap-southeast-1.amazonaws.com HTTP and

(Singapore)
Asia ap- monitoring.ap-southeast-2.amazonaws.com HTTP and

(Sydney)
Version 1.0
37
Amazon CloudWatch Events

Name

(Tokyo)
Canada ca- monitoring.ca-central-1.amazonaws.com HTTP and

China cn-north-1 monitoring.cn-north-1.amazonaws.com.cn HTTP and

(Beijing) HTTPS
China cn- monitoring.cn-northwest-1.amazonaws.com.cn HTTP and

EU eu- monitoring.eu-central-1.amazonaws.com HTTP and

EU eu-west-1 monitoring.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
EU eu-west-2 monitoring.eu-west-2.amazonaws.com HTTP and

(London) HTTPS
EU (Paris) eu-west-3 monitoring.eu-west-3.amazonaws.com HTTP and

HTTPS
EU eu-north-1 monitoring.eu-north-1.amazonaws.com HTTP and

(Stockholm) HTTPS
Middle me- monitoring.me-south-1.amazonaws.com HTTP and

East south-1 HTTPS
(Bahrain)
South sa-east-1 monitoring.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
AWS us-gov- monitoring.us-gov-east-1.amazonaws.com HTTP and

(US-East)
AWS us-gov- monitoring.us-gov-west-1.amazonaws.com HTTP and

(US-West)

Name
US East us-east-2 events.us-east-2.amazonaws.com HTTPS

(Ohio)
Version 1.0
38

Name
US East (N. us-east-1 events.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 events.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 events.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 events.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- events.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- events.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- events.ap-southeast-1.amazonaws.com HTTPS

(Singapore)

(Sydney)

(Tokyo)
Canada ca- events.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 events.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- events.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- events.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 events.eu-west-1.amazonaws.com HTTPS

(Ireland)

(London)
Version 1.0
39
Amazon CloudWatch Logs

Name
EU (Paris) eu-west-3 events.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 events.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- events.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 events.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- events.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- events.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon CloudWatch Events in the AWS GovCloud (US-West) Region, see
AWS GovCloud (US-West) Endpoints.

Name
US East us-east-2 logs.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 logs.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 logs.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 logs.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 logs.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- logs.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Version 1.0
40

Name
Asia ap- logs.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- logs.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- logs.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- logs.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 logs.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- logs.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- logs.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 logs.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 logs.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 logs.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 logs.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- logs.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 logs.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- logs.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
Version 1.0
41
AWS CodeBuild

Name
AWS us-gov- logs.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon CloudWatch Logs in the AWS GovCloud (US-West) Region, see AWS
For information about using Amazon CloudWatch Logs in the China (Beijing) Region, see China (Beijing)
Region Endpoints.
AWS CodeBuild
Name
US East us-east-2 codebuild.us-east-2.amazonaws.com HTTPS

(Ohio)
codebuild-fips.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 codebuild.us-east-1.amazonaws.com HTTPS

Virginia)
codebuild-fips.us-east-1.amazonaws.com HTTPS
US us-west-1 codebuild.us-west-1.amazonaws.com HTTPS

West (N.
California) codebuild-fips.us-west-1.amazonaws.com HTTPS
US West us-west-2 codebuild.us-west-2.amazonaws.com HTTPS

(Oregon)
codebuild-fips.us-west-2.amazonaws.com HTTPS
Asia ap-east-1 codebuild.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- codebuild.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- codebuild.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- codebuild.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- codebuild.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Version 1.0
42
AWS CodeBuild

Name
Asia ap- codebuild.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- codebuild.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 codebuild.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- codebuild.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- codebuild.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 codebuild.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 codebuild.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 codebuild.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 codebuild.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- codebuild.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 codebuild.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- codebuild.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- codebuild.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS CodeBuild in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
Version 1.0
43
AWS CodeCommit
AWS CodeCommit
Name
US East us-east-2 codecommit.us-east-2.amazonaws.com HTTPS

(Ohio)
codecommit-fips.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 codecommit.us-east-1.amazonaws.com HTTPS

Virginia)
codecommit-fips.us-east-1.amazonaws.com HTTPS
US us-west-1 codecommit.us-west-1.amazonaws.com HTTPS

West (N.
California) codecommit-fips.us-west-1.amazonaws.com HTTPS
US West us-west-2 codecommit.us-west-2.amazonaws.com HTTPS

(Oregon)
codecommit-fips.us-west-2.amazonaws.com HTTPS
Asia ap- codecommit.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- codecommit.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- codecommit.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- codecommit.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- codecommit.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- codecommit.ca-central-1.amazonaws.com HTTPS

(Central) central-1
codecommit-fips.ca-central-1.amazonaws.com HTTPS
EU eu- codecommit.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 codecommit.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 codecommit.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 codecommit.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 codecommit.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Version 1.0
44
AWS CodeDeploy

Name
Middle me- codecommit.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 codecommit.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- codecommit.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- codecommit.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about Git connection endpoints, including SSH and HTTPS information, see Regions and
Git Connection Endpoints for CodeCommit.
AWS CodeDeploy
Name
US East us-east-2 codedeploy.us-east-2.amazonaws.com HTTPS

(Ohio)
codedeploy-fips.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 codedeploy.us-east-1.amazonaws.com HTTPS

Virginia)
codedeploy-fips.us-east-1.amazonaws.com HTTPS
US us-west-1 codedeploy.us-west-1.amazonaws.com HTTPS

West (N.
California) codedeploy-fips.us-west-1.amazonaws.com HTTPS
US West us-west-2 codedeploy.us-west-2.amazonaws.com HTTPS

(Oregon)
codedeploy-fips.us-west-2.amazonaws.com HTTPS
Asia ap-east-1 codedeploy.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- codedeploy.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- codedeploy.ap-northeast-3.amazonaws.com HTTPS

Version 1.0
45
AWS CodeDeploy

Name
(Osaka-
Local)

(Seoul)
Asia ap- codedeploy.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- codedeploy.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- codedeploy.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 codedeploy.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- codedeploy.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- codedeploy.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 codedeploy.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 codedeploy.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 codedeploy.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 codedeploy.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- codedeploy.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 codedeploy.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- codedeploy.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East) codedeploy-fips.us-gov-east-1.amazonaws.com HTTPS
Version 1.0
46
AWS CodePipeline

Name
AWS us-gov- codedeploy.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West) codedeploy-fips.us-gov-west-1.amazonaws.com HTTPS
For information about using AWS CodeDeploy in the AWS GovCloud (US-West) Region, see AWS
For information about using AWS CodeDeploy in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
AWS CodePipeline
Name
US East us-east-2 codepipeline.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 codepipeline.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 codepipeline.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 codepipeline.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- codepipeline.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- codepipeline.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- codepipeline.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- codepipeline.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- codepipeline.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- codepipeline.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- codepipeline.eu-central-1.amazonaws.com HTTPS

Version 1.0
47
AWS CodeStar

Name
EU eu-west-1 codepipeline.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 codepipeline.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 codepipeline.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 codepipeline.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 codepipeline.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS CodeStar
Name
US East us-east-2 codestar.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 codestar.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 codestar.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 codestar.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- codestar.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- codestar.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- codestar.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- codestar.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- codestar.ca-central-1.amazonaws.com HTTPS

(Central) central-1
Version 1.0
48
AWS CodeStar Notifications

Name
EU eu- codestar.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 codestar.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 codestar.eu-west-2.amazonaws.com HTTPS

(London)
AWS CodeStar Notifications

Name
US East us-east-2 codestar-notifications.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 codestar-notifications.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 codestar-notifications.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 codestar-notifications.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- codestar-notifications.ap- HTTPS

Pacific south-1 south-1.amazonaws.com
(Mumbai)

Pacific northeast-2 northeast-2.amazonaws.com
(Seoul)

Pacific southeast-1 southeast-1.amazonaws.com
(Singapore)

(Sydney)

(Tokyo)
Canada ca- codestar-notifications.ca- HTTPS

(Central) central-1 central-1.amazonaws.com
EU eu- codestar-notifications.eu- HTTPS

(Frankfurt) central-1 central-1.amazonaws.com
Version 1.0
49
Amazon Cognito Identity

Name
EU eu-west-1 codestar-notifications.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 codestar-notifications.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 codestar-notifications.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 codestar-notifications.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 codestar-notifications.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Amazon Cognito Identity

Amazon Cognito Identity includes Amazon Cognito Your User Pools and Amazon Cognito Federated
Identities.
Amazon Cognito Your User Pools

Name
US East us-east-2 cognito-idp.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 cognito-idp.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 cognito-idp.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- cognito-idp.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- cognito-idp.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- cognito-idp.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- cognito-idp.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Version 1.0
50
Amazon Cognito Federated Identities

Name
Asia ap- cognito-idp.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- cognito-idp.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- cognito-idp.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 cognito-idp.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 cognito-idp.eu-west-2.amazonaws.com HTTPS

(London)
Amazon Cognito Federated Identities

Name
US East us-east-2 cognito-identity.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 cognito-identity.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 cognito-identity.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- cognito-identity.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- cognito-identity.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- cognito-identity.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- cognito-identity.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- cognito-identity.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- cognito-identity.ca-central-1.amazonaws.com HTTPS

(Central) central-1
Version 1.0
51
Amazon Cognito Sync

Name
China cn-north-1 cognito-identity.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
EU eu- cognito-identity.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 cognito-identity.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 cognito-identity.eu-west-2.amazonaws.com HTTPS

(London)
Amazon Cognito Sync

Name
US East us-east-2 cognito-sync.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 cognito-sync.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 cognito-sync.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- cognito-sync.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- cognito-sync.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- cognito-sync.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- cognito-sync.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- cognito-sync.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- cognito-sync.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 cognito-sync.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 cognito-sync.eu-west-2.amazonaws.com HTTPS

(London)
Version 1.0
52
Amazon Comprehend
Amazon Comprehend
Name
US East us-east-2 comprehend.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 comprehend.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 comprehend.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- comprehend.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- comprehend.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Canada ca- comprehend.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- comprehend.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 comprehend.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 comprehend.eu-west-2.amazonaws.com HTTPS

(London)
AWS us-gov- comprehend.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Amazon Comprehend Medical

Name
US East us-east-2 comprehendmedical.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 comprehendmedical.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 comprehendmedical.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- comprehendmedical.ap- HTTPS

(Sydney)
Version 1.0
53
AWS Config and AWS Config Rules

Name
Canada ca- comprehendmedical.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu-west-1 comprehendmedical.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 comprehendmedical.eu-west-2.amazonaws.com HTTPS

(London)
AWS Config and AWS Config Rules

Name
US East us-east-2 config.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 config.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 config.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 config.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 config.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- config.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- config.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- config.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- config.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- config.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- config.ca-central-1.amazonaws.com HTTPS

(Central) central-1
Version 1.0
54
Amazon Connect

Name
China cn-north-1 config.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- config.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- config.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 config.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 config.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 config.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 config.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- config.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 config.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- config.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- config.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS Config in the AWS GovCloud (US-West) Region, see AWS GovCloud
For information about using AWS Config in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
Amazon Connect
Name
US East (N. us-east-1 connect.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 connect.us-west-2.amazonaws.com HTTPS

(Oregon)
Version 1.0
55
Amazon Data Lifecycle Manager

Name
Asia ap- connect.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- connect.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- connect.eu-central-1.amazonaws.com HTTPS

Amazon Data Lifecycle Manager

Name
US East us-east-2 dlm.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 dlm.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 dlm.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 dlm.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- dlm.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- dlm.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- dlm.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- dlm.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- dlm.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- dlm.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- dlm.eu-central-1.amazonaws.com HTTPS

Version 1.0
56
AWS Data Pipeline

Name
EU eu-west-1 dlm.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 dlm.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 dlm.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 dlm.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 dlm.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS Data Pipeline

Name
US East (N. us-east-1 datapipeline.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 datapipeline.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- datapipeline.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- datapipeline.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu-west-1 datapipeline.eu-west-1.amazonaws.com HTTPS

(Ireland)
AWS DataSync
Name
US East us-east-2 datasync.us-east-2.amazonaws.com HTTPS

(Ohio)
datasync-fips.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 datasync.us-east-1.amazonaws.com HTTPS

Virginia)
datasync-fips.us-east-1.amazonaws.com HTTPS
Version 1.0
57
AWS DataSync

Name
US us-west-1 datasync.us-west-1.amazonaws.com HTTPS

West (N.
California) datasync-fips.us-west-1.amazonaws.com HTTPS
US West us-west-2 datasync.us-west-2.amazonaws.com HTTPS

(Oregon)
datasync-fips.us-west-2.amazonaws.com HTTPS
Asia ap- datasync.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- datasync.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- datasync.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- datasync.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- datasync.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- datasync.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 datasync.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 datasync.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 datasync.eu-west-3.amazonaws.com HTTPS
Middle me- datasync.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
AWS us-gov- datasync.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West) datasync-fips.us-gov-west-1.amazonaws.com HTTPS
For information about using AWS DataSync in the AWS GovCloud (US-West) Region, see AWS GovCloud
Version 1.0
58
AWS Database Migration Service

Name
US East us-east-2 dms.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 dms.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 dms.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 dms.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 dms.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- dms.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- dms.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- dms.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- dms.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- dms.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- dms.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 dms.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- dms.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- dms.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 dms.eu-west-1.amazonaws.com HTTPS

(Ireland)
Version 1.0
59
AWS DeepLens

Name
EU eu-west-2 dms.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 dms.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 dms.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- dms.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 dms.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- dms.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- dms.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
AWS DeepLens
Name
US East (N. us-east-1 deeplens.us-east-1.amazonaws.com HTTPS

Virginia)
AWS Device Farm

Name
US West us-west-2 devicefarm.us-west-2.amazonaws.com HTTPS

(Oregon)
Version 1.0
60
AWS Direct Connect
AWS Direct Connect

Name
US East us-east-2 directconnect.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 directconnect.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 directconnect.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 directconnect.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 directconnect.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- directconnect.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- directconnect.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- directconnect.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- directconnect.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- directconnect.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 directconnect.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- directconnect.cn-northwest-1.amazonaws.com.cn HTTPS

Version 1.0
61
AWS Directory Service

Name
EU eu- directconnect.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 directconnect.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 directconnect.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 directconnect.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 directconnect.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- directconnect.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 directconnect.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- directconnect.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- directconnect.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS Direct Connect in the AWS GovCloud (US-West) Region, see AWS
For information about using AWS Direct Connect in the China (Beijing) Region, see China (Beijing) Region
Endpoints.

Name
US East us-east-2 ds.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 ds.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 ds.us-west-1.amazonaws.com HTTPS

West (N.
California)
Version 1.0
62

Name
US West us-west-2 ds.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 ds.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- ds.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- ds.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- ds.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- ds.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- ds.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- ds.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 ds.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- ds.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- ds.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 ds.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 ds.eu-west-2.amazonaws.com HTTPS

(London)
EU eu-north-1 ds.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 ds.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- ds.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
Version 1.0
63
Amazon DocumentDB

Name
AWS us-gov- ds.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For a list of supported Region endpoints sorted by directory type, see Region Availability for AWS
Directory Service.
For information about using AWS Directory Service in the AWS GovCloud (US-West) Region, see AWS
For information about using AWS Directory Service in the China (Beijing) Region, see China (Beijing)
Region Endpoints.
Amazon DocumentDB
Name
US East us-east-2 rds.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
US East (N. us-east-1 rds.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
US West us-west-2 rds.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
Asia ap- rds.ap-south-1.amazonaws.com HTTP and

(Mumbai)
Asia ap- rds.ap-northeast-2.amazonaws.com HTTP and

(Seoul)
Asia ap- rds.ap-southeast-1.amazonaws.com HTTP and

(Singapore)

(Sydney)

(Tokyo)
EU eu- rds.eu-central-1.amazonaws.com HTTP and

EU eu-west-1 rds.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
Version 1.0
64
Amazon DynamoDB

Name

(London) HTTPS
EU (Paris) eu-west-3 rds.eu-west-3.amazonaws.com HTTP and

HTTPS
For information on finding and connecting to your cluster or instance endpoints, see Working with
Amazon DocumentDB Endpoints in the Amazon DocumentDB Developer's Guide.
Amazon DynamoDB
Name
US East us-east-2 dynamodb.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
dynamodb-fips.us-east-2.amazonaws.com
HTTPS
US East (N. us-east-1 dynamodb.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
HTTPS
US us-west-1 dynamodb.us-west-1.amazonaws.com HTTP and

West (N. HTTPS
California) dynamodb-fips.us-west-1.amazonaws.com
HTTPS
US West us-west-2 dynamodb.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
dynamodb-fips.us-west-2.amazonaws.com
HTTPS
Asia ap-east-1 dynamodb.ap-east-1.amazonaws.com HTTP and

Pacific HTTPS
(Hong
Kong)
Asia ap- dynamodb.ap-south-1.amazonaws.com HTTP and

(Mumbai)
Asia ap- dynamodb.ap-northeast-3.amazonaws.com HTTP and

(Osaka-
Local)

(Seoul)
Version 1.0
65
Amazon DynamoDB

Name
Asia ap- dynamodb.ap-southeast-1.amazonaws.com HTTP and

(Singapore)
Asia ap- dynamodb.ap-southeast-2.amazonaws.com HTTP and

(Sydney)

(Tokyo)
Canada ca- dynamodb.ca-central-1.amazonaws.com HTTP and

dynamodb-fips.ca-central-1.amazonaws.com
HTTPS
China cn-north-1 dynamodb.cn-north-1.amazonaws.com.cn HTTP and

(Beijing) HTTPS
China cn- dynamodb.cn-northwest-1.amazonaws.com.cn HTTP and

EU eu- dynamodb.eu-central-1.amazonaws.com HTTP and

EU eu-west-1 dynamodb.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
EU eu-west-2 dynamodb.eu-west-2.amazonaws.com HTTP and

(London) HTTPS
EU (Paris) eu-west-3 dynamodb.eu-west-3.amazonaws.com HTTP and

HTTPS
EU eu-north-1 dynamodb.eu-north-1.amazonaws.com HTTP and

(Stockholm) HTTPS
Middle me- dynamodb.me-south-1.amazonaws.com HTTP and

East south-1 HTTPS
(Bahrain)
South sa-east-1 dynamodb.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
AWS us-gov- dynamodb.us-gov-east-1.amazonaws.com HTTP and

(US-East) dynamodb.us-gov-east-1.amazonaws.com
HTTPS
AWS us-gov- dynamodb.us-gov-west-1.amazonaws.com HTTP and

(US-West) dynamodb.us-gov-west-1.amazonaws.com
HTTPS
Version 1.0
66
DynamoDB Accelerator (DAX)
For information about using Amazon DynamoDB in the AWS GovCloud (US-West) Region, see AWS
For information about using Amazon DynamoDB in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
DynamoDB Accelerator (DAX)

Name
US East us-east-2 dax.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
US East (N. us-east-1 dax.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
US us-west-1 dax.us-west-1.amazonaws.com HTTP and

West (N. HTTPS
California)
US West us-west-2 dax.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
Asia ap- dax.ap-south-1.amazonaws.com HTTP and

(Mumbai)
Asia ap- dax.ap-southeast-1.amazonaws.com HTTP and

(Singapore)
Asia ap- dax.ap-southeast-2.amazonaws.com HTTP and

(Sydney)
Asia ap- dax.ap-northeast-1.amazonaws.com HTTP and

(Tokyo)
EU eu- dax.eu-central-1.amazonaws.com HTTP and

EU eu-west-1 dax.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
South sa-east-1 dax.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
Version 1.0
67
Amazon DynamoDB Streams
Amazon DynamoDB Streams

Name
US East us-east-2 streams.dynamodb.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
HTTPS
US East (N. us-east-1 streams.dynamodb.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
HTTPS
US us-west-1 streams.dynamodb.us-west-1.amazonaws.com HTTP and

West (N. HTTPS
California) dynamodb-fips.us-west-1.amazonaws.com
HTTPS
US West us-west-2 streams.dynamodb.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
dynamodb-fips.us-west-2.amazonaws.com
HTTPS
Asia ap- streams.dynamodb.ap-south-1.amazonaws.com HTTP and

(Mumbai)
Asia ap- streams.dynamodb.ap- HTTP and

Pacific northeast-3 northeast-3.amazonaws.com HTTPS
(Osaka-
Local)

(Seoul)

Pacific southeast-1 southeast-1.amazonaws.com HTTPS
(Singapore)

Pacific southeast-2 southeast-2.amazonaws.com HTTPS
(Sydney)

(Tokyo)
Canada ca- streams.dynamodb.ca-central-1.amazonaws.com HTTP and

dynamodb-fips.ca-central-1.amazonaws.com
HTTPS
China cn-north-1 streams.dynamodb.cn- HTTP and

(Beijing) north-1.amazonaws.com.cn HTTPS
Version 1.0
68
AWS Elastic Beanstalk

Name
China cn- streams.dynamodb.cn- HTTP and

(Ningxia) northwest-1 northwest-1.amazonaws.com.cn HTTPS
EU eu- streams.dynamodb.eu-central-1.amazonaws.com HTTP and

EU eu-west-1 streams.dynamodb.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
EU eu-west-2 streams.dynamodb.eu-west-2.amazonaws.com HTTP and

(London) HTTPS
EU (Paris) eu-west-3 streams.dynamodb.eu-west-3.amazonaws.com HTTP and

HTTPS
EU eu-north-1 streams.dynamodb.eu-north-1.amazonaws.com HTTP and

(Stockholm) HTTPS
Middle me- streams.dynamodb.me-south-1.amazonaws.com HTTP and

East south-1 HTTPS
(Bahrain)
South sa-east-1 streams.dynamodb.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
AWS us-gov- streams.dynamodb.us-gov- HTTP and

GovCloud east-1 east-1.amazonaws.com HTTPS
(US-East)
dynamodb.us-gov-east-1.amazonaws.com HTTPS
AWS us-gov- streams.dynamodb.us-gov- HTTP and

GovCloud west-1 west-1.amazonaws.com HTTPS
(US-West)
dynamodb.us-gov-west-1.amazonaws.com HTTPS
For information about using Amazon DynamoDB Streams in the AWS GovCloud (US-West) Region, see
For information about using Amazon DynamoDB Streams in the China (Beijing) Region, see China
(Beijing) Region Endpoints.

Name Hosted
Zone ID
US East us-east-2 elasticbeanstalk.us-east-2.amazonaws.com HTTPS Z14LCN19Q5QHIC

(Ohio)
Version 1.0
69

Name Hosted
Zone ID
US us-east-1 elasticbeanstalk.us-east-1.amazonaws.com HTTPS Z117KPS5GTRQ2G

East (N.
Virginia)
US us- elasticbeanstalk.us-west-1.amazonaws.com HTTPS Z1LQECGX5PH1X

West (N. west-1
California)
US West us- elasticbeanstalk.us-west-2.amazonaws.com HTTPS Z38NKT9BP95V3O

(Oregon) west-2
Asia ap-east-1 elasticbeanstalk.ap-east-1.amazonaws.com HTTPS ZPWYUBWRU171A

Pacific
(Hong
Kong)
Asia ap- elasticbeanstalk.ap- HTTPS Z18NTBI3Y7N9TZ

(Mumbai)
Asia ap- elasticbeanstalk.ap- HTTPS ZNE5GEY1TIAGY

Pacific northeast-3northeast-3.amazonaws.com
(Osaka-
Local)
Asia ap- elasticbeanstalk.ap- HTTPS Z3JE5OI70TWKCP

(Seoul)
Asia ap- elasticbeanstalk.ap- HTTPS Z16FZ9L249IFLT

Pacific southeast-1southeast-1.amazonaws.com
(Singapore)
Asia ap- elasticbeanstalk.ap- HTTPS Z2PCDNR3VC2G1N

Pacific southeast-2southeast-2.amazonaws.com
(Sydney)
Asia ap- elasticbeanstalk.ap- HTTPS Z1R25G3KIG2GBW

(Tokyo)
Canada ca- elasticbeanstalk.ca- HTTPS ZJFCZL7SSZB5I

China cn- elasticbeanstalk.cn- HTTPS

(Beijing) north-1 north-1.amazonaws.com.cn
China cn- elasticbeanstalk.cn- HTTPS

EU eu- elasticbeanstalk.eu- HTTPS Z1FRNW7UH4DEZJ

EU eu- elasticbeanstalk.eu-west-1.amazonaws.com HTTPS Z2NYPWQ7DFZAZH

(Ireland) west-1
Version 1.0
70
AWS Elastic Beanstalk Health Service

Name Hosted
Zone ID
EU eu- elasticbeanstalk.eu-west-2.amazonaws.com HTTPS Z1GKAAAUGATPF1

(London) west-2
EU (Paris) eu- elasticbeanstalk.eu-west-3.amazonaws.com HTTPS Z5WN6GAYWG5OB

west-3
EU eu- elasticbeanstalk.eu-north-1.amazonaws.com HTTPS Z23GO28BZ5AETM

(Stockholm)north-1
Middle me- elasticbeanstalk.me- HTTPS Z2BBTEKR2I36N2

East south-1 south-1.amazonaws.com
(Bahrain)
South sa-east-1 elasticbeanstalk.sa-east-1.amazonaws.com HTTPS Z10X7K2B4QSOFV

America
(Sao
Paulo)
AWS us-gov- elasticbeanstalk.us-gov- HTTPS Z35TSARG0EJ4VU

GovCloud east-1 east-1.amazonaws.com
(US-East)
AWS us-gov- elasticbeanstalk.us-gov- HTTPS Z4KAURWC4UUUG

GovCloud west-1 west-1.amazonaws.com
(US-
West)
For information about using AWS Elastic Beanstalk in the China (Beijing) Region, see China (Beijing)
Region Endpoints.

Name
US East us-east-2 elasticbeanstalk-health.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 elasticbeanstalk-health.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 elasticbeanstalk-health.us- HTTPS

West (N. west-1.amazonaws.com
California)
US West us-west-2 elasticbeanstalk-health.us- HTTPS

(Oregon) west-2.amazonaws.com
Asia ap-east-1 elasticbeanstalk-health.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Version 1.0
71

Name
Asia ap- elasticbeanstalk-health.ap- HTTPS

(Mumbai)

(Osaka-
Local)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca- elasticbeanstalk-health.ca- HTTPS

China cn-north-1 elasticbeanstalk-health.cn- HTTPS

(Beijing) north-1.amazonaws.com.cn
China cn- elasticbeanstalk-health.cn- HTTPS

(Ningxia) northwest-1 northwest-1.amazonaws.com.cn
EU eu- elasticbeanstalk-health.eu- HTTPS

EU eu-west-1 elasticbeanstalk-health.eu- HTTPS

(Ireland) west-1.amazonaws.com
EU eu-west-2 elasticbeanstalk-health.eu- HTTPS

(London) west-2.amazonaws.com
EU (Paris) eu-west-3 elasticbeanstalk-health.eu- HTTPS

west-3.amazonaws.com
EU eu-north-1 elasticbeanstalk-health.eu- HTTPS

(Stockholm) north-1.amazonaws.com
Middle me- elasticbeanstalk-health.me- HTTPS

(Bahrain)
South sa-east-1 elasticbeanstalk-health.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Version 1.0
72
Amazon Elastic Compute Cloud (Amazon EC2)

Name
AWS us-gov- elasticbeanstalk-health.us-gov- HTTPS

(US-East)
AWS us-gov- elasticbeanstalk-health.us-gov- HTTPS

(US-West)

Name
US East us-east-2 ec2.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
US East (N. us-east-1 ec2.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
US us-west-1 ec2.us-west-1.amazonaws.com HTTP and

West (N. HTTPS
California)
US West us-west-2 ec2.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
Asia ap-east-1 ec2.ap-east-1.amazonaws.com HTTP and

Pacific HTTPS
(Hong
Kong)
Asia ap- ec2.ap-south-1.amazonaws.com HTTP and

(Mumbai)
Asia ap- ec2.ap-northeast-3.amazonaws.com HTTP and

(Osaka-
Local)

(Seoul)
Asia ap- ec2.ap-southeast-1.amazonaws.com HTTP and

(Singapore)
Asia ap- ec2.ap-southeast-2.amazonaws.com HTTP and

(Sydney)
Version 1.0
73

Name

(Tokyo)
Canada ca- ec2.ca-central-1.amazonaws.com HTTP and

China cn-north-1 ec2.cn-north-1.amazonaws.com.cn HTTP and

(Beijing) HTTPS
China cn- ec2.cn-northwest-1.amazonaws.com.cn HTTP and

EU eu- ec2.eu-central-1.amazonaws.com HTTP and

EU eu-west-1 ec2.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
EU eu-west-2 ec2.eu-west-2.amazonaws.com HTTP and

(London) HTTPS
EU (Paris) eu-west-3 ec2.eu-west-3.amazonaws.com HTTP and

HTTPS
EU eu-north-1 ec2.eu-north-1.amazonaws.com HTTP and

(Stockholm) HTTPS
Middle me- ec2.me-south-1.amazonaws.com HTTP and

East south-1 HTTPS
(Bahrain)
South sa-east-1 ec2.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
AWS us-gov- ec2.us-gov-east-1.amazonaws.com HTTP and

(US-East)
AWS us-gov- ec2.us-gov-west-1.amazonaws.com HTTP and

(US-West)
For information about using Amazon EC2 in the AWS GovCloud (US-West) Region, see AWS GovCloud
For information about using Amazon EC2 in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
Version 1.0
74
Amazon Elastic Container Registry
Amazon Elastic Container Registry

Name
US East us-east-2 ecr.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 ecr.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 ecr.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 ecr.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 ecr.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- ecr.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- ecr.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- ecr.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- ecr.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- ecr.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- ecr.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 ecr.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- ecr.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- ecr.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 ecr.eu-west-1.amazonaws.com HTTPS

(Ireland)
Version 1.0
75
Amazon Elastic Container Service

Name
EU eu-west-2 ecr.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 ecr.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 ecr.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- ecr.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 ecr.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- ecr.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- ecr.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon ECR in the China (Beijing) Region, see China (Beijing) Region
Endpoints.

Name
US East us-east-2 ecs.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 ecs.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 ecs.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 ecs.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 ecs.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Version 1.0
76

Name
Asia ap- ecs.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- ecs.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- ecs.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- ecs.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- ecs.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- ecs.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 ecs.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- ecs.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- ecs.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 ecs.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 ecs.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 ecs.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 ecs.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- ecs.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 ecs.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- ecs.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
Version 1.0
77
Amazon Elastic Kubernetes Service (Amazon EKS)

Name
AWS us-gov- ecs.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon ECS in the China (Beijing) Region, see China (Beijing) Region
Endpoints.

Name
US East us-east-2 eks.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 eks.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 eks.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 eks.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- eks.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- eks.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- eks.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- eks.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- eks.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- eks.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 eks.eu-west-1.amazonaws.com HTTPS

(Ireland)
Version 1.0
78
Amazon Elastic File System

Name
EU eu-west-2 eks.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 eks.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 eks.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- eks.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 eks.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)

Name
US East us-east-2 elasticfilesystem.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 elasticfilesystem.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 elasticfilesystem.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 elasticfilesystem.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- elasticfilesystem.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- elasticfilesystem.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- elasticfilesystem.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- elasticfilesystem.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- elasticfilesystem.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Version 1.0
79
Elastic Load Balancing

Name
Canada ca- elasticfilesystem.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- elasticfilesystem.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 elasticfilesystem.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 elasticfilesystem.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 elasticfilesystem.eu-west-3.amazonaws.com HTTPS
AWS us-gov- elasticfilesystem.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)

Region Region Endpoint Protocol Route 53 Route 53
Name Hosted Zone Hosted Zone ID
ID (Application (Network Load
Load Balancers, Balancers)
Classic Load
Balancers)
US East us-east-2 elasticloadbalancing.us- HTTPS Z3AADJGX6KTTL2ZLMOA37VPKANP

(Ohio) east-2.amazonaws.com
US us-east-1 elasticloadbalancing.us- HTTPS Z35SXDOTRQ7X7KZ26RNL4JYFTOTI

East (N. east-1.amazonaws.com
Virginia)
US us-west-1 elasticloadbalancing.us- HTTPS Z368ELLRRE2KJ0 Z24FKFUX50B4VW

West (N. west-1.amazonaws.com
California)
US West us-west-2 elasticloadbalancing.us- HTTPS Z1H1FL5HABSF5 Z18D5FSROUN65G

(Oregon) west-2.amazonaws.com
Asia ap-east-1 elasticloadbalancing.ap- HTTPS Z3DQVH9N71FHZ0Z12Y7K3UBGUAD1

Pacific east-1.amazonaws.com
(Hong
Kong)
Asia ap- elasticloadbalancing.ap- HTTPS ZP97RAFLXTNZK ZVDDRBQ08TROA

(Mumbai)
Asia ap- elasticloadbalancing.ap- HTTPS Z5LXEXXYW11ES Z1GWIQ4HH19I5X

Version 1.0
80
Region Region Endpoint Protocol Route 53 Route 53

Name Hosted Zone Hosted Zone ID
ID (Application (Network Load
Load Balancers, Balancers)
Classic Load
Balancers)
(Osaka-
Local)
Asia ap- elasticloadbalancing.ap- HTTPS ZWKZPGTI48KDX ZIBE1TIR4HY56

(Seoul)
Asia ap- elasticloadbalancing.ap- HTTPS Z1LMS91P8CMLE5ZKVM4W9LS7TM

(Singapore)
Asia ap- elasticloadbalancing.ap- HTTPS Z1GM3OXH4ZPM65

ZCT6FZBF4DROD
(Sydney)
Asia ap- elasticloadbalancing.ap- HTTPS Z14GRHDCWA56QT

Z31USIVHYNEOWT
(Tokyo)
Canada ca- elasticloadbalancing.ca- HTTPS ZQSVJUPU6J1EY Z2EPGBW3API2WT

China cn- elasticloadbalancing.cn- HTTPS

(Beijing) north-1 north-1.amazonaws.com.cn
China cn- elasticloadbalancing.cn- HTTPS

EU eu- elasticloadbalancing.eu- HTTPS Z215JYRZR1TBD5 Z3F0SRJ5LGBH90

EU eu-west-1 elasticloadbalancing.eu- HTTPS Z32O12XQLNTSW2

Z2IFOLAFXWLO4F
(Ireland) west-1.amazonaws.com
EU eu-west-2 elasticloadbalancing.eu- HTTPS ZHURV8PSTC4K8 ZD4D7Y8KGAS4G

(London) west-2.amazonaws.com
EU (Paris) eu-west-3 elasticloadbalancing.eu- HTTPS Z3Q77PNBQS71R4Z1CMS0P5QUZ6D5

EU eu- elasticloadbalancing.eu- HTTPS Z23TAZ6LKFMNIOZ1UDT6IFJ4EJM

(Stockholm) north-1 north-1.amazonaws.com
Middle me- elasticloadbalancing.me- HTTPS ZS929ML54UICD Z3QSRYVP46NYYV

(Bahrain)
South sa-east-1 elasticloadbalancing.sa- HTTPS Z2P70J7HTTTPLU ZTK26PT1VY4CU

America east-1.amazonaws.com
(São
Paulo)
Version 1.0
81
Amazon Elastic Transcoder
If you just specify the general endpoint (elasticloadbalancing.amazonaws.com), Elastic Load Balancing
directs your request to the us-east-1 endpoint.
For information about using Elastic Load Balancing in the AWS GovCloud (US-West) Region, see AWS
For information about using Elastic Load Balancing in the China (Beijing) Region, see China (Beijing)
Region Endpoints.

Name
US East (N. us-east-1 elastictranscoder.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 elastictranscoder.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 elastictranscoder.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- elastictranscoder.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- elastictranscoder.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- elastictranscoder.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- elastictranscoder.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu-west-1 elastictranscoder.eu-west-1.amazonaws.com HTTPS

(Ireland)
Amazon ElastiCache
Name
US East us-east-2 elasticache.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 elasticache.us-east-1.amazonaws.com HTTPS

Virginia)
Version 1.0
82
Amazon ElastiCache

Name
US us-west-1 elasticache.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 elasticache.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 elasticache.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- elasticache.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- elasticache.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- elasticache.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- elasticache.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- elasticache.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 elasticache.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- elasticache.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- elasticache.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 elasticache.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 elasticache.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 elasticache.eu-west-3.amazonaws.com HTTPS
Version 1.0
83
Amazon Elasticsearch Service

Name
EU eu-north-1 elasticache.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- elasticache.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 elasticache.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- elasticache.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- elasticache.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Additional Information:
The Asia Pacific (Osaka-Local) Region is a local Region that is available to select AWS customers who
request access. Customers wishing to use the Asia Pacific (Osaka-Local) Region should speak with their
sales representative. The Asia Pacific (Osaka-Local) Region supports a single availability zone.
For information about using Amazon ElastiCache in the AWS GovCloud (US-West) Region, see AWS

Name
US East us-east-2 es.us-east-2.amazonaws.com HTTPS

(Ohio)
es-fips.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 es.us-east-1.amazonaws.com HTTPS

Virginia)
es-fips.us-east-1.amazonaws.com HTTPS
US us-west-1 es.us-west-1.amazonaws.com HTTPS

West (N.
California) es-fips.us-west-1.amazonaws.com HTTPS
US West us-west-2 es.us-west-2.amazonaws.com HTTPS

(Oregon)
es-fips.us-west-2.amazonaws.com HTTPS
Asia ap-east-1 es.ap-east-1.amazonaws.com HTTPS

Pacific
Version 1.0
84

Name
(Hong
Kong)
Asia ap- es.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- es.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- es.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- es.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- es.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- es.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 es.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- es.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- es.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 es.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 es.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 es.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 es.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- es.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 es.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Version 1.0
85
Amazon EMR

Name
AWS us-gov- es.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East) es-fips.us-gov-east-1.amazonaws.com HTTPS
AWS us-gov- es.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West) es-fips.us-gov-west-1.amazonaws.com HTTPS
Amazon EMR
Name
US East us-east-2 elasticmapreduce.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 elasticmapreduce.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 elasticmapreduce.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 elasticmapreduce.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 elasticmapreduce.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- elasticmapreduce.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- elasticmapreduce.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- elasticmapreduce.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- elasticmapreduce.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Version 1.0
86
Amazon EMR

Name

(Tokyo)
Canada ca- elasticmapreduce.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 elasticmapreduce.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- elasticmapreduce.cn- HTTPS

EU eu- elasticmapreduce.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 elasticmapreduce.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 elasticmapreduce.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 elasticmapreduce.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 elasticmapreduce.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- elasticmapreduce.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 elasticmapreduce.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- elasticmapreduce.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- elasticmapreduce.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
If you specify the general endpoint (elasticmapreduce.amazonaws.com), Amazon EMR directs your
request to an endpoint in the default Region. For accounts created on or after March 8, 2013, the default
Region is us-west-2; for older accounts, the default Region is us-east-1.
For information about using Amazon EMR in the AWS GovCloud (US-West) Region, see AWS GovCloud
For information about using Amazon EMR in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
Version 1.0
87
Amazon EventBridge
Amazon EventBridge
Name
US East us-east-2 events.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 events.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 events.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 events.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 events.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- events.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)

(Osaka-
Local)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca- events.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 events.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- events.cn-northwest-1.amazonaws.com.cn HTTPS

Version 1.0
88
AWS Firewall Manager

Name
EU eu- events.eu-central-1.amazonaws.com HTTPS


(Ireland)

(London)
EU (Paris) eu-west-3 events.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 events.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- events.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 events.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- events.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- events.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon CloudWatch Events in the AWS GovCloud (US-West) Region, see

Name
US East us-east-2 fms.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 fms.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 fms.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 fms.us-west-2.amazonaws.com HTTPS

(Oregon)
Version 1.0
89
Amazon Forecast

Name
Asia ap- fms.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- fms.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- fms.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- fms.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- fms.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 fms.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 fms.eu-west-2.amazonaws.com HTTPS

(London)
Amazon Forecast
Amazon Forecast

Name
US East us-east-2 forecast.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 forecast.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 forecast.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- forecast.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- forecast.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu-west-1 forecast.eu-west-1.amazonaws.com HTTPS

(Ireland)
Version 1.0
90
Amazon Forecast Query
Amazon Forecast Query

Name
US East us-east-2 forecastquery.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 forecastquery.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 forecastquery.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- forecastquery.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- forecastquery.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu-west-1 forecastquery.eu-west-1.amazonaws.com HTTPS

(Ireland)
Amazon FreeRTOS
The following tables provide a list of Region-specific endpoints that Amazon FreeRTOS supports for
Over-the-Air functionality. The Amazon FreeRTOS console is also supported in these Regions.
Amazon FreeRTOS OTA Control Plane

Name
US East us-east-2 iot.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 iot.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 iot.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 iot.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 iot.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Version 1.0
91
Amazon FreeRTOS OTA Data Plane

Name
Asia ap- iot.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- iot.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- iot.ap-southeast-1.amazonaws.com HTTPS

(Singapore)

(Sydney)

(Tokyo)
Canada ca- iot.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- iot.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 iot.eu-west-1.amazonaws.com HTTPS

(Ireland)

(London)
EU (Paris) eu-west-3 iot.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 iot.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- iot.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 iot.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Amazon FreeRTOS OTA Data Plane
Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 prefix.iot.us-east-2.amazonaws.com MQTT
US East (N. us-east-1 prefix.iot.us-east-1.amazonaws.com MQTT

Virginia)
Version 1.0
92
Amazon FSx
US West (N. us-west-1 prefix.iot.us-west-1.amazonaws.com MQTT

California)
US West us-west-2 prefix.iot.us-west-2.amazonaws.com MQTT

(Oregon)
Asia Pacific ap-east-1 prefix.iot.ap-east-1.amazonaws.com MQTT

(Hong Kong)
Asia Pacific ap-south-1 prefix.iot.ap-south-1.amazonaws.com MQTT

(Mumbai)
Asia Pacific ap-northeast-2 prefix.iot.ap-northeast-2.amazonaws.com MQTT

(Seoul)
Asia Pacific ap-southeast-1 prefix.iot.ap-southeast-1.amazonaws.com MQTT

(Singapore)

(Sydney)

(Tokyo)
Canada ca-central-1 prefix.iot.ca-central-1.amazonaws.com MQTT

(Central)
EU (Frankfurt) eu-central-1 prefix.iot.eu-central-1.amazonaws.com MQTT
EU (Ireland) eu-west-1 prefix.iot.eu-west-1.amazonaws.com MQTT
EU (London) eu-west-2 prefix.iot.eu-west-2.amazonaws.com MQTT
EU (Paris) eu-west-3 prefix.iot.eu-west-3.amazonaws.com MQTT
EU eu-north-1 prefix.iot.eu-north-1.amazonaws.com MQTT

(Stockholm)
Middle East me-south-1 prefix.iot.me-south-1.amazonaws.com MQTT

(Bahrain)
South America sa-east-1 prefix.iot.sa-east-1.amazonaws.com MQTT

(São Paulo)
Amazon FSx
Name
US East us-east-2 fsx.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 fsx.us-east-1.amazonaws.com HTTPS

Virginia)
Version 1.0
93
Amazon GameLift

Name
US us-west-1 fsx.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 fsx.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- fsx.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- fsx.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- fsx.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- fsx.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 fsx.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 fsx.eu-west-2.amazonaws.com HTTPS

(London)
EU eu-north-1 fsx.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Amazon GameLift
Name
US East us-east-2 gamelift.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 gamelift.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 gamelift.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 gamelift.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- gamelift.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Version 1.0
94
Amazon S3 Glacier

Name
Asia ap- gamelift.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- gamelift.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- gamelift.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- gamelift.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- gamelift.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 gamelift.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
EU eu- gamelift.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 gamelift.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 gamelift.eu-west-2.amazonaws.com HTTPS

(London)
South sa-east-1 gamelift.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Amazon S3 Glacier
Name
US East us-east-2 glacier.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
US East (N. us-east-1 glacier.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
US us-west-1 glacier.us-west-1.amazonaws.com HTTP and

West (N. HTTPS
California)
US West us-west-2 glacier.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
Version 1.0
95
Amazon S3 Glacier

Name
Asia ap-east-1 glacier.ap-east-1.amazonaws.com HTTP and

Pacific HTTPS
(Hong
Kong)
Asia ap- glacier.ap-south-1.amazonaws.com HTTP and

(Mumbai)
Asia ap- glacier.ap-northeast-3.amazonaws.com HTTP and

(Osaka-
Local)

(Seoul)
Asia ap- glacier.ap-southeast-1.amazonaws.com HTTP and

(Singapore)
Asia ap- glacier.ap-southeast-2.amazonaws.com HTTP and

(Sydney)

(Tokyo)
Canada ca- glacier.ca-central-1.amazonaws.com HTTP and

China cn-north-1 glacier.cn-north-1.amazonaws.com.cn HTTP and

(Beijing) HTTPS
China cn- glacier.cn-northwest-1.amazonaws.com.cn HTTP and

EU eu- glacier.eu-central-1.amazonaws.com HTTP and

EU eu-west-1 glacier.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
EU eu-west-2 glacier.eu-west-2.amazonaws.com HTTP and

(London) HTTPS
EU (Paris) eu-west-3 glacier.eu-west-3.amazonaws.com HTTP and

HTTPS
EU eu-north-1 glacier.eu-north-1.amazonaws.com HTTP and

(Stockholm) HTTPS
Middle me- glacier.me-south-1.amazonaws.com HTTP and

East south-1 HTTPS
(Bahrain)
Version 1.0
96
AWS Global Accelerator

Name
South sa-east-1 glacier.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
AWS us-gov- glacier.us-gov-east-1.amazonaws.com HTTP and

(US-East)
AWS us-gov- glacier.us-gov-west-1.amazonaws.com HTTP and

(US-West)
For information about using Amazon S3 Glacier in the AWS GovCloud (US-West) Region, see AWS
For information about using Amazon S3 Glacier in the China (Beijing) Region, see China (Beijing) Region
Endpoints.

Region Region Endpoint Protocol Amazon
Name Route 53
Hosted
Zone ID*
US West us-west-2 globalaccelerator.amazonaws.com HTTPS Z2BJ6XQ5FK7U4H

(Oregon)
Region
AWS Glue
Name
US East us-east-2 glue.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 glue.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 glue.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 glue.us-west-2.amazonaws.com HTTPS

(Oregon)
Version 1.0
97
AWS Glue

Name
Asia ap-east-1 glue.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- glue.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- glue.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- glue.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- glue.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- glue.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- glue.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- glue.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 glue.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 glue.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 glue.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 glue.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- glue.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 glue.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- glue.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
Version 1.0
98
AWS Ground Station

Name
AWS us-gov- glue.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
AWS Ground Station

Name
US East us-east-2 groundstation.us-east-2.amazonaws.com HTTPS

(Ohio)
US West us-west-2 groundstation.us-west-2.amazonaws.com HTTPS

(Oregon)
Amazon GuardDuty
Name
US East us-east-2 guardduty.us-east-2.amazonaws.com HTTPS

(Ohio)
guardduty-fips.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 guardduty.us-east-1.amazonaws.com HTTPS

Virginia)
guardduty-fips.us-east-1.amazonaws.com HTTPS
US us-west-1 guardduty.us-west-1.amazonaws.com HTTPS

West (N.
California) guardduty-fips.us-west-1.amazonaws.com HTTPS
US West us-west-2 guardduty.us-west-2.amazonaws.com HTTPS

(Oregon)
guardduty-fips.us-west-2.amazonaws.com HTTPS
Asia ap-east-1 guardduty.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- guardduty.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- guardduty.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Version 1.0
99
AWS Health

Name
Asia ap- guardduty.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- guardduty.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- guardduty.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- guardduty.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- guardduty.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 guardduty.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 guardduty.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 guardduty.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 guardduty.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- guardduty.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 guardduty.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- guardduty.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
AWS Health
AWS Health has a single endpoint: health.us-east-1.amazonaws.com (HTTPS).
Version 1.0
100
AWS Identity and Access Management (IAM)

Name
US East us-east-2 iam.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 iam.amazonaws.com HTTPS

Virginia)
US us-west-1 iam.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 iam.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 iam.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- iam.amazonaws.com HTTPS

Pacific south-1
(Mumbai)

(Osaka-
Local)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca- iam.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 iam.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- iam.cn-north-1.amazonaws.com.cn HTTPS

Version 1.0
101
AWS Import/Export

Name
EU eu- iam.amazonaws.com HTTPS

EU eu-west-1 iam.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 iam.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 iam.amazonaws.com HTTPS
EU eu-north-1 iam.amazonaws.com HTTPS

(Stockholm)
Middle me- iam.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 iam.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- iam.us-gov.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- iam.us-gov.amazonaws.com HTTPS

GovCloud west-1
(US-West)
AWS Import/Export
AWS Snowball is a standalone service now. For Region information on that service, see AWS
Snowball (p. 193).
AWS Import/Export Disk

AWS Import/Export Disk has a single endpoint for all Regions.
Endpoint Protocol
importexport.amazonaws.com HTTPS
Version 1.0
102
Amazon Inspector
Amazon Inspector
Name
US East us-east-2 inspector.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 inspector.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 inspector.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 inspector.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- inspector.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- inspector.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- inspector.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- inspector.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- inspector.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 inspector.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 inspector.eu-west-2.amazonaws.com HTTPS

(London)
EU eu-north-1 inspector.eu-north-1.amazonaws.com HTTPS

(Stockholm)
AWS us-gov- inspector.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- inspector.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon Inspector in the AWS GovCloud (US-West) Region, see AWS
Version 1.0
103
AWS IoT 1-Click
AWS IoT 1-Click

AWS IoT 1-Click Projects API
Name
US East us-east-2 projects.iot1click.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 projects.iot1click.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 projects.iot1click.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- projects.iot1click.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- projects.iot1click.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 projects.iot1click.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 projects.iot1click.eu-west-2.amazonaws.com HTTPS

(London)
AWS IoT 1-Click Devices API

US West (Oregon) us-west-2 devices.iot1click.us- HTTPS

AWS IoT Analytics

The following table provides a list of Region-specific endpoints that AWS IoT Analytics supports.

Name
US East us-east-2 iotanalytics.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 iotanalytics.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 iotanalytics.us-west-2.amazonaws.com HTTPS

(Oregon)
Version 1.0
104
AWS IoT Core

Name
Asia ap- iotanalytics.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- iotanalytics.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 iotanalytics.eu-west-1.amazonaws.com HTTPS

(Ireland)
AWS IoT Core

The following table provides a list of Region-specific endpoints that AWS IoT supports for working with
rules, certificates, and policies.

Name

(Ohio)

Virginia)

West (N.
California)

(Oregon)

Pacific
(Hong
Kong)

Pacific south-1
(Mumbai)

(Seoul)

(Singapore)

(Sydney)
Version 1.0
105
AWS IoT Core

Name

(Tokyo)

(Central) central-1
China cn-north-1 iot.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- iot.cn-northwest-1.amazonaws.com.cn HTTPS



(Ireland)

(London)

(Stockholm)

East south-1
(Bahrain)
South sa-east-1 iot.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- iot.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS IoT in the AWS GovCloud (US-West) Region, see AWS GovCloud (US-
West) Endpoints.
For information about using AWS IoT in the China (Beijing) Region, see China (Beijing) Region Endpoints.
AWS IoT supports additional endpoints for working with device shadows. These endpoints add an
account specific prefix to the endpoints already listed and can be used with both the MQTT and HTTPS
protocols. To look up your account-specific prefix, use the describe-endpoint command:
US East (Ohio) us-east-2 prefix.iot.us-east-2.amazonaws.com HTTPS, MQTT
US East (N. us-east-1 prefix.iot.us-east-1.amazonaws.com HTTPS, MQTT

Virginia)
Version 1.0
106
AWS IoT Core
US West (N. us-west-1 prefix.iot.us-west-1.amazonaws.com HTTPS, MQTT

California)
US West us-west-2 prefix.iot.us-west-2.amazonaws.com HTTPS, MQTT

(Oregon)
Asia Pacific ap-east-1 prefix.iot.ap-east-1.amazonaws.com HTTPS, MQTT

(Hong Kong)
Asia Pacific ap-south-1 prefix.iot.ap-south-1.amazonaws.com HTTPS, MQTT

(Mumbai)
Asia Pacific ap-northeast-2 prefix.iot.ap-northeast-2.amazonaws.com HTTPS, MQTT

(Seoul)
Asia Pacific ap-southeast-1 prefix.iot.ap-southeast-1.amazonaws.com HTTPS, MQTT

(Singapore)
Asia Pacific ap-southeast-2 prefix.iot.ap-southeast-2.amazonaws.com HTTPS, MQTT

(Sydney)
Asia Pacific ap-northeast-1 prefix.iot.ap-northeast-1.amazonaws.com HTTPS, MQTT

(Tokyo)
Canada ca-central-1 prefix.iot.ca-central-1.amazonaws.com HTTPS, MQTT

(Central)
China (Beijing) cn-north-1 prefix.iot.cn-north-1.amazonaws.com.cn HTTPS, MQTT
China (Ningxia) cn- prefix.iot.cn-northwest-1.amazonaws.com.cn HTTPS, MQTT

northwest-1
EU (Frankfurt) eu-central-1 prefix.iot.eu-central-1.amazonaws.com HTTPS, MQTT
EU (Ireland) eu-west-1 prefix.iot.eu-west-1.amazonaws.com HTTPS, MQTT
EU (London) eu-west-2 prefix.iot.eu-west-2.amazonaws.com HTTPS, MQTT
EU (Paris) eu-west-3 prefix.iot.eu-west-3.amazonaws.com HTTPS, MQTT
EU eu-north-1 prefix.iot.eu-north-1.amazonaws.com HTTPS, MQTT

(Stockholm)
Middle East me-south-1 prefix.iot.me-south-1.amazonaws.com HTTPS, MQTT

(Bahrain)
South America sa-east-1 prefix.iot.sa-east-1.amazonaws.com HTTPS, MQTT

(São Paulo)
AWS GovCloud us-gov-west-1 prefix.iot.us-gov-west-1.amazonaws.com HTTPS, MQTT

(US-West)
AWS IoT supports multiple protocols for accessing the message broker and the Thing Shadows service.
The following table lists the ports to use for each protocol.
Version 1.0
107
AWS IoT Device Defender
Port Protocol Authentication Mechanism
443 HTTPS Signature Version 4
443 MQTT over Signature Version 4

WebSocket
8443 HTTPS TLS client authentication, with certificates
8883 MQTT TLS client authentication, with certificates

The following table provides a list of Region-specific endpoints supported by AWS IoT Device Defender.

Name

(Ohio)

Virginia)

West (N.
California)

(Oregon)

Pacific
(Hong
Kong)

Pacific south-1
(Mumbai)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Version 1.0
108
AWS IoT Device Management

Name

(Central) central-1


(Ireland)

(London)

(Stockholm)

East south-1
(Bahrain)
AWS us-gov- iot.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)

The following table provides a list of Region-specific endpoints that AWS IoT Device Management
supports.
US East (Ohio) us-east-2 iot.us-east-2.amazonaws.com HTTPS

Virginia)
US West (N. us-west-1 iot.us-west-1.amazonaws.com HTTPS

California)

(Oregon)
Asia Pacific ap-east-1 iot.ap-east-1.amazonaws.com HTTPS

(Hong Kong)
Asia Pacific ap-south-1 iot.ap-south-1.amazonaws.com HTTPS

(Mumbai)
Asia Pacific ap-northeast-2 iot.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia Pacific ap-southeast-1 iot.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Version 1.0
109
Asia Pacific ap-southeast-2 iot.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia Pacific ap-northeast-1 iot.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca-central-1 iot.ca-central-1.amazonaws.com HTTPS

(Central)
China (Beijing) cn-north-1 iot.cn-north-1.amazonaws.com.cn HTTPS
China (Ningxia) cn- iot.cn-northwest-1.amazonaws.com.cn HTTPS

northwest-1
EU (Frankfurt) eu-central-1 iot.eu-central-1.amazonaws.com HTTPS
EU (Ireland) eu-west-1 iot.eu-west-1.amazonaws.com HTTPS
EU (London) eu-west-2 iot.eu-west-2.amazonaws.com HTTPS

(Stockholm)
Middle East me-south-1 iot.me-south-1.amazonaws.com HTTPS

(Bahrain)
South America sa-east-1 iot.sa-east-1.amazonaws.com HTTPS

(São Paulo)
AWS GovCloud us-gov-west-1 iot.us-gov-west-1.amazonaws.com HTTPS

(US-West)
For information about using AWS IoT in the AWS GovCloud (US-West) Region, see AWS GovCloud (US-
West) Endpoints.
For information about using AWS IoT in the China (Beijing) Region, see China (Beijing) Region Endpoints.
AWS IoT Device Management supports additional endpoints for working with jobs. These endpoints
add an account specific prefix to the endpoints already listed and can be used with both the MQTT and
HTTPS protocols. To look up your account-specific prefix, use the describe-endpoint command:
US East (Ohio) us-east-2 prefix.iot.us-east-2.amazonaws.com MQTT
US East (N. us-east-1 prefix.iot.us-east-1.amazonaws.com MQTT

Virginia)
US West (N. us-west-1 prefix.iot.us-west-1.amazonaws.com MQTT

California)
US West us-west-2 prefix.iot.us-west-2.amazonaws.com MQTT

(Oregon)
Version 1.0
110
Asia Pacific ap-east-1 prefix.iot.ap-east-1.amazonaws.com MQTT

(Hong Kong)
Asia Pacific ap-south-1 prefix.iot.ap-south-1.amazonaws.com MQTT

(Mumbai)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca-central-1 prefix.iot.ca-central-1.amazonaws.com MQTT

(Central)
China (Beijing) cn-north-1 prefix.iot.cn-north-1.amazonaws.com.cn MQTT
China (Ningxia) cn- prefix.iot.cn-northwest-1.amazonaws.com.cn MQTT

northwest-1
EU (Frankfurt) eu-central-1 prefix.iot.eu-central-1.amazonaws.com MQTT
EU (Ireland) eu-west-1 prefix.iot.eu-west-1.amazonaws.com MQTT
EU (London) eu-west-2 prefix.iot.eu-west-2.amazonaws.com MQTT
EU (Paris) eu-west-3 prefix.iot.eu-west-3.amazonaws.com MQTT
EU eu-north-1 prefix.iot.eu-north-1.amazonaws.com MQTT

(Stockholm)
Middle East me-south-1 prefix.iot.me-south-1.amazonaws.com MQTT

(Bahrain)
South America sa-east-1 prefix.iot.sa-east-1.amazonaws.com MQTT

(São Paulo)
AWS GovCloud us-gov-west-1 prefix.iot.us-gov-west-1.amazonaws.com MQTT

(US-West)
US East (Ohio) us-east-2 prefix.jobs.iot.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 prefix.jobs.iot.us-east-1.amazonaws.com HTTPS

Virginia)
US West (N. us-west-1 prefix.jobs.iot.us-west-1.amazonaws.com HTTPS

California)
Version 1.0
111
AWS IoT Events
US West us-west-2 prefix.jobs.iot.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia Pacific ap-east-1 prefix.jobs.iot.ap-east-1.amazonaws.com HTTPS

(Hong Kong)
Asia Pacific ap-south-1 prefix.jobs.iot.ap-south-1.amazonaws.com HTTPS

(Mumbai)
Asia Pacific ap-northeast-2 prefix.jobs.iot.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia Pacific ap-southeast-1 prefix.jobs.iot.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia Pacific ap-southeast-2 prefix.jobs.iot.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia Pacific ap-northeast-1 prefix.jobs.iot.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca-central-1 prefix.jobs.iot.ca-central-1.amazonaws.com HTTPS

(Central)
China (Beijing) cn-north-1 prefix.jobs.iot.cn-north-1.amazonaws.com.cn HTTPS
China (Ningxia) cn- prefix.jobs.iot.cn-northwest-1.amazonaws.com.cn HTTPS

northwest-1
EU (Frankfurt) eu-central-1 prefix.jobs.iot.eu-central-1.amazonaws.com HTTPS
EU (Ireland) eu-west-1 prefix.jobs.iot.eu-west-1.amazonaws.com HTTPS
EU (London) eu-west-2 prefix.jobs.iot.eu-west-2.amazonaws.com HTTPS
EU (Paris) eu-west-3 prefix.jobs.iot.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 prefix.jobs.iot.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle East me-south-1 prefix.jobs.iot.me-south-1.amazonaws.com HTTPS

(Bahrain)
South America sa-east-1 prefix.jobs.iot.sa-east-1.amazonaws.com HTTPS

(São Paulo)
AWS GovCloud us-gov-west-1 prefix.jobs.iot.us-gov-west-1.amazonaws.com HTTPS

(US-West)
AWS IoT Events

The following table provides a list of Region-specific endpoints that AWS IoT Events supports.
Version 1.0
112
AWS IoT Greengrass

Name
US East us-east-2 iotevents.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 iotevents.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 iotevents.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- iotevents.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- iotevents.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- iotevents.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- iotevents.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- iotevents.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 iotevents.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 iotevents.eu-west-2.amazonaws.com HTTPS

(London)
AWS IoT Greengrass

Control Plane Operations
The following table contains AWS Region-specific endpoints that AWS IoT Greengrass supports for group
management operations.

Name
US East us-east-2 greengrass.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 greengrass.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 greengrass.us-west-2.amazonaws.com HTTPS

(Oregon)
Version 1.0
113
AWS IoT Device Operations

Name
Asia ap- greengrass.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- greengrass.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- greengrass.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- greengrass.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- greengrass.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
China cn-north-1 greengrass.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
EU eu- greengrass.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 greengrass.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 greengrass.eu-west-2.amazonaws.com HTTPS

(London)
AWS us-gov- greengrass.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS IoT Greengrass in the AWS GovCloud (US-West) Region, see AWS
For information about using AWS IoT Greengrass in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
AWS IoT Device Operations

The following table contains AWS Region-specific Amazon Trust Services (ATS) endpoints for AWS IoT
device management operations, such as shadow sync. This is a data plane API.
To look up your account-specific endpoint, use the aws iot describe-endpoint --endpoint-type iot:Data-
ATS command.
US East (Ohio) us-east-2 prefix-ats.iot.us-east-2.amazonaws.com HTTPS, MQTT
Version 1.0
114
Discovery Operations
US East (N. us-east-1 prefix-ats.iot.us-east-1.amazonaws.com HTTPS, MQTT

Virginia)
US West us-west-2 prefix-ats.iot.us-west-2.amazonaws.com HTTPS, MQTT

(Oregon)
Asia Pacific ap-south-1 prefix-ats.iot.ap-south-1.amazonaws.com HTTPS, MQTT

(Mumbai)
Asia Pacific ap-northeast-2 prefix-ats.iot.ap-northeast-2.amazonaws.com HTTPS, MQTT

(Seoul)
Asia Pacific ap-southeast-1 prefix-ats.iot.ap-southeast-1.amazonaws.com HTTPS, MQTT

(Singapore)
Asia Pacific ap-southeast-2 prefix-ats.iot.ap-southeast-2.amazonaws.com HTTPS, MQTT

(Sydney)
Asia Pacific ap-northeast-1 prefix-ats.iot.ap-northeast-1.amazonaws.com HTTPS, MQTT

(Tokyo)
China (Beijing) cn-north-1 prefix.ats.iot.cn-north-1.amazonaws.com.cn HTTPS, MQTT
EU (Frankfurt) eu-central-1 prefix-ats.iot.eu-central-1.amazonaws.com HTTPS, MQTT
EU (Ireland) eu-west-1 prefix-ats.iot.eu-west-1.amazonaws.com HTTPS, MQTT
EU (London) eu-west-2 prefix-ats.iot.eu-west-2.amazonaws.com HTTPS, MQTT
AWS GovCloud us-gov-west-1 prefix-ats.iot.us-gov-west-1.amazonaws.com HTTPS, MQTT

(US-West)
Note
Legacy Verisign endpoints are currently supported for some Regions (p. 116), but we
recommend that you use ATS endpoints with ATS root CA certificates. For more information, see
Server Authentication in the AWS IoT Developer Guide.
Discovery Operations
The following table contains AWS Region-specific ATS endpoints for device discovery operations using
the AWS IoT Greengrass Discovery API. This is a data plane API.
US East (Ohio) us-east-2 greengrass-ats.iot.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 greengrass-ats.iot.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 greengrass-ats.iot.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia Pacific ap-south-1 greengrass-ats.iot.ap-south-1.amazonaws.com HTTPS

(Mumbai)
Version 1.0
115
Supported Legacy Endpoints
Asia Pacific ap-northeast-2 greengrass-ats.iot.ap- HTTPS

(Seoul) northeast-2.amazonaws.com
Asia Pacific ap-southeast-1 greengrass-ats.iot.ap- HTTPS

(Singapore) southeast-1.amazonaws.com
Asia Pacific ap-southeast-2 greengrass-ats.iot.ap- HTTPS

(Sydney) southeast-2.amazonaws.com
Asia Pacific ap-northeast-1 greengrass-ats.iot.ap- HTTPS

(Tokyo) northeast-1.amazonaws.com
China (Beijing) cn-north-1 greengrass.ats.iot.cn-north-1.amazonaws.com.cn HTTPS
EU (Frankfurt) eu-central-1 greengrass-ats.iot.eu-central-1.amazonaws.com HTTPS
EU (Ireland) eu-west-1 greengrass-ats.iot.eu-west-1.amazonaws.com HTTPS
EU (London) eu-west-2 greengrass-ats.iot.eu-west-2.amazonaws.com HTTPS
AWS GovCloud us-gov-west-1 greengrass-ats.iot.us-gov-west-1.amazonaws.com HTTPS

(US-West)
Note
Legacy Verisign endpoints are currently supported for some Regions (p. 116), but we
recommend that you use ATS endpoints with ATS root CA certificates. For more information, see
Server Authentication in the AWS IoT Developer Guide.
Supported Legacy Endpoints

We recommend that you use the ATS endpoints in the preceding tables with ATS root CA certificates.
For backward compatibility, AWS IoT Greengrass currently supports legacy Verisign endpoints in the
following AWS Regions. This support is expected to end in the future. For more information, see Server
Authentication in the AWS IoT Developer Guide.
When using legacy Verisign endpoints, you must use Verisign root CA certificates.
AWS IoT Device Operations (Legacy Endpoints)
US East (N. us-east-1 prefix.iot.us-east-1.amazonaws.com HTTPS, MQTT

Virginia)
US West us-west-2 prefix.iot.us-west-2.amazonaws.com HTTPS, MQTT

(Oregon)
Asia Pacific ap- prefix.iot.ap-southeast-2.amazonaws.com HTTPS, MQTT

Asia Pacific ap- prefix.iot.ap-northeast-1.amazonaws.com HTTPS, MQTT

(Tokyo) northeast-1
EU (Frankfurt) eu-central-1 prefix.iot.eu-central-1.amazonaws.com HTTPS, MQTT
EU (Ireland) eu-west-1 prefix.iot.eu-west-1.amazonaws.com HTTPS, MQTT
Version 1.0
116
AWS IoT Things Graph
To look up your account-specific legacy endpoint, use the aws iot describe-endpoint --endpoint-type
iot:Data command.
Discovery Operations (Legacy Endpoints)
US East (N. us-east-1 greengrass.iot.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 greengrass.iot.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia Pacific ap- greengrass.iot.ap-southeast-2.amazonaws.com HTTPS

Asia Pacific ap- greengrass.iot.ap-northeast-1.amazonaws.com HTTPS

(Tokyo) northeast-1
EU (Frankfurt) eu-central-1 greengrass.iot.eu-central-1.amazonaws.com HTTPS
EU (Ireland) eu-west-1 greengrass.iot.eu-west-1.amazonaws.com HTTPS

The following table provides a list of Region-specific endpoints that AWS IoT Things Graph supports.

Name
US East (N. us-east-1 iotthingsgraph.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 iotthingsgraph.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- iotthingsgraph.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- iotthingsgraph.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- iotthingsgraph.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu-west-1 iotthingsgraph.eu-west-1.amazonaws.com HTTPS

(Ireland)
Version 1.0
117
AWS Key Management Service
AWS Key Management Service

Name
US East us-east-2 kms.us-east-2.amazonaws.com HTTPS

(Ohio)
kms-fips.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 kms.us-east-1.amazonaws.com HTTPS

Virginia)
kms-fips.us-east-1.amazonaws.com HTTPS
US us-west-1 kms.us-west-1.amazonaws.com HTTPS

West (N.
California) kms-fips.us-west-1.amazonaws.com HTTPS
US West us-west-2 kms.us-west-2.amazonaws.com HTTPS

(Oregon)
kms-fips.us-west-2.amazonaws.com HTTPS
Asia ap-east-1 kms.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong kms-fips.ap-east-1.amazonaws.com HTTPS
Kong)
Asia ap- kms.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai) kms-fips.ap-south-1.amazonaws.com HTTPS
Asia ap- kms.ap-northeast-3.amazonaws.com HTTPS

(Osaka- kms-fips.ap-northeast-3.amazonaws.com HTTPS
Local)

(Seoul) kms-fips.ap-northeast-2.amazonaws.com HTTPS
Asia ap- kms.ap-southeast-1.amazonaws.com HTTPS

(Singapore) kms-fips.ap-southeast-1.amazonaws.com HTTPS
Asia ap- kms.ap-southeast-2.amazonaws.com HTTPS

(Sydney) kms-fips.ap-southeast-2.amazonaws.com HTTPS

(Tokyo) kms-fips.ap-northeast-1.amazonaws.com HTTPS
Canada ca- kms.ca-central-1.amazonaws.com HTTPS

(Central) central-1
kms-fips.ca-central-1.amazonaws.com HTTPS
China cn-north-1 kms.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
Version 1.0
118
Amazon Kinesis Data Analytics

Name
China cn- kms.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- kms.eu-central-1.amazonaws.com HTTPS

kms-fips.eu-central-1.amazonaws.com HTTPS
EU eu-west-1 kms.eu-west-1.amazonaws.com HTTPS

(Ireland)
kms-fips.eu-west-1.amazonaws.com HTTPS
EU eu-west-2 kms.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 kms.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 kms.eu-north-1.amazonaws.com HTTPS

(Stockholm)
kms-fips.eu-north-1.amazonaws.com HTTPS
Middle me- kms.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain) kms-fips.me-south-1.amazonaws.com HTTPS
South sa-east-1 kms.sa-east-1.amazonaws.com HTTPS

America
(Sao kms-fips.sa-east-1.amazonaws.com HTTPS
Paulo)
AWS us-gov- kms.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East) kms-fips.us-gov-east-1.amazonaws.com HTTPS
AWS us-gov- kms.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West) kms-fips.us-gov-west-1.amazonaws.com HTTPS
For information about using AWS Key Management Service in the AWS GovCloud (US-East) Region, see
AWS GovCloud (US-East) Endpoints.
For information about using AWS Key Management Service in the AWS GovCloud (US-West) Region, see

Name
US East us-east-2 kinesisanalytics.us-east-2.amazonaws.com HTTPS

(Ohio)
Version 1.0
119
Amazon Kinesis Data Firehose

Name
US East (N. us-east-1 kinesisanalytics.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 kinesisanalytics.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- kinesisanalytics.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- kinesisanalytics.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- kinesisanalytics.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- kinesisanalytics.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- kinesisanalytics.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- kinesisanalytics.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 kinesisanalytics.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 kinesisanalytics.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 kinesisanalytics.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 kinesisanalytics.eu-north-1.amazonaws.com HTTPS

(Stockholm)

Name
US East us-east-2 firehose.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 firehose.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 firehose.us-west-1.amazonaws.com HTTPS

West (N.
California)
Version 1.0
120

Name
US West us-west-2 firehose.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 firehose.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- firehose.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- firehose.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- firehose.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- firehose.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- firehose.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- firehose.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 firehose.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- firehose.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- firehose.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 firehose.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 firehose.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 firehose.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 firehose.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- firehose.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
Version 1.0
121
Amazon Kinesis Data Streams

Name
South sa-east-1 firehose.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- firehose.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- firehose.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)

Name
US East us-east-2 kinesis.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 kinesis.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 kinesis.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 kinesis.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 kinesis.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- kinesis.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- kinesis.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- kinesis.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Version 1.0
122

Name
Asia ap- kinesis.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- kinesis.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 kinesis.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- kinesis.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- kinesis.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 kinesis.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 kinesis.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 kinesis.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 kinesis.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- kinesis.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 kinesis.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- kinesis.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- kinesis.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon Kinesis Data Streams in the AWS GovCloud (US-West) Region, see
For information about using Amazon Kinesis Data Streams in the China (Beijing) Region, see China
Version 1.0
123
Amazon Kinesis Video Streams

Name
US East (N. us-east-1 kinesisvideo.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 kinesisvideo.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- kinesisvideo.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- kinesisvideo.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- kinesisvideo.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 kinesisvideo.eu-west-1.amazonaws.com HTTPS

(Ireland)
AWS Lake Formation

Name
US East us-east-2 lakeformation.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 lakeformation.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 lakeformation.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- lakeformation.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- lakeformation.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- lakeformation.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- lakeformation.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Version 1.0
124
AWS Lambda

Name
EU eu-west-1 lakeformation.eu-west-1.amazonaws.com HTTPS

(Ireland)
AWS Lambda
Name
US East us-east-2 lambda.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 lambda.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 lambda.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 lambda.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 lambda.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- lambda.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- lambda.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- lambda.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- lambda.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- lambda.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- lambda.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 lambda.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- lambda.cn-northwest-1.amazonaws.com.cn HTTPS

Version 1.0
125
Amazon Lex

Name
EU eu- lambda.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 lambda.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 lambda.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 lambda.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 lambda.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- lambda.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 lambda.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- lambda.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- lambda.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS Lambda in the AWS GovCloud (US-West) Region, see AWS GovCloud
Amazon Lex
Model Building Endpoints

Name
US East (N. us-east-1 models.lex.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 models.lex.us-west-2.amazonaws.com HTTPS

(Oregon)
EU eu-west-1 models.lex.eu-west-1.amazonaws.com HTTPS

(Ireland)
Version 1.0
126
Runtime Endpoints
Runtime Endpoints

Name
US East (N. us-east-1 runtime.lex.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 runtime.lex.us-west-2.amazonaws.com HTTPS

(Oregon)
EU eu-west-1 runtime.lex.eu-west-1.amazonaws.com HTTPS

(Ireland)
AWS License Manager

Name
US East us-east-2 license-manager.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 license-manager.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 license-manager.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 license-manager.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 license-manager.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- license-manager.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- license-manager.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- license-manager.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- license-manager.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Version 1.0
127
AWS License Manager

Name
Asia ap- license-manager.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- license-manager.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 license-manager.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- license-manager.cn- HTTPS

EU eu- license-manager.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 license-manager.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 license-manager.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 license-manager.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 license-manager.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- license-manager.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 license-manager.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- license-manager.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- license-manager.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon EC2 in the AWS GovCloud (US-West) Region, see AWS GovCloud
For information about using Amazon EC2 in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
Version 1.0
128
Amazon Lightsail
Amazon Lightsail
Name
US East us-east-2 lightsail.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 lightsail.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 lightsail.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- lightsail.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- lightsail.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- lightsail.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- lightsail.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- lightsail.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- lightsail.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- lightsail.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 lightsail.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 lightsail.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 lightsail.eu-west-3.amazonaws.com HTTPS
Amazon Macie
Name
US East (N. us-east-1 macie.us-east-1.amazonaws.com HTTPS

Virginia)
Version 1.0
129
Amazon Machine Learning

Name
US West us-west-2 macie.us-west-2.amazonaws.com HTTPS

(Oregon)
Amazon Machine Learning

Name
US East (N. us-east-1 machinelearning.us-east-1.amazonaws.com HTTPS

Virginia)
EU eu-west-1 machinelearning.eu-west-1.amazonaws.com HTTPS

(Ireland)
Amazon Managed Blockchain

US East (N. Virginia) us-east-1 managedblockchain.us- HTTPS

east-1.amazonaws.com
AWS Marketplace
AWS Marketplace is a curated digital catalog that makes it easy for customers to find, buy, deploy,
and manage third-party software and services that customers need to build solutions and run their
businesses. The AWS Marketplace website is available globally. The AWS Marketplace console is available
in the US East (N. Virginia) Region. The product vendor determines which Regions their products are
available in. The following are additional AWS Marketplace services and features with information for the
Region and endpoints used to access them.
AWS Marketplace Commerce Analytics

Name
US East (N. us-east-1 marketplacecommerceanalytics.us- HTTPS

Virginia) east-1.amazonaws.com
Version 1.0
130
AWS Marketplace Entitlement Service
AWS Marketplace Entitlement Service

Name
US East (N. us-east-1 entitlement.marketplace.us- HTTPS

AWS Marketplace Metering Service

Name
US East us-east-2 metering.marketplace.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 metering.marketplace.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 metering.marketplace.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 metering.marketplace.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 metering.marketplace.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- metering.marketplace.ap- HTTPS

(Mumbai)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca- metering.marketplace.ca- HTTPS

EU eu- metering.marketplace.eu- HTTPS

Version 1.0
131
Amazon Mechanical Turk

Name
EU eu-west-1 metering.marketplace.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 metering.marketplace.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 metering.marketplace.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 metering.marketplace.eu- HTTPS

(Stockholm) north-1.amazonaws.com
Middle me- metering.marketplace.me- HTTPS

(Bahrain)
South sa-east-1 metering.marketplace.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- metering.marketplace.us-gov- HTTPS

(US-East)
AWS us-gov- metering.marketplace.us-gov- HTTPS

(US-West)
Amazon Mechanical Turk

Region Endpoint Protocol
Sandbox endpoint mturk-requester-sandbox.us-east-1.amazonaws.com HTTPS

for Amazon
Mechanical Turk
actions.
Production mturk-requester.us-east-1.amazonaws.com HTTPS

endpoint for
Amazon Mechanical
Turk actions.
Version 1.0
132
Amazon Managed Streaming
for Apache Kafka (Amazon MSK)
Amazon Managed Streaming for Apache Kafka

(Amazon MSK)
Name
US East us-east-2 kafka.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 kafka.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 kafka.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 kafka.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 kafka.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- kafka.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- kafka.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- kafka.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- kafka.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- kafka.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- kafka.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- kafka.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 kafka.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 kafka.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 kafka.eu-west-3.amazonaws.com HTTPS
Version 1.0
133
AWS Elemental MediaConnect

Name
EU eu-north-1 kafka.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 kafka.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)

Name
US East us-east-2 mediaconnect.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 mediaconnect.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 mediaconnect.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 mediaconnect.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- mediaconnect.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- mediaconnect.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- mediaconnect.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- mediaconnect.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- mediaconnect.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- mediaconnect.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 mediaconnect.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 mediaconnect.eu-west-2.amazonaws.com HTTPS

(London)
Version 1.0
134
AWS Elemental MediaConvert

Name
EU (Paris) eu-west-3 mediaconnect.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 mediaconnect.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 mediaconnect.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)

Name
US East us-east-2 mediaconvert.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 mediaconvert.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 mediaconvert.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 mediaconvert.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- mediaconvert.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- mediaconvert.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- mediaconvert.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- mediaconvert.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- mediaconvert.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- mediaconvert.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn- subscribe.mediaconvert.cn- HTTPS

Version 1.0
135
AWS Elemental MediaLive

Name
EU eu- mediaconvert.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 mediaconvert.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 mediaconvert.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 mediaconvert.eu-west-3.amazonaws.com HTTPS
South sa-east-1 mediaconvert.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- mediaconvert.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Note
Use these public AWS Elemental MediaConvert endpoints only to request an account-specific
endpoint, using the DescribeEndpoints operation. Send all your transcoding requests to the
account-specific endpoint that the service returns. For more information about using account-
specific endpoints to send requests to MediaConvert, see Getting Started with the API in the
MediaConvert API Reference.
AWS Elemental MediaPackage

AWS Elemental MediaPackage Live
These are the endpoints for live content workflows in AWS Elemental MediaPackage.

Name
US East (N. us-east-1 mediapackage.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 mediapackage.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 mediapackage.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- mediapackage.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Version 1.0
136

Name
Asia ap- mediapackage.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- mediapackage.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- mediapackage.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- mediapackage.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- mediapackage.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 mediapackage.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 mediapackage.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 mediapackage.eu-west-3.amazonaws.com HTTPS
South sa-east-1 mediapackage.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS Elemental MediaPackage VOD
These are the endpoints for video on demand (VOD) content workflows in AWS Elemental MediaPackage.

Name
US East (N. us-east-1 mediapackage-vod.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 mediapackage-vod.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 mediapackage-vod.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- mediapackage-vod.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Version 1.0
137
AWS Elemental MediaStore

Name
Asia ap- mediapackage-vod.ap- HTTPS

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
EU eu- mediapackage-vod.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 mediapackage-vod.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 mediapackage-vod.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 mediapackage-vod.eu-west-3.amazonaws.com HTTPS
South sa-east-1 mediapackage-vod.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)

Name
US East (N. us-east-1 mediastore.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 mediastore.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- mediastore.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- mediastore.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- mediastore.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Version 1.0
138
AWS Elemental MediaTailor

Name
EU eu- mediastore.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 mediastore.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-north-1 mediastore.eu-north-1.amazonaws.com HTTPS

(Stockholm)

Name
US East (N. us-east-1 api.mediatailor.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
US West us-west-2 api.mediatailor.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
Asia ap- api.mediatailor.ap-southeast-1.amazonaws.com HTTP and

(Singapore)
Asia ap- api.mediatailor.ap-southeast-2.amazonaws.com HTTP and

(Sydney)
Asia ap- api.mediatailor.ap-northeast-1.amazonaws.com HTTP and

(Tokyo)
EU eu- api.mediatailor.eu-central-1.amazonaws.com HTTP and

EU eu-west-1 api.mediatailor.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
AWS Migration Hub

AWS Migration Hub helps you monitor the status of your migrations in all AWS public Regions, provided
your migration tools are available in that Region. The migration tools that integrate with Migration Hub
send migration status to the Migration Hub in US West (Oregon). There, the status is aggregated and
visible in a single location.

Name
US West us-west-2 mgh.us-west-2.amazonaws.com HTTPS

(Oregon)
Version 1.0
139
Amazon MQ
Amazon MQ
Name
US East us-east-2 mq.us-east-2.amazonaws.com HTTPS

(Ohio)
mq-fips.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 mq.us-east-1.amazonaws.com HTTPS

Virginia)
mq-fips.us-east-1.amazonaws.com HTTPS
US us-west-1 mq.us-west-1.amazonaws.com HTTPS

West (N.
California) mq-fips.us-west-1.amazonaws.com HTTPS
US West us-west-2 mq.us-west-2.amazonaws.com HTTPS

(Oregon)
mq-fips.us-west-2.amazonaws.com HTTPS
Asia ap- mq.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- mq.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- mq.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- mq.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- mq.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- mq.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- mq.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 mq.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 mq.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 mq.eu-west-3.amazonaws.com HTTPS
Version 1.0
140
Amazon Neptune
Amazon Neptune
Name
US East us-east-2 rds.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
US East (N. us-east-1 rds.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
US West us-west-2 rds.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
Asia ap- rds.ap-south-1.amazonaws.com HTTP and

(Mumbai)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca- rds.ca-central-1.amazonaws.com HTTP and

EU eu- rds.eu-central-1.amazonaws.com HTTP and


(Ireland) HTTPS

(London) HTTPS
EU eu-north-1 rds.eu-north-1.amazonaws.com HTTP and

(Stockholm) HTTPS
Middle me- rds.me-south-1.amazonaws.com HTTP and

East south-1 HTTPS
(Bahrain)
AWS us-gov- rds.us-gov-east-1.amazonaws.com HTTP and

(US-East)
Version 1.0
141
AWS OpsWorks

Name
AWS us-gov- rds.us-gov-west-1.amazonaws.com HTTP and

(US-West)
AWS OpsWorks
AWS OpsWorks uses the following Regional endpoints.
AWS OpsWorks CM
You can create and manage AWS OpsWorks for Chef Automate and AWS OpsWorks for Puppet
Enterprise servers in the following Regions. Resources can be managed only in the Region in which
they are created. Resources that are created in one Regional endpoint are not available, nor can they be
cloned to, another Regional endpoint.

Name
US East us-east-2 opsworks-cm.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 opsworks-cm.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 opsworks-cm.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 opsworks-cm.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- opsworks-cm.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- opsworks-cm.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- opsworks-cm.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- opsworks-cm.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 opsworks-cm.eu-west-1.amazonaws.com HTTPS

(Ireland)
Version 1.0
142
AWS OpsWorks Stacks
AWS OpsWorks Stacks

You can create and manage AWS OpsWorks resources in all Regions except AWS GovCloud (US-West) and
the China (Beijing) Region. The Canada (Central) Region Region is API-only; you cannot create stacks in
Canada (Central) Region by using the AWS Management Console. Resources can be managed only in the
Region in which they are created. Resources that are created in one Regional endpoint are not available,
nor can they be cloned to, another Regional endpoint.

Name
US East us-east-2 opsworks.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 opsworks.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 opsworks.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 opsworks.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- opsworks.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- opsworks.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- opsworks.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- opsworks.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- opsworks.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- opsworks.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- opsworks.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 opsworks.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 opsworks.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 opsworks.eu-west-3.amazonaws.com HTTPS
Version 1.0
143
AWS Organizations

Name
South sa-east-1 opsworks.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS Organizations
Name
US East us-east-2 organizations.us-east-1.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 organizations.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 organizations.us-east-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 organizations.us-east-1.amazonaws.com HTTPS

(Oregon)
Asia ap- organizations.us-east-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca- organizations.us-east-1.amazonaws.com HTTPS

(Central) central-1
EU eu- organizations.us-east-1.amazonaws.com HTTPS

EU eu-west-1 organizations.us-east-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 organizations.us-east-1.amazonaws.com HTTPS

(London)
Version 1.0
144
Amazon Personalize

Name
South sa-east-1 organizations.us-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- organizations.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Amazon Personalize
Amazon Personalize

Name
US East us-east-2 personalize.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 personalize.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 personalize.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- personalize.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- personalize.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu-west-1 personalize.eu-west-1.amazonaws.com HTTPS

(Ireland)
Amazon Personalize Events
US East (N. Virginia) us-east-1 personalize-events.us- HTTPS

US East (Ohio) us-east-2 personalize-events.us- HTTPS

US West (Oregon) us-west-2 personalize-events.us- HTTPS

Version 1.0
145
Amazon Personalize Runtime
Asia Pacific (Tokyo) ap-northeast-1 personalize-events.ap- HTTPS

northeast-1.amazonaws.com
Asia Pacific (Singapore) ap-southeast-1 personalize-events.ap- HTTPS

southeast-1.amazonaws.com
EU (Ireland) eu-west-1 personalize-events.eu- HTTPS

Amazon Personalize Runtime

US East (N. Virginia) us-east-1 personalize-runtime.us- HTTPS

US East (Ohio) us-east-2 personalize-runtime.us- HTTPS

US West (Oregon) us-west-2 personalize-runtime.us- HTTPS

Asia Pacific (Tokyo) ap-northeast-1 personalize-runtime.ap- HTTPS

Asia Pacific (Singapore) ap-southeast-1 personalize-runtime.ap- HTTPS

EU (Ireland) eu-west-1 personalize-runtime.eu- HTTPS

Amazon Pinpoint
Amazon Pinpoint includes the Amazon Pinpoint API, the Amazon Pinpoint Email API, and the Amazon
Pinpoint SMS and Voice API.
Amazon Pinpoint API

Name
US East (N. us-east-1 pinpoint.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 pinpoint.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- pinpoint.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Version 1.0
146
Amazon Pinpoint Email API

Name
Asia ap- pinpoint.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
EU eu- pinpoint.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 pinpoint.eu-west-1.amazonaws.com HTTPS

(Ireland)
Amazon Pinpoint Email API

Name
US East (N. us-east-1 email.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 email.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- email.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- email.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
EU eu- email.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 email.eu-west-1.amazonaws.com HTTPS

(Ireland)
Amazon Pinpoint SMS and Voice API

Name
US East (N. us-east-1 sms-voice.pinpoint.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 sms-voice.pinpoint.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- sms-voice.pinpoint.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Version 1.0
147
Amazon Polly

Name
Asia ap- sms-voice.pinpoint.ap- HTTPS

(Sydney)
EU eu- sms-voice.pinpoint.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 sms-voice.pinpoint.eu-west-1.amazonaws.com HTTPS

(Ireland)
Amazon Polly
Name
US East us-east-2 polly.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 polly.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 polly.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 polly.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- polly.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- polly.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- polly.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- polly.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- polly.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- polly.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn- polly.cn-northwest-1.amazonaws.com.cn HTTPS

Version 1.0
148
Amazon QLDB

Name
EU eu- polly.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 polly.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 polly.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 polly.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 polly.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 polly.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- polly.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Amazon QLDB
Amazon QLDB Control Plane

Name
US East us-east-2 qldb.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 qldb.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 qldb.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- qldb.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu-west-1 qldb.eu-west-1.amazonaws.com HTTPS

(Ireland)
Version 1.0
149
Amazon QLDB Transactional Data Plane
Amazon QLDB Transactional Data Plane

Name
US East us-east-2 session.qldb.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 session.qldb.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 session.qldb.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- session.qldb.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu-west-1 session.qldb.eu-west-1.amazonaws.com HTTPS

(Ireland)
Amazon QuickSight
QuickSight Websites
Region Name Region Endpoint
US East (Ohio) us-east-2 https://us-east-2.quicksight.amazonaws.com
US East (N. Virginia) us-east-1 https://us-east-1.quicksight.amazonaws.com
US West (Oregon) us-west-2 https://us-west-2.quicksight.aws.amazon.com
Asia Pacific ap-southeast-1 https://ap-southeast-1.quicksight.aws.amazon.com

(Singapore)
Asia Pacific (Sydney) ap-southeast-2 https://ap-southeast-2.quicksight.aws.amazon.com
Asia Pacific (Tokyo) ap-northeast-1 https://ap-northeast-1.quicksight.aws.amazon.com
EU (Frankfurt) eu-central-1 https://eu-central-1.quicksight.aws.amazon.com
EU (Ireland) eu-west-1 https://eu-west-1.quicksight.aws.amazon.com
EU (London) eu-west-2 https://eu-west-2.quicksight.aws.amazon.com
QuickSight Endpoints

Name
US East us-east-2 quicksight.us-east-2.amazonaws.com HTTPS

(Ohio)
Version 1.0
150
AWS Resource Access Manager

Name
US East (N. us-east-1 quicksight.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 quicksight.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- quicksight.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- quicksight.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- quicksight.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- quicksight.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- quicksight.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 quicksight.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 quicksight.eu-west-2.amazonaws.com HTTPS

(London)
For information about using Amazon QuickSight in the AWS GovCloud (US-West) Region, see AWS
For information about using Amazon QuickSight in the China (Beijing) Region, see China (Beijing) Region
Endpoints.

Name
US East us-east-2 ram.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 ram.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 ram.us-west-1.amazonaws.com HTTPS

West (N.
California)
Version 1.0
151

Name
US West us-west-2 ram.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- ram.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- ram.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- ram.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- ram.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- ram.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- ram.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- ram.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 ram.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 ram.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 ram.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 ram.eu-north-1.amazonaws.com HTTPS

(Stockholm)
AWS us-gov- ram.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- ram.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Version 1.0
152
Amazon Redshift
Amazon Redshift
Name
US East us-east-2 redshift.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 redshift.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 redshift.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 redshift.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 redshift.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- redshift.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- redshift.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- redshift.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- redshift.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- redshift.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 redshift.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- redshift.cn-northwest-1.amazonaws.com.cn HTTPS

Version 1.0
153
Amazon Rekognition

Name
EU eu- redshift.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 redshift.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 redshift.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 redshift.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 redshift.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- redshift.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 redshift.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- redshift.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- redshift.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon Redshift in the AWS GovCloud (US-West) Region, see AWS
For information about using Amazon Redshift in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
Amazon Rekognition
The Amazon Rekognition Video streaming API is available in the following regions only: US East (N.
Virginia), US West (Oregon), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland).

Name
US East us-east-2 rekognition.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 rekognition.us-east-1.amazonaws.com HTTPS

Virginia)
Version 1.0
154
Amazon Relational Database Service (Amazon RDS)

Name
US us-west-1 rekognition.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 rekognition.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- rekognition.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- rekognition.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- rekognition.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- rekognition.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- rekognition.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu- rekognition.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 rekognition.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 rekognition.eu-west-2.amazonaws.com HTTPS

(London)
AWS us-gov- rekognition.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon Rekognition in the AWS GovCloud (US-West) Region, see AWS
Amazon Relational Database Service (Amazon

RDS)
Name

(Ohio)
Version 1.0
155

Name

Virginia)

West (N.
California)

(Oregon)

Pacific
(Hong
Kong)

Pacific south-1
(Mumbai)

(Osaka-
Local)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)

(Central) central-1
China cn-north-1 rds.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)



(Ireland)

(London)
Version 1.0
156
Amazon RDS Performance Insights

Name

(Stockholm)

East south-1
(Bahrain)
South sa-east-1 rds.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)

GovCloud east-1
(US-East)

GovCloud west-1
(US-West)
For information about using Amazon Relational Database Service in the AWS GovCloud (US-West)
For information about using Amazon Relational Database Service in the China (Beijing) Region, see China

RDS) Performance Insights
Name
US East us-east-2 pi.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 pi.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 pi.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 pi.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 pi.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Version 1.0
157
AWS Resource Groups

Name
Asia ap- pi.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- pi.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- pi.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- pi.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- pi.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- pi.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- pi.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 pi.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 pi.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 pi.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 pi.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 pi.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS Resource Groups

AWS Resource Groups and Tag Editor are available in all commercial AWS Regions.

Name
US East us-east-2 resource-groups.us-east-2.amazonaws.com HTTPS

(Ohio)
resource-groups-fips.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 resource-groups.us-east-1.amazonaws.com HTTPS

Virginia)
Version 1.0
158
AWS Resource Groups

Name
resource-groups-fips.us-east-1.amazonaws.com HTTPS
US us-west-1 resource-groups.us-west-1.amazonaws.com HTTPS

West (N.
California) resource-groups-fips.us-west-1.amazonaws.com HTTPS
US West us-west-2 resource-groups.us-west-2.amazonaws.com HTTPS

(Oregon)
resource-groups-fips.us-west-2.amazonaws.com HTTPS
Asia ap-east-1 resource-groups.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- resource-groups.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- resource-groups.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- resource-groups.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- resource-groups.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- resource-groups.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- resource-groups.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 resource-groups.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 resource-groups.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 resource-groups.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 resource-groups.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Version 1.0
159
Resource Groups Tagging API

Name
Middle me- resource-groups.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 resource-groups.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- resource-groups.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East) resource-groups.us-gov-east-1.amazonaws.com HTTPS
AWS us-gov- resource-groups.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West) resource-groups.us-gov-west-1.amazonaws.com HTTPS

Name
US East us-east-2 tagging.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 tagging.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 tagging.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 tagging.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 tagging.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- tagging.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- tagging.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Version 1.0
160

Name
Asia ap- tagging.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- tagging.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- tagging.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 tagging.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- tagging.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- tagging.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 tagging.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 tagging.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 tagging.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 tagging.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- tagging.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 tagging.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- tagging.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- tagging.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Version 1.0
161
AWS RoboMaker
AWS RoboMaker
Name
US East (N. us-east-1 robomaker.us-east-1.amazonaws.com HTTPS

Virginia)
US East us-east-2 robomaker.us-east-2.amazonaws.com HTTPS

(Ohio)
US West us-west-2 robomaker.us-west-2.amazonaws.com HTTPS

(Oregon)
EU (Ireland) eu-west-1 robomaker.eu-west-1.amazonaws.com HTTPS
EU eu-central-1 robomaker.eu-central-1.amazonaws.com HTTPS

(Frankfurt)
Asia Pacific ap- robomaker.ap-southeast-1.amazonaws.com HTTPS

(Singapore) southeast-1
Asia Pacific ap- robomaker.ap-northeast-1.amazonaws.com HTTPS

(Tokyo) northeast-1
Amazon Route 53
The endpoint that you use depends on the operation that you want to perform.
Topics
• Requests for hosted zones, records, health checks, DNS query logs, reusable delegation sets, traffic
policies, and cost allocation tags for hosted zones and health checks (p. 162)
• Requests for domain registration (p. 164)
• Requests for Route 53 Resolver (p. 164)
• Requests for Route 53 Auto Naming (p. 165)
Requests for hosted zones, records, health checks,

DNS query logs, reusable delegation sets, traffic
policies, and cost allocation tags for hosted zones
and health checks
These requests use the following endpoint.
Note
When you submit requests using the AWS CLI or SDKs, either leave the Region and endpoint
unspecified, or specify us-east-1 as the Region. When you submit requests using the Route 53
API, use the us-east-1 Region to sign requests. For more information about signing Route 53 API
requests, see Signature Version 4 Signing Process (p. 352).
Version 1.0
162
Requests for hosted zones, records, health checks, DNS
query logs, reusable delegation sets, traffic policies, and
cost allocation tags for hosted zones and health checks

Name
US East us-east-2 route53.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 route53.amazonaws.com HTTPS

Virginia)
US us-west-1 route53.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 route53.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 route53.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- route53.amazonaws.com HTTPS

Pacific south-1
(Mumbai)

(Osaka-
Local)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca- route53.amazonaws.com HTTPS

(Central) central-1
EU eu- route53.amazonaws.com HTTPS

EU eu-west-1 route53.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 route53.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 route53.amazonaws.com HTTPS
Version 1.0
163
Requests for domain registration

Name
EU eu-north-1 route53.amazonaws.com HTTPS

(Stockholm)
Middle me- route53.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 route53.amazonaws.com HTTPS

America
(Sao
Paulo)
Requests for domain registration

Requests for domain registration use the following endpoint.

Name
US East (N. us-east-1 route53domains.us-east-1.amazonaws.com HTTPS

Virginia)
Requests for Route 53 Resolver

Requests for Route 53 Resolver use the following endpoints.

Name
US East us-east-2 route53resolver.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 route53resolver.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 route53resolver.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 route53resolver.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- route53resolver.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- route53resolver.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Version 1.0
164
Requests for Route 53 Auto Naming

Name
Asia ap- route53resolver.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- route53resolver.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- route53resolver.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- route53resolver.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- route53resolver.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 route53resolver.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 route53resolver.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 route53resolver.eu-west-3.amazonaws.com HTTPS
AWS us-gov- route53resolver.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- route53resolver.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Requests for Route 53 Auto Naming

Amazon Route 53 auto naming has been released as a separate service, AWS Cloud Map. For a list of
service endpoints, see AWS Cloud Map (p. 33). For AWS Cloud Map documentation, see AWS Cloud
Map Documentation.
Amazon SageMaker
The following table provides a list of Region-specific endpoints that Amazon SageMaker supports for
training and deploying models. This include creating and managing notebook instances, training jobs,
model, endpoint configurations, and endpoints.

Name
US East us-east-2 api.sagemaker.us-east-2.amazonaws.com HTTPS

(Ohio)
api-fips.sagemaker.us-east-2.amazonaws.com HTTPS
Version 1.0
165
Amazon SageMaker

Name
US East (N. us-east-1 api.sagemaker.us-east-1.amazonaws.com HTTPS

Virginia)
api-fips.sagemaker.us-east-1.amazonaws.com HTTPS
US us-west-1 api.sagemaker.us-west-1.amazonaws.com HTTPS

West (N.
California) api-fips.sagemaker.us-west-1.amazonaws.com HTTPS
US West us-west-2 api.sagemaker.us-west-2.amazonaws.com HTTPS

(Oregon)
api-fips.sagemaker.us-west-2.amazonaws.com HTTPS
Asia ap-east-1 api.sagemaker.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- api.sagemaker.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- api.sagemaker.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- api.sagemaker.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- api.sagemaker.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- api.sagemaker.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- api.sagemaker.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- api.sagemaker.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 api.sagemaker.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 api.sagemaker.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 api.sagemaker.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 api.sagemaker.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- api.sagemaker.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
Version 1.0
166
Amazon SageMaker

Name
South sa-east-1 api.sagemaker.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- api.sagemaker.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
The following table provides a list of Region-specific endpoints that Amazon SageMaker supports for
making inference requests against models hosted in Amazon SageMaker.

Name
US East us-east-2 runtime.sagemaker.us-east-2.amazonaws.com HTTPS

(Ohio)
runtime-fips.sagemaker.us- HTTPS
US East (N. us-east-1 runtime.sagemaker.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 runtime.sagemaker.us-west-1.amazonaws.com HTTPS

West (N.
California) runtime-fips.sagemaker.us- HTTPS
US West us-west-2 runtime.sagemaker.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 runtime.sagemaker.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- runtime.sagemaker.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- runtime.sagemaker.ap- HTTPS

(Seoul)

(Singapore)

(Sydney)
Version 1.0
167
AWS Secrets Manager

Name

(Tokyo)
Canada ca- runtime.sagemaker.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- runtime.sagemaker.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 runtime.sagemaker.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 runtime.sagemaker.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 runtime.sagemaker.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 runtime.sagemaker.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- runtime.sagemaker.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 runtime.sagemaker.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- runtime.sagemaker.us-gov- HTTPS

(US-West)
For information about using Amazon SageMaker in the AWS GovCloud (US-West) Region, see AWS
AWS Secrets Manager

Name
US East us-east-2 secretsmanager.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 secretsmanager.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 secretsmanager.us-west-1.amazonaws.com HTTPS

West (N.
California)
Version 1.0
168
AWS Secrets Manager

Name
US West us-west-2 secretsmanager.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 secretsmanager.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- secretsmanager.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- secretsmanager.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- secretsmanager.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- secretsmanager.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- secretsmanager.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- secretsmanager.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- secretsmanager.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 secretsmanager.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 secretsmanager.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 secretsmanager.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 secretsmanager.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- secretsmanager.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 secretsmanager.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- secretsmanager.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
Version 1.0
169
AWS Security Hub

Name
AWS us-gov- secretsmanager.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
AWS Security Hub

Name
US East us-east-2 securityhub.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 securityhub.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 securityhub.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 securityhub.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 securityhub.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- securityhub.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- securityhub.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- securityhub.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- securityhub.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- securityhub.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- securityhub.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- securityhub.eu-central-1.amazonaws.com HTTPS

Version 1.0
170
AWS Security Token Service (AWS STS)

Name
EU eu-west-1 securityhub.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 securityhub.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 securityhub.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 securityhub.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- securityhub.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 securityhub.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)

By default, the AWS Security Token Service (AWS STS) is available as a global service, and all STS
requests go to a single endpoint at https://sts.amazonaws.com. AWS recommends using Regional
STS endpoints to reduce latency, build in redundancy, and increase session token validity. Most Regional
endpoints are active by default, but you must manually enable endpoints for some Regions, such as Asia
Pacific (Hong Kong). You can deactivate STS endpoints for any Regions that are enabled by default if you
do not intend to use those Regions.
For more information, see Activating and Deactivating AWS STS in an AWS Region in the IAM User Guide.
The following table provides a list of Regional STS endpoints that you can use.

Name
US East us-east-2 sts.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 sts.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 sts.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 sts.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 sts.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Version 1.0
171

Name
Asia ap- sts.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- sts.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- sts.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- sts.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- sts.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 sts.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- sts.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- sts.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 sts.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 sts.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 sts.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 sts.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- sts.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 sts.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Version 1.0
172
AWS Server Migration Service

Name
AWS us-gov- sts.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- sts.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS Security Token Service in the AWS GovCloud (US-West) Region, see
For information about using AWS Security Token Service in the China (Beijing) Region, see China (Beijing)
Region Endpoints.

Name
US East us-east-2 sms.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 sms.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 sms.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 sms.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 sms.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- sms.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- sms.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- sms.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- sms.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Version 1.0
173
AWS Serverless Application Repository

Name
Asia ap- sms.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- sms.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 sms.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- sms.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- sms.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 sms.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 sms.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 sms.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 sms.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- sms.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 sms.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- sms.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- sms.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)

Name
US East us-east-2 serverlessrepo.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 serverlessrepo.us-east-1.amazonaws.com HTTPS

Virginia)
Version 1.0
174

Name
US us-west-1 serverlessrepo.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 serverlessrepo.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 serverlessrepo.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- serverlessrepo.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- serverlessrepo.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- serverlessrepo.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- serverlessrepo.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- serverlessrepo.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- serverlessrepo.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- serverlessrepo.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 serverlessrepo.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 serverlessrepo.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 serverlessrepo.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 serverlessrepo.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- serverlessrepo.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 serverlessrepo.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Version 1.0
175
AWS Service Catalog

Name
AWS us-gov- serverlessrepo.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- serverlessrepo.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS Serverless Application Repository in the AWS GovCloud (US-West)
AWS Service Catalog

Name
US East us-east-2 servicecatalog.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 servicecatalog.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 servicecatalog.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 servicecatalog.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- servicecatalog.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- servicecatalog.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- servicecatalog.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- servicecatalog.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- servicecatalog.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- servicecatalog.ca-central-1.amazonaws.com HTTPS

(Central) central-1
Version 1.0
176
AWS Shield Advanced

Name
EU eu- servicecatalog.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 servicecatalog.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 servicecatalog.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 servicecatalog.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 servicecatalog.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 servicecatalog.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- servicecatalog.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
AWS Shield Advanced

AWS Shield Advanced has the following endpoints:

Name
US East (N. us-east-1 shield.us-east-1.amazonaws.com HTTPS

Virginia)
Amazon Simple Email Service (Amazon SES)

Email Sending Endpoints
Region Name Region API (HTTPS) SMTP Endpoint

Endpoint
US East (N. us-east-1 email.us- email-smtp.us-

US West (Oregon) us-west-2 email.us- email-smtp.us-

Asia Pacific ap-south-1 email.ap- email-smtp.ap-

(Mumbai) south-1.amazonaws.com
south-1.amazonaws.com
Asia Pacific ap-southeast-2 email.ap- email-smtp.ap-

(Sydney) southeast-2.amazonaws.com
Version 1.0
177
Amazon Simple Notification Service (Amazon SNS)
Region Name Region API (HTTPS) SMTP Endpoint

Endpoint
EU (Ireland) eu-west-1 email.eu- email-smtp.eu-

EU (Frankfurt) eu-central-1 email.eu- email-smtp.eu-

central-1.amazonaws.com
Email Receiving Endpoints
Region Name Region Receiving

Endpoint
US East (N. us-east-1 inbound-smtp.us-

US West (Oregon) us-west-2 inbound-smtp.us-

EU (Ireland) eu-west-1 inbound-smtp.eu-

Note
Currently, Amazon SES doesn't support email receiving in the following Regions: Asia Pacific
(Mumbai), Asia Pacific (Sydney), and EU (Frankfurt).

Name
US East us-east-2 sns.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
US East (N. us-east-1 sns.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
US us-west-1 sns.us-west-1.amazonaws.com HTTP and

West (N. HTTPS
California)
US West us-west-2 sns.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
Asia ap-east-1 sns.ap-east-1.amazonaws.com HTTP and

Pacific HTTPS
(Hong
Kong)
Asia ap- sns.ap-south-1.amazonaws.com HTTP and

(Mumbai)
Version 1.0
178

Name
Asia ap- sns.ap-northeast-3.amazonaws.com HTTP and

(Osaka-
Local)

(Seoul)
Asia ap- sns.ap-southeast-1.amazonaws.com HTTP and

(Singapore)
Asia ap- sns.ap-southeast-2.amazonaws.com HTTP and

(Sydney)

(Tokyo)
Canada ca- sns.ca-central-1.amazonaws.com HTTP and

China cn-north-1 sns.cn-north-1.amazonaws.com.cn HTTP and

(Beijing) HTTPS
China cn- sns.cn-northwest-1.amazonaws.com.cn HTTP and

EU eu- sns.eu-central-1.amazonaws.com HTTP and

EU eu-west-1 sns.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
EU eu-west-2 sns.eu-west-2.amazonaws.com HTTP and

(London) HTTPS
EU (Paris) eu-west-3 sns.eu-west-3.amazonaws.com HTTP and

HTTPS
EU eu-north-1 sns.eu-north-1.amazonaws.com HTTP and

(Stockholm) HTTPS
Middle me- sns.me-south-1.amazonaws.com HTTP and

East south-1 HTTPS
(Bahrain)
South sa-east-1 sns.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
AWS us-gov- sns.us-gov-east-1.amazonaws.com HTTP and

(US-East)
Version 1.0
179
Amazon Simple Queue Service (Amazon SQS)

Name
AWS us-gov- sns.us-gov-west-1.amazonaws.com HTTP and

(US-West)
For information about using Amazon Simple Notification Service in the AWS GovCloud (US-West) Region,
see AWS GovCloud (US-West) Endpoints.
For information about using Amazon Simple Notification Service in the China (Beijing) Region, see China

Name
US East us-east-2 sqs.us-east-2.amazonaws.com HTTP and

(Ohio) HTTPS
sqs-fips.us-east-2.amazonaws.com
HTTPS
US East (N. us-east-1 sqs.us-east-1.amazonaws.com HTTP and

Virginia) HTTPS
sqs-fips.us-east-1.amazonaws.com
HTTPS
US us-west-1 sqs.us-west-1.amazonaws.com HTTP and

West (N. HTTPS
California) sqs-fips.us-west-1.amazonaws.com
HTTPS
US West us-west-2 sqs.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
sqs-fips.us-west-2.amazonaws.com
HTTPS
Asia ap-east-1 sqs.ap-east-1.amazonaws.com HTTP and

Pacific HTTPS
(Hong
Kong)
Asia ap- sqs.ap-south-1.amazonaws.com HTTP and

(Mumbai)
Asia ap- sqs.ap-northeast-3.amazonaws.com HTTP and

(Osaka-
Local)

(Seoul)
Version 1.0
180

Name
Asia ap- sqs.ap-southeast-1.amazonaws.com HTTP and

(Singapore)
Asia ap- sqs.ap-southeast-2.amazonaws.com HTTP and

(Sydney)

(Tokyo)
Canada ca- sqs.ca-central-1.amazonaws.com HTTP and

China cn-north-1 sqs.cn-north-1.amazonaws.com.cn HTTP and

(Beijing) HTTPS
China cn- sqs.cn-northwest-1.amazonaws.com.cn HTTP and

EU eu- sqs.eu-central-1.amazonaws.com HTTP and

EU eu-west-1 sqs.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
EU eu-west-2 sqs.eu-west-2.amazonaws.com HTTP and

(London) HTTPS
EU (Paris) eu-west-3 sqs.eu-west-3.amazonaws.com HTTP and

HTTPS
EU eu-north-1 sqs.eu-north-1.amazonaws.com HTTP and

(Stockholm) HTTPS
Middle me- sqs.me-south-1.amazonaws.com HTTP and

East south-1 HTTPS
(Bahrain)
South sa-east-1 sqs.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
AWS us-gov- sqs.us-gov-east-1.amazonaws.com HTTP and

(US-East)
AWS us-gov- sqs.us-gov-west-1.amazonaws.com HTTP and

(US-West)
For information about using Amazon Simple Queue Service in the AWS GovCloud (US-West) Region, see
Version 1.0
181
Amazon SQS Legacy Endpoints
For information about using Amazon Simple Queue Service in the China (Beijing) Region, see China
Amazon SQS Legacy Endpoints

If you use the AWS CLI or SDK for Python, you can use the following legacy endpoints.
US East (Ohio) us-east-2 us- HTTP and HTTPS

east-2.queue.amazonaws.com
US East (N. Virginia) us-east-1 queue.amazonaws.com HTTP and HTTPS
US West (N. California) us-west-1 us- HTTP and HTTPS

west-1.queue.amazonaws.com
US West (Oregon) us-west-2 us- HTTP and HTTPS

Asia Pacific (Mumbai) ap-south-1 ap- HTTP and HTTPS

south-1.queue.amazonaws.com
Asia Pacific (Osaka- ap-northeast-3 ap- HTTP and HTTPS

Local) northeast-3.queue.amazonaws.com
Asia Pacific (Seoul) ap-northeast-2 ap- HTTP and HTTPS

northeast-2.queue.amazonaws.com
Asia Pacific (Singapore) ap-southeast-1 ap- HTTP and HTTPS

southeast-1.queue.amazonaws.com
Asia Pacific (Sydney) ap-southeast-2 ap- HTTP and HTTPS

southeast-2.queue.amazonaws.com
Asia Pacific (Tokyo) ap-northeast-1 ap- HTTP and HTTPS

northeast-1.queue.amazonaws.com
Canada (Central) ca-central-1 ca- HTTP and HTTPS

central-1.queue.amazonaws.com
China (Beijing) cn-north-1 cn- HTTP and HTTPS

north-1.queue.amazonaws.com
China (Ningxia) cn-northwest-1 cn- HTTP and HTTPS

northwest-1.queue.amazonaws.com
EU (Frankfurt) eu-central-1 eu- HTTP and HTTPS

central-1.queue.amazonaws.com
EU (Ireland) eu-west-1 eu- HTTP and HTTPS

EU (London) eu-west-2 eu- HTTP and HTTPS

EU (Paris) eu-west-3 eu- HTTP and HTTPS

Version 1.0
182
Amazon Simple Storage Service (Amazon S3)
EU (Stockholm) eu-north-1 eu- HTTP and HTTPS

north-1.queue.amazonaws.com
South America (São sa-east-1 sa- HTTP and HTTPS

Paulo) east-1.queue.amazonaws.com

When sending requests to these endpoints using the REST API, you can use the virtual-hosted style and
path-style methods. For more information, see Virtual Hosting of Buckets.
Region Region Endpoint Location Protocol Signature

Name Constraint Version(s)
Support
US East us-east-2 Valid endpoint names for this us-east-2 HTTP and Versions 4
(Ohio) Region: HTTPS only
• s3.us-east-2.amazonaws.com
• s3.dualstack.us-
east-2.amazonaws.com**
• account-id.s3-control.us-
• account-id.s3-
control.dualstack.us-
US East (N. us-east-1 Valid endpoint names for this (none HTTP and Versions 2
Virginia) Region: required) HTTPS and 4
• s3.amazonaws.com
• s3.us-east-1.amazonaws.com
• account-id.s3-
US West (N. us-west-1 Valid endpoint names for this us-west-1 HTTP and Versions 2
California) Region: HTTPS and 4
• s3.us-west-1.amazonaws.com
west-1.amazonaws.com**
• account-id.s3-
Version 1.0
183

Support
US West us-west-2 Valid endpoint names for this us-west-2 HTTP and Versions 2
(Oregon) Region: HTTPS and 4
• s3.us-west-2.amazonaws.com
• account-id.s3-
Asia Pacific ap-east-1 Valid endpoint names for this ap-east-1 HTTP and Version 4
(Hong Region: HTTPS only
Kong)***
• s3.ap-east-1.amazonaws.com
• s3.dualstack.ap-
• account-id.ap-
• account-id.s3-
control.dualstack.ap-
Asia Pacific ap-south-1 Valid endpoint names for this ap-south-1 HTTP and Version 4
(Mumbai) Region: HTTPS only
• s3.ap-
south-1.amazonaws.com**
• account-id.s3-control.ap-
• account-id.s3-
Asia Pacific ap- Valid endpoint names for this ap- HTTP and Version 4
(Osaka- northeast-3 Region: northeast-3 HTTPS only
Local)****
• s3.ap-
northeast-3.amazonaws.com**
• account-id.s3-
Version 1.0
184

Support
Asia Pacific ap- Valid endpoint names for this ap- HTTP and Version 4
(Seoul) northeast-2 Region: northeast-2 HTTPS only
• s3.ap-
• account-id.s3-
Asia Pacific ap- Valid endpoint names for this ap- HTTP and Versions 2
(Singapore) southeast-1 Region: southeast-1 HTTPS and 4
• s3.ap-
southeast-1.amazonaws.com**
• account-id.s3-
(Sydney) southeast-2 Region: southeast-2 HTTPS and 4
• s3.ap-
• account-id.s3-
(Tokyo) northeast-1 Region: northeast-1 HTTPS and 4
• s3.ap-
• account-id.s3-
Version 1.0
185

Support
Canada ca- Valid endpoint names for this ca- HTTP and Version 4
(Central) central-1 Region: central-1 HTTPS only
• s3.ca-
• s3.dualstack.ca-
central-1.amazonaws.com**
• account-id.s3-control.ca-
• account-id.s3-
control.dualstack.ca-
China cn-north-1 Valid endpoint name for this cn-north-1 HTTP and Version 4
(Beijing) Region: HTTPS only
• s3.cn-
north-1.amazonaws.com.cn
• account-id.s3-control.cn-
north-1.amazonaws.com.cn
China cn- Valid endpoint name for this cn- HTTP and Version 4
(Ningxia) northwest-1 Region: northwest-1 HTTPS only
• s3.cn-
northwest-1.amazonaws.com.cn
• account-id.s3-control.cn-
northwest-1.amazonaws.com.cn
EU eu- Valid endpoint names for this eu- HTTP and Version 4
(Frankfurt) central-1 Region: central-1 HTTPS only
• s3.eu-
• s3.dualstack.eu-
• account-id.s3-control.eu-
• account-id.s3-
control.dualstack.eu-
Version 1.0
186

Support
EU (Ireland) eu-west-1 Valid endpoint names for this EU or eu- HTTP and Versions 2
Region: west-1 HTTPS and 4
• s3.eu-west-1.amazonaws.com
• account-id.s3-
EU eu-west-2 Valid endpoint names for this eu-west-2 HTTP and Version 4
(London) Region: HTTPS only
• account-id.s3-
EU (Paris) eu-west-3 Valid endpoint names for this eu-west-3 HTTP and Version 4
Region: HTTPS only
• account-id.s3-
EU eu-north-1 Valid endpoint names for this eu-north-1 HTTP and Version 4
(Stockholm) Region: HTTPS only
• s3.eu-
north-1.amazonaws.com
• account-id.s3-
north-1.amazonaws.com**
Version 1.0
187

Support
South sa-east-1 Valid endpoint names for this sa-east-1 HTTP and Versions 2
America Region: HTTPS and 4
(São Paulo)
• s3.sa-east-1.amazonaws.com
• s3.dualstack.sa-
• account-id.s3-control.sa-
• account-id.s3-
control.dualstack.sa-
Middle East me-south-1 Valid endpoint names for this me-south-1 HTTP and Versions 4
(Bahrain) Region: HTTPS only
• s3.me-
• s3.dualstack.me-
• account-id.s3-control.me-
• account-id.s3-
control.dualstack.me-
**Amazon S3 dual-stack endpoints support requests to S3 buckets over IPv6 and IPv4. For more
information, see Using Dual-Stack Endpoints.
***You must enable this Region before you can use it.
****You can use the Asia Pacific (Osaka-Local) Region only in conjunction with the Asia Pacific (Tokyo)
Region. To request access to the Asia Pacific (Osaka-Local) Region, contact your sales representative.
Note
The s3-control endpoints are used with Amazon S3 account-level operations.
When using the preceding endpoints the following additional considerations apply:
• Amazon S3 renamed the US Standard Region to the US East (N. Virginia) Region to be consistent with
AWS Regional naming conventions. There is no change to the endpoint and you do not need to make
any changes to your application.
• If you use a Region other than the US East (N. Virginia) endpoint to create a bucket, you must set the
LocationConstraint bucket parameter to the same Region. Both the AWS SDK for Java and AWS SDK
for .NET use an enumeration for setting location constraints (Region for Java, S3Region for .NET). For
more information, see PUT Bucket in the Amazon Simple Storage Service API Reference.
Version 1.0
188
Amazon Simple Storage Service Website Endpoints
Amazon Simple Storage Service Website Endpoints

When you configure your bucket as a website, the website is available using the following Region-specific
website endpoints. Note that the website endpoints are different than the REST API endpoints listed in
the preceding table. For more information about hosting websites on Amazon S3, see Hosting Websites
on Amazon S3 in the Amazon Simple Storage Service Developer Guide. You need the hosted zone IDs
when using the Amazon Route 53 API to add an alias record to your hosted zone.
Note
The website endpoints do not support https.
Region Name Website Endpoint Route 53 Hosted

Zone ID
US East (Ohio) s3-website.us-east-2.amazonaws.com Z2O1EMRO9K5GLX
US East (N. s3-website-us-east-1.amazonaws.com Z3AQBSTGFYJSTF

Virginia)
US West (N. s3-website-us-west-1.amazonaws.com Z2F56UZL2M1ACD

California)
US West s3-website-us-west-2.amazonaws.com Z3BJ6K6RIION7M

(Oregon)
Asia Pacific s3-website.ap-east-1.amazonaws.com ZNB98KWMFR0R6

(Hong Kong)
Asia Pacific s3-website.ap-south-1.amazonaws.com Z11RGJOFQNVJUP

(Mumbai)
Asia Pacific s3-website.ap-northeast-3.amazonaws.com Z2YQB5RD63NC85

(Osaka-Local)
Asia Pacific s3-website.ap-northeast-2.amazonaws.com Z3W03O7B5YMIYP

(Seoul)
Asia Pacific s3-website-ap-southeast-1.amazonaws.com Z3O0J2DXBE1FTB

(Singapore)
Asia Pacific s3-website-ap-southeast-2.amazonaws.com Z1WCIGYICN2BYD

(Sydney)
Asia Pacific s3-website-ap-northeast-1.amazonaws.com Z2M4EHUR26P7ZW

(Tokyo)
Canada (Central) s3-website.ca-central-1.amazonaws.com Z1QDHH18159H29
China (Ningxia) s3-website.cn-northwest-1.amazonaws.com.cn Not supported
EU (Frankfurt) s3-website.eu-central-1.amazonaws.com Z21DNDUVLTQW6Q
EU (Ireland) s3-website-eu-west-1.amazonaws.com Z1BKCTXD74EZPE
EU (London) s3-website.eu-west-2.amazonaws.com Z3GKZC51ZF0DB4
EU (Paris) s3-website.eu-west-3.amazonaws.com Z3R1K369G5AVDG
EU (Stockholm) s3-website.eu-north-1.amazonaws.com Z3BAZG2TWCNX0D
Version 1.0
189
Amazon Simple Workflow Service (Amazon SWF)
Region Name Website Endpoint Route 53 Hosted

Zone ID
South America s3-website-sa-east-1.amazonaws.com Z7KQH4QJS55SO

(São Paulo)
Middle East s3-website.me-south-1.amazonaws.com Z1MPMWCPA7YB62

(Bahrain)
For information about using Amazon Simple Storage Service in the AWS GovCloud (US-West) Region, see
For information about using Amazon Simple Storage Service in the China (Beijing) Region, see China

Name
US East us-east-2 swf.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 swf.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 swf.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 swf.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 swf.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- swf.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- swf.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- swf.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Version 1.0
190

Name
Asia ap- swf.ap-southeast-2.amazonaws.com HTTPS

(Sydney)

(Tokyo)
Canada ca- swf.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 swf.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- swf.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- swf.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 swf.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 swf.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 swf.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 swf.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- swf.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 swf.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- swf.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- swf.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using Amazon Simple Workflow Service in the AWS GovCloud (US-West) Region,
see AWS GovCloud (US-West) Endpoints.
For information about using Amazon Simple Workflow Service in the China (Beijing) Region, see China
Version 1.0
191
Amazon SimpleDB
Amazon SimpleDB
Name
US East (N. us-east-1 sdb.amazonaws.com HTTP and

Virginia) HTTPS
US us-west-1 sdb.us-west-1.amazonaws.com HTTP and

West (N. HTTPS
California)
US West us-west-2 sdb.us-west-2.amazonaws.com HTTP and

(Oregon) HTTPS
Asia ap- sdb.ap-southeast-1.amazonaws.com HTTP and

(Singapore)
Asia ap- sdb.ap-southeast-2.amazonaws.com HTTP and

(Sydney)
Asia ap- sdb.ap-northeast-1.amazonaws.com HTTP and

(Tokyo)
EU eu-west-1 sdb.eu-west-1.amazonaws.com HTTP and

(Ireland) HTTPS
South sa-east-1 sdb.sa-east-1.amazonaws.com HTTP and

America HTTPS
(Sao
Paulo)
AWS Single Sign-On

Name
US East us-east-2 sso.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 sso.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 sso.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- sso.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Version 1.0
192
AWS Snowball

Name
Asia ap- sso.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Canada ca- sso.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- sso.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 sso.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 sso.eu-west-2.amazonaws.com HTTPS

(London)
AWS Snowball
AWS Snowball is available in the following AWS Regions and includes these endpoints. Note that while
Snowball devices are available in the Asia Pacific (Mumbai) AWS Region, Snowball Edge devices are not.

Name
US East us-east-2 snowball.us-east-2.amazonaws.com

(Ohio)
US East (N. us-east-1 snowball.us-east-1.amazonaws.com

Virginia)
US us-west-1 snowball.us-west-1.amazonaws.com
West (N.
California)
US West us-west-2 snowball.us-west-2.amazonaws.com

(Oregon)
Asia ap-east-1 snowball.ap-east-1.amazonaws.com

Pacific
(Hong
Kong)
Asia ap- snowball.ap-south-1.amazonaws.com

Pacific south-1
(Mumbai)
Asia ap- snowball.ap-northeast-2.amazonaws.com

(Seoul)
Asia ap- snowball.ap-southeast-1.amazonaws.com

(Singapore)
Version 1.0
193
AWS Step Functions

Name
Asia ap- snowball.ap-southeast-2.amazonaws.com

(Sydney)
Asia ap- snowball.ap-northeast-1.amazonaws.com

(Tokyo)
Canada ca- snowball.ca-central-1.amazonaws.com

(Central) central-1
China cn-north-1 snowball.cn-north-1.amazonaws.com.cn

(Beijing)
EU eu- snowball.eu-central-1.amazonaws.com
EU eu-west-1 snowball.eu-west-1.amazonaws.com
(Ireland)
EU eu-west-2 snowball.eu-west-2.amazonaws.com
(London)
EU (Paris) eu-west-3 snowball.eu-west-3.amazonaws.com
South sa-east-1 snowball.sa-east-1.amazonaws.com

America
(Sao
Paulo)
AWS us-gov- snowball.us-gov-east-1.amazonaws.com

GovCloud east-1
(US-East)
AWS us-gov- snowball.us-gov-west-1.amazonaws.com

GovCloud west-1
(US-West)
For information about using AWS Snowball in the AWS GovCloud (US-West) Region, see AWS GovCloud
AWS Step Functions

Name
US East us-east-2 states.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 states.us-east-1.amazonaws.com HTTPS

Virginia)
Version 1.0
194
AWS Step Functions

Name
US us-west-1 states.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 states.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 states.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- states.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- states.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- states.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- states.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- states.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- states.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 states.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- states.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- states.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 states.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 states.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 states.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 states.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Version 1.0
195
AWS Storage Gateway

Name
Middle me- states.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 states.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- states.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- states.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
AWS Storage Gateway

Name
US East us-east-2 storagegateway.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 storagegateway.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 storagegateway.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 storagegateway.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 storagegateway.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- storagegateway.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- storagegateway.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- storagegateway.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Version 1.0
196
AWS Storage Gateway Hardware Appliance Regions

Name
Asia ap- storagegateway.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- storagegateway.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- storagegateway.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 storagegateway.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
EU eu- storagegateway.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 storagegateway.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 storagegateway.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 storagegateway.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 storagegateway.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- storagegateway.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 storagegateway.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- storagegateway.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Note
For AWS Regions that Hardware Appliance is supported in, see AWS Storage Gateway Hardware
Appliance Regions (p. 197).
For information about using AWS Storage Gateway in the China (Beijing) Region, see China
AWS Storage Gateway Hardware Appliance Regions

Note
The AWS Storage Gateway Hardware Appliance is available for purchase in the U S and Europe.
AWS Storage Gateway Hardware Appliance is supported in the following AWS Regions.
• US East (N. Virginia)
Version 1.0
197
AWS Support
• US East (Ohio)
• US West (N. California)
• US West (Oregon)
• EU (Ireland)
• EU (London)
• EU (Paris)
• EU (Frankfurt)
• EU (Stockholm)
AWS Support
AWS Support has a single endpoint: support.us-east-1.amazonaws.com (HTTPS).
AWS Systems Manager

Name
US East us-east-2 ssm.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 ssm.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 ssm.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 ssm.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 ssm.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- ssm.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- ssm.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- ssm.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- ssm.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Version 1.0
198
AWS Systems Manager

Name
Asia ap- ssm.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- ssm.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 ssm.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- ssm.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- ssm.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 ssm.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 ssm.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 ssm.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 ssm.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- ssm.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 ssm.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- ssm.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- ssm.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
For information about using AWS Systems Manager in the AWS GovCloud (US-West) Region, see AWS
For information about using AWS Systems Manager in the China (Beijing) Region, see China (Beijing)
Region Endpoints.
AWS Systems Manager Distributor is available in all commercial Regions except the China (Beijing)
Region and the China (Ningxia) Region. Distributor is not available in the AWS GovCloud (US-West)
Endpoints.
Version 1.0
199
Amazon Textract
Amazon Textract
Name
US East us-east-2 textract.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 textract.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 textract.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- textract.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
EU eu-west-1 textract.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 textract.eu-west-2.amazonaws.com HTTPS

(London)
Amazon Transcribe
Name
US East us-east-2 transcribe.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 transcribe.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 transcribe.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 transcribe.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 transcribe.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- transcribe.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- transcribe.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Version 1.0
200
Amazon Transcribe Streaming

Name
Asia ap- transcribe.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- transcribe.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Canada ca- transcribe.ca-central-1.amazonaws.com HTTPS

(Central) central-1
China cn-north-1 cn.transcribe.cn-north-1.amazonaws.com.cn HTTPS

(Beijing)
China cn- cn.transcribe.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- transcribe.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 transcribe.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 transcribe.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 transcribe.eu-west-3.amazonaws.com HTTPS
Middle me- transcribe.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 transcribe.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- transcribe.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Amazon Transcribe Streaming

Name
US East us-east-2 transcribestreaming.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 transcribestreaming.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 transcribestreaming.us-west-2.amazonaws.com HTTPS

(Oregon)
Version 1.0
201
AWS Transfer for SFTP

Name
Asia ap- transcribestreaming.ap- HTTPS

(Sydney)
Canada ca- transcribestreaming.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu-west-1 transcribestreaming.eu-west-1.amazonaws.com HTTPS

(Ireland)

Name
US East us-east-2 transfer.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 transfer.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 transfer.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 transfer.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- transfer.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- transfer.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- transfer.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- transfer.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- transfer.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- transfer.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- transfer.eu-central-1.amazonaws.com HTTPS

Version 1.0
202
Amazon Translate

Name
EU eu-west-1 transfer.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 transfer.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 transfer.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 transfer.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 transfer.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Amazon Translate
Name
US East us-east-2 translate.us-east-2.amazonaws.com HTTPS

(Ohio)
translate-fips.us-east-2.amazonaws.com HTTPS
US East (N. us-east-1 translate.us-east-1.amazonaws.com HTTPS

Virginia)
translate-fips.us-east-1.amazonaws.com HTTPS
US West us-west-2 translate.us-west-2.amazonaws.com HTTPS

(Oregon)
translate-fips.us-west-2.amazonaws.com HTTPS
Asia ap- translate.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- translate.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- translate.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- translate.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- translate.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- translate.eu-central-1.amazonaws.com HTTPS

Version 1.0
203
Amazon VPC

Name
EU eu-west-1 translate.eu-west-1.amazonaws.com HTTPS

(Ireland)
AWS us-gov- translate.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West) translate-fips.us-gov-west-1.amazonaws.com HTTPS
Amazon VPC
Name
US East us-east-2 ec2.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 ec2.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 ec2.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 ec2.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 ec2.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- ec2.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- ec2.ap-northeast-3.amazonaws.com HTTPS

(Osaka-
Local)

(Seoul)
Asia ap- ec2.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- ec2.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Version 1.0
204
AWS WAF

Name

(Tokyo)
Canada ca- ec2.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- ec2.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 ec2.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 ec2.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 ec2.eu-west-3.amazonaws.com HTTPS
EU eu-north-1 ec2.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- ec2.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 ec2.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- ec2.us-gov-east-1.amazonaws.com HTTPS

GovCloud east-1
(US-East)
AWS us-gov- ec2.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
If you specify the general endpoint (ec2.amazonaws.com), Amazon VPC directs your request to the us-
east-1 endpoint.
For information about using Amazon VPC in the AWS GovCloud (US-West) Region, see AWS GovCloud
For information about using Amazon VPC in the China (Beijing) Region, see China (Beijing) Region
Endpoints.
AWS WAF
AWS WAF for CloudFront distributions has a single endpoint: waf.amazonaws.com. It supports HTTPS
requests only.
Version 1.0
205
AWS WAF

Name
US East us-east-2 waf.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 waf.amazonaws.com HTTPS

Virginia)
US us-west-1 waf.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 waf.amazonaws.com HTTPS

(Oregon)
Asia ap- waf.amazonaws.com HTTPS

Pacific south-1
(Mumbai)

(Seoul)

(Singapore)

(Sydney)

(Tokyo)
Canada ca- waf.amazonaws.com HTTPS

(Central) central-1
EU eu- waf.amazonaws.com HTTPS

EU eu-west-1 waf.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 waf.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 waf.amazonaws.com HTTPS
EU eu-north-1 waf.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 waf.amazonaws.com HTTPS

America
(Sao
Paulo)
Version 1.0
206
AWS WAF

Name
AWS us-gov- waf.amazonaws.com HTTPS

GovCloud west-1
(US-West)
AWS WAF for Application Load Balancers has the following endpoints:

Name
US East us-east-2 waf-regional.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 waf-regional.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 waf-regional.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 waf-regional.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- waf-regional.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- waf-regional.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- waf-regional.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- waf-regional.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- waf-regional.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- waf-regional.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- waf-regional.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 waf-regional.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 waf-regional.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 waf-regional.eu-west-3.amazonaws.com HTTPS
Version 1.0
207
Amazon WorkDocs

Name
EU eu-north-1 waf-regional.eu-north-1.amazonaws.com HTTPS

(Stockholm)
South sa-east-1 waf-regional.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- waf-regional.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Amazon WorkDocs
Name
US East (N. us-east-1 workdocs.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 workdocs.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- workdocs.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- workdocs.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- workdocs.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
EU eu-west-1 workdocs.eu-west-1.amazonaws.com HTTPS

(Ireland)
Amazon WorkLink
US East (N. Virginia) us-east-1 worklink.us- HTTPS

US East (Ohio) us-east-2 worklink.us- HTTPS

US West (Oregon) us-west-2 worklink.us- HTTPS

Version 1.0
208
Amazon WorkMail
EU (Ireland) eu-west-1 worklink.eu- HTTPS

Amazon WorkMail
Region Name Region Service Endpoint
US East (N. Virginia) us-east-1 Amazon WorkMail https://workmail.us-

SDK east-1.amazonaws.com
US East (N. Virginia) us-east-1 Autodiscover autodiscover-service.mail.us-

east-1.awsapps.com
US East (N. Virginia) us-east-1 Exchange Web ews.mail.us-east-1.awsapps.com

Service
US East (N. Virginia) us-east-1 Exchange Active mobile.mail.us-east-1.awsapps.com

Sync
US East (N. Virginia) us-east-1 MAPI Proxy outlook.mail.us-east-1.awsapps.com
US East (N. Virginia) us-east-1 IMAPS imap.mail.us-east-1.awsapps.com
US East (N. Virginia) us-east-1 SMTP via TLS (port smtp.mail.us-east-1.awsapps.com

465)
US West (Oregon) us-west-2 Amazon WorkMail https://workmail.us-

SDK west-2.amazonaws.com
US West (Oregon) us-west-2 Autodiscover autodiscover-service.mail.us-

west-2.awsapps.com
US West (Oregon) us-west-2 Exchange Web ews.mail.us-west-2.awsapps.com

Service
US West (Oregon) us-west-2 Exchange Active mobile.mail.us-west-2.awsapps.com

Sync
US West (Oregon) us-west-2 MAPI Proxy outlook.mail.us-west-2.awsapps.com
US West (Oregon) us-west-2 IMAPS imap.mail.us-west-2.awsapps.com
US West (Oregon) us-west-2 SMTP via TLS (port smtp.mail.us-west-2.awsapps.com

465)
EU (Ireland) eu-west-1 Amazon WorkMail https://workmail.eu-

SDK west-1.amazonaws.com
EU (Ireland) eu-west-1 Autodiscover autodiscover-service.mail.eu-

west-1.awsapps.com
EU (Ireland) eu-west-1 Exchange Web ews.mail.eu-west-1.awsapps.com

Service
EU (Ireland) eu-west-1 Exchange Active mobile.mail.eu-west-1.awsapps.com

Sync
Version 1.0
209
Amazon WorkSpaces
Region Name Region Service Endpoint
EU (Ireland) eu-west-1 MAPI Proxy outlook.mail.eu-west-1.awsapps.com
EU (Ireland) eu-west-1 IMAPS imap.mail.eu-west-1.awsapps.com
EU (Ireland) eu-west-1 SMTP via TLS (port smtp.mail.eu-west-1.awsapps.com

465)
Amazon WorkSpaces
Name
US East (N. us-east-1 workspaces.us-east-1.amazonaws.com HTTPS

Virginia)
US West us-west-2 workspaces.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap- workspaces.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- workspaces.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- workspaces.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- workspaces.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- workspaces.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- workspaces.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 workspaces.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 workspaces.eu-west-2.amazonaws.com HTTPS

(London)
South sa-east-1 workspaces.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
AWS us-gov- workspaces.us-gov-west-1.amazonaws.com HTTPS

GovCloud west-1
(US-West)
Version 1.0
210
AWS X-Ray
AWS X-Ray
Name
US East us-east-2 xray.us-east-2.amazonaws.com HTTPS

(Ohio)
US East (N. us-east-1 xray.us-east-1.amazonaws.com HTTPS

Virginia)
US us-west-1 xray.us-west-1.amazonaws.com HTTPS

West (N.
California)
US West us-west-2 xray.us-west-2.amazonaws.com HTTPS

(Oregon)
Asia ap-east-1 xray.ap-east-1.amazonaws.com HTTPS

Pacific
(Hong
Kong)
Asia ap- xray.ap-south-1.amazonaws.com HTTPS

Pacific south-1
(Mumbai)
Asia ap- xray.ap-northeast-2.amazonaws.com HTTPS

(Seoul)
Asia ap- xray.ap-southeast-1.amazonaws.com HTTPS

(Singapore)
Asia ap- xray.ap-southeast-2.amazonaws.com HTTPS

(Sydney)
Asia ap- xray.ap-northeast-1.amazonaws.com HTTPS

(Tokyo)
Canada ca- xray.ca-central-1.amazonaws.com HTTPS

(Central) central-1
EU eu- xray.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 xray.eu-west-1.amazonaws.com HTTPS

(Ireland)
EU eu-west-2 xray.eu-west-2.amazonaws.com HTTPS

(London)
EU (Paris) eu-west-3 xray.eu-west-3.amazonaws.com HTTPS
Version 1.0
211
AWS X-Ray

Name
EU eu-north-1 xray.eu-north-1.amazonaws.com HTTPS

(Stockholm)
Middle me- xray.me-south-1.amazonaws.com HTTPS

East south-1
(Bahrain)
South sa-east-1 xray.sa-east-1.amazonaws.com HTTPS

America
(Sao
Paulo)
Version 1.0
212
About AWS Regions
Managing AWS Regions

AWS Regions introduced before March 20, 2019 are enabled by default. You can begin working in these
Regions immediately. Regions introduced after March 20, 2019, such as Asia Pacific (Hong Kong) and
Middle East (Bahrain), are disabled by default. You must enable these Regions before you can use them.
If an AWS Region is disabled by default, you can use the AWS Management Console to enable and
disable the Region. Enabling and disabling AWS Regions allows you to control whether users in your AWS
account can access resources in that Region.
About AWS Regions

An AWS Region is a collection of AWS resources in a geographic area. Each AWS Region is isolated and
independent of the other Regions. The resources that you create in one Region do not exist in any other
Region unless you explicitly use a replication feature offered by an AWS service.
Some services, such as AWS Identity and Access Management (IAM), do not have Regional resources.
Others, such as Amazon Simple Storage Service (Amazon S3), support cross-Region replication.
Regions provide fault tolerance, stability, and resilience, and can also reduce latency. They allow you to
create redundant resources that remain available and unaffected by a Regional outage. Administrators
can enable and disable Regions (p. 213) and use a policy condition that controls access to AWS services
in a particular AWS Region.
For a table of AWS services supported in each Region (without endpoints), see the Region Table.
Enabling a Region
To enable a Region, you must be an administrator for the account with permissions to enable Regions.
To view an example policy that includes these permissions, see AWS: Allows Enabling and Disabling AWS
Regions in the IAM User Guide.
When you enable a Region, AWS performs actions to prepare your account in that Region, such as
distributing your IAM resources to the Region. This process takes a few minutes for most accounts, but
this can take several hours. You cannot use the Region until this process is complete.
To enable a Region
1. Sign in to the AWS Management Console using administrative credentials with a policy that allows
enabling Regions. To view an example policy that provides these permissions, see AWS: Allows
Enabling and Disabling AWS Regions in the IAM User Guide.
2. In the upper right corner of the console, choose your account name or number and then choose My
Account.
3. In the AWS Regions section, next to the name of the Region that you want to enable, choose
Enable.
4. In the dialog box, review the informational text and choose Enable Region.
5. Wait until the Region is ready to use.
Version 1.0
213
Disabling a Region
Disabling a Region
To disable a Region that you no longer want members of your account to use, you should first remove all
resources from that Region. After you disable a Region, you can no longer view or manage resources in
that Region. However, resources in that Region can continue to incur charges. For more information, see
Enabling and Disabling Regions in the AWS Billing and Cost Management User Guide.
Important
After you disable a Region, the resources in this Region are immediately unavailable.
To disable a Region
1. Sign in to the AWS Management Console using administrative credentials with a policy that allows
disabling Regions. To view an example policy that provides these permissions, see AWS: Allows
Enabling and Disabling AWS Regions in the IAM User Guide.
2. In the upper right corner of the console, choose your account name or number and then choose My
Account.
3. In the AWS Regions section, next to the name of the Region that you want to disable, choose
Disable.
4. In the dialog box, review the informational text and choose Disable Region.
Describing Your Regions Using the AWS CLI

Use the describe-regions command to describe the Regions available for your account, whether they are
enabled or disabled.
aws ec2 describe-regions --all-regions
If the Region is enabled by default, the output includes the following:
"OptInStatus": "opt-in-not-required"
If the Region is not enabled, the output includes the following:
"OptInStatus": "not-opted-in"
After an opt-in Region is enabled, the output includes the following:
"OptInStatus": "opted-in"
Version 1.0
214
AWS Account Root User Credentials
vs. IAM User Credentials
AWS Security Credentials

When you interact with AWS, you specify your AWS security credentials to verify who you are and
whether you have permission to access the resources that you are requesting. AWS uses the security
credentials to authenticate and authorize your requests.
For example, if you want to download a specific file from an Amazon Simple Storage Service (Amazon
S3) bucket, your credentials must allow that access. If your credentials aren't authorized to download the
file, AWS denies your request.
Note
In some cases, you can make calls to AWS without security credentials, such as downloading a
file that is publicly shared in an Amazon S3 bucket.
Topics
• AWS Account Root User Credentials vs. IAM User Credentials (p. 215)
• Understanding and Getting Your Security Credentials (p. 216)
• AWS Account Identifiers (p. 219)
• Best Practices for Managing AWS Access Keys (p. 221)
• Managing Access Keys for Your AWS Account Root User (p. 224)
• AWS Security Audit Guidelines (p. 225)
AWS Account Root User Credentials vs. IAM User

Credentials
All AWS accounts have root user credentials (that is, the credentials of the account owner). These
credentials allow full access to all resources in the account. You cannot use policies within your account
to explicitly deny access to the root user. You can only use an AWS Organizations service control policy
(SCP) to limit permissions to an account, including the root user, that is a member of an organization or
organizational unit (OU). Because of this, we recommend that you delete your root user access keys and
then create AWS Identity and Access Management (IAM) user credentials for everyday interaction with
AWS. For more information, see Lock away your AWS account (root) access keys in the IAM User Guide.
Note
You may need AWS account root user access for specific tasks, such as changing an AWS support
plan or closing your account. In these cases, sign in to the AWS Management Console with your
email and password. See Email and Password (Root User) (p. 217).
For a list of tasks that require root user access, see AWS Tasks That Require AWS Account Root User
Credentials (p. 216).
With IAM, you can securely control access to AWS services and resources for users in your AWS account.
For example, if you require administrator-level permissions, you can create an IAM user, grant that user
full access, and then use those credentials to interact with AWS. If you need to modify or revoke your
permissions, you can delete or modify the policies that are associated with that IAM user.
If you have multiple users that require access to your AWS account, you can create unique credentials
for each user and define who has access to which resources. You don't need to share credentials. For
example, you can create IAM users with read-only access to resources in your AWS account and distribute
those credentials to your users.
Note
Any activity or costs that are associated with the IAM user are billed to the AWS account owner.
Version 1.0
215
AWS Tasks That Require AWS
Account Root User Credentials
AWS Tasks That Require AWS Account Root User

Credentials
The following tasks require you to sign in as the AWS account root user. We recommend that you use
a standard IAM user with appropriate permissions to perform all normal user or administrative tasks.
However, you can perform the tasks listed below only when you sign in as the root user of an account.
Important
If you cannot complete any of the following tasks using your root user credentials, your
account might be a member of an organization in AWS Organizations. If your organizational
administrator used a service control policy (SCP) to limit the permissions of your account, then
your root user permissions are affected. For more information, see Service Control Policies in the
AWS Organizations User Guide.
• Modify root user details (p. 217). This includes changing the root user's password.
• Change your AWS support plan.
• View Billing tax invoices. An IAM user with the aws-portal:ViewBilling permission can also view
and download VAT invoices from AWS Europe but not AWS Inc or Amazon Internet Services Pvt. Ltd
(AISPL). You must be signed in as root to view or download AWS Inc. or AISPL VAT invoices.
• Close an AWS account.
• Sign up for GovCloud.
• Submit a Reverse DNS for Amazon EC2 request. The "this form" link on that page to submit a request
works only if you sign in with root user credentials.
• Create a CloudFront key pair.
• Change the Amazon EC2 setting for longer resource IDs. Changing this setting as the root user affects
all users and roles in the account. Changing it as an IAM user or IAM role affects only that user or role.
• Configuring an Amazon S3 bucket to enable MFA (multi-factor authentication) Delete.
• Editing or deleting an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID.
• Request removal of the port 25 email throttle on your EC2 instance.
• Find your AWS account canonical user ID in the console (p. 220). You can view your canonical user ID
from the AWS Management Console only while signed in as the AWS account root user. You can view
your canonical user ID as an IAM user with the AWS API or AWS CLI.
• Restoring IAM user permissions. If an IAM user accidentally revokes their own permissions, you can sign
in as the root user to edit policies and restore those permissions.
• Change your account settings using the Billing and Cost Management console. You can view and edit
your contact and alternate contact information, the currency that you pay your bills in, the Regions
that you can create resources in, and your tax registration numbers.
Understanding and Getting Your Security

Credentials
You use different types of security credentials depending on how you interact with AWS. For example,
you use a user name and password to sign in to the AWS Management Console. You use access keys to
make programmatic calls to AWS API operations or to use AWS CLI commands.
If you forget or lose your credentials, you can't recover them. For security reasons, AWS doesn't allow you
to retrieve your passwords or secret access keys and does not store the private keys that are part of a key
pair. However, you can create new credentials and then disable or delete the old credentials.
Version 1.0
216
Email and Password (Root User)
Note
Security credentials are account-specific. If you have access to multiple AWS accounts, use the
credentials that are associated with the account that you want to access.
Getting AWS account root user credentials is different than getting IAM user credentials. For root user
credentials, you get credentials, such as access keys or key pairs, from the Security Credentials page in
the AWS Management Console. For IAM user credentials, you get credentials from the IAM console.
The following list describes the types of AWS security credentials, when you might use them, and how to
get each type of credential for the AWS account root user or for an IAM user.
Topics
• Email and Password (Root User) (p. 217)
• IAM User Name and Password (p. 217)
• Multi-Factor Authentication (MFA) (p. 218)
• Access Keys (Access Key ID and Secret Access Key) (p. 218)
• Key Pairs (p. 219)
Email and Password (Root User)

When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity
that has complete access to all AWS services and resources in the account. This identity is called the AWS
account root user and is accessed by signing in with the email address and password that you used to
create the account.
Important
We strongly recommend that you do not use the root user for your everyday tasks, even the
administrative ones. Instead, adhere to the best practice of using the root user only to create
your first IAM user. Then securely lock away the root user credentials and use them to perform
only a few account and service management tasks. To view the tasks that require you to sign in
as the root user, see AWS Tasks That Require Root User.
Use your AWS account email address and password to sign in to the AWS Management Console as the
AWS account root user.
Note
If you previously signed in to the console with IAM user credentials, your browser might
remember this preference and open your account-specific sign-in page. You cannot use the
IAM user sign-in page to sign in with your AWS account root user credentials. If you see the IAM
user sign-in page, choose Sign-in using root user credentials near the bottom of the page to
return to the main sign-in page. From there, you can enter your AWS account email address and
password.
You can change the email address and password on the Security Credentials page. You can also choose
Forgot password? on the AWS sign-in page to reset your password.
IAM User Name and Password

Use AWS Identity and Access Management (IAM) to create unique user identities in AWS. IAM users
provide their user names and passwords when they sign in to the AWS Management Console, AWS
discussion forums, or AWS Support center. In some cases, an IAM user name and password are required
to use a service, such as sending email with SMTP by using Amazon Simple Email Service (Amazon SES).
For more information about IAM users, see Identities (Users, Groups, and Roles) in the IAM User Guide.
You specify user names when you create them. Optionally, you can create passwords for each user. For
more information, see Managing Passwords for IAM Users in the IAM User Guide.
Version 1.0
217
Multi-Factor Authentication (MFA)
Note
IAM users can manage their own password but only if they have been given permission. For
more information, see Permitting IAM Users to Change Their Own Password in the IAM User
Guide.
Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) provides an extra level of security that you can apply to your AWS
account. For additional security, we recommend that you require MFA on the AWS account root user
credentials and highly privileged IAM users. For more information, see Using Multi-Factor Authentication
(MFA) in AWS in the IAM User Guide.
With MFA enabled, when you sign in to the AWS website, you are prompted for your user name and
password, and an authentication code from an MFA device. Together, they provide increased security for
your AWS account settings and resources.
By default, MFA (multi-factor authentication) is not enabled. You can enable and manage MFA devices
for the AWS account root user by going to the Security Credentials page or the IAM dashboard in the
AWS Management Console. For more information about enabling MFA for IAM users, see Enabling MFA
Devices in the IAM User Guide.
Access Keys (Access Key ID and Secret Access Key)

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret
access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You use access keys to
sign programmatic requests that you make to AWS if you use AWS CLI commands (using the SDKs) or
using AWS API operations. For more information, see Signing AWS API Requests (p. 350). Like a user
name and password, you must use both the access key ID and secret access key together to authenticate
your requests. Manage your access keys as securely as you do your user name and password.
When you create access keys, you create the access key ID and secret access key as a set. During access
key creation, AWS gives you one opportunity to view and download the secret access key part of the
access key. If you don't download it or if you lose it, you can delete the access key and then create a
new one. You can create IAM user or root user access keys with the IAM console, AWS CLI, or AWS API.
To learn how to create IAM user access keys, see Managing Access Keys for IAM Users in the IAM User
Guide. To create access keys for your root user, see Managing Access Keys for Your AWS Account Root
User (p. 224) in the IAM User Guide. We strongly recommend that you do not use the root user for your
everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user
only to create your first IAM user. Then securely lock away the root user credentials and use them to
perform only a few account and service management tasks. To view the tasks that require you to sign in
as the root user, see AWS Tasks That Require Root User.
Important
Do not provide your access keys to a third party, even to help find your canonical user
ID (p. 220). By doing this, you might give someone full access to your account.
A newly created access key has the status of active, which means that you can use the access key for CLI
and API calls. You are limited to two access keys for each IAM user, which is useful when you want to
rotate the access keys. You can also assign up to two access keys to the root user. When you disable an
access key, you can't use it for API calls, and inactive keys do count toward your limit. You can create or
delete an access key any time. However, when you delete an access key, it's gone forever and can't be
retrieved.
You can also create and use temporary access keys, known as temporary security credentials. In addition
to the access key ID and secret access key, temporary security credentials include a security token that
you must send to AWS when you use temporary security credentials. The advantage of temporary
security credentials is that they are short term. After they expire, they're no longer valid. You can use
Version 1.0
218
Key Pairs
temporary access keys in less secure environments or distribute them to grant users temporary access
to resources in your AWS account. For example, you can grant entities from other AWS accounts access
to resources in your AWS account (cross-account access). You can also grant users who don't have AWS
security credentials access to resources in your AWS account (federation). For more information, see
Temporary Security Credentials in the IAM User Guide. For information on the unique IDs that IAM
creates, including their prefixes (like the AKIA used in AKIAIOSFODNN7EXAMPLE, above), see IAM
Identifiers in the IAM User Guide.
Key Pairs
Key pairs are unrelated to access keys, and consist of a public key and a private key. You use the private
key to create a digital signature, and then AWS uses the corresponding public key to validate the
signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.
For Amazon EC2, you use key pairs to access Amazon EC2 instances, such as when you use SSH to log in
to a Linux instance. For more information, see Connect to Your Linux Instances in the Amazon EC2 User
Guide for Linux Instances.
For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when you
want to distribute restricted content that someone paid for. For more information, see Serving Private
Content through CloudFront in the Amazon CloudFront Developer Guide.
AWS does not provide key pairs for your account; you must create them. You can create Amazon EC2 key
pairs from the Amazon EC2 console, CLI, or API. For more information, see Amazon EC2 Key Pairs in the
Amazon EC2 User Guide for Linux Instances.
You create Amazon CloudFront key pairs from the Security Credentials page. Only the AWS account root
user (not IAM users) can create CloudFront key pairs. For more information, see Serving Private Content
through CloudFront in the Amazon CloudFront Developer Guide.
AWS Account Identifiers

AWS assigns two unique IDs to each AWS account:
• An AWS account ID
• A canonical user ID
The AWS account ID is a 12-digit number, such as 123456789012, that you use to construct Amazon
Resource Names (ARNs). When you refer to resources, such as an IAM user or an Glacier vault, the
account ID distinguishes your resources from resources in other AWS accounts.
The canonical user ID is a long string, such as

79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
You can use canonical user IDs in an Amazon S3 bucket policy for cross-account access, which means
an AWS account can access resources in another AWS account. For example, to grant another AWS
account access to your bucket, you specify the account's canonical user ID in the bucket's policy. For more
information, see Bucket Policy Examples in the Amazon Simple Storage Service Developer Guide.
Finding Your AWS Account ID

You can find the AWS account ID from AWS Management Console. The method that you use to find the
account ID depends on how you are logged in to the console.
Version 1.0
219
Finding Your Account Canonical User ID
To view your AWS account ID when signed in as an AWS account root user
1. Use your AWS account email address and password to sign in to the AWS Management Console as
the root user.
Important
If you are signed in to the AWS Management Console with IAM user credentials, you must
sign out and then sign in as the root user. If you see the account-specific IAM user sign-in
page, choose Sign-in using root account credentials near the bottom of the page to return
to the main sign-in page. From there, you can type your AWS account email address and
password to sign in as the root user.
2. In the top right of the console, choose your account name or number. Then choose My Security
Credentials.
3. If necessary, in the dialog box, choose Continue to Security Credentials. You can choose the box
next to Don’t show me this message again to stop the dialog box from appearing in the future.
4. Expand the Account Identifiers section to view your AWS account ID.
To view your AWS account ID when signed in as a federated user or an IAM user
1. Sign in to the AWS Management Console as an IAM user or federated user.

2. Choose Support in the upper-right corner of the console and choose Support Center.
3. Your AWS account number (ID) appears in the Support Center title bar. The account ID for an AWS
account is the same for the AWS account root user and its IAM users. For more information, see Your
AWS Account ID and Its Alias in the IAM User Guide.
Finding Your Account Canonical User ID

The canonical user ID is an identifier for your account. Because this identifier is used by Amazon S3, only
this service provides IAM users with access to the canonical user ID. You can also view the canonical user
ID for your account from the AWS Management Console while signed in as the AWS account root user. To
learn about the differences between root user credentials and IAM user credentials, see the section called
“AWS Account Root User Credentials vs. IAM User Credentials” (p. 215).
To use the the AWS API or AWS CLI to view the canonical user ID, the IAM user must have permissions
to perform the s3:ListAllMyBuckets action. To use the Amazon S3 console, the IAM user must
have permissions to perform the s3:ListAllMyBuckets and s3:GetBucketAcl actions. For more
information about permissions, see Permissions Related to Buckets and Managing Access Permissions to
Your Amazon S3 Resources ( ) in the Amazon Simple Storage Service Developer Guide.
Important
Do not provide your Access Keys (Access Key ID and Secret Access Key) (p. 218) to a third
party to help find your canonical user ID. By doing this, you might give them full access to your
account.
To view your canonical user ID as an IAM user (console)
1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the
Amazon S3 Console.
2. Choose the name of an Amazon S3 bucket to view the details about that bucket.
3. Choose the Permissions tab and then choose Access Control List.
4. In the Access for your AWS account section, in the Account column is a long identifier, such as
c1daexampleaaf850ea79cf0430f33d72579fd1611c97f7ded193374c0b163b6. This is your
canonical user ID.
Version 1.0
220
Best Practices for Managing AWS Access Keys
To view your canonical user ID as an IAM user (API)
• You can use the Amazon S3 ListBuckets API with your IAM user credentials to return the AWS
account owner ID, which is the canonical user ID. For more information, see GET Service Response
Elements in the Amazon Simple Storage Service API Reference.
To view your canonical user ID as an IAM user (CLI)
• You can use the list-buckets command with your IAM user credentials to return the AWS account
owner ID, which is the canonical user ID. For more information, see s3api list-buckets in the AWS CLI
Command Reference.
To view your canonical user ID when signed in as an AWS account root user (console)
1. Sign in as the root user using your AWS account email address and password.
Important
If you are signed in to the AWS Management Console with IAM user credentials, then you
must sign out and then sign in as the root user. If you see the account-specific IAM user
sign-in page, choose Sign-in using root account credentials near the bottom of the page
to return to the main sign-in page. From there, you can type your AWS account email
address and password to sign in as the root user.
2. In the top right of the console, choose your account name or number. Then choose My Security
Credentials.
3. If necessary, in the dialog box, choose Continue to Security Credentials. You can choose the box
next to Don’t show me this message again to stop the dialog box from appearing in the future.
4. Expand the Account Identifiers section to view your canonical user ID.
Note
If you do not see the Account Identifiers section, then you are not signed in as the root
user. Return to Step 1 above. If you do not have access to the root user credentials, contact
your AWS account administrator and ask them to retrieve the canonical user ID.
Best Practices for Managing AWS Access Keys

When you access AWS programmatically, you use an access key to verify your identity and the identity of
your applications. An access key consists of an access key ID (something like AKIAIOSFODNN7EXAMPLE)
and a secret access key (something like wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
Anyone who has your access key has the same level of access to your AWS resources that you do.
Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our
shared-responsibility model, you should as well.
The steps that follow can help you protect access keys. For general background, see AWS Security
Note
Your organization may have different security requirements and policies than those described in
this topic. The suggestions provided here are intended to be general guidelines.
Remove (or Don't Generate) Account Access Key

An access key is required in order to sign requests that you make using the AWS Command Line Tools,
the AWS SDKs, or direct API calls. Anyone who has the access key for your AWS account root user has
Version 1.0
221
Use Temporary Security Credentials (IAM
Roles) Instead of Long-Term Access Keys
unrestricted access to all the resources in your account, including billing information. You cannot restrict
the permissions for your AWS account root user.
One of the best ways to protect your account is to not have an access key for your AWS account root
user. Unless you must have a root user access key (which is very rare), it is best not to generate one.
Instead, the recommended best practice is to create one or more AWS Identity and Access Management
(IAM) users, give them the necessary permissions, and use IAM users for everyday interaction with AWS.
If you already have an access key for your account, we recommend the following: Find places in your
applications where you are currently using that key (if any), replace the root user access key with an
IAM user access key, and then disable and remove the root user access key. For details about how to
substitute one access key for another, see the post How to Rotate Access Keys for IAM Users on the AWS
Security Blog.
By default, AWS does not generate an access key for new accounts.
For information about how to create an IAM user with administrative permissions, see Creating Your First
IAM Admin User and Group in the IAM User Guide.
Use Temporary Security Credentials (IAM Roles)

Instead of Long-Term Access Keys
In many scenarios, you don't need a long-term access key that never expires (as you have with an IAM
user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security
credentials consist of an access key ID and a secret access key, but they also include a security token that
indicates when the credentials expire.
Long-term access keys, such as those associated with IAM users and AWS account root users, remain valid
until you manually revoke them. However, temporary security credentials obtained through IAM roles
and other features of the AWS Security Token Service expire after a short period of time. Use temporary
security credentials to help reduce your risk in case credentials are accidentally exposed.
Use an IAM role and temporary security credentials in these scenarios:
• You have an application or AWS CLI scripts running on an Amazon EC2 instance. Do not pass an
access key to the application, embed it in the application, or have the application read a key from a
source such as an Amazon S3 bucket (even if the bucket is encrypted). Instead, define an IAM role that
has appropriate permissions for your application and launch the Amazon EC2 instance with roles for
EC2. This associates an IAM role with the Amazon EC2 instance and lets the application get temporary
security credentials that it can in turn use to make AWS calls. The AWS SDKs and the AWS CLI can get
temporary credentials from the role automatically.
• You need to grant cross-account access. Use an IAM role to establish trust between accounts,
and then grant users in one account limited permissions to access the trusted account. For more
information, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles in the IAM User Guide.
• You have a mobile app. Do not embed an access key with the app, even in encrypted storage. Instead,
use Amazon Cognito to manage user identity in your app. This service lets you authenticate users using
Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)–compatible identity provider.
You can then use the Amazon Cognito credentials provider to manage credentials that your app uses
to make requests to AWS. For more information, see Using the Amazon Cognito Credentials Provider
on the AWS Mobile Blog.
• You want to federate into AWS and your organization supports SAML 2.0. If you work for an
organization that has an identity provider that supports SAML 2.0, configure the provider to use
SAML to exchange authentication information with AWS and get back a set of temporary security
credentials. For more information, see About SAML 2.0-based Federation in the IAM User Guide.
• You want to federate into AWS and your organization has an on-premises identity store. If users
can authenticate inside your organization, you can write an application that can issue them temporary
Version 1.0
222
Manage IAM User Access Keys Properly
security credentials for access to AWS resources. For more information, see Creating a URL that
Enables Federated Users to Access the AWS Management Console (Custom Federation Broker) in the
IAM User Guide.
Manage IAM User Access Keys Properly

If you do need to create access keys for programmatic access to AWS, create an IAM user and grant that
user only the permissions he or she needs. Then generate an access key for that user. For details, see
Managing Access Keys for IAM Users in the IAM User Guide.
Note
Remember that if you are running an application on an Amazon EC2 instance and the
application needs access to AWS resources, you should use IAM roles for EC2, as described in the
previous section.
Observe these precautions when using access keys:
• Don't embed access keys directly into code. The AWS SDKs and the AWS Command Line Tools allow
you to put access keys in known locations so that you do not have to keep them in code.
Put access keys in one of the following locations:

• The AWS credentials file. The AWS SDKs and AWS CLI automatically use the credentials that you
store in the AWS credentials file.
For information about using the AWS credentials file, see the documentation for your SDK. Examples
include Set up AWS Credentials and Region for Development in the AWS SDK for Java Developer
Guide and Configuration and Credential Files in the AWS Command Line Interface User Guide.
Note
To store credentials for the AWS SDK for .NET and the AWS Tools for Windows PowerShell,
we recommend that you use the SDK Store. For more information, see Using the SDK Store
in the AWS SDK for .NET Developer Guide.
• Environment variables. On a multitenant system, choose user environment variables, not system
environment variables.
For more information about using environment variables to store credentials, see Environment
Variables in the AWS Command Line Interface User Guide.
• Use different access keys for different applications. Do this so that you can isolate the permissions
and revoke the access keys for individual applications if an access key is exposed. Having separate
access keys for different applications also generates distinct entries in AWS CloudTrail log files, which
makes it easier for you to determine which application performed specific actions.
• Rotate access keys periodically. Change access keys on a regular basis. For details, see Rotating Access
Keys (AWS CLI, Tools for Windows PowerShell, and AWS API) in the IAM User Guide and How to Rotate
Access Keys for IAM Users on the AWS Security Blog.
• Remove unused access keys. If a user leaves your organization, remove the corresponding IAM user so
that the user's access to your resources is removed. To find out when an access key was last used, use
the GetAccessKeyLastUsed API (AWS CLI command: aws iam get-access-key-last-used).
• Configure multi-factor authentication for your most sensitive operations. For details, see Using
Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.
More Resources
For more information about best practices for keeping your AWS account secure, see the following
resources:
Version 1.0
223
Managing Access Keys for Your AWS Account Root User
• IAM Best Practices. This topic presents a list of suggestions for using the AWS Identity and Access
Management (IAM) service to help secure your AWS resources.
• The following pages provide guidance for setting up the AWS SDKs and the AWS CLI to use access
keys.
• Set up AWS Credentials and Region for Development in the AWS SDK for Java Developer Guide.
• Using the SDK Store in the AWS SDK for .NET Developer Guide.
• Providing Credentials to the SDK in the AWS SDK for PHP Developer Guide.
• Configuration in the Boto 3 (AWS SDK for Python) documentation.
• Using AWS Credentials in the AWS Tools for Windows PowerShell guide.
• Configuration and Credential Files in the AWS Command Line Interface User Guide.
• Granting Access Using an IAM Role. This walkthrough discusses how programs written using the .NET
SDK can automatically get temporary security credentials when running on an Amazon EC2 instance. A
similar topic is available for the AWS SDK for Java.
Managing Access Keys for Your AWS Account Root

User
We strongly recommend that you do not use the AWS account root user for your everyday tasks, even
the administrative ones. Instead, adhere to the best practice of using the root user only to create your
first IAM user. Then securely lock away the root user credentials and use them to perform only a few
account and service management tasks. To view the tasks that require you to sign in as the root user, see
AWS Tasks That Require Root User.
You can create, rotate, disable, or delete access keys (access key IDs and secret access keys) for your AWS
account root user. Anyone who has root user access keys for your AWS account has unrestricted access to
all the resources in your account, including billing information.
When you create access keys, you create the access key ID and secret access key as a set. During access
key creation, AWS gives you one opportunity to view and download the secret access key part of the
access key. If you don't download it or if you lose it, you can delete the access key and then create a
new one. You can create IAM user access keys with the IAM console, AWS CLI, or AWS API. For more
information, see Managing Access Keys for IAM Users in the IAM User Guide. To create access keys for
your AWS account root user, you must use the AWS Management Console.
A newly created access key has the status of active, which means that you can use the access key for CLI
and API calls. You are limited to two access keys for each IAM user, which is useful when you want to
rotate the access keys. You can also assign up to two access keys to the root user. When you disable an
access key, you can't use it for API calls, and inactive keys do count toward your limit. You can create or
delete an access key any time. However, when you delete an access key, it's gone forever and can't be
retrieved.
Creating, Disabling, and Deleting Access Keys for Your

AWS Account Root User
Follow these steps to manage access keys for your AWS account. For information about managing access
keys for IAM users, see Managing Access Keys for IAM Users in the IAM User Guide.
To create, disable, or delete an access key for your AWS account root user
1. Use your AWS account email address and password to sign in to the AWS Management Console as
the AWS account root user.
Version 1.0
224
AWS Security Audit Guidelines
Note
If you previously signed in to the console with IAM user credentials, your browser might
remember this preference and open your account-specific sign-in page. You cannot use the
IAM user sign-in page to sign in with your AWS account root user credentials. If you see the
IAM user sign-in page, choose Sign-in using root user credentials near the bottom of the
page to return to the main sign-in page. From there, you can enter your AWS account email
address and password.
2. Choose your account name in the navigation bar, and then choose My Security Credentials.
3. If you see a warning about accessing the security credentials for your AWS account, choose Continue
to Security Credentials.
4. Expand the Access keys (access key ID and secret access key) section.
5. Then do any of the following:
To create an access key
Choose Create New Access Key. If this feature is disabled, then you must delete one of the
existing access keys before you can create a new key. For more information, see IAM Entity
Object Limits in the IAM User Guide.
A warning explains that you have only this one opportunity to view or download the secret
access key. It cannot be retrieved later.
• Choose Show Access Key to copy the access key ID and secret key from your browser window
and paste it somewhere else.
• Choose Download Key File to download the rootkey.csv file that contains the access key
ID and the secret key. Save the file somewhere safe.
To disable an existing access key
Choose Make Inactive next to the access key that you are disabling. To reenable an inactive
access key, choose Make Active.
To delete an existing access key
Before you delete an access key, make sure it's no longer in use. For more information, see
Finding unused access keys in the IAM User Guide. You can't recover an access key after deleting
it. To delete your access key, choose Delete next to the access key that you you want to delete.
AWS Security Audit Guidelines

You should periodically audit your security configuration to make sure it meets your current business
needs. An audit gives you an opportunity to remove unneeded IAM users, roles, groups, and policies, and
to make sure that your users and software have only the permissions that are required.
Following are guidelines for systematically reviewing and monitoring your AWS resources for security
best practices.
Topics
• When Should You Perform a Security Audit? (p. 226)
• General Guidelines for Auditing (p. 226)
• Review Your AWS Account Credentials (p. 226)
• Review Your IAM Users (p. 226)
• Review Your IAM Groups (p. 227)
• Review Your IAM Roles (p. 227)
• Review Your IAM Providers for SAML and OpenID Connect (OIDC) (p. 227)
Version 1.0
225
When Should You Perform a Security Audit?
• Review Your Mobile Apps (p. 227)

• Review Your Amazon EC2 Security Configuration (p. 228)
• Review AWS Policies in Other Services (p. 228)
• Monitor Activity in Your AWS Account (p. 228)
• Tips for Reviewing IAM Policies (p. 229)
• More Information (p. 230)
When Should You Perform a Security Audit?

You should audit your security configuration in the following situations:
• On a periodic basis. You should perform the steps described in this document at regular intervals as a
best practice for security.
• If there are changes in your organization, such as people leaving.
• If you have stopped using one or more individual AWS services. This is important for removing
permissions that users in your account no longer need.
• If you've added or removed software in your accounts, such as applications on Amazon EC2 instances,
AWS OpsWorks stacks, AWS CloudFormation templates, etc.
• If you ever suspect that an unauthorized person might have accessed your account.
General Guidelines for Auditing

As you review your account's security configuration, follow these guidelines:
• Be thorough. Look at all aspects of your security configuration, including those you might not use
regularly.
• Don't assume. If you are unfamiliar with some aspect of your security configuration (for example, the
reasoning behind a particular policy or the existence of a role), investigate the business need until you
are satisfied.
• Keep things simple. To make auditing (and management) easier, use IAM groups, consistent naming
schemes, and straightforward policies.
Review Your AWS Account Credentials

Take these steps when you audit your AWS account credentials:
1. If you're not using the root access keys for your account, remove them. We strongly recommend that
you do not use root access keys for everyday work with AWS, and that instead you create IAM users.
2. If you do need to keep the access keys for your account, rotate them regularly.
Review Your IAM Users

Take these steps when you audit your existing IAM users:
1. Delete users that are not active.

2. Remove users from groups that they don't need to be a part of.
3. Review the policies attached to the groups the user is in. See Tips for Reviewing IAM Policies (p. 229).
4. Delete security credentials that the user doesn't need or that might have been exposed. For example,
an IAM user that is used for an application does not need a password (which is necessary only to sign
Version 1.0
226
Review Your IAM Groups
in to AWS websites). Similarly, if a user does not use access keys, there's no reason for the user to have
one. For more information, see Managing Passwords for IAM Users and Managing Access Keys for IAM
Users in the IAM User Guide.
You can generate and download a credential report that lists all IAM users in your account and the
status of their various credentials, including passwords, access keys, and MFA devices. For passwords
and access keys, the credential report shows how recently the password or access key has been
used. Credentials that have not been used recently might be good candidates for removal. For more
information, see Getting Credential Reports for your AWS Account in the IAM User Guide.
5. Rotate (change) user security credentials periodically, or immediately if you ever share them with an
unauthorized person. For more information, see Managing Passwords for IAM Users and Managing
Access Keys for IAM Users in the IAM User Guide.
Review Your IAM Groups

Take these steps when you audit your IAM groups:
1. Delete unused groups.

2. Review users in each group and remove users who don't belong. See Review Your IAM Users (p. 226)
earlier.
3. Review the policies attached to the group. See Tips for Reviewing IAM Policies (p. 229).
Review Your IAM Roles

Take these steps when you audit your IAM roles:
1. Delete roles that are not in use.

2. Review the role's trust policy. Make sure that you know who the principal is and that you understand
why that account or user needs to be able to assume the role.
3. Review the access policy for the role to be sure that it grants suitable permissions to whoever assumes
the role—see Tips for Reviewing IAM Policies (p. 229).
Review Your IAM Providers for SAML and OpenID

Connect (OIDC)
If you have created an IAM entity for establishing trust with a SAML or OIDC identity provider, take these
steps:
1. Delete unused providers.

2. Download and review the AWS metadata documents for each SAML provider and make sure the
documents reflect your current business needs. Alternatively, get the latest metadata documents from
the SAML IdPs that you want to establish trust with and update the provider in IAM.
Review Your Mobile Apps

If you have created a mobile app that makes requests to AWS, take these steps:
1. Make sure that the mobile app does not contain embedded access keys, even if they are in encrypted
storage.
Version 1.0
227
Review Your Amazon EC2 Security Configuration
2. Get temporary credentials for the app by using APIs that are designed for that purpose. We
recommend that you use Amazon Cognito to manage user identity in your app. This service lets you
authenticate users using Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)–
compatible identity provider. You can then use the Amazon Cognito credentials provider to manage
credentials that your app uses to make requests to AWS.
If your mobile app doesn't support authentication using Login with Amazon, Facebook, Google, or any
other OIDC-compatible identity provider, you can create a proxy server that can dispense temporary
credentials to your app.
Review Your Amazon EC2 Security Configuration

Take the following steps for each AWS Region:
1. Delete Amazon EC2 key pairs that are unused or that might be known to people outside your
organization.
2. Review your Amazon EC2 security groups:
• Remove security groups that no longer meet your needs.
• Remove rules from security groups that no longer meet your needs. Make sure you know why the
ports, protocols, and IP address ranges they permit have been allowed.
3. Terminate instances that aren't serving a business need or that might have been started by someone
outside your organization for unapproved purposes. Remember that if an instance is started with a
role, applications that run on that instance can access AWS resources using the permissions that are
granted by that role.
4. Cancel spot instance requests that aren't serving a business need or that might have been made by
someone outside your organization.
5. Review your Auto Scaling groups and configurations. Shut down any that no longer meet your needs
or that might have been configured by someone outside your organization.
Review AWS Policies in Other Services

Review the permissions for services that use resource-based policies or that support other security
mechanisms. In each case, make sure that only users and roles with a current business need have access
to the service's resources, and that the permissions granted on the resources are the fewest necessary to
meet your business needs.
• Review your Amazon S3 bucket policies and ACLs.

• Review your Amazon SQS queue policies.
• Review your Amazon SNS topic policies.
• Review your AWS OpsWorks permissions.
• Review your AWS KMS key policies.
Monitor Activity in Your AWS Account

Follow these guidelines for monitoring AWS activity:
• Turn on AWS CloudTrail in each account and use it in each supported Region.
• Periodically examine CloudTrail log files. (CloudTrail has a number of partners who provide tools for
reading and analyzing log files.)
• Enable Amazon S3 bucket logging to monitor requests made to each bucket.
Version 1.0
228
Tips for Reviewing IAM Policies
• If you believe there has been unauthorized use of your account, pay particular attention to temporary
credentials that have been issued. If temporary credentials have been issued that you don't recognize,
disable their permissions.
• Enable billing alerts in each account and set a cost threshold that lets you know if your charges exceed
your normal usage.
Tips for Reviewing IAM Policies

Policies are powerful and subtle, so it's important to study and understand the permissions that are
granted by each policy. Use the following guidelines when reviewing policies:
• As a best practice, attach policies to groups instead of to individual users. If an individual user has a
policy, make sure you understand why that user needs the policy.
• Make sure that IAM users, groups, and roles have only the permissions that they need.
• Use the IAM Policy Simulator to test policies that are attached to users or groups.
• Remember that a user's permissions are the result of all applicable policies—user policies, group
policies, and resource-based policies (on Amazon S3 buckets, Amazon SQS queues, Amazon SNS
topics, and AWS KMS keys). It's important to examine all the policies that apply to a user and to
understand the complete set of permissions granted to an individual user.
• Be aware that allowing a user to create an IAM user, group, role, or policy and attach a policy to the
principal entity is effectively granting that user all permissions to all resources in your account. That is,
users who are allowed to create policies and attach them to a user, group, or role can grant themselves
any permissions. In general, do not grant IAM permissions to users or roles whom you do not trust
with full access to the resources in your account. The following list contains IAM permissions that you
should review closely:
• iam:PutGroupPolicy
• iam:PutRolePolicy
• iam:PutUserPolicy
• iam:CreatePolicy
• iam:CreatePolicyVersion
• iam:AttachGroupPolicy
• iam:AttachRolePolicy
• iam:AttachUserPolicy
• Make sure policies don't grant permissions for services that you don't use. For example, if you use
AWS managed policies, make sure the AWS managed policies that are in use in your account are for
services that you actually use. To find out which AWS managed policies are in use in your account, use
the IAM GetAccountAuthorizationDetails API (AWS CLI command: aws iam get-account-
authorization-details).
• If the policy grants a user permission to launch an Amazon EC2 instance, it might also allow the
iam:PassRole action, but if so it should explicitly list the roles that the user is allowed to pass to the
Amazon EC2 instance.
• Closely examine any values for the Action or Resource element that include *. It's a best practice
to grant Allow access to only the individual actions and resources that users need. However, the
following are reasons that it might be suitable to use * in a policy:
• The policy is designed to grant administrative-level privileges.
• The wildcard character is used for a set of similar actions (for example, Describe*) as a
convenience, and you are comfortable with the complete list of actions that are referenced in this
way.
• The wildcard character is used to indicate a class of resources or a resource path (e.g.,
arn:aws:iam::account-id:users/division_abc/*), and you are comfortable granting access
to all of the resources in that class or path.
Version 1.0
229
More Information
• A service action does not support resource-level permissions, and the only choice for a resource is *.
• Examine policy names to make sure they reflect the policy's function. For example, although a
policy might have a name that includes "read only," the policy might actually grant write or change
permissions.
More Information
For information about managing IAM resources, see the following:
• IAM Users and Groups in the IAM User Guide.

• Permissions and Policies in the IAM User Guide.
• IAM Roles (Delegation and Federation) in the IAM User Guide.
• IAM Policy Simulator in the Using IAM Policy Simulator guide.
For more information about Amazon EC2 security, see the following:
• Network and Security in the Amazon EC2 User Guide for Linux Instances.
• Demystifying EC2 Resource-Level Permissions on the AWS Security Blog.
For more information about monitoring an AWS account, see the re:Invent 2013 presentation "Intrusion
Detection in the Cloud" (video, PDF of slide presentation). You can also download a sample Python
program that shows how to automate security auditing functions.
Version 1.0
230
ARN Format
Amazon Resource Names (ARNs)

Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to
specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database
Service (Amazon RDS) tags, and API calls.
Contents
• ARN Format (p. 231)
• Resource ARNs (p. 232)
ARN Format
The following are the general formats for ARNs; the specific components and values used depend on the
AWS service. To use an ARN, replace the italicized text in the example with your own information.
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
partition
The partition that the resource is in. For standard AWS Regions, the partition is aws. If you have
resources in other partitions, the partition is aws-partitionname. For example, the partition for
resources in the China (Beijing) Region is aws-cn.
service
The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon
RDS).
region
The Region that the resource resides in. The ARNs for some resources do not require a Region, so this
component might be omitted.
account-id
The ID of the AWS account that owns the resource, without the hyphens. For example,
123456789012. The ARNs for some resources don't require an account number, so this component
might be omitted.
resource or resource-type
The content of this part of the ARN varies by service. A resource identifier can be the name or ID of
the resource (for example, user/Bob or instance/i-1234567890abcdef0) or a resource path (p. 231).
For example, some resource identifiers include a parent resource (sub-resource-type/parent-
resource/sub-resource) or a qualifier such as a version (resource-type:resource-name:qualifier).
Paths in ARNs
Some resource ARNs can include a path. For example, in Amazon S3, the resource identifier is an object
name that can include slashes (/) to form a path. Similarly, IAM user names and group names can include
paths.
Version 1.0
231
Resource ARNs
In some circumstances, paths can include a wildcard character, namely an asterisk (*). For example, if
you are writing an IAM policy, you can specify all IAM users that have the path product_1234 using a
wildcard like this:
arn:aws:iam::123456789012:user/Development/product_1234/*
Similarly, you can specify user/* to mean all users or group/* to mean all groups, as in the following
examples:
"Resource":"arn:aws:iam::123456789012:user/*"
"Resource":"arn:aws:iam::123456789012:group/*"
You cannot use a wildcard to specify all users in the Principal element in a resource-based policy or a
role trust policy. Groups are not supported as principals in any policy.
The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a
path:
arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*
You cannot use a wildcard in the portion of the ARN that specifies the resource type, such as the term
user in an IAM ARN.
The following is not allowed:
arn:aws:iam::123456789012:u*
Resource ARNs
The documentation for AWS Identity and Access Management (IAM) lists the ARNs supported by each
service, as well as whether the API actions support resource-level permissions. For more information, see
Actions, Resources, and Condition Keys for AWS Services in the IAM User Guide.
The following resources are defined by AWS services, as documented in the IAM User Guide.
• Resources Defined by Alexa for Business

• Resources Defined by AWS Amplify
• Resources Defined by Amazon API Gateway
• Resources Defined by AWS App Mesh
• Resources Defined by Application Auto Scaling
• Resources Defined by Amazon AppStream 2.0
• Resources Defined by AWS AppSync
• Resources Defined by AWS Artifact
• Resources Defined by Amazon Athena
• Resources Defined by AWS Backup
• Resources Defined by AWS Batch
• Resources Defined by AWS Certificate Manager
• Resources Defined by Amazon Cloud Directory
• Resources Defined by AWS Cloud Map
Version 1.0
232
Resource ARNs
• Resources Defined by AWS Cloud9

• Resources Defined by AWS CloudFormation
• Resources Defined by Amazon CloudSearch
• Resources Defined by AWS CloudTrail
• Resources Defined by Amazon CloudWatch
• Resources Defined by Amazon CloudWatch Logs
• Resources Defined by Amazon FreeRTOS
• Resources Defined by AWS CodeBuild
• Resources Defined by AWS CodeCommit
• Resources Defined by AWS CodeDeploy
• Resources Defined by AWS CodePipeline
• Resources Defined by AWS CodeStar
• Resources Defined by AWS CodeStar Notifications
• Resources Defined by Amazon Cognito Identity
• Resources Defined by Amazon Cognito User Pools
• Resources Defined by Amazon Comprehend
• Resources Defined by AWS Config
• Resources Defined by Amazon Connect
• Resources Defined by Amazon Data Lifecycle Manager
• Resources Defined by AWS Database Migration Service
• Resources Defined by AWS DataSync
• Resources Defined by AWS DeepLens
• Resources Defined by AWS Device Farm
• Resources Defined by AWS Direct Connect
• Resources Defined by AWS Directory Service
• Resources Defined by Amazon DynamoDB
• Resources Defined by DynamoDB Accelerator
• Resources Defined by Amazon EC2
• Resources Defined by Amazon EC2 Auto Scaling
• Resources Defined by AWS Elastic Beanstalk
• Resources Defined by Amazon Elastic Container Registry
• Resources Defined by Amazon Elastic Container Service
• Resources Defined by Amazon Elastic Kubernetes Service
• Resources Defined by Amazon Elastic File System
• Resources Defined by Elastic Load Balancing
• Resources Defined by Elastic Load Balancing V2
• Resources Defined by Amazon EMR
• Resources Defined by Amazon Elastic Transcoder
• Resources Defined by Amazon Elasticsearch Service
• Resources Defined by Amazon EventBridge
• Resources Defined by AWS Firewall Manager
• Resources Defined by Amazon FreeRTOS
• Resources Defined by Amazon FSx
• Resources Defined by Amazon S3 Glacier
• Resources Defined by AWS Global Accelerator
• Resources Defined by AWS Glue
Version 1.0
233
Resource ARNs
• Resources Defined by AWS Ground Station

• Resources Defined by Amazon GuardDuty
• Resources Defined by AWS Health
• Resources Defined by AWS Identity and Access Management
• Resources Defined by AWS IoT
• Resources Defined by AWS IoT 1-Click
• Resources Defined by AWS IoT Analytics
• Resources Defined by AWS IoT Events
• Resources Defined by AWS IoT Greengrass
• Resources Defined by AWS IoT SiteWise
• Resources Defined by AWS IoT Things Graph
• Resources Defined by AWS Key Management Service
• Resources Defined by Amazon Kinesis
• Resources Defined by Amazon Kinesis Data Analytics
• Resources Defined by Amazon Kinesis Data Analytics V2
• Resources Defined by Amazon Kinesis Data Firehose
• Resources Defined by Amazon Kinesis Video Streams
• Resources Defined by AWS Lambda
• Resources Defined by Amazon Lex
• Resources Defined by AWS License Manager
• Resources Defined by Amazon Lightsail
• Resources Defined by Amazon Machine Learning
• Resources Defined by Amazon Managed Blockchain
• Resources Defined by Amazon Managed Streaming for Apache Kafka
• Resources Defined by AWS Migration Hub
• Resources Defined by Amazon MQ
• Resources Defined by Amazon Neptune
• Resources Defined by AWS OpsWorks
• Resources Defined by AWS Organizations
• Resources Defined by Amazon Personalize
• Resources Defined by Amazon Pinpoint
• Resources Defined by Amazon Pinpoint Email Service
• Resources Defined by Amazon Polly
• Resources Defined by Amazon QLDB
• Resources Defined by Amazon QuickSight
• Resources Defined by Amazon RDS
• Resources Defined by Amazon Redshift
• Resources Defined by Amazon Rekognition
• Resources Defined by AWS Resource Access Manager
• Resources Defined by AWS Resource Groups
• Resources Defined by Amazon Route 53
• Resources Defined by Amazon S3
• Resources Defined by Amazon SageMaker
• Resources Defined by AWS Secrets Manager
• Resources Defined by AWS Security Hub
• Resources Defined by AWS Security Token Service
Version 1.0
234
Resource ARNs
• Resources Defined by AWS Serverless Application Repository

• Resources Defined by AWS Service Catalog
• Resources Defined by Service Quotas
• Resources Defined by Amazon SES
• Resources Defined by AWS Shield
• Resources Defined by Amazon Simple Workflow Service
• Resources Defined by Amazon SimpleDB
• Resources Defined by Amazon SNS
• Resources Defined by Amazon SQS
• Resources Defined by AWS Step Functions
• Resources Defined by AWS Storage Gateway
• Resources Defined by Amazon Sumerian
• Resources Defined by AWS Systems Manager
• Resources Defined by AWS WAF
• Resources Defined by AWS WAF Regional
• Resources Defined by Amazon WorkLink
• Resources Defined by Amazon WorkSpaces
• Resources Defined by AWS X-Ray
Version 1.0
235
Alexa for Business
AWS Service Limits

The following tables provide the default limits, also referred to as quotas, for AWS services for an AWS
account. Unless otherwise noted, each limit is Region-specific. Many services contain limits that cannot
be changed. For more information about the limits for a specific service, see the documentation for that
service, or check out the Service Quotas console.
Service Quotas is an AWS service that helps you manage your quotas, or limits, for over 90 AWS services
from one location. Along with looking up the quota values, you can request quota increase from the
Service Quotas console.
AWS Trusted Advisor offers a Service Limits check (in the Performance category) that displays your usage
and limits for some aspects of some services. For more information, see Service Limits Check Questions
in the Trusted Advisor FAQs.
We recommend you use the Service Quotas console to request limit, or quota, increases. If your service
is not yet available in Service Quotas, use the following steps to request an increase. These increases are
not granted immediately, so it may take a couple of days for your increase to become effective.
To request a limit increase
1. Open the AWS Support Center page, sign in if necessary, and choose Create case.
2. Choose Service limit increase.
3. Complete the form. If this request is urgent, choose Phone as the method of contact instead of Web.
4. Choose Submit.
Alexa for Business

Resource Default
Maximum number of conference appliances 10,000
Maximum number of gateways 100
Maximum number of rooms 10,000
Maximum number of devices 100,000 (10 per room)
Maximum number of users 10,000
Maximum number of skills 100 (25 per skill group)
Maximum number of skill groups 1,000
Maximum number of profiles 100
Amazon API Gateway

For more information, see Limits in Amazon API Gateway in the API Gateway Developer Guide.
Version 1.0
236

Item Default Notes
Maximum number of scalable targets Amazon Make sure that you specify the type of
per resource type DynamoDB: 3000 resource with your request for a limit
increase, for example, Amazon ECS or
All other resource DynamoDB.*
types: 500
Maximum number of scaling policies 50

per scalable target
Maximum number of scheduled actions 200

per scalable target
Maximum number of step adjustments 20

per scaling policy
* For a complete list of resource types, see the Application Auto Scaling User Guide.

Resource Default
Inactive agents heartbeating but not collecting data 10,000
Active agents sending data to the service 250
Total collected data for all agents, per day 10 GB
Data storage duration before being purged 90 days
AWS App Mesh Service

Resource Default
Maximum number of meshes per account 15
Maximum number of virtual services per mesh 200
Maximum number of virtual nodes per mesh 200
Maximum number of backends per virtual node 50
Maximum number of connected Envoys per virtual 10

node
Maximum number of virtual routers per mesh 200
Maximum number of routes per virtual router 50
Version 1.0
237
Resource Default
Maximum number of weighted targets per route 10

Resource Default
Stacks 5
Fleets 5
Streaming instances 5*
Images 5
Image builders 5†
Users 5
* This is the total limit across all instance families. Certain instance families have additional limits. For
the Graphics Desktop and Graphics Pro instance families, the default limit is 0. For the Graphics Design
instance family, the default limit is 2.
† This is the total limit across all instance families. Certain instance families have additional limits. For
the Graphics Desktop and Graphics Pro instance families, the default limit is 0. For the Graphics Design
instance family, the default limit is 1.
AWS AppSync
Resource Default
Maximum number of APIs per Region 25 per account
You can request a limit increase.
Maximum number of API keys 50 per API
Maximum schema document size 1 MB
Functions per pipeline resolver 10
Throttle rate per GraphQL API 1,000 queries per second
Maximum GraphQL query execution timeout 30 seconds
Maximum evaluated resolver template size 5 MB
Maximum request/response mapping template size 64 KB
Maximum subscription payload size 128 KB
Version 1.0
238
Amazon Athena
Resource Default
Maximum number of iterations in #foreach...#end loop in 1000

mapping templates
Amazon Athena
Resource Default
Number of DDL queries you can submit at the same time. DDL 20
queries include CREATE TABLE and CREATE TABLE ADD
PARTITION queries.
Number of DML queries you can submit at the same time. DML 20
queries include SELECT and CREATE TABLE AS (CTAS) queries.
Query timeout 30 minutes
Maximum allowed query string length 262144 bytes
Athena APIs have the following default limits for the number of calls to the API per account (not per
query):
API Name Default Number of Burst Capacity

Calls per Second
BatchGetNamedQuery, ListNamedQueries, 5 up to 10
ListQueryExecutions
CreateNamedQuery, DeleteNamedQuery, 5 up to 20
GetNamedQuery
BatchGetQueryExecution 20 up to 40
StartQueryExecution, StopQueryExecution 20 up to 80
GetQueryExecution, GetQueryResults 100 up to 200
For example, for StartQueryExecution, you can make up to 20 calls per second. In addition, if this API
is not called for 4 seconds, your account accumulates a burst capacity of up to 80 calls. In this case, your
application can make up to 80 calls to this API in burst mode.
If you use any of these APIs and exceed the default limit for the number of calls per second, or the burst
capacity in your account, the Athena API issues an error similar to the following: ""ClientError: An error
occurred (ThrottlingException) when calling the <API_name> operation: Rate exceeded." Reduce the
number of calls per second, or the burst capacity for the API for this account. You can contact AWS
Support to request a limit increase.
For information about limits for databases, tables, and partitions, see AWS Glue (p. 269). If you have
not migrated to AWS Glue Data Catalog, the number of partitions per table is 20,000.
Version 1.0
239
AWS Auto Scaling
AWS Auto Scaling

Following are the limits for AWS Auto Scaling. To request a limit increase, use the Auto Scaling Limits
form.
Item Default Notes
Maximum number of scalable resources Amazon Make sure that you specify the type
per resource type DynamoDB: 2000 of resource with your request for a
limit increase, for example, Amazon
Amazon EC2 Auto EC2 Auto Scaling, Amazon ECS, or
Scaling groups: DynamoDB.*
200
All other resource

types: 500
Maximum number of scaling plans 100
Maximum number of scaling 500

instructions per scaling plan
Maximum number of target tracking 10

configurations per scaling instruction
* For a complete list of resource types, see the AWS Auto Scaling User Guide.

Following are the limits for Amazon EC2 Auto Scaling. To request a limit increase, use the Auto Scaling
Limits form.
Resource Default
Maximum number of launch configurations per Region 200
Maximum number of Auto Scaling groups per Region 200
Maximum number of scaling policies per Auto Scaling group 50
Maximum number of scheduled actions per Auto Scaling group 125
Maximum number of lifecycle hooks per Auto Scaling group 50
Maximum number of SNS topics per Auto Scaling group 10
Maximum number of classic load balancers per Auto Scaling group 50
Maximum number of target groups per Auto Scaling group 50
Maximum number of step adjustments per scaling policy 20
For additional limits and information about viewing your current limits, see Amazon EC2 Auto Scaling
Limits in the Amazon EC2 Auto Scaling User Guide.
Version 1.0
240
AWS Backup
AWS Backup
API Name Default Number of Calls Per Second
CreateBackupPlan 5
CreateBackupSelection
DeleteBackupPlan
DeleteBackupSelection
DeleteBackupVault
DeleteBackupVaultAccessPolicy
DeleteBackupVaultNotifications
DescribeBackupVault
ExportBackupPlanTemplate
GetBackupPlanFromJSON
GetBackupPlanFromTemplate
PutBackupVaultNotifications
StartBackupJob
StartRestoreJob
StopBackupJob
TagResource
UntagResource
UpdateBackupPlan
UpdateRecoveryPointLifecycle
DeleteRecoveryPoint 10
DescribeProtectedResource
DescribeBackupJob 15
DescribeRecoveryPoint
DescribeRestoreJob
GetBackupPlan
GetBackupSelection
GetBackupVaultAccessPolicy
GetBackupVaultNotifications
Version 1.0
241
AWS Batch
API Name Default Number of Calls Per Second

GetRecoveryPointRestoreMetadata
GetSupportedResourceTypes
ListBackupJobs 20
ListBackupPlans
ListBackupPlanTemplates
ListBackupPlanVersions
ListBackupSelections
ListBackupVaults
ListProtectedResources
ListRecoveryPointByResource
ListRecoveryPointsByBackupVault
ListRecoveryPointsByResource
ListRestoreJobs
ListTags
Sum of All API Calls 50
If you regularly receive throttling exceptions, consider using a rate limiter.
To request an increase in these limits, create a case with the AWS Support Center.
For additional information, see Limits in the AWS Backup Developer Guide.
AWS Batch
AWS Batch does not have any default service limits that you can increase. For more information about
service limits for AWS Batch, see Service Limits in the AWS Batch User Guide.
Billing and Cost Management

Billing and Cost Management has no increasable limits. For more information, see Limits in AWS Billing
and Cost Management.
AWS Certificate Manager (ACM)

Item Default
Number of ACM certificates 1000
Version 1.0
242
AWS Certificate Manager Private
Certificate Authority (ACM PCA)
Item Default
Number of ACM certificates per year (last 365 Twice your account limit
days)
Number of imported certificates 1000
Number of imported certificates per year (last 365 Twice your account limit
days)
Number of domain names per ACM certificate 10
Number of private CAs 10
Number of private certificates per CA (lifetime) 1,000,000
For more information, see Limits in the AWS Certificate Manager User Guide.
AWS Certificate Manager Private Certificate

Authority (ACM PCA)
Item Default
Number of private CAs 10
Number of private certificates per CA (lifetime) 1,000,000
Number of revoked private certificates per private 1,000,000

CA (lifetime)
For more information, see Limits in the AWS Certificate Manager User Guide.
Amazon Chime
Resource Default
Amazon Chime Voice Connectors per account 3
Amazon Chime Voice Connector groups per 3

account
Amazon Chime Voice Connectors per Amazon 3

Chime Voice Connector group
Amazon Chime provisioned phone numbers per 25

account
Calls per second for each Amazon Chime Voice 1

Connector
Version 1.0
243
AWS Cloud9
AWS Cloud9
Resource Default Adjustable
Maximum number of AWS • 100 per user Yes

Cloud9 EC2 development • 200 per account
environments
Maximum number of SSH • 100 per user Yes

environments • 200 per account
1
Maximum number of members The maximum number of No
in an environment members is equal to the
memory of the instance for that
environment divided by 60 MB,
with results rounded down. For
example, an instance with 1 GiB
of memory can have a maximum
of 17 members (which is 1 GiB
divided by 60 MB, rounded
down).
If AWS Cloud9 cannot determine

the memory of an instance,
it defaults to a maximum of
8 users for each environment
associated with that instance.
The absolute maximum number

of members for an environment
is 25.
1
You can move an environment to attempt to increase the maximum number of members. However, the
absolute maximum number of members for an environment is still 25. For more information, see Moving
an Environment in the AWS Cloud9 User Guide.
For more information, see Limits in the AWS Cloud9 User Guide.
AWS CloudFormation
Resource Default
Stacks 200
Stack sets 20
Stack instances per stack set 500
For more information, see AWS CloudFormation Limits in the AWS CloudFormation User Guide.
Version 1.0
244
Amazon CloudFront
Amazon CloudFront
General
Resource Default
Data transfer rate per distribution 40 Gbps
Requests per second per distribution 100,000
Web distributions per account 200
RTMP distributions per account 100
Alternate domain names (CNAMEs) per distribution 100
Origins per distribution 25
Origin access identities per account 100
Cache behaviors per distribution 25
Whitelisted headers per cache behavior 10
Whitelisted cookies per cache behavior 10
SSL certificates per account when serving HTTPS requests using dedicated IP addresses (no limit 2
when serving HTTPS requests using SNI)
Custom headers that you can have Amazon CloudFront forward to the origin 10 name–value
Whitelisted query strings per cache behavior For more inform

CloudFront to C
String Paramet
CloudFront Dev
Response timeout per origin For more inform

Timeout in the
Developer Guide
Lambda@Edge
Resource Default
Distributions per AWS account that you can create triggers for 25
Triggers per distribution 25
Requests per second 10,000
Concurrent executions 1,000
For more information, see Limits in the Amazon CloudFront Developer Guide.
Version 1.0
245
AWS CloudHSM
AWS CloudHSM
Resource Default
Clusters 4
HSMs 6
For more information, see Limits in the AWS CloudHSM User Guide.

Resource Default
HSM appliances 3
High-availability partition groups 20
For more information, see Limits in the AWS CloudHSM Classic User Guide.
AWS Cloud Map

Resource Default
Namespaces 50 per AWS Region *
Services 1,000 per namespace
Instances 2,000 per namespace
Instances 1,000 per service
* When you create a namespace, we automatically create a Route 53 hosted zone. This hosted zone
counts against the limit on the number of hosted zones that you can create with an AWS account. See
Amazon Route 53 (p. 312).
For more information, see AWS Cloud Map Limits in the AWS Cloud Map Developer Guide.
Amazon CloudSearch
Resource Default
Partitions 10
Search instances 50
Version 1.0
246
AWS CloudTrail
For more information, see Understanding Amazon CloudSearch Limits in the Amazon CloudSearch
Developer Guide.
AWS CloudTrail
CloudTrail has no increasable limits. For more information, see Limits in AWS CloudTrail.
Amazon CloudWatch
Resource Default
Actions 5/alarm. This limit cannot be changed.
Alarms 10/month/customer for free. 5000 per Region per account.
API requests 1,000,000/month/customer for free.
Custom metrics No limit.
Dashboards Up to 100 metrics per dashboard widget.
Up to 500 metrics per dashboard, across all widgets.
These cannot be changed.
DescribeAlarms 9 transactions per second (TPS). The maximum number of

operation requests you can make per second without being
throttled.
DeleteAlarms request 3 transactions per second (TPS) for each of these operations.
The maximum number of operation requests you can make
DescribeAlarmHistory request per second without being throttled.
DescribeAlarmsForMetric request These limits cannot be changed.
DisableAlarmActions request
EnableAlarmActions request
SetAlarmState request
DeleteDashboards request 10 transactions per second (TPS) for each of these

operations. The maximum number of operation requests you
GetDashboard request can make per second without being throttled.
ListDashboards request These limits cannot be changed.
PutDashboard request
Dimensions 10/metric. This limit cannot be changed.
GetMetricData 50 transactions per second (TPS). The maximum number of

throttled. You can request a limit increase.
Version 1.0
247
Resource Default
180,000 Datapoints Per Second (DPS) if the StartTime
used in the API request is less than or equal to three hours
from current time. 90,000 DPS if the StartTime is more
than three hours from current time. This is the maximum
number of datapoints you can request per second using one
or more API calls without being throttled. This limit cannot
be changed.
GetMetricData A single GetMetricData call can include as many as 100

MetricDataQuery structures.
This limit cannot be changed.
GetMetricStatistics 400 transactions per second (TPS). The maximum number of

throttled.
ListMetrics 25 transactions per second (TPS). The maximum number of

throttled.
Metric data 15 months. This limit cannot be changed.
MetricDatum items 20/PutMetricData request. A MetricDatum object can

contain a single value or a StatisticSet object representing
many values. This limit cannot be changed.
Metrics 10/month/customer for free.
Period Maximum value is one day (86,400 seconds). This limit

cannot be changed.
PutMetricAlarm request 3 transactions per second (TPS). The maximum number of

throttled.
PutMetricData request 40 KB for HTTP POST requests. PutMetricData can handle

150 transactions per second (TPS), which is the maximum
number of operation requests you can make per second
without being throttled.
Amazon SNS email notifications 1,000/month/customer for free.
For more information, see CloudWatch Limits in the Amazon CloudWatch User Guide.

For more information, see CloudWatch Events Limits in the Amazon CloudWatch Events User Guide.
Version 1.0
248

Resource Default
Batch size 1 MB (maximum). This limit cannot be changed.
Data archiving Up to 5 GB of data archiving for free. This limit cannot be

changed.
DescribeLogStreams 5 transactions per second (TPS/account/Region).
Discovered log fields CloudWatch Logs Insights can discover a maximum of 1000
log event fields in a log group. This limit cannot be changed.
Event size 256 KB (maximum). This limit cannot be changed.
Export task One active (running or pending) export task at a time, per
account. This limit cannot be changed.
FilterLogEvents 5 transactions per second (TPS)/account/Region. This limit

cannot be changed.
GetLogEvents 10 requests per second per account per Region. This limit
cannot be changed.
We recommend subscriptions if you are continuously

processing new data. If you need historical data, we
recommend exporting your data to Amazon S3.
Incoming data Up to 5 GB of incoming data for free. This limit cannot be

changed.
Log groups 20,000 log groups per account per Region. You can request a
limit increase.
There is no limit on the number of log streams that can

belong to one log group.
Metrics filters 100 per log group. This limit cannot be changed.
PutLogEvents 5 requests per second per log stream. Additional requests

are throttled. This limit cannot be changed.
The maximum batch size of a PutLogEvents request is 1MB.
1500 transactions per second per account per Region,

except for the following Regions where the limit is 800
transactions per second per account per Region: ap-south-1,
ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-
southeast-2, eu-central-1, eu-west-2, sa-east-1, us-east-2,
and us-west-1. You can request a limit increase.
Query concurrency A maximum of 4 concurrent CloudWatch Logs Insights

queries, including queries that have been added to
dashboards. You can request a limit increase.
Query results displayed in console In CloudWatch Logs Insights query results, a maximum of
10000 log events are displayed on the console. This limit
cannot be changed.
Version 1.0
249
CodeBuild
Resource Default
Subscription filters 1 per log group. This limit cannot be changed.
For more information, see CloudWatch Logs Limits in the Amazon CloudWatch Logs User Guide.
CodeBuild
Resource Default
Maximum number of build 1,000

projects
Maximum number of concurrent 20

running builds *
* Limits for the maximum number of concurrent running builds vary, depending on the compute type.
For some compute types, the default is 20. To request a higher concurrent build limit or if you get a
"Cannot have more than X active builds for the account" error, contact AWS support.
For more information, see Limits for CodeBuild in the AWS CodeBuild User Guide.
CodeCommit
Resource Default
Number of repositories 1,000 per AWS account
For more information, see Limits in CodeCommit in the AWS CodeCommit User Guide.
CodeDeploy
Resource Default
Maximum number of applications associated with an AWS account 100

in a single Region
Maximum number of concurrent deployments associated with an 100

AWS account
Maximum number of deployment groups associated with a single 100

application
Maximum number of instances in a single deployment 500
Maximum number of event notification triggers in a deployment 10

group
Version 1.0
250
CodePipeline
For more information, see Limits in CodeDeploy in the AWS CodeDeploy User Guide.
CodePipeline
This table lists the configurable limits for CodePipeline.
Resource Default
Maximum number of total pipelines per Region in an AWS account 300
Maximum number of pipelines per Region with change detection set 60

to periodically checking for source changes
Note
Instead of using
periodic checks,
configure your
pipeline to use the
recommended change-
detection method for
your source type. For
example, configure
your AWS CodeCommit
pipeline to use
Amazon CloudWatch
Events for change
detection. See Change-
detection Methods for
instructions specific to
your source type.
Number of stages in a pipeline Minimum of 2, maximum of 10
Number of actions in a stage Minimum of 1, maximum of 50
Maximum number of parallel actions in a stage 50
Maximum number of sequential actions in a stage 50
Maximum number of webhooks per Region in an AWS account 300
Number of custom actions per Region in an AWS account 50
It may take up to two weeks to process requests for a limit increase.
For more information, see Limits in CodePipeline in the AWS CodePipeline User Guide.
Amazon Cognito User Pools

Resource Default
Maximum number of apps per user pool 1000
Version 1.0
251
Amazon Cognito Federated Identities Limits
Resource Default
Maximum number of user pools per account 1000
Maximum number of user import jobs per user 50

pool
Maximum number of groups per user pool 300
Maximum number of identity providers per user 300

pool
Maximum number of resource servers per user 25

pool
For more information, see Limits in Amazon Cognito in the Amazon Cognito Developer Guide.
Amazon Cognito Federated Identities Limits

Resource Default
Maximum number of identity pools per account 1000
Amazon Cognito Sync

Resource Default
Maximum number of datasets per identity 20
Maximum number of records per dataset 1024
Maximum size of a single dataset 1 MB
Amazon Comprehend
Resource Default
Transactions per second for the 20

DetectDominantLanguage, DetectEntities,
DetectKeyPhrases, and DetectSentiment
operations
Version 1.0
252
Resource Default

BatchDetectDominantLanguage,
BatchDetectEntities,
BatchDetectKeyPhrases, and
BatchDetectSentiment operations

StartTopicsDetectionJob operation

DescribeTopicsDetectionJob and
ListTopicDetectionJobs operations
Maximum concurrent jobs 10
You can request an increase for any of the limits using the Amazon Comprehend service limits increase
form.
For more information, see Guidelines and Limits in the Amazon Comprehend Developer Guide.

Resource Default
Transactions per second (TPS) for the DetectEntities and 10

DetectPHI operations
You can request an increase for any of the limits using the Comprehend Medical service limits.
For more information, see Guidelines and Limits in the Amazon Comprehend Medical Developer Guide.
AWS Config
Resource Default Notes
Number of AWS Config rules per Region 150 You can request a
in your account limit increase.
Maximum Number of Configuration 50 You can request a

Aggregators limit increase.
Amazon Connect
The following are the defaults for new Amazon Connect instances. The limits for your account may
differ from the defaults described here. For more information, see Amazon Connect Service Limits in the
Amazon Connect Administrator Guide.
Version 1.0
253
Amazon Connect
Item Default
Amazon Connect instances 5
Users per instance 500
Phone numbers per instance 10
Queues per instance 50
Queues per routing profile 50
Routing profiles per instance 100
Hours of operation per instance 100
Quick connects per instance 100
Prompts per instance 500
Agent status per instance 50
Security profiles per instance 100
Contact flows per instance 100
Agent hierarchy groups per instance 50
Reports per instance 500
Scheduled reports per instance 50
Concurrent active calls per instance 100
Phone Number Porting You can port your US phone numbers from
your current carrier to Amazon Connect. For
information about how to port your phone
number, see Port Your Current Phone Number.
Country code whitelisting for Outbound Calls You can place calls to the following dialing codes
when you create a new instance:
• Australia
• Canada
• China
• Germany
• Hong Kong
• Israel
• Japan
• Mexico
• Singapore
• Sweden
• United States
• United Kingdom †
† UK numbers with a 447 prefix are not allowed by default. Before you can dial these UK mobile
numbers, you must submit a service limit increase request.
Version 1.0
254
AWS Data Pipeline
AWS Data Pipeline

Attribute Limit Adjustable
Number of pipelines 100 Yes
Number of objects per pipeline 100 Yes
Number of active instances per object 5 Yes
Number of fields per object 50 No
Number of UTF8 bytes per field name 256 No

or identifier
Number of UTF8 bytes per field 10,240 No
Number of UTF8 bytes per object 15,360 (including field names) No
Rate of creation of an instance from an 1 per 5 minutes No

object
Retries of a pipeline activity 5 per task No
Minimum delay between retry attempts 2 minutes No
Minimum scheduling interval 15 minutes No
Maximum number of roll-ups into a 32 No

single object
Maximum number of EC2 instances per 1 No

Ec2Resource object
For more additional, see AWS Data Pipeline Limits in the AWS Data Pipeline Developer Guide.

Resource Default
Replication instances 20
Total amount of storage 6 TB
Replication subnet groups 20
Subnets per replication subnet group 20
Endpoints 100
Tasks 200
Endpoints per instance 20
Version 1.0
255
AWS DataSync
AWS DataSync
Resource Limit
Maximum number of tasks you can create in account per 10

AWS Region
Note
You can make a request for this limit to be increased
to 64.
Maximum number of files for per task 20 million
Maximum throughput per task 10 Gbps
These limits can be increased upon request.
AWS DeepLens
upon
Request
Devices per account 200 Yes
Projects per account 200 Yes
Models per account 200 Yes
Versions per project 100 No
AWS Device Farm

Resource Default Comments
App file size you can upload 4 GB
Number of devices that AWS Device Farm can test during a 5 This limit can be
run increased to 100
upon request.
Number of devices you can include in a test run None
Number of runs you can schedule None
Duration of a remote access session 60 minutes
AWS Direct Connect

For more information, see AWS Direct Connect Limits in the AWS Direct Connect User Guide.
Version 1.0
256

Resource Default
AD Connector directories 10
AWS Directory Service for Microsoft Active 10

Directory directories
Simple AD directories 10
Manual snapshots 5 per AWS Managed Microsoft AD
Manual snapshots 5 per Simple AD
For more information, see AWS Directory Service Limits in the AWS Directory Service Administration
Guide.
Amazon DynamoDB
Resource Default
US East (N. Virginia), US East (Ohio), US West (N. California), US 40,000 read capacity units and
West (Oregon), South America (São Paulo), EU (Frankfurt), EU 40,000 write capacity units
(Ireland), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific
(Singapore), Asia Pacific (Sydney), China (Beijing) Regions:
Maximum capacity units per table or global secondary index
US East (N. Virginia), US East (Ohio), US West (N. California), US 80,000 read capacity units and
West (Oregon), South America (São Paulo), EU (Frankfurt), EU 80,000 write capacity units
(Ireland), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific
(Singapore), Asia Pacific (Sydney), China (Beijing) Regions:
Maximum capacity units per account
All other Regions: 10,000 read capacity units and

10,000 write capacity units
Maximum capacity units per table or global secondary index
All other Regions: 20,000 read capacity units and

20,000 write capacity units
Maximum capacity units per account
Maximum number of tables 256
For more information, see Limits in Amazon DynamoDB in the Amazon DynamoDB Developer Guide.
Version 1.0
257

Resource Default
Applications 75
Application Versions 1000
Configuration Templates 2000
Environments 200
Amazon Elastic Block Store (Amazon EBS)

Resource Default
Number of EBS snapshots 100,000
Concurrent snapshot copies to a single destination Region 5
Total provisioned IOPS 300,000
General Purpose SSD (gp2) volumes
Resource Default
Concurrent snapshots for a single volume 5
Total volume storage 300 TiB
Maximum modifying storage 100 TiB
Provisioned IOPS SSD (io1) volumes
Resource Default
Maximum modifying IOPS 100,000
Throughput Optimized HDD (st1) volumes
Resource Default
Version 1.0
258
Resource Default
Cold HDD (sc1) volumes
Resource Default
Magnetic (standard) volumes
Resource Default

Resource Default
On-Demand Instances Limits vary depending on instance type. For more

information, see On-Demand Instance Limits.
Spot Instances Limit of 20 per Region. For more information, see

Spot Instance Limits.
Reserved Instances Limit of 20 regional and 20 zonal per month

per Availability Zone. For more information, see
Reserved Instance Limits.
Elastic IP addresses for EC2-Classic 5
Security groups for EC2-Classic per instance 500
Rules per security group for EC2-Classic 100
Key pairs 5,000
Launch Templates Up to 5,000 launch templates per Region and

10,000 versions per launch template.
Dedicated Hosts Up to two Dedicated Hosts per instance family,

per Region.
Placement groups 500
Concurrent AMI copies Destination Regions are limited to 50 concurrent

AMI copies.
Version 1.0
259
Amazon Elastic Container Registry (Amazon ECR)
Resource Default
Throttle on the emails that can be sent from your Throttle applied
Amazon EC2 account
Amazon Elastic Container Registry (Amazon ECR)

Service quota Description Default quota value
Registered repositories The maximum number of 10,000

repositories that you can create
in this account in the current
Region.
Image per repository The maximum number of 10,000

images per repository.
Rate of The sustain rate of 20 *

GetAuthorizationToken API GetAuthorizationToken API
requests requests that you can make per
second in the current Region.
Your account receives a bucket
that can store up to 200 credits
to use for this API transaction
and the bucket gets replenishes
at this sustain rate.
GetAuthorizationToken API The maximum number of 200

throttle burst limit GetAuthorizationToken
API requests you can make in
one burst in the current Region.
Your bucket replenishes at the
sustain rate of 20 transactions
per second.
Rate of image pulls The sustain rate of docker 200

pull transactions that you can
make per second in the current
Region. Your account receives
a bucket that can store up to
400 credits to use for this API
transaction and the bucket gets
replenishes at this sustain rate.
Image pull throttle burst limit The maximum number of 400

docker pull transactions you
can make in one burst in the
current Region. Your bucket
replenishes at the sustain rate of
200 transactions per second.
Rate of image pull layers The sustain rate of docker 200

pull layer transactions that
you can make per second in the
current Region. Your account
Version 1.0
260
Amazon Elastic Container Service (Amazon ECS)

receives a bucket that can store
up to 400 credits to use for this
API transaction and the bucket
gets replenishes at this sustain
rate.
Image pull layer throttle burst The maximum number of 400

limit docker pull layer transactions
you can make in one burst in
the current Region. Your bucket
Rate of image pushes The maximum number of 10

docker push transactions that
you can make per second in the
current Region. Your account
receives a bucket that can store
up to 40 credits to use for this
API transaction and the bucket
gets replenishes at this sustain
rate.
Image push throttle burst limit The maximum number of 40

docker push transactions you
can make in one burst in the
current Region. Your bucket
For more information, see Amazon ECR Service Quotas in the Amazon Elastic Container Registry User
Guide.
Amazon Elastic Container Service (Amazon ECS)

Clusters per account The maximum number of 2000

clusters per Region, per account.
Container instances per cluster The maximum number of 2000

container instances per cluster.
Services per cluster The maximum number of 1000

services per cluster.
Tasks using the EC2 launch type The maximum number of tasks 1000
per service (the desired count) using the EC2 launch type per
service (the desired count).
Tasks using the Fargate launch The maximum number of tasks 50

type, per Region, per account using the Fargate launch type,
per Region.
Version 1.0
261
Public IP addresses for tasks The maximum number of public 50

using the Fargate launch type IP addresses used by tasks using
the Fargate launch type, per
Region.
For more information, see Amazon ECS Service Limits in the Amazon Elastic Container Service Developer
Guide.

Resource Default
Maximum number of Amazon EKS clusters per 50

Region, per account
For more information, see Amazon EKS Service Limits in the Amazon EKS User Guide.

Following can be increased by contacting AWS Support.
Resource Default
Number of file systems for each customer account 1,000

in an AWS Region
Total bursting throughput for all connected US East (Ohio) Region – 3 GB/s
clients
US East (N. Virginia) Region – 3 GB/s
US West (N. California) Region – 1 GB/s
US West (Oregon) Region – 3 GB/s
Asia Pacific (Mumbai) – 1 GB/s
Asia Pacific (Seoul) – 1 GB/s
Asia Pacific (Singapore) – 1 GB/s
Asia Pacific (Tokyo) – 1 GB/s
Canada (Central) – 1 GB/s
EU (Frankfurt) Region – 1 GB/s
EU (Ireland) Region – 3 GB/s
EU (London) Region – 1 GB/s
Version 1.0
262
Amazon Elastic Inference
Resource Default
EU (Paris) Region – 1 GB/s
Asia Pacific (Sydney) Region – 3 GB/s
AWS GovCloud (US-West) – 1 GB/s
Total provisioned throughput for all connected All AWS Regions – 1 GB/s
clients
For more information, see Amazon EFS Limits in the Amazon Elastic File System User Guide.

Maximum number of Elastic Inference accelerators 5 Yes

Elastic Load Balancing supports three types of load balancers: Application Load Balancers, Network Load
Balancers, and Classic Load Balancers.
Application Load Balancers
Resource Default
Load balancers per Region 50
Target groups per Region 3000 *
Listeners per load balancer 50
Targets per load balancer 1000
Subnets per Availability Zone per load balancer 1
Security groups per load balancer 5
Rules per load balancer (not counting default rules) 100
Certificates per load balancer (not counting default certificates) 25
Number of times a target can be registered per load balancer 100
Load balancers per target group 1
Targets per target group (instances or IP addresses) 1000
Targets per target group (Lambda functions) 1
Version 1.0
263
Network Load Balancers
Resource Default
Network Load Balancers per Region 50
Target groups per Region 3000 *
Targets per load balancer per Availability Zone 500
Targets per load balancer 500
Load balancers per target group 1
* This limit is shared by target groups for your Application Load Balancers and Network Load Balancers.
Classic Load Balancers
Resource Default
Load balancers per Region 20
Security groups per load balancer 5
Registered instances per load balancer 1,000

Resource Default
Pipelines per Region 4
User-defined presets 50
Maximum number of jobs processed 100 per pipeline

simultaneously by each pipeline
Maximum number of jobs queued in each pipeline 1,000,000
Maximum number of outputs 30 per job
Maximum rate at which you can submit requests You can submit two requests per second per AWS
to create a job account at a sustained rate; brief bursts of 100
requests per second are allowed.
Maximum rate at which you can submit requests You can submit four requests per second per AWS
to read a job account at a sustained rate; brief bursts of 50
requests per second are allowed.
Version 1.0
264
Amazon ElastiCache
It may take up to two weeks to process requests for a limit increase.
For more information, see Amazon Elastic Transcoder limits in the Amazon Elastic Transcoder Developer
Guide.
Amazon ElastiCache
For information on ElastiCache terminology, see ElastiCache Components and Features.
Resource Default Description
Nodes per Region 300 The maximum number of nodes

across all clusters in a Region.
This limit applies to both your
reserved and nonreserved nodes
within the given Region. You can
have up to 300 reserved nodes
and 300 nonreserved nodes in
the same Region.
Nodes per cluster (Memcached) 40 The maximum number of nodes

in an individual Memcached
cluster.
Nodes per cluster per instance 90 The maximum number of nodes

type (Redis cluster mode in an individual Redis cluster.
enabled) You must also specify the
instance type with your request.
Nodes per shard (Redis) 6 The maximum number of nodes

in an individual Redis shard
(node group). One node is the
read/write Primary. All other
nodes are read-only Replicas.
This limit cannot be increased.
Shards per Cluster 1 The maximum number of shards

(Redis cluster mode disabled) (node groups) in a Redis (cluster
mode disabled) cluster.
Parameter groups per Region 150 The maximum number of

parameters groups you can
create in a Region.
Security groups per Region 50 The maximum number of

security groups you can create in
a Region.
Subnet groups per Region 150 The maximum number of subnet

groups you can create in a
Region.
Subnets per subnet group 20 The maximum number of

subnets you can define for a
subnet group.
Version 1.0
265
Amazon EventBridge
These limits are global limits per customer account. To exceed these limits, make your request using the
ElastiCache Node request form.
Amazon EventBridge
For more information, see EventBridge Limits in the Amazon EventBridge User Guide.

AWS Firewall Manager has default limits on the number of entities per account. You can request an
increase in these limits.
Resource Default
Accounts per organization in AWS Organizations Varies. An

invitation sent
to an account
counts against this
limit. The count
is returned if the
invited account
declines, the
master account
cancels the
invitation, or the
invitation expires.
Firewall Manager policies per organization in AWS Organizations 20
Tags to specified include or exclude per Firewall Manager policy 8
The following limits related to Firewall Manager can't be changed.
Resource Limit
Rule groups per AWS Firewall Manager administrator account 3
Rule groups per Firewall Manager policy 2: 1 customer-

created rule
group and 1 AWS
Marketplace rule
group
Rules per rule group 10
Amazon FSx
Following are the limits for Amazon FSx for Lustre and Amazon FSx for Windows File Server that you can
increase by contacting AWS Support.
Version 1.0
266
Amazon FSx
Amazon FSx for Lustre
Resource Default Can be increased up to
Number of file systems 100 Thousands
Total storage for all file systems US East (Ohio) Region – 100,800 Petabytes
GiB
US East (N. Virginia) Region –

100,800 GiB
US West (N. California) Region –

25,200 GiB
US West (Oregon) Region –

100,800 GiB
Asia Pacific (Singapore) – 25,200

GiB
Asia Pacific (Sydney) – 100,800

GiB
Asia Pacific (Tokyo) – 100,800

GiB
EU (Frankfurt) Region – 100,800

GiB
EU (Ireland) Region – 100,800

GiB
EU (London) Region – 25,200

GiB
EU (Stockholm) Region – 25,200

GiB
For more information, see FSx Lustre Limits in the Amazon FSx for Lustre User Guide.
Amazon FSx for Windows File Server
Resource Default Can Be Increased Up To
Number of file systems 100 Thousands
Total storage for all file systems 512 TiB Multiple PiBs
Total throughput capacity for all 10 GBps Hundreds of GBps

file systems
Total number of user-initiated 500 Thousands

backups for all file system
For more information, see FSx for Windows Limits in the Amazon FSx for Windows File Server User Guide.
Version 1.0
267
Amazon GameLift
Amazon GameLift
Resource Default
Aliases 20
Fleets 20
Builds 1000
Scripts 1000
Total combined size of uploaded builds and scripts 100 GB
Log upload size per game session 200 MB
On-demand instances Per instance type: limits vary.
Per account: 20 instances max, regardless of

instance type.
For more information, see Scaling Amazon Elastic

Compute Cloud (Amazon EC2) Instances for
Amazon GameLift.
Server processes per instance GameLift SDK v2.x: 1
GameLift SDK v3.x and up: 50
Player sessions per game session 200
Matchmakers per account 100
VPC peering connections For limits on active and pending VPC peering
connections, see Amazon Virtual Private Cloud
(Amazon VPC) (p. 333).
The expiry time for an Amazon GameLift VPC

peering authorization is 24 hours.
Amazon S3 Glacier
Resource Default
Number of vaults per account 1000
Number of provisioned capacity units 2

Resource Default
Number of accelerators for each AWS account 20
Version 1.0
268
AWS Glue
Resource Default
Number of listeners for each accelerator 10
Number of port ranges for each listener 10
Number of endpoints for each endpoint group 10
In addition, there are limits for Elastic IP addresses, Network Load Balancers, and Application Load
Balancers that are used as endpoints for an accelerator. For more information, see the following:
• Elastic IP Address Limit in the Amazon EC2 User Guide for Linux Instances.
• Limits for Your Network Load Balancers in the User Guide for Network Load Balancers.
• Limits for Your Application Load Balancers in the User Guide for Application Load Balancers.
AWS Glue
Resource Default
Number of databases per account 10,000
Number of tables per database 200,000
Number of partitions per table 10,000,000
Number of table versions per table 100,000
Number of functions per database 100
Number of tables per account 1,000,000
Number of partitions per account 20,000,000
Number of table versions per account 1,000,000
Number of connections per account 1,000
Number of functions per account 100
Number of concurrent crawlers per account 50
Number of crawlers per account 1000
Number of jobs per account 250
Number of triggers per account 250
Number of workflows per account 250
Number of concurrent job runs per account 50
Number of concurrent job runs per job 1,000
Number of jobs per trigger 50
Number of development endpoints per account 25
Number of security configurations per account 250
Version 1.0
269
AWS Ground Station
Resource Default
Maximum DPUs used by a development endpoint at one time 50
Maximum DPUs used by a role at one time 300
Number of machine learning transforms per account 100
Maximum label file size in MB 10
Number of concurrent tasks per transform 3
Number of concurrent tasks per account 30
Some of the limits for AWS Glue vary for the AWS GovCloud (US-West) Region. For more information,
see AWS Glue in the AWS GovCloud (US) User Guide.
AWS Ground Station

Resource Default
Maximum lead time allowed for scheduling a contact 7 days
Maximum contact duration permitted 20 minutes
Maximum scheduled contact duration permitted 1000 minutes
Maximum number of scheduled contacts allowed 100
Maximum number of configs allowed 100
Maximum number of dataflow endpoint groups allowed 100
Maximum number of mission profiles allowed 100
Maximum number of dataflow endpoints per group allowed 20
For more information, see the AWS Ground Station User Guide.
Amazon GuardDuty
Resource Default
Detectors 1
Filters 100
Trusted IP sets 1
Threat intel sets 6
GuardDuty member accounts 1000
Version 1.0
270
Resource Default
GuardDuty finding retention time 90 days
For more information, see the Amazon GuardDuty User Guide.

Default limits for IAM entities:
Resource Default
Customer managed policies in an AWS account 1500
Groups in an AWS account 300
Roles in an AWS account 1000
Managed policies attached to an IAM role 10
Managed policies attached to an IAM user 10
Virtual MFA devices (assigned or unassigned) in an Equal to the user quota for the account
AWS account
Instance profiles in an AWS account 1000
Server certificates stored in an AWS account 20
These default limits can be changed. For information about other limits that cannot be changed, see
Limitations on IAM Entities and Objects in the IAM User Guide.
AWS Import/Export
AWS Snowball (Snowball)
Snowball 1 To increase this limit, contact AWS Support.
Amazon Inspector
Resource Default
Running agents 500
Assessment runs 50,000
Assessment templates 500
Version 1.0
271
AWS IoT
Resource Default
Assessment targets 50
For more information, see the Amazon Inspector User Guide.
AWS IoT
Thing
Resource Limit
Thing name size 128 bytes of UTF-8 encoded characters. This limit
applies for both the thing registry and Thing
Shadow services.
Maximum number of thing attributes for a thing 50

with a thing type
Maximum number of thing attribute for a thing 3

without a thing type
Number of thing types that can be associated with 1

a thing
Maximum number of thing types in an AWS Unlimited

account
Thing Group
Resource Description Limit Adjustable
Maximum direct child The maximum number 100 No

groups of direct child groups.
Maximum dynamic The maximum number 100 No

groups of dynamic groups.
Thing Group Hierarchy The maximum depth of 7 No

a thing group hierarchy.
Thing Group Attributes The maximum number 50 No

of attributes associated
with a thing group.
Thing Group Attribute The maximum size of 128 No

Name a thing group attribute
name (in chars).
Thing Group Attribute The maximum size of 800 No

Value a thing group attribute
value (in chars).
Version 1.0
272
Message Broker
Message Broker
Maximum concurrent The maximum 500,000 Yes

client connections per number of concurrent
account connections allowed
per account.
Connect requests per AWS IoT limits an 500 Yes

second per account account to a maximum
number of MQTT
CONNECT requests per
second.
Connect requests per AWS IoT limits MQTT 1 No

second per client ID CONNECT requests from
the same accountId
and clientId to
1 MQTT CONNECT
operation per second.
Subscriptions per AWS IoT limits an 500,000 Yes

account account to a maximum
number of subscriptions
across all active
connections.
Subscriptions per AWS IoT limits 500 Yes

second per account an account to a
maximum number
of subscriptions per
second. For example,
if there are two MQTT
SUBSCRIBE requests
within a second with
3 subscriptions (topic
filters) each, AWS
IoT counts those as 6
subscriptions towards
this limit.
Subscriptions per AWS IoT supports 50 No

connection 50 subscriptions
per connection.
Subscription requests
on the same connection
in excess of this amount
may be rejected by AWS
IoT and the connection
will be closed. Clients
should validate the
SUBACK message
to ensure that their
subscription requests
Version 1.0
273
Message Broker

have been successfully
processed.
Publish requests per AWS IoT limits each 100 No

second per connection client connection to a
maximum number of
inbound and outbound
publish requests
per second. Publish
requests exceeding that
limit will be discarded.
Inbound publish Inbound publish 20,000 Yes

requests per second per requests count for all
account the messages that AWS
IoT processes before
routing the messages
to the subscribed
clients or the rules
engine. For example,
a single message
published on $aws/
things/device/
shadow/update topic
can result in publishing
three additional
messages to $aws/
things/device/
shadow/update/
accepted, $aws/
things/device/
shadow/update/
documents, and $aws/
things/device/
shadow/delta topics.
In this case, AWS
IoT counts those as
4 inbound publish
requests towards
this limit. However, a
single message to an
unreserved topic like a/
b is counted only as a
single inbound publish
request.
Version 1.0
274
Message Broker
Outbound publish Outbound publish 20,000 Yes

requests per second per requests count for
account every message that
resulted in matching
a client's subscription
or matching a rules
engine subscription. For
example, two clients
are subscribed to topic
filter a/b and a rule
is subscribed to topic
filter a/#. An inbound
publish request on topic
a/b results in a total
of 3 outbound publish
requests.
Throughput per second Data received or sent 512 KiB No

per connection over a client connection
is processed at a
maximum throughput
rate. Data exceeding
the maximum
throughput will be
delayed in processing.
Maximum inbound AWS IoT limits 100 No

unacknowledged QoS 1 the number of
publish requests unacknowledged
inbound publish
requests per client.
When this limit is
reached, no new
publish requests are
accepted from this
client until a PUBACK
message is returned by
the server.
Maximum outbound AWS IoT limits 100 No

unacknowledged QoS the number of
1publish requests unacknowledged
outbound publish
requests per client.
When this limit is
reached, no new
publish requests are
sent to the client until
the client acknowledges
the publish requests.
Version 1.0
275
Protocol
Maximum retry interval AWS IoT will 1 hour No

for delivering QoS 1 retry delivery of
messages unacknowledged
quality-of-service
1 (QoS 1) publish
requests to a client for
up to one hour. If AWS
IoT does not receive a
PUBACK message from
the client after one
hour, it will drop the
publish requests.
Persistent Session The duration of time 1 hour Yes

expiry period for which the Message
Broker will store an
MQTT persistent
session. The expiry
period begins when the
Message Broker detects
the session has become
disconnected. Once
the expiry period has
elapsed, the Message
Broker terminates the
session and discards
any associated queued
messages.
Protocol
Resource Description
Connection inactivity (keep-alive interval) For MQTT (or MQTT over WebSockets)
connections, a client can request a keep-alive
interval between 30 - 1200 seconds as part of
the MQTT CONNECT message. AWS IoT starts
the keep-alive timer for a client when sending
CONNACK in response to the CONNECT message.
This timer is reset whenever AWS IoT receives a
PUBLISH, SUBSCRIBE, PING, or PUBACK message
from the client. AWS IoT will disconnect a client
whose keep-alive timer has reached 1.5x the
specified keep-alive interval (i.e., by a factor
of 1.5).The default keep-alive interval is 1200
seconds. If a client requests a keep-alive interval
of zero, the default keep-alive interval will be
used. If a client requests a keep-alive interval
greater than 1200 seconds, the default keep-alive
interval will be used. If a client requests a keep-
alive interval shorter than 30 seconds but greater
Version 1.0
276
Device Shadow
Resource Description
than zero, the server treats the client as though it
requested a keep-alive interval of 30 seconds.
WebSocket connection duration WebSocket connections are limited to 24 hours. If

the limit is exceeded, the WebSocket connection is
automatically closed when an attempt is made to
send a message by the client or server.
Maximum subscriptions per subscribe request A single SUBSCRIBE request is limited a maximum
of eight subscriptions.
Message size The payload for every publish request is limited to

128 KB. The AWS IoT service rejects publish and
connect requests larger than this size.
Client ID size 128 bytes of UTF-8 encoded characters.
Restricted client ID prefix $ is reserved for AWS IoT generated client IDs.
Topic size The topic passed to the AWS IoT when sending a
publish request is limited to 256 bytes of UTF-8
encoded characters. This excludes the first three
mandatory segments for Basic Ingest topics
($AWS/rules/rule-name/).
Restricted topic prefix Topics beginning with $ are reserved by AWS

IoT and are not supported for publishing and
subscribing except for using the specific topic
names defined by AWS IoT services (i.e., Thing
Shadow).
Maximum number of slashes in topic and topic A topic in a publish or subscribe request is limited
filter to 7 forward slashes (/). This excludes the first
three slashes in the mandatory segments for Basic
Ingest topics ($AWS/rules/rule-name/).
Device Shadow
Maximum depth of JSON device state documents The maximum number of levels in the desired
or reported section of the JSON device state
document is 5. For example:
"desired": {
"one": {
"two": {
"three": {
"four": {
"five":{
}
}
}
}
}
}
Version 1.0
277
Security and Identity
Maximum number of in-flight, unacknowledged The Thing Shadows service supports up to 10 in-
messages per thing. flight unacknowledged messages per thing. When
this limit is reached, all new shadow requests are
rejected with a 429 error code.
Maximum number of JSON objects per AWS There is no limit on the number of JSON objects
account. per AWS account.
Maximum size of a JSON state document. 8 KB. Note that metadata do not contribute to the
document size for service limits or pricing.
Maximum size of a thing name. 128 bytes of UTF-8 encoded characters.
Maximum number of shadows in an AWS account. Unlimited.
Requests per second per thing. The Thing Shadows service supports up to 20
requests per second per thing. Note that this limit
is per thing and not per API.
Note
A thing shadow is deleted by AWS IoT after the creating account is deleted or per customer
request. For operational purposes, AWS IoT service backups are kept for 6 months.
Security and Identity
Maximum number of CA certificates with the 10

same subject field allowed per AWS account per
Region
Maximum number of policies that can be attached 10

to a certificate or Amazon Cognito identity
Maximum number of named policy versions 5
Maximum policy document size 2048 characters (excluding white space)
Maximum number of device certificates that can 15

be registered per second
Maximum number of AWS IoT role aliases 100
AWS IoT Throttling
API Transactions per Second
AcceptCertificateTransfer 10
AddThingToBillingGroup 60
AddThingToThingGroup 60
AssociateTargetsWithJob 10
AttachPrincipalPolicy 15
Version 1.0
278
AWS IoT Throttling
AttachPolicy 15
AttachThingPrincipal 15
CancelCertificateTransfer 10
CancelJob 10
CancelJobExecution 10
ClearDefaultAuthorizer 10
CreateAuthorizer 10
CreateBillingGroup 25
CreateCertificateFromCsr 15
CreateDynamicThingGroup 5
CreateJob 10
CreatePolicy 10
CreatePolicyVersion 10
CreateRoleAlias 10
CreateThing 15
CreateThingGroup 25
CreateThingType 15
DeleteAuthorizer 10
DeleteBillingGroup 15
DeleteCertificate 10
DeleteCACertificate 10
DeleteDynamicThingGroup 5
DeleteJob 10
DeleteJobExecution 10
DeletePolicy 10
DeletePolicyVersion 10
DeleteRegistrationCode 10
DeleteRoleAlias 10
DeleteThing 15
DeleteThingGroup 15
DeleteThingType 15
Version 1.0
279
AWS IoT Throttling
DeprecateThingType 15
DescribeAuthorizer 10
DescribeBillingGroup 100
DescribeCertificate 10
DescribeCACertificate 10
DescribeDefaultAuthorizer 10
DescribeJob 10
DescribeJobExecution 10
DescribeRoleAlias 10
DescribeThing 350
DescribeThingGroup 100
DescribeThingType 10
DetachThingPrincipal 15
DetachPrincipalPolicy 15
DetachPolicy 15
GetEffectivePolicies 50
GetJobDocument 10
GetPolicy 10
GetPolicyVersion 15
GetRegistrationCode 10
ListAttachedPolicies 15
ListAuthorizers 10
ListBillingGroups 10
ListCACertificates 10
ListCertificates 10
ListChildThingGroups 15
ListCertificatesByCA 10
ListJobExecutionsForJob 10
ListJobExecutionsForThing 10
ListJobs 10
ListOutgoingCertificates 10
Version 1.0
280
AWS IoT Throttling
ListPolicies 10
ListPolicyPrincipals 10
ListPolicyVersions 10
ListPrincipalPolicies 15
ListPrincipalThings 10
ListRoleAliases 10
ListTagsForResource 10
ListTargetsForPolicy 10
ListThingGroups 10
ListThingGroupsForThing 10
ListThingPrincipals 10
ListThings 10
ListThingsInBillingGroup 25
ListThingsInThingGroup 25
ListThingTypes 10
RegisterCertificate 10
RegisterCACertificate 10
RegisterThing 10
RejectCertificateTransfer 10
RemoveThingFromBillingGroup 15
RemoveThingFromThingGroup 15
SetDefaultAuthorizer 10
SetDefaultPolicyVersion 10
TagResource 10
TestAuthorization 10
TestInvokeAuthorizer 10
TransferCertificate 10
UntagResource 10
UpdateAuthorizer 10
UpdateBillingGroup 15
UpdateCertificate 10
Version 1.0
281
AWS IoT Rules Engine
UpdateCACertificate 10
UpdateDynamicThingGroup 5
UpdateJob 10
UpdateRoleAlias 10
UpdateThing 10
UpdateThingGroup 15
AWS IoT Rules Engine
Maximum number of rules per AWS account 1000
Actions per rule A maximum of 10 actions can be defined per rule.
Rule size Up to 256 KB of UTF-8 encoded characters

(including white space).
Inbound publish requests per second per account 20,000
AWS IoT Job
Resource Min Max Note
JobId 1 character 64 characters The JobId length

must not exceed 64
characters.
Document N/A 32768 bytes The maximum size of

a document that can
be sent to an AWS IoT
device is 32 KB.
DocumentSource N/A 1350 characters The maximum job

document source size is
1350 characters.
Description N/A 2028 characters The maximum job

description size is 2028
characters.
Targets 1 100 The number of targets a

job can have.
ExpiresInSec 60 seconds 3600 seconds The lifetime of pre-

signed URLs must be
configured greater than
60 seconds and less
than 1 hour.
Version 1.0
282
AWS IoT Job
Comment N/A 2028 characters The maximum

comment size is 2028
characters.
MaxResults 1 250 The maximum list result

per page is 250.
1
MaximumJobExecutionsPerMinute 1000 Configures the rollout
speed for a job.
Active snapshot jobs 0 100 The maximum number

of active snapshot jobs
is 100 (irrespective of
the number of active
continuous jobs).
Active continuous jobs 0 100 The maximum number

of active continuous
jobs is 100 (irrespective
of the number of active
snapshot jobs).
Job document variable 0 10 Up to 10 variables

substitution substitutions, including
the presign URL,
are allowed in a job
document.
Data retention N/A 730 days Job data and job

execution data for
inactive jobs (jobs that
aren't IN_PROGRESS)
will be purged after 730
days.
StatusDetail map 1 key:value pair 10 key:value pairs

key:value pairs
StatusDetail map 1 character 128 characters

key size
StatusDetail map 1 character 128 characters

value size
Version 1.0
283
AWS IoT Fleet Indexing
DescribeJobExecutionN/A 200 TPS per account If invoking one or more

and of these "read" APIs in
†
GetPendingJobExectuions the data plane causes
the associated AWS
account to exceed 200
read transactions per
second (TPS) in total,
then the offending API
invocation(s) will be
throttled to maintain
the maximum allowed
200 read TPS per AWS
account. Be aware that
†
in the control plane ,
DescribeJobExecution
is limited to 10 TPS per
invocation.
N/A
StartNextPendingJobExecution 200 TPS per account If invoking one or more
and of these "write" APIs in
†
UpdateJobExecution the data plane causes
the associated AWS
account to exceed 200
write transactions per
second (TPS) in total,
then the offending API
invocation(s) will be
throttled to maintain
the maximum allowed
200 write TPS per AWS
account.
1
inProgressTimeoutInMinutes 10080 Values are in minutes (1
property of minute to 7 days).
TimeoutConfig
stepTimeoutInMinutes1 10080 Values are in minutes

value passed with (1 minute to 7 days).
UpdateJobExecution A value of -1 is also
and valid when using the
StartNextPendingJobExecution UpdateJobExecution
API and discards a
previously set timer.
†
For definitions of data plane and control plane, see What are the ways for accessing AWS IoT Core?
AWS IoT Fleet Indexing
Resource Limit Note
Maximum number of query 5 You can have up to 5 terms per

terms per query query.
Version 1.0
284
AWS IoT Bulk Thing Registration
Resource Limit Note
Maximum query length 1000 Your queries can be up to

1000 bytes of UTF-8 encoded
characters long.
Maximum number of query 500 Fleet indexing service will return

results up to 500 results per query.
Maximum number of * wild card 2 Each query term can have up to

operators per query term 2 multi-character wildcards (*).
Maximum number of ? wild card 5 Each query term can have up to

operators per query term 5 single-character wildcards (?).
Maximum number of queries per 15 You can execute up to 15 search

second queries per second.
Maximum number of things in Unlimited There is no limit to the number

the fleet index of things that can be indexed.
Maximum number of dynamic 100 A maximum of 100 dynamic

groups in the fleet index groups can be indexed.
AWS IoT Throttling Limits
API Max Calls Per Second
UpdateIndexingConfiguration 1
GetIndexingConfiguration 20
DescribeIndex 10
ListIndices 5
SearchIndex 15
AWS IoT Bulk Thing Registration
Resource Limit Note
Registration task termination 30 days Any pending/uncompleted bulk

registration tasks are terminated
after 30 days.
Data retention policy 30 days Once the associated bulk

registration task has completed
(which can be long lived), bulk
Thing registration related data
is permanently deleted after 30
days.
Version 1.0
285
Resource Limit Note
Allowed registration tasks 1 For any given AWS account, only

one bulk registration task can
run at a time.
Maximum line length 256K Each line in an Amazon S3 input

JSON file cannot exceed 256K in
length.

Audit
Resource Limit Description
scheduled audits 5 max. You can create up to 5 scheduled

audits before a LimitExceeded
Exception occurs.
simultaneous in progress "on- 10 max. You can create up to 10 "on-

demand" audits demand" audits before a
LimitExceeded Exception
occurs.
Detect
• The maximum number of security profiles per target (thing group or user account) is 5.
• The maximum number of behaviors per security profile is 100.
• The maximum number of value elements (counts, IP addresses, ports) per security profile is 1000.
• Device metric reporting is throttled to one metric per 5 minutes per device (a device may not report
more than one metric every 5 minutes).
• Device Defender Detect violations are stored for 30 days after they have been generated.
AWS IoT Analytics

API Limit Description Adjustable?
SampleChannelData 1 transaction per second per yes

channel
CreateDatasetContent 1 transaction per second per yes

data set
RunPipelineActivity 1 transaction per second yes
other management APIs 20 transactions per second yes
BatchPutMessage 100,000 messages or 500MB yes; yes; no

total message size per second
per channel; 100 messages per
batch; 128Kb per message
Version 1.0
286
AWS IoT Events
Resource Limit Description Adjustable?
channel 50 per account yes
data store 25 per account yes
pipeline 100 per account yes
activities 25 per pipeline no
data set 100 per account yes
minimum SQL data set refresh 1 minute no

interval
minimum container data set 15 minutes yes

refresh interval
concurrent data set content 2 data sets simultaneously no

generation
container datasets that can be 10 no

triggered from a single SQL
dataset
concurrent container dataset 20 no

runs
AWS IoT Events

Detector models per The maximum number 10 no

input of detector models that
can be associated with
a single input.
Message size The maximum size of a 10 yes

message (in Kilobytes).
Messages per detector The maximum number 10 no

per second of messages that can be
sent to a detector in a
second.
Detectors per detector The maximum number 100,000 yes

model of detectors that can be
created by a detector
model.
Detector model The maximum size (in 512 no

definition size Kilobytes) of a detector
model definition.
Detector models The maximum number 50 yes

of detector models for
this account.
Version 1.0
287
AWS IoT Greengrass
Detector model The maximum number 500 yes

versions of versions of a single
detector model for this
account.
Inputs The maximum number 50 yes

of inputs for this
account.
Trigger expressions The maximum number 20 yes

of trigger expressions
per state.
State variables per The maximum number 50 yes

detector model of state variables in
definition a detector model
definition.
Timers scheduled per The maximum number 5 yes

detector of timers that can
be scheduled by a
detector.
API Limit Description Adjustable?
BatchPutMessage 1000 transactions per second yes
AWS IoT Greengrass

AWS IoT Greengrass Cloud API
Description Limit
Maximum number of AWS IoT devices per AWS 200

IoT Greengrass group.
Maximum number of Lambda functions per group. 200
Maximum number of resources per Lambda 10

function.
Maximum number of resources per group. 50
Maximum number of transactions per second See the section called “TPS” (p. 289).
(TPS) on the AWS IoT Greengrass APIs.
Maximum number of subscriptions per group. 1000
Maximum number of subscriptions that specify 50

Cloud as the source per group.
Maximum length of a core thing name. 124 bytes of UTF-8 encoded characters.
Version 1.0
288
AWS IoT Greengrass Core
TPS
The default limit for the maximum number of transactions per second on the AWS IoT Greengrass APIs
depends on the AWS Region where AWS IoT Greengrass is used.
In most supported AWS Regions (p. 113), the default limit is 30. Exceptions are noted in the following
table.
AWS Region Limit
China (Beijing) 10
AWS GovCloud (US-West) 10
This limit applies per account and per API. For example, in the US East (N. Virginia) Region, each account
has a default limit of 30 TPS, which is the aggregate of all API operation requests. Each API (such as
CreateGroupVersion or ListFunctionDefinitions) has a limit of 30 TPS. This includes control
plane and data plane operations. Requests that exceed the account or API limits are throttled. To request
account and API limit increases, including limits for specific APIs, contact your AWS Enterprise Support
representative.
AWS IoT Greengrass Core
Description Limit
Maximum number of routing table entries that 50 (matches AWS IoT subscription limit)
specify Cloud as the source.
Maximum size of messages sent by an AWS IoT 128 KB (matches AWS IoT message size limit)
device.
Maximum message queue size in the Greengrass 2.5 MB

core router.
Maximum length of a topic string. 256 bytes of UTF-8 encoded characters.
Maximum number of forward slashes (/) in a topic 7

or topic filter.
Minimum disk space needed to run the Greengrass 128 MB

Core software.
Minimum RAM to run the Greengrass Core 128 MB

software.
Automatic IP detection should not be used when: • IP address changes are frequent.
• Interruption of the Greengrass core service is
unacceptable.
• The Greengrass core is multi-homed or
Greengrass devices cannot reliably determine
which IP address to use.
• Reporting of Greengrass core IP addresses to
the cloud might raise security concerns.
Version 1.0
289
The Greengrass Core software provides a service to detect the IP addresses of your Greengrass core
devices. It sends this information to the AWS IoT Greengrass cloud service and allows AWS IoT devices to
download the IP address of the Greengrass core they need to connect to. This feature should not be used
in the following circumstances:
• The IP address of a Greengrass core device changes frequently.

• The Greengrass core device must always be available to AWS IoT devices in its group.
• The Greengrass core has multiple IP addresses and an AWS IoT device is unable to reliably determine
which address to use.
• Sending IP addresses to the cloud raises security concerns.

Description Limit Adjustable?
Flow (workflow) definition 10 KB yes

document size.
Maximum number of flows 5 per second yes

triggered.
Maximum number of steps 50 per second yes

executed per flow configuration
deployment.
Total flow configurations in a 100 yes

namespace.
Total entities (properties, states, 500 yes

events, actions, capabilities,
mappings, devices, and services)
in a namespace.
Total flow definitions in a 100 yes

namespace.
Entity definition document size 1 MB no

(for properties, states, events,
actions, capabilities, mappings,
devices, and services).
Device action timeout. 1 minute no
API Max Calls Per Second Adjustable?
AssociateEntityToThing 10 yes
10
CreateDeploymentConfiguration yes
CreateFlowTemplate 10 yes
CreateSystemInstance 20 yes
CreateSystemTemplate 10 yes
Version 1.0
290
10
DeleteDeploymentConfiguration yes
DeleteFlowTemplate 10 yes
DeleteNamespace 10 yes
DeleteSystemInstance 10 yes
DeleteSystemTemplate 10 yes
DeployConfigurationToTarget10 yes
DeploySystemInstance 10 yes
10
DeprecateDeploymentConfiguration yes
DeprecateFlowTemplate 10 yes
DeprecateSystemTemplate 10 yes
DescribeNamespace 10 yes
DissociateEntityFromThing 10 yes
GetDeploymentConfiguration 10 yes
GetEntities 10 yes
GetFlowTemplate 10 yes
GetFlowTemplateRevisions 10 yes
GetNamespaceDeletionStatus 10 yes
GetRecentUploads 10 yes
GetSystemInstance 10 yes
GetSystemTemplate 10 yes
GetSystemTemplateRevisions 10 yes
GetUploadStatus 10 yes
ListFlowExecutionMessages 10 yes
ListMappingPaths 10 yes
10
SearchDeploymentConfigurations yes
SearchEntities 10 yes
SearchFlowExecutions 10 yes
SearchFlowTemplates 10 yes
SearchSystemInstances 10 yes
SearchSystemTemplates 10 yes
SearchThings 10 yes
Version 1.0
291
AWS Key Management Service (AWS KMS)
UndeploySystemInstance 10 yes
UpdateFlowTemplate 10 yes
UpdateSystemTemplate 10 yes
UploadEntityDefinitions 10 yes
ValidateEntityDefinitions 10 yes
AWS Key Management Service (AWS KMS)

Resource Default
Customer Master Keys (CMKs) 10,000
Aliases 10,000
Grants per CMK 10,000
Grants for a given principal per CMK 500
Key policy document size 32 KB (32,768 bytes)
Requests per second Varies by API operation; see Limits in the AWS Key
Management Service Developer Guide.
All limits in the preceding table are calculated separately for each AWS Region in each AWS account.
For more information about these limits, see Limits in the AWS Key Management Service Developer Guide.

Resource Default
Delivery streams per Region 50
Delivery stream capacity for US East (N. Virginia), US West (Oregon), 2,000 transactions/second
and EU (Ireland) †
5,000 records/second
5 MB/second
Delivery stream capacity for other Regions where Kinesis Data 1,000 transactions/second
Firehose is available †
1,000 records/second
1 MB/second
† The three capacity limits scale proportionally. For example, if you increase the throughput limit to 2
MB/second in Asia Pacific (Singapore), the other limits increase to 2,000 transactions/second and 2,000
records/second.
Version 1.0
292
For more information, see Amazon Kinesis Data Firehose Limits in the Amazon Kinesis Data Firehose
Developer Guide.

Resource Default
Shards per Region US East (N. Virginia) Region – 500
US West (Oregon) Region – 500
EU (Ireland) Region – 500
All other supported Regions – 200
For more information, see Amazon Kinesis Data Streams Limits in the Amazon Kinesis Data Streams
Developer Guide.

Kinesis Data Analytics for SQL Applications Limits
Resource Default
Kinesis Processing Units (KPUs) 8
Input Parallelism for SQL applications 64 input streams
Applications 50
For more information, see Limits in the Amazon Kinesis Data Analytics for SQL Applications Developer
Guide.
Kinesis Data Analytics for Java Applications Limits
Resource Default
Kinesis Processing Units (KPUs) 32
Snapshots 1000
Applications 50
For more information, see Limits in the Amazon Kinesis Data Analytics for Java Applications Developer
Guide.

The limits below are either soft [s], which can be upgraded by submitting a support ticket, or hard [h],
which cannot be increased.
Version 1.0
293
Control Plane API
Control Plane API

The following section describes limits for Control Plane APIs.
When an account-level Request limit is reached, a ClientLimitExceededException is thrown.
When an account-level Streams limit is reached, or a stream-level limit is reached, a

StreamLimitExceededException is thrown.
Control Plane API limits
API Account Limit: Account Limit: Stream-level Relevant Exceptions and Notes
Request Streams limit
CreateStream 50 TPS [s] 2500 streams Devices, CLIs, SDK-driven access,

per account and the console can all invoke
[s] in US East this API. Only one API call
(N. Virginia) succeeds if the stream doesn’t
and US West already exist.
(Oregon)
regions. 1000
streams per
account [s]
in all other
supported
regions.
Note
This
limit
can be
increased
up to
100,000
(or
more)
streams
per
account
[s].
Sign in
to the
AWS
Management
Console
at
https://
console.aws.amazon.com/
and
submit
a
service
limit
increase
case
for
Kinesis
Video
Version 1.0
294
Media and Archived Media API
API Account Limit: Account Limit: Stream-level Relevant Exceptions and Notes
Request Streams limit
Streams
to
request
an
increase
of this
limit.
DescribeStream 300 TPS [h] N/A 5 TPS [h]
UpdateStream 50 TPS [h] N/A 5 TPS [h]
ListStreams 50 TPS [h] N/A
DeleteStream 50 TPS [h] N/A 5 TPS [h]
GetDataEndpoint300 TPS [h] N/A 5 TPS [h] Called every 45 minutes to

refresh the streaming token for
most PutMedia/GetMedia use
cases. Caching data endpoints
is safe if the application reloads
them on failure.
UpdateDataRetention
50 TPS [h] N/A 5 TPS [h]
TagStream 50 TPS [h] N/A 5 TPS [h]
UntagStream 50 TPS [h] N/A 5 TPS [h]
ListTagsForStream
50 TPS [h] N/A 5 TPS [h]

The following section describes limits for Media and Archived Media APIs.
When a stream-level limit is exceeded, a StreamLimitExceededException is thrown.
When a connection-level limit is reached, a ConnectionLimitExceededException is thrown.
The following errors or acks are thrown when a fragment-level limit is reached:
• A MIN_FRAGMENT_DURATION_REACHED ack is returned for a fragment below the minimum duration.

• A MAX_FRAGMENT_DURATION_REACHED ack is returned for a fragment above the maximum duration.
• A MAX_FRAGMENT_SIZE ack is returned for a fragment above the maximum data size.
• A FragmentLimitExceeded exception is thrown if a fragment limit is reached in a
GetMediaForFragmentList operation.
Data Plane API limits

API Stream- Connection- Bandwidth Fragment- Relevant Exceptions and
level limit level limit limit level limit Notes
PutMedia 5 TPS [h] 1 [s] 12.5 MB/ • Minimum A typical PutMedia request
second, or fragment contains data for several
100 Mbps [s] duration: seconds, resulting in a
Version 1.0
295

1 second lower TPS per stream.
[h] In the case of multiple
• Maximum concurrent connections
fragment that exceed limits, the last
duration: connection is accepted.
10
seconds
[h]
• Maximum
fragment
size: 50
MB [h]
• Maximum
number of
tracks: 3
[s]
GetHLSStreamingSessionURL
5 TPS Burst, N/A N/A N/A Only 10 sessions per
1 TPS stream can be active at a
Sustained time [s]. After the limit has
[h] been reached, the oldest
session is revoked when a
new session is created.
GetDASHStreamingSessionURL
5 TPS Burst, N/A N/A N/A Only 10 sessions per
1 TPS stream can be active at a
Sustained time [s]. After the limit has
[h] been reached, the oldest
session is revoked when a
new session is created.
GetMedia 5 TPS [h] 3 [s] 25 MB/s or N/A Only three clients can
200 Mbps [s] concurrently receive
content from the media
stream at any moment
of time. Further client
connections are rejected.
A unique consuming client
shouldn’t need more
than 2 or 3 TPS because
after the connection is
established, we anticipate
that the application will
read continuously.
If a typical fragment is
approximately 5 MB, this
limit means ~75 MB/ sec
per Kinesis video stream.
Such a stream would have
an outgoing bitrate of 2x
the streams' maximum
incoming bitrate.
Version 1.0
296
AWS Lake Formation

ListFragments 5 TPS [h] N/A N/A N/A
GetMediaForFragmentList
5 TPS [h] 5 [s] 25 MB/s or Maximum Five fragment-based
200 MbpsA number of consuming applications can
[s] fragments: concurrently get media.
1000 [h] Further connections are
rejected.
Video Playback Protocol API limits

API Session-level limit Fragment-level limit
GetDASHManifestPlaylist 5 TPS [h] Maximum number of fragments

per playlist: 1000 [h]
GetHLSMasterPlaylist 5 TPS [h] N/A
GetHLSMediaPlaylist 5 TPS [h] Maximum number of fragments

per playlist: 1000 [h]
GetMP4InitFragment 5 TPS [h] N/A
GetMP4MediaFragment 10 TPS [h] N/A
GetTSFragment 10 TPS [h] N/A
AWS Lake Formation

The following limits apply per catalog.
Resource Default
Number of subfolders in Amazon S3 path 20
Length of path which can be registered 700
Number of admins 10
Number of registered paths per catalog 10,000
Number of permissions per catalog 10,000,000
AWS Lambda
AWS Lambda limits the amount of compute and storage resources that you can use to run and store
functions. The following limits apply per Region and can be increased. To request an increase, use the
Support Center console.
Resource Default
Concurrent executions 1,000
Version 1.0
297
AWS License Manager
Resource Default
Function and layer storage 75 GB
For more information, see AWS Lambda Limits in the AWS Lambda Developer Guide.
AWS License Manager

Resource Default
Number of license configurations per resource 10
Total number of license configurations 25
Amazon Lightsail
New AWS accounts may start with defaults that are lower than those described here.
Resource Default Comment
Number of instances 20 per Region This limit can be increased by

contacting support.
Number of databases 40 per Region This limit cannot be increased.
Number of static IP addresses 5 per Region This limit can be increased by

contacting support.
Number of parallel SSH connections 5 per Region, per This limit cannot be increased.
using the browser-based SSH client account
Number of parallel RDP connections 1 per Region, per This limit cannot be increased.
using the browser-based RDP client account
Number of DNS zones (or domains) 3 per account This limit cannot be increased.
Number of load balancers 5 per Region This limit cannot be increased.
Amount of attached block storage disk 20,000 GB per These limits cannot be increased.
space Region
16 TB per disk
maximum, or 8 GB
per disk minimum
Each instance can

have up to 15
attached disks,
and 1 boot volume
disk
Number of certificates (last 365 days) 20 per account This limit cannot be increased.
Number of tags 50 per resource This limit cannot be increased.
Version 1.0
298
Amazon Macie
Amazon Macie
Resource Default
Full data classification 3 TB per month
Macie member accounts 10
S3 buckets/prefixes specified for data classification 250 (this is a hard limit and
cannot be changed)
For more information, see the Amazon Macie User Guide.
Amazon Machine Learning (Amazon ML)

Resource Default
Data file size* 100 GB
Batch prediction input size 1 TB
Batch prediction input (number of records) 100 million
Number of variables in a data file (schema) 1,000
Recipe complexity (number of processed output variables) 10,000
Transactions Per Second for each real-time prediction endpoint 200
Total Transactions Per Second for all real-time prediction endpoints 10,000
Total RAM for all real-time prediction endpoints 10 GB
Number of simultaneous jobs 25
Longest run time for any job 7 days
Number of classes for multiclass ML models 100
ML model size 2 GB
Note
The size of your data files is limited to ensure that jobs finish in a timely manner. Jobs that have
been running for more than seven days are automatically terminated, resulting in a FAILED
status.
For more information, see Amazon ML Limits in the Amazon Machine Learning Developer Guide.
Amazon Managed Blockchain

For information about attributes of Starter Edition and Standard Edition networks, such as the number
of members per network, peer nodes per member, available instance types, and more, see Amazon
Managed Blockchain Pricing.
Version 1.0
299
Resource Default
Starter Edition networks
Maximum number of Starter Edition networks in 4

which an AWS account can own a member.
Maximum number of Hyperledger Fabric channels 3

per Starter Edition network.
Standard Edition networks
Maximum number of Standard Edition networks 2

in which an AWS account can own a member.
Maximum number of Hyperledger Fabric channels 8

per Standard Edition network.

Entitlements 50 per flow The maximum number of

entitlements that you can grant
on a flow.
Flows 20 per AWS Region The maximum number of flows

that you can create in each AWS
Region.
Outputs 20 per flow The maximum number of

outputs that a flow can have.
Sources 1 per flow The maximum number of

sources that you can assign to a
flow.

Resource Default
Number of queues per account 10
Concurrent jobs processed per on- Varies by Region.

demand queue
200 in these
Regions:
• US East (N.
Virginia)
• US West (N.
California)
• EU (Ireland)
Version 1.0
300
Resource Default
100 in all other
Regions
Concurrent jobs processed per reserved Equal to the

queue number of
reserved
transcoding slots
(RTS) purchased in
the contract.
Number of custom output presets 100
Number of custom output job 100

templates
Rate of DescribeEndpoints requests 0.01667 TPS

(Once per 60
seconds)
Note
This
endpoint
is specific
to your
AWS
account
and won't
change.
Request
this
endpoint
once,
and then
hardcode
or cache
it.
Rate of CreateJob requests 5 TPS (5

transactions per
second)
Rate of all other requests 2 TPS (2

transactions per
second)
Burst rate of all requests other than 100 TPS (100

DescribeEndpoints transactions per
second)
To request increases, open a support case with AWS Support.
Version 1.0
301

Resource Default
Maximum inputs 5
Maximum input security groups 5
Maximum channels 5

You can request increases on the following limits. To do so, go to the AWS support center and create a
case.
For more information about AWS Elemental MediaPackage limits, including limits that can't be increased,
see Limits in the AWS Elemental MediaPackage User Guide.
Live Content
These are the limits for live content in MediaPackage.
Resource Default
Maximum channels per account 30
Maximum endpoints per channel 10
VOD Content
These are the limits for video on demand (VOD) content in MediaPackage.
Resource Default
Maximum packaging groups 10
Maximum packaging configurations per 10

packaging group
Maximum assets per packaging group 1000

Resource or Default Comments
Operation
DeleteObject 100 transactions per The maximum number of operation requests that
second (TPS) you can make per second. Additional requests are
throttled.
Version 1.0
302
Resource or Default Comments

Operation
DescribeObject 1,000 transactions per The maximum number of operation requests that
throttled.
GetObject 1,000 transactions per The maximum number of operation requests that
throttled.
ListItems 5 transactions per second The maximum number of operation requests that
(TPS) you can make per second. Additional requests are
throttled.
PutObject 100 transactions per The maximum number of operation requests that
throttled.
For more information, see Limits in the AWS Elemental MediaStore User Guide.

Resource Default Comment
Transactions 3,000 concurrent This is an account-level limit.

transactions per
second across Your transactions per second are
all request types largely dependent on how often the
(such as manifest player requests updated manifests. For
requests and example, a player with eight second
tracking requests segments might update the manifest
for client-side every eight seconds. The player, then,
reporting). generates 0.125 transactions per
second.
For more information about AWS Elemental MediaTailor limits, including limits that can't be increased,
see Limits in the AWS Elemental MediaTailor User Guide.
Amazon MQ
For more information, see Amazon MQ Limits in the Amazon MQ Developer Guide.
Version 1.0
303
Amazon Neptune
Amazon Neptune
Resource Default
US East (N. Virginia) Region: Maximum instances is 3.
Maximum instances
You can request an increase on this limit. For more information, see https://aws.amazon.com/support.
AWS OpsWorks for Chef Automate and AWS

OpsWorks for Puppet Enterprise
Resource Default
Chef or Puppet servers 5
User-initiated (manual) backup generations 10
Automated (scheduled) backup generations 30
AWS OpsWorks Stacks

Resource Default
Stacks 40
Layers per stack 40
Instances per stack 40
Apps per stack 40
AWS Organizations
Resource Default
Accounts per organization Varies. Contact Customer

Support.
Invitations sent per day 20
For more information, see Limits of AWS Organizations in the AWS Organizations User Guide.
Version 1.0
304
OTA Update Manager
OTA Update Manager

OTA Update Manager API
API TPS
CreateOTAUpdate 10 TPS
GetOTAUpdate 15 TPS
DeleteOTAUpdate 5 TPS
ListOTAUpdates 15 TPS
Amazon Pinpoint
Resource Default
Active campaigns per account 200 per account.

Note
An active campaign is
a campaign that hasn't
completed or failed.
Active campaigns have
a status of SCHEDULED,
EXECUTING, or
PENDING_NEXT_RUN.
Concurrent endpoint import jobs per account 2 per account.
Message sends per campaign activity 100 million.
Total file size per endpoint import job 1 GB per import job.
SMS account spend threshold USD$1.00 per account.
Maximum number of Amazon SNS topics for two-way SMS 100,000 per account.
Number of emails that you can send in a 24-hour period (sending 200 emails per 24-hour period
quota) for accounts in the sandbox.
Number of emails that you can send each second (sending rate) 1 email per second for accounts
in the sandbox.
Email recipient addresses Accounts in the sandbox can

only send email to recipients
whose email addresses or
domains have been verified.
Number of voice messages that you can send in a 24-hour period. 20 messages per 24-hour period
for accounts in the sandbox.
Number of voice messages that you can send per minute. 5 messages per minute for
accounts in the sandbox.
Version 1.0
305
Amazon Polly
Resource Default
Voice message length. 30 second length for accounts in

the sandbox.
Ability to send voice messages to international phone numbers. Accounts in the sandbox can
only send messages to recipients
in the following countries and
Regions:
• Australia
• Canada
• China
• Germany
• Hong Kong
• Israel
• Japan
• Mexico
• Singapore
• Sweden
• The United States
• The United Kingdom
To request an increase, submit a Amazon Pinpoint Limit Increase case.

Note
The sandbox for the email channel is separate from the sandbox for the voice channel. To gain
production access for both channels, you have to complete the request form for both channels.
To learn more about requesting production access for the email channel, see Requesting
Production Access for Email. To learn more about requesting production access for the voice
channel, see Requesting Production Access (Voice).
For more information, see Limits in the Amazon Pinpoint Developer Guide.
Amazon Polly
• Throttle rate per IP address: 100 transactions (requests) per second (tps) with a burst limit of 120 tps.
• Throttle rate per operation:
Throttle Rate per Operation
Operation Limit
Lexicon
DeleteLexicon Any 2 transactions per second (tps) from these operations

combined.
PutLexicon
Maximum allowed burst of 4 tps.
GetLexicon
ListLexicons
Version 1.0
306
Amazon QLDB
Operation Limit
Speech
DescribeVoices 80 rps with a burst limit of 100 tps
SynthesizeSpeech 80 rps with a burst limit of 100 tps
Amazon QLDB
Resource Default
Number of active ledgers 5
For more information, see Limits in Amazon QLDB in the Amazon QLDB Developer Guide.

Resource Default
Maximum number of resource shares 500
Maximum number of shared resources 5000
Maximum number of pending invitations 20
Amazon Redshift
Resource Default
Nodes per cluster 101
Nodes 200
Reserved Nodes 200
Snapshots 20
Parameter Groups 20
Security Groups 20
Subnet Groups 20
Subnets per Subnet Group 20
Event Subscriptions 20
For more information, see Limits in Amazon Redshift in the Amazon Redshift Cluster Management Guide.
Version 1.0
307
Amazon Rekognition
Amazon Rekognition
Amazon Rekognition has the following limits that you can change.
Resource Default
Transactions per second per account for image data plane • US East (Ohio) Region – 5
operations: • US East (N. Virginia) Region –
50
• CompareFaces
• US West (N. California) Region
• DetectFaces –5
• DetectLabels
• US West (Oregon) Region – 50
• DetectModerationLabels • Asia Pacific (Mumbai) Region –
• DetectText 5
• GetCelebrityInfo • Asia Pacific (Seoul) Region – 5
• IndexFaces • Asia Pacific (Singapore) Region
• ListFaces –5
• RecognizeCelebrities • Asia Pacific (Sydney) Region –
• SearchFaces 5
• SearchFacesByImage • Asia Pacific (Tokyo) Region – 5
• EU (Frankfurt) Region – 5
• EU (Ireland) Region – 50
• EU (London) Region – 5
• AWS GovCloud (US-West) – 5
Transactions per second per account for image control plane In each Region that Amazon
operations: Rekognition supports – 5
• CreateCollection
• DeleteCollection
• DeleteFaces
• DescribeCollection
• ListCollections
Transactions per second per account for all stored video Start In each Region that Amazon
• StartCelebrityRecognition
• StartContentModeration
• StartFaceDetection
• StartFaceSearch
• StartLabelDetection
• StartPersonTracking
Transactions per second per account for all stored video Get • US East (Ohio) Region – 5
operations: • US East (N. Virginia) Region –
20
• GetCelebrityRecognition
• GetContentModeration –5
• GetFaceDetection
• US West (Oregon) Region – 20
• GetFaceSearch
Version 1.0
308
Resource Default
• GetLabelDetection • Asia Pacific (Mumbai) Region –
• GetPersonTracking 5
• Asia Pacific (Seoul) Region – 5
• Asia Pacific (Singapore) Region
–5
• Asia Pacific (Sydney) Region –
5
• Asia Pacific (Tokyo) Region – 5
• EU (Frankfurt) Region – 5
• EU (Ireland) Region – 5
• EU (London) Region – 5
• AWS GovCloud (US-West) – 5
Maximum number of concurrent stored video jobs per account 20
Maximum number of streaming video stream processors per In each Region that Amazon
account that can simultaneously exist Rekognition supports – 10
Transactions per second per account for all streaming video In each Region that Amazon
• CreateStreamProcessor
• DeleteStreamProcessor
• DescribeStreamProcessor
• ListStreamProcessors
• StartStreamProcessor
• StopStreamProcessor
For more information, see Amazon Rekognition Limits.

RDS)
Resource Default
Clusters 40
Cluster parameter groups 50
DB Instances 40
Event subscriptions 20
Manual snapshots 100
Option groups 20
Parameter groups 50
Read replicas per master 5
Version 1.0
309
AWS Resource Groups
Resource Default
Reserved instances 40
Rules per security group 20
Security groups 25
Security groups (VPC) 5
Subnet groups 50
Subnets per subnet group 20
Tags per resource 50
Total storage for all DB instances 100 TB
AWS Resource Groups

Resource Default
Resource groups per account 100
AWS RoboMaker
Resource Default Limit Type Comments
Robot application 40 Soft The maximum number

of robot applications
you can create in this
account in the current
Region.
Robot application 40 Soft The maximum number

versions of versions you can
create for a Robot
Application.
Simulation application 40 Soft The maximum

number of simulation
applications you can
create in this account in
the current Region.
Simulation application 40 Soft The maximum number

versions of versions you can
create for a Simulation
Application.
Concurrent simulation • US West (Oregon) Soft The maximum

jobs Region – 10 number of concurrent
• US East (N. Virginia) simulation jobs you can
Region – 10
Version 1.0
310
AWS RoboMaker

• All other supported run in this account in
regions – 5 the current Region.
Simulation job creation • US West (Oregon) Hard The maximum number

rate per minute Region – 10 of simulation jobs you
• US East (N. Virginia) can create per minute
Region – 10 in this account in the
current Region.
• All other supported
regions – 5
Minimum simulation 5 Hard The minimum duration

duration in minutes that you can
specify for a simulation
job.
Simulation duration 14 Hard The maximum

duration in days that a
simulation job can run
for including restarts.
Simulation job 90 Hard The maximum duration

retention time in days a simulation
job is retained. After
this time, you can no
longer retrieve or view
the simulation job.
Robots 100 Soft The maximum number

of robots you can create
in this account in the
current Region.
Fleets 20 Soft The maximum number

of fleets you can create
in this account in the
current Region.
Robots per fleet 100 Soft The maximum number

of robots you can
register to a fleet.
Deployment job 90 Hard The maximum duration

retention time in days a deployment
job is retained. After
this time, you can no
longer retrieve or view
the deployment job.
Concurrent deployment 5 Soft The maximum

jobs number of concurrent
deployment jobs you
can run in this account
in the current Region.
Version 1.0
311
Amazon Route 53
Source size 5 Hard The maximum size (in

GB) for any source of
robot application or
simulation application.
Amazon Route 53
DNS and Domain Registration
Resource Default
Hosted zones 500
Domains 50
Resource record sets per hosted zone 10,000
Reusable delegation sets 100
Hosted zones that can use the same reusable delegation set 100
Amazon VPCs that you can associate with a private hosted zone 100
Health checks 200
Traffic policies 50
Traffic policy records 5
Route 53 Resolver
Resource Default
Endpoints per AWS Region 4 per AWS account
Rules per AWS Region 1,000 per AWS account
Associations between rules and VPCs per AWS Region 2,000 per AWS account
Amazon Route 53 auto naming has been released as a separate service, AWS Cloud Map. See AWS Cloud
Map (p. 246).
For more information, see Route 53 Limits in the Amazon Route 53 Developer Guide.
Amazon SageMaker
The following tables group Amazon SageMaker limits by components.
Amazon SageMaker limits for new accounts might be different from the default limits listed here. If you
receive an error that you've exceeded your limit, contact customer service to request a limit increase for
the resources you want to use.
Version 1.0
312
Amazon SageMaker
Amazon SageMaker Notebooks
Resource Default
ml.t2.medium instances 20
ml.t2.large instances 20
ml.t2.xlarge instances 20
ml.t2.2xlarge instances 20
ml.m4.xlarge instances 20
ml.m4.2xlarge instances 20
ml.c4.xlarge instances 20
ml.c4.2xlarge instances 20
ml.c5d.xlarge instances 20
ml.c5d.2xlarge instances 20
Version 1.0
313
Amazon SageMaker
Resource Default
ml.p2.xlarge instances 1
ml.p2.8xlarge instances 1
Number of notebook instances 20
Amazon SageMaker Automatic Model Tuning
Resource Default
Number of concurrent hyperparameter tuning jobs 100
Number of hyperparameters that can be searched (every possible 20

value in a categorical hyperparameter counts against this limit)
Number of metrics defined per hyperparameter tuning job 20
Number of parallel training jobs per hyperparameter tuning job 10
Number of training jobs per hyperparameter tuning job 500
Maximum run time for a hyperparameter tuning job 30 days
Amazon SageMaker Training and Managed Spot Training

Note
On-demand and Spot instance limits are tracked and modified separately. For example, with the
default limits, you could run up to 20 training jobs with on-demand ml.m4.xlarge instances and
up to 20 training jobs with Managed Spot ml.m4.xlarge instances simultaneously. Request limit
increases for on-demand and spot instances separately.
Resource Default
ml.m5.large instances 20
Version 1.0
314
Amazon SageMaker
Resource Default
Longest run time for a training job 5 days
Number of instances across training jobs 20
Number of instances for a training job 20
Size of EBS volume for an instance 1 TB
Amazon SageMaker Hosting
Resource Default
Version 1.0
315
Amazon SageMaker
Resource Default
ml.c4.large instances 20
ml.c5.large instances 20
ml.g4dn.xlarge instances 2
ml.g4dn.2xlarge instances 2
Version 1.0
316
Amazon SageMaker
Resource Default
ml.r5.large instances 5
ml.r5.xlarge instances 5
ml.r5.2xlarge instances 4
Number of instances across active endpoints 20
Number of instances for an endpoint 20
Total TPS for all endpoints 10,000
Maximum payload size for endpoint invocation 5 MB
Amazon SageMaker Batch Transform
Resource Default
Version 1.0
317
AWS Secrets Manager
Resource Default
Longest run time for a transform job 5 days
Number of instances across transform jobs 20
Number of instances for a transform job 20
Amazon SageMaker Ground Truth
Resource Default
Concurrent labeling jobs 20
Dataset objects per labeling job 100,000
AWS Secrets Manager

Resource Default
Max number of secrets in an AWS account 40,000
Max number of versions in a secret Approximately 100
Max number of labels you can attach to a version 20
Max number of versions a label can be attached to at the same time 1
Maximum length of a secret 10240 bytes
Maximum length of a resource-based policy - JSON text 20480 bytes
Version 1.0
318

Resource Default
Concurrent VM migrations 50 per account
Maximum duration of service usage per VM (not per account), 90 days

beginning with the initial replication of a VM. We terminate an
ongoing replication after this period, unless a customer requests a
limit increase.

Limits Per Account Per Region
Resource Default
Public Applications 100
Free Amazon S3 Storage for Code Packages 5 GB
For more information, see AWS Serverless Application Repository Limits in the AWS Serverless Application
Repository Developer Guide.
Service Quotas
Service Quota Default Value
Active service quota increase requests per AWS account 20
Active service quota increase requests per limit, in the current Region 1
Service quota increase requests allowed per template 10
Active service quota increase requests allowed per account, in the current 2
Region
ListServices requests allowed per second per account, in the current Region 10
Additional ListServices requests per second (RPS) sent in one burst per 10
account, in the current Region
GetAWSDefaultServiceQuota requests allowed per second per account, in 5

the current Region
Additional GetAWSDefaultServiceQuota RPS sent in one burst per account, 5

in the current Region
GetRequestedServiceQuotaChange requests per second per account, in the 5

current Region
Additional GetRequestedServiceQuotaChange RPS sent in one burst per 5

Version 1.0
319
Service Quotas
GetServiceQuota requests allowed per second per account, in the current 5

Region
Additional GetServiceQuota RPS sent in one burst per account, in the current 5
Region
ListAWSDefaultServiceQuotas requests allowed per second, in the current 10

Region
Additional ListAWSDefaultServiceQuotas RPS sent in one burst per account, 10

Additional ListRequestedServiceQuotaChangeHistory requests allowed per 5

second per account, in the current Region
ListRequestedServiceQuotaChangeHistoryByQuota requests allowed per 5

second (RPS) per account, in the current Region
Additional ListRequestedServiceQuotaChangeHistoryByQuota RPS sent in 5

one burst per account, in the current Region
ListServiceQuotas requests allowed per second per account, in the current 10

Region
Additional ListServiceQuotas RPS sent in one burst per account, in the 10

current Region
RequestServiceQuotaIncrease requests allowed per second per account, in 3

the current Region
Additional RequestServiceQuotaIncrease RPS sent in one burst per account, 3

Maximum number of AssociateQuotaTemplate requests allowed per second 1

per account, in the current Region
Additional AssociateQuotaTemplate RPS sent in one burst per account, in 1

the current Region
DisassociateQuotaTemplate requests allowed per second per account, in the 1

current Region
Additional DisassociateQuotaTemplate RPS sent in one burst per account, in 1

the current Region
GetAssociationForQuotaTemplate requests allowed per second per account, 2

Additional GetAssociationForQuotaTemplate RPS sent in one burst per 2

GetServiceQuotaIncreaseRequestFromTemplate requests allowed per second 2

Additional GetServiceQuotaIncreaseRequestFromTemplate RPS sent in one 1

burst per account, in the current Region
ListServiceQuotaIncreaseRequestsInTemplate requests allowed per second 2

Version 1.0
320
AWS Service Catalog
Additional ListServiceQuotaIncreaseRequestsInTemplate RPS sent in one 1

DeleteServiceQuotaIncreaseRequestFromTemplate requests allowed per 2

second per account, in the current Region
Additional DeleteServiceQuotaIncreaseRequestFromTemplate RPS sent in 1

one burst per account, in the current Region
PutServiceQuotaIncreaseRequestToTemplatee requests allowed per second 1

Additional PutServiceQuotaIncreaseRequestToTemplatee RPS sent in one 1

AWS Service Catalog

Resource Default
Portfolios 25 per account
Users, groups, and roles 25 per portfolio
Products 25 per portfolio, 100 total per

account
Product versions 50 per product
Constraints 25 per product per portfolio
Tags 20 per product, 20 per portfolio,

50 per provisioned product
Stacks 200 (AWS CloudFormation limit)
AWS Shield Advanced

AWS Shield Advanced offers advanced monitoring and protection for Elastic IP addresses, CloudFront
distributions, Route 53 hosted zones, or Elastic Load Balancing load balancers. You can monitor and
protect up to 1000 of each of these resource types per account. If you want to increase these limits,
contact the AWS Support Center.
Amazon Simple Email Service (Amazon SES)

The following are the default limits for Amazon SES in the sandbox environment.
Resource Default
Daily sending quota 200 messages per 24-hour

period.
Version 1.0
321
Resource Default
Maximum send rate 1 email per second.

Note
The rate at which
Amazon SES accepts
your messages might be
less than the maximum
send rate.
Recipient address verification All recipient addresses must be

verified.
For more information, see Limits in Amazon SES in the Amazon Simple Email Service Developer Guide.

The following limits determine how many Amazon SNS resources you can create in your AWS account,
and they determine the rate at which you can issue Amazon SNS API requests.
Amazon SNS Resource

To request an increase, submit an SNS Limit Increase case.
Note
The delivery rate for email messages has a hard limit of 10 messages per second. This limit can't
be increased.
Resource Default
Topics 100,000 per account
Subscriptions 12,500,000 per topic
Pending subscriptions 5,000 per account
Account spend threshold for SMS 1.00 USD per account
Delivery rate for promotional SMS messages 20 messages per second
Delivery rate for transactional SMS messages 20 messages per second
Subscription filter policies 200 per account
Amazon SNS API Throttling

The following limits throttle the rate at which you can issue Amazon SNS API requests.
Hard
The following limits cannot be increased.
Version 1.0
322
Amazon SNS API Throttling
ListEndpointsByPlatformApplication 30
ListTopics 30
ListPlatformApplications 15
ListSubscriptions 30
ListSubscriptionsByTopic 30
Subscribe 100
Unsubscribe 100
Soft
The following limits vary by AWS Region. To increase any of these limits, submit an SNS Limit Increase
case.
Publish API Throttling
API AWS Regions Transactions per Second
Publish US East (N. Virginia) Region 30,000
EU (Ireland) Region 9,000
US West (Oregon) Region
Asia Pacific (Singapore) Region 1,500
Asia Pacific (Sydney) Region
Asia Pacific (Tokyo) Region
EU (Frankfurt) Region
US West (N. California) Region
Asia Pacific (Mumbai) Region 300
Asia Pacific (Osaka-Local) Region
Asia Pacific (Seoul) Region
Canada (Central) Region
China (Beijing) Region
China (Ningxia) Region
EU (London) Region
EU (Paris) Region
South America (São Paulo)

Region
Version 1.0
323
AWS Streaming Service
API AWS Regions Transactions per Second

US East (Ohio) Region
Other API Throttling
APIs AWS Regions Transactions per Second
CheckIfPhoneNumberIsOptedOut US East (N. Virginia) Region 3,000
ConfirmSubscription EU (Ireland) Region 900
CreatePlatformApplication US West (Oregon) Region
CreatePlatformEndpoint Asia Pacific (Singapore) Region 150
CreateTopic Asia Pacific (Sydney) Region
DeleteEndpoint Asia Pacific (Tokyo) Region
DeletePlatformApplication EU (Frankfurt) Region
DeleteTopic US West (N. California) Region
GetEndpointAttributes Asia Pacific (Mumbai) Region 30
GetPlatformApplicationAttributes Asia Pacific (Osaka-Local) Region
GetSMSAttributes Asia Pacific (Seoul) Region
GetSubscriptionAttributes Canada (Central) Region
GetTopicAttributes China (Beijing) Region
ListPhoneNumbersOptedOut China (Ningxia) Region
OptInPhoneNumber EU (London) Region
SetEndpointAttributes EU (Paris) Region
SetPlatformApplicationAttributes South America (São Paulo)

Region
SetSMSAttributes
US East (Ohio) Region
SetSubscriptionAttributes
SetTopicAttributes
AWS Streaming Service

Streaming
Resource Limit
Maximum number of streams 1000
Maximum number of files per stream 10
Version 1.0
324
Resource Limit
Minimum file block size 256 bytes
Maximum file block size 128 KB
Streaming API
API TPS
CreateStream 15 TPS
UpdateStream 15 TPS
ListStreams 15 TPS
DeleteStream 15 TPS
DescribeStream 15 TPS

For more information, see Amazon SQS Limits in the Amazon Simple Queue Service Developer Guide and
the "Limits and Restrictions" section of the Amazon SQS FAQs.

Resource Default Notes
Buckets 100 per account The maximum limit of buckets per

AWS account is 1,000. To request
a limit increase, see AWS Service
Limits (p. 236).

For more information, see Amazon SWF Limits in the Amazon Simple Workflow Service Developer Guide.
Amazon SimpleDB
Resource Default
Domains 250
For more information, see Amazon SimpleDB Limits in the Amazon SimpleDB Developer Guide.
Version 1.0
325
AWS Step Functions
AWS Step Functions

For more information, see AWS Step Functions Limits in the AWS Step Functions Developer Guide.
AWS Storage Gateway

For more information, see AWS Storage Gateway Limits in the AWS Storage Gateway User Guide.
Amazon Sumerian
Resource Default
Projects 1,000
Scenes 10,000
Texture file size 10 MB
Sound file size 10 MB
Model file size 50 MB
Script file size 1 MB
ZIP file size 200 MB
AWS Systems Manager

Capability Resource Default
Automation Concurrently executing automations 25
Each AWS account can

execute a maximum of 25
automations at one time.
Concurrent executions
greater than 25 are
automatically added to an
execution queue.
Automation Concurrently executing child 75

automations
execute a maximum of 75
child automations. Child
automation executions
are initiated from a parent
automation execution.
This limit is a cumulative
total of child automation
executions. Current child
Version 1.0
326
AWS Systems Manager

automation executions over
the default limit of 75 are
automatically added to an
execution queue.
Automation Additional automation executions that 1,000

can be queued
Automation Maximum duration an automation 12 hours

execution can run when running in the
context of a user If you expect an automation
to run longer than 12 hours,
then you must execute
the automation by using a
service role (or assume role).
Distributor Maximum number of Distributor 200

packages per account, per Region
Distributor Maximum number of package versions 25

per Distributor package
Distributor Maximum package size in Distributor 20 GB
Distributor Maximum package manifest size in 64 KB

Distributor
Managed Instances - Hybrid Total number of registered on-premises Standard instances: 1,000
Environment servers and virtual machines (VMs) in a (per account per Region)
hybrid environment
Advanced instances:
Advanced instances are
available on a pay-per-use
basis. Advanced instances
also enable you to connect
to your hybrid machines
by using AWS Systems
Manager Session Manager.
For more information about
activating on-premises
instances for use in your
hybrid environment, see
Create a Managed-Instance
Activation in the AWS
Systems Manager User
Guide. For more information
about enabling advanced
instances, see Using the
Advanced-Instances Tier.
Version 1.0
327
AWS Systems Manager
Inventory Inventory data collected per instance per 1 MB

call
This maximum adequately
supports most inventory
collection scenarios. When
this limit is reached, no new
inventory data is collected
for the instance. Inventory
data previously collected is
stored until the expiration.
Inventory Inventory data collected per instance per 5 MB

day
When this limit is reached,
no new inventory data is
collected for the instance.
Inventory data previously
collected is stored until the
expiration.
Inventory Custom inventory types 20
You can add up to 20

custom inventory types.
Inventory Custom inventory type size 200 KB
This is the maximum size of

the type, not the inventory
collected.
Inventory Custom inventory type attributes 50
This is the maximum

number of attributes within
the custom inventory type.
Inventory Inventory data expiration 30 days
If you terminate an
instance, inventory data
for that instance is deleted
immediately. For running
instances, inventory data
older than 30 days is
deleted. If you need to store
inventory data longer than
30 days, you can use AWS
Config to record history
or periodically query and
upload the data to an
Amazon S3 bucket. For more
information, see, Recording
Amazon EC2 managed
instance inventory in the
AWS Config Developer Guide.
Version 1.0
328
AWS Systems Manager
Maintenance Windows Maintenance Windows per account 50
Maintenance Windows Tasks per Maintenance Window 20
Maintenance Windows Targets per Maintenance Window 100
Maintenance Windows Instance IDs per target 50
Maintenance Windows Targets per task 10
Maintenance Windows Concurrent executions of a single 1

Maintenance Window
Maintenance Windows Concurrent executions of Maintenance 5

Windows
Maintenance Windows Execution history retention 30 days
OpsCenter Total number of OpsItems allowed per 500,000

account per AWS Region
OpsCenter Maximum number of OpsItems per 10,000

account per month
OpsCenter Maximum operational data value size 20 KB
OpsCenter Maximum number of associated 10

Automation runbooks per OpsItem
OpsCenter Maximum number of Automation 10

runbook executions stored in operational
data under a single associated runbook
OpsCenter Maximum number of related resources 100

you can specify per OpsItem
OpsCenter Maximum number of related OpsItems 10

you can specify per OpsItem
OpsCenter Maximum length of a deduplication 64 characters

string
Parameter Store Total number of parameters allowed Standard parameters:

10,000
(per AWS account and Region)
Advanced parameters:
100,000
For more information about

advanced parameters, see
About Systems Manager
Advanced Parameters in the
AWS Systems Manager User
Guide.
Parameter Store Max size for parameter value Standard parameter: 4 KB
Advanced parameter: 8 KB
Version 1.0
329
AWS Systems Manager
Parameter Store Max number of parameter policies per 10

advanced parameter
Parameter Store Max throughput (transactions per Default throughput: 40

second) (Shared by the following
API actions: GetParameter,
GetParameters,
GetParametersByPath)
Higher throughput: 100

(GetParametersByPath)
Higher throughput: 1000

(Shared by the following API
actions: GetParameter and
GetParameters)
For more information

about Parameter Store
throughput, see Increasing
Parameter Store Throughput
in the AWS Systems Manager
User Guide.
Parameter Store Max history for a parameter 100 past values
Patch Baselines Patch baselines per account 50
Patch Baselines Patch groups per patch baseline 25
Run Command Execution history retention 30 days
The history of each

command is available for
up to 30 days. In addition,
you can store a copy of all
log files in Amazon Simple
Storage Service or have an
audit trail of all API calls in
AWS CloudTrail.
Session Manager Maximum number of active sessions per 100

account per Region
Session Manager Maximum idle time before session 20 minutes

termination
SSM Documents Total documents 500

create a maximum of 500
documents per Region.
Version 1.0
330
Amazon Textract
SSM Documents Privately shared Systems Manager 1000

document
A single Systems Manager
document can be shared
with a maximum of 1000
AWS accounts.
SSM Documents Publicly shared Systems Manager 5

document
publicly share a maximum of
five documents.
State Manager Targets per State Manager association 10,000
Each Systems Manager

document can be associated
with a maximum of 10,000
instances. As a best practice
when creating State
Manager associations, use
tags as targets instead of
instance IDs.
State Manager Concurrent State Manager associations 2,000
Each AWS Account can

have 2,000 associations per
Region at one time.
State Manager State Manager association versions 1,000
You can created a maximum

of 1,000 versions of a State
Manager association.
Amazon Textract
Amazon Textract has the following limits that you can change.
Resource Default
Transactions per second per account for synchronous operations: In each Region that Amazon
Textract supports – 1
• AnalyzeDocument
• DetectDocumentText
Transactions per second per account for all Start (asynchronous) In each Region that Amazon
operations: Textract supports – 2
• StartDocumentAnalysis
• StartDocumentTextDetection
Transactions per second per account for all Get (asynchronous) In each Region that Amazon
operations: Textract supports – 5
Version 1.0
331
Amazon Transcribe
Resource Default
• GetDocumentAnalysis
• GetDocumentTextDetection
Maximum number of asynchronous jobs per account that can In each Region that Amazon
simultaneously exist Textract supports – 10
For more information, see Amazon Textract Limits.
Amazon Transcribe
Resource Default
Number of concurrent 100

transcription jobs
Total number of 100

vocabularies per account
Number of pending 10
vocabularies
Transactions per second, 10

StartTranscriptionJob
operation

GetTranscriptionJob
operation

ListTranscriptionJobs
operation

CreateVocabulary
and UpdateVocabulary
operations

DeleteVocabulary
operation

GetVocabulary
operation

ListVocabularies
operation
Number of channels for 2

channel identification
Version 1.0
332
Resource Default
Number of simultaneous 5
streams for streaming
transcription
Maximum audio 4 hours

length for streaming
transcription

StartStreamTranscription
operation
You can request an increase for any of the limits using the Amazon Transcribe service limits increase
form.
For more information, see Guidelines and Limits in the Amazon Transcribe Developer Guide.

Servers per customer 10
Simultaneous sessions per server 10,000
Users per server 10,000 This limit applies to service

managed servers only.
SSH keys per user 10 This limit applies to service

managed servers only.
Maximum file size 5 TiB
Amazon Translate
Resource Default
Bytes per 10 seconds per language pair 10,000
Transactions per second per language pair 20
You can request an increase for any of the limits using the Amazon Translate service limits increase form.
For more information, see Guidelines and Limits in the Amazon Translate Developer Guide.
Amazon Virtual Private Cloud (Amazon VPC)

Unless otherwise noted, you can submit a request to increase these limits.
Version 1.0
333
VPCs and Subnets
VPCs per Region 5 Increasing this limit increases the limit on Internet
gateways per Region by the same amount.
Subnets per VPC 200 -
IPv4 CIDR blocks per VPC 5 This limit is made up of the primary CIDR block plus 4
secondary CIDR blocks.
IPv6 CIDR blocks per VPC 1 This limit cannot be increased.
Elastic IP Addresses
Elastic IP addresses per 5 This is the limit for the number of Elastic IP addresses
Region for EC2-VPC for use in EC2-VPC. For Elastic IP addresses for EC2-
Classic, see Amazon Elastic Compute Cloud (Amazon
EC2) (p. 259).
Gateways
Customer gateways per 50 To increase this limit, contact AWS Support.

Region
Egress-only Internet 5 This limit is directly correlated with the limit on VPCs per
gateways per Region Region. To increase this limit, increase the limit on VPCs
per Region. Only one egress-only Internet gateway can be
attached to a VPC at a time.
Internet gateways per 5 This limit is directly correlated with the limit on VPCs per
Region Region. To increase this limit, increase the limit on VPCs
per Region. Only one Internet gateway can be attached to
a VPC at a time.
NAT gateways per 5 A NAT gateway in the pending, active, or deleting

Availability Zone state counts against your limit.
Virtual private gateways 5 Only one virtual private gateway can be attached to a
per Region VPC at a time.
Network ACLs
Network ACLs per VPC 200 You can associate one network ACL to one or more
subnets in a VPC. This limit is not the same as the number
of rules per network ACL.
Rules per network ACL 20 This is the one-way limit for a single network ACL,
where the limit for ingress rules is 20, and the limit for
egress rules is 20. This limit includes both IPv4 and IPv6
rules, and includes the default deny rules (rule number
32767 for IPv4 and 32768 for IPv6, or an asterisk * in the
Amazon VPC console).
This limit can be increased up to a maximum if 40;

however, network performance may be impacted.
Network Interfaces
Version 1.0
334
Network interfaces per - This limit varies by instance type. For more information,
instance see IP Addresses Per ENI Per Instance Type.
Network interfaces per 5000 -

Region
Route Tables
Route tables per VPC 200 This limit includes the main route table.
Routes per route table 50 You can increase this limit up to a maximum of 1000;
(non-propagated routes) however, network performance might be impacted. This
limit is enforced separately for IPv4 routes and IPv6
routes.
If you have more than 125 routes, we recommend that

you paginate calls to describe your route tables for better
performance.
BGP advertised routes per 100 This limit cannot be increased. If you require more than
route table (propagated 100 prefixes, advertise a default route.
routes)
Security Groups
VPC security groups per 2500 The maximum is 10000. If you have more than 5000
Region security groups in a Region, we recommend that you
paginate calls to describe your security groups for better
performance.
Inbound or outbound rules 60 You can have 60 inbound and 60 outbound rules per
per security group security group (making a total of 120 rules). This limit
is enforced separately for IPv4 rules and IPv6 rules; for
example, a security group can have 60 inbound rules for
IPv4 traffic and 60 inbound rules for IPv6 traffic. A rule
that references a security group or prefix list ID counts as
one rule for IPv4 and one rule for IPv6.
A limit change applies to both inbound and outbound

rules. This limit multiplied by the limit for security groups
per network interface cannot exceed 1000. For example,
if you increase this limit to 100, we decrease the limit for
your number of security groups per network interface to
10.
Security groups per 5 To increase or decrease this limit, contact AWS Support.
network interface The maximum is 16. The limit for security groups per
network interface multiplied by the limit for rules per
security group cannot exceed 1000. For example, if you
increase this limit to 10, we decrease the limit for your
number of rules per security group to 100.
Transit Gateways
Total number of transit 5 -

gateway attachments per
transit gateway:
Version 1.0
335
Number of transit gateway 5 This limit cannot be increased.

attachments per VPC:
Number of transit gateways 5 -

per Region per account
Number of transit gateway 20

route tables per transit
gateway
Number of static routes per 10,000 For VPC route table limits, see Amazon VPC Limits in the
transit gateway route table Amazon VPC User Guide.
Total number of transit 5,000 -

gateway attachments per
Region per account
Maximum number of 100

incoming prefixes for a BGP
session on an IPSec VPN
attachment
Maximum bandwidth 50 Gbps

(burst) per Availability Zone
per VPC connection
Maximum bandwidth per 1.25 Gbps This is a hard limit. You can use ECMP to get higher VPN
VPN connection bandwidth by aggregating multiple VPN connections.
Number of AWS Direct 20 This limit cannot be increased.

Connect gateways per
transit gateway
Transit gateways per AWS 3 This limit cannot be increased.

Direct Connect gateway
VPC Endpoints
Gateway VPC endpoints per 20 You cannot have more than 255 gateway endpoints per
Region VPC.
Interface VPC endpoints 20 To increase this limit, contact AWS Support.

per VPC
VPC Peering Connections
Active VPC peering 50 The maximum limit is 125 peering connections per
connections per VPC VPC. The number of entries per route table should be
increased accordingly; however, network performance
may be impacted.
Outstanding VPC peering 25 This is the limit for the number of outstanding VPC
connection requests peering connection requests that you've requested from
your account.
Expiry time for an 1 week (168 -

unaccepted VPC peering hours)
connection request
Version 1.0
336
Amazon VPC DNS
VPC Sharing
Number of unique accounts 100 This is the limit for the number of distinct participant
with which you can share a accounts that subnets in a VPC can be shared with.
VPC This is a per VPC limit and applies across all the
subnets shared in a VPC. AWS recommends that
you paginate your DescribeSecurityGroups and
DescribeNetworkInterfaces API calls before
requesting an increase for this limit. To increase this limit,
contact AWS Support.
Number of subnets that 100 This is the limit for maximum number of subnets that
you can share with an can be shared with an AWS account. AWS recommends
account that you paginate your DescribeSecurityGroups
and DescribeSubnets API calls before requesting an
increase for this limit. To increase this limit contact AWS
Support.
VPN Connections
VPN connections per 50 -

Region
VPN connections per 10 -

VPC (per virtual private
gateway)
For more information, see Amazon VPC Limits in the Amazon VPC User Guide.
Amazon VPC DNS

For more information, see DNS Limits in the Amazon VPC User Guide.
AWS WAF
AWS WAF has default limits on the number of entities per account. You can request an increase in these
limits.
Resource Default
Web ACLs per AWS account 50
Rules per AWS account 100
Conditions per AWS account 100 of each

condition type
(For example: 100
Size constraint
conditions, 100 IP
match conditions,
etc.)
Version 1.0
337
AWS Well-Architected Tool
Resource Default
Requests per Second 10,000 per web

ACL*
*This limit applies only to AWS WAF on an Application Load Balancer. Requests per Second (RPS) limits
for AWS WAF on CloudFront are the same as the RPS limits support by CloudFront described in the
Amazon CloudFront Developer Guide.
The following limits on AWS WAF entities can't be changed.
Resource Limit
Rule groups per web ACL 2: 1 customer-

created rule
group and 1 AWS
Marketplace rule
group
Rules per web ACL 10
Conditions per rule 10
IP address ranges (in CIDR notation) per IP match condition 10,000
Filters per cross-site scripting match condition 10
Filters per size constraint condition 10
Filters per SQL injection match condition 10
Filters per string match condition 10
In string match conditions, the number of characters in HTTP header names, 40

when you've configured AWS WAF to inspect the headers in web requests for a
specified value
In string match conditions, the number of characters in the value that you want 50
AWS WAF to search for
In regex match conditions, the number of characters in the pattern that you want 70
AWS WAF to search for
These limits are the same for all Regions in which AWS WAF is available. Each Region is subject to these
limits individually. That is, the limits are not cumulative across regions.
AWS Well-Architected Tool

Resource Default
Workloads per AWS account 1000
Milestones per workload 100
Version 1.0
338
Amazon WorkMail
Amazon WorkMail
For more information, see Amazon WorkMail Limits.
Amazon WorkSpaces
Resource Default
WorkSpaces per Region 1
Graphics WorkSpaces per Region 0
GraphicsPro WorkSpaces per Region 0
Images per Region 5
IP access control groups per Region 100
Rules per IP access control group 10
IP access control groups per directory 5
AWS X-Ray
Resource Default
Trace and service graph retention 30 days
Segment document size 64kB
Indexed annotations per trace 50
Custom sampling rules per Region 25
Version 1.0
339
Download
AWS IP Address Ranges

Amazon Web Services (AWS) publishes its current IP address ranges in JSON format. To view the current
ranges, download the .json file. To maintain history, save successive versions of the .json file on your
system. To determine whether there have been changes since the last time that you saved the file, check
the publication time in the current file and compare it to the publication time in the last file that you
saved.
Contents
• Download (p. 340)
• Syntax (p. 340)
• Filtering the JSON File (p. 342)
• Implementing Egress Control (p. 344)
• AWS IP Address Ranges Notifications (p. 346)
Download
Download ip-ranges.json.
If you access this file programmatically, it is your responsibility to ensure that the application downloads
the file only after successfully verifying the TLS certificate presented by the server.
Syntax
The syntax of ip-ranges.json is as follows.
{
"syncToken": "0123456789",
"createDate": "yyyy-mm-dd-hh-mm-ss",
"prefixes": [
{
"ip_prefix": "cidr",
"region": "region",
"service": "subset"
}
],
"ipv6_prefixes": [
{
"ipv6_prefix": "cidr",
"region": "region",
"service": "subset"
}
]
}
syncToken
The publication time, in Unix epoch time format.
Type: String
Example: "syncToken": "1416435608"
Version 1.0
340
Syntax
createDate
The publication date and time.
Type: String
Example: "createDate": "2014-11-19-23-29-02"

prefixes
The IP prefixes for the IPv4 address ranges.
Type: Array
ipv6_prefixes
The IP prefixes for the IPv6 address ranges.
Type: Array
ip_prefix
The public IPv4 address range, in CIDR notation. Note that AWS may advertise a prefix in more
specific ranges. For example, prefix 96.127.0.0/17 in the file may be advertised as 96.127.0.0/21,
96.127.8.0/21, 96.127.32.0/19, and 96.127.64.0/18.
Type: String
Example: "ip_prefix": "198.51.100.2/24"

ipv6_prefix
The public IPv6 address range, in CIDR notation. Note that AWS may advertise a prefix in more
specific ranges.
Type: String
Example: "ipv6_prefix": "2001:db8:1234::/64"

region
The AWS Region or GLOBAL for edge locations. Note that the CLOUDFRONT and ROUTE53 ranges are
GLOBAL.
Type: String
Valid values: ap-east-1 | ap-northeast-1 | ap-northeast-2 | ap-northeast-3 | ap-south-1

| ap-southeast-1 | ap-southeast-2 | ca-central-1 | cn-north-1 | cn-northwest-1 | eu-
central-1 | eu-north-1 | eu-west-1 | eu-west-2 | eu-west-3 | me-south-1 | sa-east-1 |
us-east-1 | us-east-2 | us-gov-east-1 | us-gov-west-1 | us-west-1 | us-west-2 | GLOBAL
Example: "region": "us-east-1"

service
The subset of IP address ranges. The addresses listed for API_GATEWAY are egress only. Specify
AMAZON to get all IP address ranges (for example, the ranges in the EC2 subset are also in the
AMAZON subset). Some IP address ranges are only in the AMAZON subset.
Type: String
Valid values: AMAZON | AMAZON_CONNECT | API_GATEWAY | CLOUD9 | CLOUDFRONT |

CODEBUILD | DYNAMODB | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | ROUTE53 |
ROUTE53_HEALTHCHECKS | S3
Example: "service": "AMAZON"
Version 1.0
341
Filtering the JSON File
Filtering the JSON File

You can download a command line tool to help you filter the information to just what you are looking
for.
Windows
The AWS Tools for Windows PowerShell includes a cmdlet, Get-AWSPublicIpAddressRange, to parse
this JSON file. The following examples demonstrate its use. For more information, see Querying the
Public IP Address Ranges for AWS and Get-AWSPublicIpAddressRange.
Example 1. Get the creation date
PS C:\> Get-AWSPublicIpAddressRange -OutputPublicationDate
Wednesday, August 22, 2018 9:22:35 PM
Example 2. Get the information for a specific Region
PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1
IpPrefix Region Service

-------- ------ -------
23.20.0.0/14 us-east-1 AMAZON
...
Example 3. Get all IP addresses
PS C:\> (Get-AWSPublicIpAddressRange).IpPrefix
23.20.0.0/14
27.0.0.0/22
43.250.192.0/24
...
2406:da00:ff00::/64
2600:1fff:6000::/40
2a01:578:3::/64
2600:9000::/28
Example 4. Get all IPv4 addresses
PS C:\> Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv4"} | select

IpPrefix
IpPrefix
--------
23.20.0.0/14
27.0.0.0/22
43.250.192.0/24
...
PS C:\> Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv6"} | select

IpPrefix
Version 1.0
342
Linux
IpPrefix
--------
2a05:d07c:2000::/40
2a05:d000:8000::/40
2406:dafe:2000::/40
...
Example 6. Get all IP addresses for a specific service
PS C:\> Get-AWSPublicIpAddressRange -ServiceKey CODEBUILD | select IpPrefix
IpPrefix
--------
52.47.73.72/29
13.55.255.216/29
52.15.247.208/29
...
Linux
The following example commands use the jq tool to parse a local copy of the JSON file.
Example 1. Get the creation date
$ jq .createDate < ip-ranges.json
"2016-02-18-17-22-15"
Example 2. Get the information for a specific Region
$ jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json
{
"ip_prefix": "23.20.0.0/14",
"region": "us-east-1",
"service": "AMAZON"
},
{
"ip_prefix": "50.16.0.0/15",
"service": "AMAZON"
},
{
"ip_prefix": "50.19.0.0/16",
"service": "AMAZON"
},
...
$ jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json
23.20.0.0/14
27.0.0.0/22
43.250.192.0/24
...
Version 1.0
343
Implementing Egress Control
$ jq -r '.ipv6_prefixes | .[].ipv6_prefix' < ip-ranges.json
2a05:d07c:2000::/40
2a05:d000:8000::/40
2406:dafe:2000::/40
...
Example 5. Get all IPv4 addresses for a specific service
$ jq -r '.prefixes[] | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json
52.47.73.72/29
13.55.255.216/29
52.15.247.208/29
...
Example 6. Get all IPv4 addresses for a specific service in a specific Region
$ jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="CODEBUILD")

| .ip_prefix' < ip-ranges.json
34.228.4.208/28
Implementing Egress Control

To allow an instance to access only AWS services, create a security group with rules that allow outbound
traffic to the CIDR blocks in the AMAZON list, minus the CIDR blocks that are also in the EC2 list. IP
addresses in the EC2 list can be assigned to EC2 instances.
Windows PowerShell
The following PowerShell example shows you how to get the IP addresses that are in the AMAZON list but
not the EC2 list. Copy the script and save it in a file named Select_address.ps1.
$amazon_addresses = Get-AWSPublicIpAddressRange -ServiceKey amazon

$ec2_addresses = Get-AWSPublicIpAddressRange -ServiceKey ec2
ForEach ($address in $amazon_addresses)

{
if( $ec2_addresses.IpPrefix -notcontains $address.IpPrefix)
{
($address).IpPrefix
}
}
You can run this script as follows:
PS C:\> .\Select_address.ps1
13.32.0.0/15
13.35.0.0/16
13.248.0.0/20
13.248.16.0/21
13.248.24.0/22
Version 1.0
344
jq
13.248.28.0/22
27.0.0.0/22
43.250.192.0/24
43.250.193.0/24
...
jq
The following example shows you how to get the IP addresses that are in the AMAZON list but not the
EC2 list, for all Regions:
jq -r '[.prefixes[] | select(.service=="AMAZON").ip_prefix] - [.prefixes[] |

select(.service=="EC2").ip_prefix] | .[]' < ip-ranges.json
52.94.22.0/24
52.94.17.0/24
52.95.154.0/23
52.95.212.0/22
54.239.0.240/28
54.239.54.0/23
52.119.224.0/21
...
The following example shows you how to filter the results to one Region:
jq -r '[.prefixes[] | select(.region=="us-east-1" and .service=="AMAZON").ip_prefix] -

[.prefixes[] | select(.region=="us-east-1" and .service=="EC2").ip_prefix] | .[]' < ip-
ranges.json
Python
The following python script shows you how to get the IP addresses that are in the AMAZON list but not
the EC2 list. Copy the script and save it in a file named get_ips.py.
#!/usr/bin/env python
import requests
ip_ranges = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json').json()
['prefixes']
amazon_ips = [item['ip_prefix'] for item in ip_ranges if item["service"] == "AMAZON"]
ec2_ips = [item['ip_prefix'] for item in ip_ranges if item["service"] == "EC2"]
amazon_ips_less_ec2=[]
for ip in amazon_ips:
if ip not in ec2_ips:
amazon_ips_less_ec2.append(ip)
for ip in amazon_ips_less_ec2: print(str(ip))
You can run this script as follows:
$ python ./get_ips.py
13.32.0.0/15
13.35.0.0/16
13.248.0.0/20
13.248.16.0/21
13.248.24.0/22
Version 1.0
345
AWS IP Address Ranges Notifications
13.248.28.0/22
27.0.0.0/22
43.250.192.0/24
43.250.193.0/24
...

Whenever there is a change to the AWS IP address ranges, we send notifications to subscribers of the
AmazonIpSpaceChanged topic. The payload contains information in the following format:
{
"create-time":"yyyy-mm-ddThh:mm:ss+00:00",
"synctoken":"0123456789",
"md5":"6a45316e8bc9463c9e926d5d37836d33",
"url":"https://ip-ranges.amazonaws.com/ip-ranges.json"
}
create-time
The creation date and time.
Notifications could be delivered out of order. Therefore, we recommend that you check the
timestamps to ensure the correct order.
synctoken
The publication time, in Unix epoch time format.

md5
The cryptographic hash value of the ip-ranges.json file. You can use this value to check whether
the downloaded file is corrupted.
url
The location of the ip-ranges.json file.
If you want to be notified whenever there is a change to the AWS IP address ranges, you can subscribe as
follows to receive notifications using Amazon SNS.
To subscribe to AWS IP address range notifications
1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

2. In the navigation bar, change the Region to US East (N. Virginia), if necessary. You must select this
Region because the SNS notifications that you are subscribing to were created in this Region.
3. In the navigation pane, choose Subscriptions.
4. Choose Create subscription.
5. In the Create subscription dialog box, do the following:
a. For Topic ARN, copy the following Amazon Resource Name (ARN):
arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
b. For Protocol, choose the protocol to use (for example, Email).

c. For Endpoint, type the endpoint to receive the notification (for example, your email address).
d. Choose Create subscription.
Version 1.0
346
6. You'll be contacted on the endpoint that you specified and asked to confirm your subscription. For
example, if you specified an email address, you'll receive an email message with the subject line
AWS Notification - Subscription Confirmation. Follow the directions to confirm your
subscription.
Notifications are subject to the availability of the endpoint. Therefore, you might want to check the
JSON file periodically to ensure that you've got the latest ranges. For more information about Amazon
SNS reliability, see https://aws.amazon.com/sns/faqs/#Reliability.
If you no longer want to receive these notifications, use the following procedure to unsubscribe.
To unsubscribe from AWS IP address ranges notifications
1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

2. In the navigation pane, choose Subscriptions.
3. Select the check box for the subscription.
4. Choose Actions, Delete subscriptions.
5. When prompted for confirmation, choose Delete.
For more information about Amazon SNS, see the Amazon Simple Notification Service Developer Guide.
Version 1.0
347
Error Retries and Exponential

Backoff in AWS
Numerous components on a network, such as DNS servers, switches, load balancers, and others can
generate errors anywhere in the life of a given request. The usual technique for dealing with these error
responses in a networked environment is to implement retries in the client application. This technique
increases the reliability of the application and reduces operational costs for the developer.
Each AWS SDK implements automatic retry logic. The AWS SDK for Java automatically retries requests,
and you can configure the retry settings using the ClientConfiguration class. For example, you
might want to turn off the retry logic for a web page that makes a request with minimal latency and no
retries. Use the ClientConfiguration class and provide a maxErrorRetry value of 0 to turn off the
retries.
If you're not using an AWS SDK, you should retry original requests that receive server (5xx) or throttling
errors. However, client errors (4xx) indicate that you need to revise the request to correct the problem
before trying again.
In addition to simple retries, each AWS SDK implements exponential backoff algorithm for better flow
control. The idea behind exponential backoff is to use progressively longer waits between retries for
consecutive error responses. You should implement a maximum delay interval, as well as a maximum
number of retries. The maximum delay interval and maximum number of retries are not necessarily fixed
values, and should be set based on the operation being performed, as well as other local factors, such as
network latency.
Most exponential backoff algorithms use jitter (randomized delay) to prevent successive collisions.
Because you aren't trying to avoid such collisions in these cases, you don't need to use this random
number. However, if you use concurrent clients, jitter can help your requests succeed faster. For more
information, see the blog post for Exponential Backoff and Jitter.
The following pseudo code shows one way to poll for a status using an incremental delay.
Do some asynchronous operation.
retries = 0
DO
wait for (2^retries * 100) milliseconds
status = Get the result of the asynchronous operation.
IF status = SUCCESS
retry = false
ELSE IF status = NOT_READY
retry = true
ELSE IF status = THROTTLED
retry = true
ELSE
Some other error occurred, so stop calling the API.
retry = false
END IF
retries = retries + 1
WHILE (retry AND (retries < MAX_RETRIES))
Version 1.0
348
The following code demonstrates how to implement this incremental delay in Java.
public enum Results {

SUCCESS,
NOT_READY,
THROTTLED,
SERVER_ERROR
}
/*
* Performs an asynchronous operation, then polls for the result of the
* operation using an incremental delay.
*/
public static void doOperationAndWaitForResult() {
try {
// Do some asynchronous operation.
long token = asyncOperation();
int retries = 0;
boolean retry = false;
do {
long waitTime = Math.min(getWaitTimeExp(retries), MAX_WAIT_INTERVAL);
System.out.print(waitTime + "\n");
// Wait for the result.

Thread.sleep(waitTime);
// Get the result of the asynchronous operation.

Results result = getAsyncOperationResult(token);
if (Results.SUCCESS == result) {
retry = false;
} else if (Results.NOT_READY == result) {
retry = true;
} else if (Results.THROTTLED == result) {
retry = true;
} else if (Results.SERVER_ERROR == result) {
retry = true;
}
else {
// Some other error occurred, so stop calling the API.
retry = false;
}
} while (retry && (retries++ < MAX_RETRIES));

}
catch (Exception ex) {

}
}
/*
* Returns the next wait interval, in milliseconds, using an exponential
* backoff algorithm.
*/
public static long getWaitTimeExp(int retryCount) {
long waitTime = ((long) Math.pow(2, retryCount) * 100L);
return waitTime;
}
Version 1.0
349
When Do You Need to Sign Requests?
Signing AWS API Requests

When you send HTTP requests to AWS, you sign the requests so that AWS can identify who sent them.
You sign requests with your AWS access key, which consists of an access key ID and secret access key.
Some requests do not need to be signed, such as anonymous requests to Amazon Simple Storage
Service (Amazon S3) and some API operations in AWS Security Token Service (AWS STS) such as
AssumeRoleWithWebIdentity.
Note
You need to learn how to sign HTTP requests only when you manually create them. When you
use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to
AWS, these tools automatically sign the requests for you with the access key that you specify
when you configure the tools. When you use these tools, you don't need to learn how to sign
requests yourself.
To learn how to create, view, and download access key IDs and secret access keys, see Access
Keys (Access Key ID and Secret Access Key) (p. 218).
When Do You Need to Sign Requests?

When you write custom code to send HTTP requests to AWS, you need to include code to sign the
requests. You might do this for the following reasons:
• You are working with a programming language for which there is no AWS SDK.
• You want complete control over how a request is sent to AWS.
You don't need to sign a request when you use the AWS Command Line Interface (AWS CLI) or one of the
AWS SDKs. These tools manage the connection details, such as calculating signatures, handling request
retries, and error handling. In most cases, they also contain sample code, tutorials, and other resources to
help you get started writing applications that interact with AWS.
Why Requests Are Signed

The signing process helps secure requests in the following ways:
• Verify the identity of the requester
Signing makes sure that the request has been sent by someone with a valid access key. For more
information, see Understanding and Getting Your Security Credentials (p. 216).
• Protect data in transit
To prevent tampering with a request while it's in transit, some of the request elements are used to
calculate a hash (digest) of the request, and the resulting hash value is included as part of the request.
When an AWS service receives the request, it uses the same information to calculate a hash and
matches it against the hash value in your request. If the values don't match, AWS denies the request.
• Protect against potential replay attacks
In most cases, a request must reach AWS within five minutes of the time stamp in the request.
Otherwise, AWS denies the request.
Version 1.0
350
Signing Requests
Signing Requests
To sign a request, you first calculate a hash (digest) of the request. Then you use the hash value, some
other information from the request, and your secret access key to calculate another hash known as the
signature. Then you add the signature to the request in one of the following ways:
• Using the HTTP Authorization header.

• Adding a query string value to the request. Because the signature is part of the URL in this case, this
type of URL is called a presigned URL.
Signature Versions
AWS supports two signature versions: Signature Version 4 and Signature Version 2. You should use
Signature Version 4. All AWS services support Signature Version 4, except Amazon SimpleDB which
requires Signature Version 2. For AWS services that support both versions, we recommend that you use
Signature Version 4.
All AWS Regions support Signature Version 4.
Version 1.0
351
Signature Version 4 Signing Process

Signature Version 4 is the process to add authentication information to AWS requests sent by HTTP.
For security, most requests to AWS must be signed with an access key, which consists of an access key
ID and secret access key. These two keys are commonly referred to as your security credentials. For
details on how to obtain credentials for your account, see Understanding and Getting Your Security
Important
When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to
make requests to AWS, these tools automatically sign the requests for you with the security
credentials you specify when you configure the tools. When you use these tools, you don't need
to learn how to sign requests yourself. However, when you manually create HTTP requests to
access AWS services, you must sign requests that require signing yourself.
How Signature Version 4 works
1. Create a canonical request.

2. Use the canonical request and additional metadata to create a string for signing.
3. Derive a signing key from your AWS secret access key. Then use the signing key, and the string from
the previous step, to create a signature.
4. Add the resulting signature to the HTTP request in a header or as a query string parameter.
When an AWS service receives the request, it performs the same steps that you did to calculate the
signature you sent in your request. AWS then compares its calculated signature to the one you sent with
the request. If the signatures match, the request is processed. If the signatures don't match, the request
is denied.
For more information, see the following resources:
• To get started with the signing process, see Signing AWS Requests with Signature Version 4 (p. 356).
• For sample signed requests, see Examples of the Complete Version 4 Signing Process
(Python) (p. 375).
• If you have questions about Signature Version 4, post your question in the AWS Identity and Access
Management forum.
Version 1.0
352
Changes in Signature Version 4
Changes in Signature Version 4

Signature Version 4 is the current AWS signing protocol. It includes several changes from the previous
Signature Version 2:
• To sign your message, you use a signing key that is derived from your secret access key rather than
using the secret access key itself. For more information about deriving keys, see Task 3: Calculate the
Signature for AWS Signature Version 4 (p. 367).
• You derive your signing key from the credential scope, which means that you don't need to include the
key itself in the request. Credential scope is represented by a slash-separated string of dimensions in
the following order:
1. Date information as an eight-digit string representing the year (YYYY), month (MM), and day (DD)
of the request (for example, 20150830). For more information about handling dates, see Handling
Dates in Signature Version 4 (p. 371).
2. Region information as a lowercase alphanumeric string. Use the Region name that is part of the
service's endpoint. For services with a globally unique endpoint such as IAM, use us-east-1.
3. Service name information as a lowercase alphanumeric string (for example, iam). Use the
service name that is part of the service's endpoint. For example, the IAM endpoint is https://
iam.amazonaws.com, so you use the string iam as part of the Credential parameter.
4. A special termination string: aws4_request.
• You use the credential scope in each signing task:
• If you add signing information to the query string, include the credential scope as part of the X-
Amz-Credential parameter when you create the canonical request in Task 1: Create a Canonical
Request for Signature Version 4 (p. 359).
• You must include the credential scope as part of your string to sign in Task 2: Create a String to Sign
for Signature Version 4 (p. 365).
• Finally, you use the date, Region, and service name components of the credential scope to derive
your signing key in Task 3: Calculate the Signature for AWS Signature Version 4 (p. 367).
Version 1.0
353
Signature Version 4 Request Elements
Elements of an AWS Signature Version 4 Request

Each HTTP/HTTPS request that uses version 4 signing must contain these elements.
• Endpoint Specification
• Action
• Required and Optional Parameters
• Date
• Authentication Parameters
Endpoint Specification
This is specified as the Host header in HTTP/1.1 requests. This header specifies the DNS name of the
computer to which you send the request, like dynamodb.us-east-1.amazonaws.com.
You must include the Host header with HTTP/1.1 requests. For HTTP/2 requests, you can use the
:authority header or the Host header. Use only the :authority header for compliance with the
HTTP/2 specification. Not all services support HTTP/2 requests, so check the service documentation for
details.
The endpoint usually contains the service name and Region, both of which you must use as part of the
Credential authentication parameter. For example, the Amazon DynamoDB endpoint for the eu-
west-1 Region is dynamodb.eu-west-1.amazonaws.com. If you don't specify a Region, a web service
uses the default Region, us-east-1. If you use a service like IAM that uses a globally unique endpoint,
use the default Region (us-east-1), as part of the Credential authentication parameter (described
later in this topic).
For a complete list of endpoints supported by AWS, see Regions and Endpoints.
Action
This element specifies the action that you want a web service to perform, such as the DynamoDB
CreateTable action or the Amazon EC2 DescribeInstances action. The specified action determines
the parameters used in the request. For query APIs, the action is an API name. For non-query APIs (such
as RESTful APIs), see the service documentation for the appropriate actions.
Required and Optional Parameters

This element specifies the parameters to the request action. Each action in a web service has a set of
required and optional parameters that define an API call. The API version is usually a required parameter.
See the service documentation for the details of required and optional parameters.
Date
This is the date and time at which you make the request. Including the date in the request helps prevent
third parties from intercepting your request and resubmitting it later. The date is specified using the
ISO8601 Basic format via the x-amz-date header in the YYYYMMDD'T'HHMMSS'Z' format.
Authentication Parameters
Each request that you send must include the following set of parameters that AWS uses to ensure the
validity and authenticity of the request.
• Algorithm. The hash algorithm that you're using as part of the signing process. For example, if you use
SHA-256 to create hashes, use the value AWS4-HMAC-SHA256.
Version 1.0
354
Signature Version 4 Request Elements
• Credential scope. A string separated by slashes ("/") that is formed by concatenating your access key
ID and your credential scope components. Credential scope includes the date in YYYYMMDD format,
the AWS Region, the service name, and a special termination string (aws4_request). For example, the
following string represents the Credential parameter for an IAM request in the us-east-1 Region.
AKIAIOSFODNN7EXAMPLE/20111015/us-east-1/iam/aws4_request
Important
You must use lowercase characters for the Region, service name, and special termination
string.
• SignedHeaders A list delimited by semicolons (";") of HTTP/HTTPS headers to include in the signature.
• Signature A hexadecimal-encoded string that represents the output of the signature operation
described in Task 3: Calculate the Signature for AWS Signature Version 4 (p. 367). You must calculate
the signature using the algorithm that you specified in the Algorithm parameter.
To view sample signed requests, see Examples of the Complete Version 4 Signing Process
(Python) (p. 375).
Version 1.0
355
Signing AWS Requests
Signing AWS Requests with Signature Version 4

This section explains how to create a signature and add it to an HTTP request to AWS.
Summary of Signing Steps

To create a signed request, complete the following:
• Task 1: Create a Canonical Request for Signature Version 4 (p. 359)
Arrange the contents of your request (host, action, headers, etc.) into a standard (canonical) format.
The canonical request is one of the inputs used to create a string to sign.
• Task 2: Create a String to Sign for Signature Version 4 (p. 365)
Create a string to sign with the canonical request and extra information such as the algorithm, request
date, credential scope, and the digest (hash) of the canonical request.
• Task 3: Calculate the Signature for AWS Signature Version 4 (p. 367)
Derive a signing key by performing a succession of keyed hash operations (HMAC operations) on the
request date, Region, and service, with your AWS secret access key as the key for the initial hashing
operation. After you derive the signing key, you then calculate the signature by performing a keyed
hash operation on the string to sign. Use the derived signing key as the hash key for this operation.
• Task 4: Add the Signature to the HTTP Request (p. 369)
After you calculate the signature, add it to an HTTP header or to the query string of the request.
Note
The AWS SDKs handle the signature calculation process for you, so you do not have to manually
complete the signing process. For more information, see Tools for Amazon Web Services.
Additional Signing Resources

The following additional resources illustrate aspects of the signing process:
• Examples of How to Derive a Signing Key for Signature Version 4 (p. 372). This page shows how to
derive a signing key using Java, C#, Python, Ruby, and JavaScript.
• Examples of the Complete Version 4 Signing Process (Python) (p. 375). This set of programs in
Python provide complete examples of the signing process. The examples show signing with a POST
request, with a GET request that has signing information in a request header, and with a GET request
that has signing information in the query string.
• Signature Version 4 Test Suite (p. 383). This downloadable package contains a collection of examples
that include signature information for various steps in the signing process. You can use these examples
to verify that your signing code is producing the correct results at each step of the process.
Version 1.0
356
What Signing Looks Like in a Request

The following example shows what an HTTPS request might look like as it is sent from your client to
AWS, without any signing information.
GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 HTTP/1.1

Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: iam.amazonaws.com
X-Amz-Date: 20150830T123600Z
After you complete the signing tasks, you add the authentication information to the request. You can
add the authentication information in two ways:
Authorization header
You can add the authentication information to the request with an Authorization header. Although
the HTTP header is named Authorization, the signing information is actually used for authentication
to establish who the request came from.
The Authorization header includes the following information:
• Algorithm you used for signing (AWS4-HMAC-SHA256)

• Credential scope (with your access key ID)
• List of signed headers
• Calculated signature. The signature is based on your request information, and you use your AWS secret
access key to produce the signature. The signature confirms your identity to AWS.
The following example shows what the preceding request might look like after you've created the
signing information and added it to the request in the Authorization header.
Note that in the actual request, the Authorization header would appear as a continuous line of text.
The version below has been formatted for readability.

Authorization: AWS4-HMAC-SHA256
Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request,
SignedHeaders=content-type;host;x-amz-date,
Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
content-type: application/x-www-form-urlencoded; charset=utf-8
host: iam.amazonaws.com
x-amz-date: 20150830T123600Z
Query string
As an alternative to adding authentication information with an HTTP request header, you can include it
in the query string. The query string contains everything that is part of the request, including the name
and parameters for the action, the date, and the authentication information.
The following example shows how you might construct a GET request with the action and authentication
information in the query string.
(In the actual request, the query string would appear as a continuous line of text. The version below has
been formatted with line breaks for readability.)
GET https://iam.amazonaws.com?Action=ListUsers&Version=2010-05-08
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fiam%2Faws4_request
Version 1.0
357
&X-Amz-Date=20150830T123600Z
&X-Amz-Expires=60
&X-Amz-SignedHeaders=content-type%3Bhost
&X-Amz-Signature=37ac2f4fde00b0ac9bd9eadeb459b1bbee224158d66e7ae5fcadb70b2d181d02 HTTP/1.1
content-type: application/x-www-form-urlencoded; charset=utf-8
host: iam.amazonaws.com
GET and POST Requests in the Query API

The query API that many AWS services support lets you make requests using either HTTP GET or POST.
(In the query API, you can use GET even if you're making requests that change state; that is, the query
API is not inherently RESTful.) Because GET requests pass parameters on the query string, they are
limited to the maximum length of a URL. If a request includes a large payload (for example, you might
upload a large IAM policy or send many parameters in JSON format for a DynamoDB request), you
generally use a POST request.
The signing process is the same for both types of requests.
Version 1.0
358
Task 1: Create a Canonical Request for Signature Version 4

To begin the signing process, create a string that includes information from your request in a
standardized (canonical) format. This ensures that when AWS receives the request, it can calculate the
same signature that you calculated.
Follow the steps here to create a canonical version of the request. Otherwise, your version and the
version calculated by AWS won't match, and the request will be denied.
The following example shows the pseudocode to create a canonical request.
Example canonical request pseudocode
CanonicalRequest =
HTTPRequestMethod + '\n' +
CanonicalURI + '\n' +
CanonicalQueryString + '\n' +
CanonicalHeaders + '\n' +
SignedHeaders + '\n' +
HexEncode(Hash(RequestPayload))
In this pseudocode, Hash represents a function that produces a message digest, typically SHA-256. (Later
in the process, you specify which hashing algorithm you're using.) HexEncode represents a function
that returns the base-16 encoding of the digest in lowercase characters. For example, HexEncode("m")
returns the value 6d rather than 6D. Each input byte must be represented as exactly two hexadecimal
characters.
Signature Version 4 does not require that you use a particular character encoding to encode the
canonical request. However, some AWS services might require a specific encoding. For more information,
consult the documentation for that service.
The following examples show how to construct the canonical form of a request to IAM. The original
request might look like this as it is sent from the client to AWS, except that this example does not include
the signing information yet.
Example request

X-Amz-Date: 20150830T123600Z
The preceding example request is a GET request (method) that makes a ListUsers API (action) call to
AWS Identity and Access Management (host). This action takes the Version parameter.
To create a canonical request, concatenate the following components from each step into a
single string:
1. Start with the HTTP request method (GET, PUT, POST, etc.), followed by a newline character.
Example request method
GET
2. Add the canonical URI parameter, followed by a newline character. The canonical URI is the URI-
encoded version of the absolute path component of the URI, which is everything in the URI from the
HTTP host to the question mark character ("?") that begins the query string parameters (if any).
Version 1.0
359
Normalize URI paths according to RFC 3986. Remove redundant and relative path components. Each
path segment must be URI-encoded twice (except for Amazon S3 which only gets URI-encoded
once).
Example canonical URI with encoding
/documents%2520and%2520settings/
Note
In exception to this, you do not normalize URI paths for requests to Amazon S3.
For example, if you have a bucket with an object named my-object//example//
photo.user, use that path. Normalizing the path to my-object/example/photo.user
will cause the request to fail. For more information, see Task 1: Create a Canonical Request
in the Amazon Simple Storage Service API Reference.
If the absolute path is empty, use a forward slash (/). In the example IAM request, nothing follows
the host in the URI, so the absolute path is empty.
Example canonical URI
3. Add the canonical query string, followed by a newline character. If the request does not include a
query string, use an empty string (essentially, a blank line). The example request has the following
query string.
Example canonical query string
Action=ListUsers&Version=2010-05-08
To construct the canonical query string, complete the following steps:
a. Sort the parameter names by character code point in ascending order. Parameters with
duplicate names should be sorted by value. For example, a parameter name that begins with
the uppercase letter F precedes a parameter name that begins with a lowercase letter b.
b. URI-encode each parameter name and value according to the following rules:
• Do not URI-encode any of the unreserved characters that RFC 3986 defines: A-Z, a-z, 0-9,
hyphen ( - ), underscore ( _ ), period ( . ), and tilde ( ~ ).
• Percent-encode all other characters with %XY, where X and Y are hexadecimal characters (0-9
and uppercase A-F). For example, the space character must be encoded as %20 (not using '+',
as some encoding schemes do) and extended UTF-8 characters must be in the form %XY%ZA
%BC.
• Double-encode any equals ( = ) characters in parameter values.
c. Build the canonical query string by starting with the first parameter name in the sorted list.
d. For each parameter, append the URI-encoded parameter name, followed by the equals
sign character (=), followed by the URI-encoded parameter value. Use an empty string for
parameters that have no value.
e. Append the ampersand character (&) after each parameter value, except for the last value in the
list.
One option for the query API is to put all request parameters in the query string. For example, you
can do this for Amazon S3 to create aVersion
presigned
1.0 URL. In that case, the canonical query string must
360
include not only parameters for the request, but also the parameters used as part of the signing
process—the hashing algorithm, credential scope, date, and signed headers parameters.
The following example shows a query string that includes authentication information. The example
is formatted with line breaks for readability, but the canonical query string must be one continuous
line of text in your code.
Example authentication parameters in a query string
Action=ListUsers&
Version=2010-05-08&
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fiam%2Faws4_request&
X-Amz-Date=20150830T123600Z&
X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-date
For more information about authentication parameters, see Task 2: Create a String to Sign for
Signature Version 4 (p. 365).
Note
You can use temporary security credentials provided by the AWS Security Token Service
(AWS STS) to sign a request. The process is the same as using long-term credentials, but
when you add signing information to the query string you must add an additional query
parameter for the security token. The parameter name is X-Amz-Security-Token, and
the parameter's value is the URI-encoded session token (the string you received from AWS
STS when you obtained temporary security credentials).
For some services, you must include the X-Amz-Security-Token query parameter in the
canonical (signed) query string. For other services, you add the X-Amz-Security-Token
parameter at the end, after you calculate the signature. For details, see the API reference
documentation for that service.
4. Add the canonical headers, followed by a newline character. The canonical headers consist of a list of
all the HTTP headers that you are including with the signed request.
For HTTP/1.1 requests, you must include the host header at a minimum. Standard headers like
content-type are optional.For HTTP/2 requests, you must include the :authority header
instead of the host header. Different services might require other headers.
Example canonical headers
content-type:application/x-www-form-urlencoded; charset=utf-8\n
host:iam.amazonaws.com\n
x-amz-date:20150830T123600Z\n
To create the canonical headers list, convert all header names to lowercase and remove leading
spaces and trailing spaces. Convert sequential spaces in the header value to a single space.
The following pseudocode describes how to construct the canonical list of headers:
CanonicalHeaders =
CanonicalHeadersEntry0 + CanonicalHeadersEntry1 + ... + CanonicalHeadersEntryN
CanonicalHeadersEntry =
Lowercase(HeaderName) + ':' + Trimall(HeaderValue) + '\n'
Lowercase represents a function that converts all characters to lowercase. The Trimall function
removes excess white space before and after values, and converts sequential spaces to a single
space.
Version 1.0
361
Build the canonical headers list by sorting the (lowercase) headers by character code and then
iterating through the header names. Construct each header according to the following rules:
• Append the lowercase header name followed by a colon.

• Append a comma-separated list of values for that header. Do not sort the values in headers that
have multiple values.
• Append a new line ('\n').
The following examples compare a more complex set of headers with their canonical form:
Example original headers
Host:iam.amazonaws.com\n
Content-Type:application/x-www-form-urlencoded; charset=utf-8\n
My-header1: a b c \n
X-Amz-Date:20150830T123600Z\n
My-Header2: "a b c" \n
Example canonical form
content-type:application/x-www-form-urlencoded; charset=utf-8\n
host:iam.amazonaws.com\n
my-header1:a b c\n
my-header2:"a b c"\n
x-amz-date:20150830T123600Z\n
Note
Each header is followed by a newline character, meaning the complete list ends with a
newline character.
In the canonical form, the following changes were made:
• The header names were converted to lowercase characters.

• The headers were sorted by character code.
• Leading and trailing spaces were removed from the my-header1 and my-header2 values.
• Sequential spaces in a b c were converted to a single space for the my-header1 and my-
header2 values.
Note
You can use temporary security credentials provided by the AWS Security Token Service
(AWS STS) to sign a request. The process is the same as using long-term credentials, but
when you include signing information in the Authorization header you must add an
additional HTTP header for the security token. The header name is X-Amz-Security-
Token, and the header's value is the session token (the string you received from AWS STS
when you obtained temporary security credentials).
5. Add the signed headers, followed by a newline character. This value is the list of headers that you
included in the canonical headers. By adding this list of headers, you tell AWS which headers in the
request are part of the signing process and which ones AWS can ignore (for example, any additional
headers added by a proxy) for purposes of validating the request.
For HTTP/1.1 requests, the host header must be included as a signed header. For HTTP/2
requests that include the :authority header instead of the host header, you must include the
Version 1.0
362
:authority header as a signed header. If you include a date or x-amz-date header, you must also
include that header in the list of signed headers.
To create the signed headers list, convert all header names to lowercase, sort them by character
code, and use a semicolon to separate the header names. The following pseudocode describes how
to construct a list of signed headers. Lowercase represents a function that converts all characters
to lowercase.
SignedHeaders =
Lowercase(HeaderName0) + ';' + Lowercase(HeaderName1) + ";" + ... +
Lowercase(HeaderNameN)
Build the signed headers list by iterating through the collection of header names, sorted by
lowercase character code. For each header name except the last, append a semicolon (';') to the
header name to separate it from the following header name.
Example signed headers
content-type;host;x-amz-date\n
6. Use a hash (digest) function like SHA256 to create a hashed value from the payload in the body of
the HTTP or HTTPS request. Signature Version 4 does not require that you use a particular character
encoding to encode text in the payload. However, some AWS services might require a specific
encoding. For more information, consult the documentation for that service.
Example structure of payload
HashedPayload = Lowercase(HexEncode(Hash(requestPayload)))
When you create the string to sign, you specify the signing algorithm that you used to hash the
payload. For example, if you used SHA256, you will specify AWS4-HMAC-SHA256 as the signing
algorithm. The hashed payload must be represented as a lowercase hexadecimal string.
If the payload is empty, use an empty string as the input to the hash function. In the IAM example,
the payload is empty.
Example hashed payload (empty string)
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
7. To construct the finished canonical request, combine all the components from each step as a single
string. As noted, each component ends with a newline character. If you follow the canonical request
pseudocode explained earlier, the resulting canonical request is shown in the following example.
Example canonical request
GET
/
Action=ListUsers&Version=2010-05-08
content-type:application/x-www-form-urlencoded; charset=utf-8
host:iam.amazonaws.com
x-amz-date:20150830T123600Z
content-type;host;x-amz-date
Version 1.0
363
8. Create a digest (hash) of the canonical request with the same algorithm that you used to hash the
payload.
Note
Signature Version 4 does not require that you use a particular character encoding to encode
the canonical request before calculating the digest. However, some AWS services might
require a specific encoding. For more information, consult the documentation for that
service.
The hashed canonical request must be represented as a string of lowercase hexadecimal characters.
The following example shows the result of using SHA-256 to hash the example canonical request.
Example hashed canonical request
f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59
You include the hashed canonical request as part of the string to sign in Task 2: Create a String to
Sign for Signature Version 4 (p. 365).
Version 1.0
364
Task 2: Create a String to Sign for Signature Version 4

The string to sign includes meta information about your request and about the canonical request that
you created in Task 1: Create a Canonical Request for Signature Version 4 (p. 359). You will use the string
to sign and a derived signing key that you create later as inputs to calculate the request signature in Task
3: Calculate the Signature for AWS Signature Version 4 (p. 367).
To create the string to sign, concatenate the algorithm, date and time, credential scope, and digest of the
canonical request, as shown in the following pseudocode:
Structure of string to sign
StringToSign =
Algorithm + \n +
RequestDateTime + \n +
CredentialScope + \n +
HashedCanonicalRequest
The following example shows how to construct the string to sign with the same request from Task 1:
Create A Canonical Request (p. 359).
Example HTTPS request

X-Amz-Date: 20150830T123600Z
To create the string to sign
1. Start with the algorithm designation, followed by a newline character. This value is the hashing
algorithm that you use to calculate the digests in the canonical request. For SHA256, AWS4-HMAC-
SHA256 is the algorithm.
AWS4-HMAC-SHA256\n
2. Append the request date value, followed by a newline character. The date is specified with ISO8601
basic format in the x-amz-date header in the format YYYYMMDD'T'HHMMSS'Z'. This value must
match the value you used in any previous steps.
20150830T123600Z\n
3. Append the credential scope value, followed by a newline character. This value is a string that
includes the date, the Region you are targeting, the service you are requesting, and a termination
string ("aws4_request") in lowercase characters. The Region and service name strings must be
UTF-8 encoded.
20150830/us-east-1/iam/aws4_request\n
• The date must be in the YYYYMMDD format. Note that the date does not include a time value.
• Verify that the Region you specify is the Region that you are sending the request to. See AWS
Service Endpoints (p. 2).
4. Append the hash of the canonical request that you created in Task 1: Create a Canonical Request for
Signature Version 4 (p. 359). This value is not followed by a newline character. The hashed canonical
request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.
Version 1.0
365
The following string to sign is a request to IAM on August 30, 2015.
Example string to sign
AWS4-HMAC-SHA256
20150830T123600Z
20150830/us-east-1/iam/aws4_request
Version 1.0
366
Task 3: Calculate the Signature for AWS Signature Version 4

Before you calculate a signature, you derive a signing key from your AWS secret access key. Because the
derived signing key is specific to the date, service, and Region, it offers a greater degree of protection.
You don't just use your secret access key to sign the request. You then use the signing key and the string
to sign that you created in Task 2: Create a String to Sign for Signature Version 4 (p. 365) as the inputs to
a keyed hash function. The hex-encoded result from the keyed hash function is the signature.
Signature Version 4 does not require that you use a particular character encoding to encode the string to
sign. However, some AWS services might require a specific encoding. For more information, consult the
To calculate a signature
1. Derive your signing key. To do this, use your secret access key to create a series of hash-based
message authentication codes (HMACs). This is shown in the following pseudocode, where
HMAC(key, data) represents an HMAC-SHA256 function that returns output in binary format. The
result of each hash function becomes input for the next one.
Pseudocode for deriving a signing key
kSecret = your secret access key

kDate = HMAC("AWS4" + kSecret, Date)
kRegion = HMAC(kDate, Region)
kService = HMAC(kRegion, Service)
kSigning = HMAC(kService, "aws4_request")
Note that the date used in the hashing process is in the format YYYYMMDD (for example, 20150830),
and does not include the time.
Make sure you specify the HMAC parameters in the correct order for the programming language you
are using. This example shows the key as the first parameter and the data (message) as the second
parameter, but the function that you use might specify the key and data in a different order.
Use the digest (binary format) for the key derivation. Most languages have functions to compute
either a binary format hash, commonly called a digest, or a hex-encoded hash, called a hexdigest.
The key derivation requires that you use a binary-formatted digest.
The following example show the inputs to derive a signing key and the resulting output, where
kSecret = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY.
The example uses the same parameters from the request in Task 1 and Task 2 (a request to IAM in
the us-east-1 Region on August 30, 2015).
Example inputs
HMAC(HMAC(HMAC(HMAC("AWS4" + kSecret,"20150830"),"us-east-1"),"iam"),"aws4_request")
The following example shows the derived signing key that results from this sequence of HMAC hash
operations. This shows the hexadecimal representation of each byte in the binary signing key.
Example signing key
c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9
For more information about how to derive a signing key in different programming languages, see
Examples of How to Derive a Signing Key for Signature Version 4 (p. 372).
Version 1.0
367
2. Calculate the signature. To do this, use the signing key that you derived and the string to sign as
inputs to the keyed hash function. After you calculate the signature, convert the binary value to a
hexadecimal representation.
The following pseudocode shows how to calculate the signature.
signature = HexEncode(HMAC(derived signing key, string to sign))
Note
Make sure you specify the HMAC parameters in the correct order for the programming
language you are using. This example shows the key as the first parameter and the data
(message) as the second parameter, but the function that you use might specify the key and
data in a different order.
The following example shows the resulting signature if you use the same signing key and the string
to sign from Task 2:
Example signature
5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
Version 1.0
368
Task 4: Add the Signature to the HTTP Request

After you calculate the signature, add it to the request. You can add the signature to a request in one of
two ways:
• An HTTP header named Authorization

• The query string
You cannot pass signing information in both the Authorization header and the query string.
Note
You can use temporary security credentials provided by the AWS Security Token Service (AWS
STS) to sign a request. The process is the same as using long-term credentials, but requires
an additional HTTP header or query string parameter for the security token. The name of
the header or query string parameter is X-Amz-Security-Token, and the value is the
session token (the string you received from AWS STS when you obtained temporary security
credentials).
When you add the X-Amz-Security-Token parameter to the query string, some services
require that you include this parameter in the canonical (signed) request. For other services,
you add this parameter at the end, after you calculate the signature. For details, see the API
reference documentation for that service.
Adding Signing Information to the Authorization Header

You can include signing information by adding it to an HTTP header named Authorization. The
contents of the header are created after you calculate the signature as described in the preceding steps,
so the Authorization header is not included in the list of signed headers. Although the header is
named Authorization, the signing information is actually used for authentication.
The following pseudocode shows the construction of the Authorization header.
Authorization: algorithm Credential=access key ID/credential scope,

SignedHeaders=SignedHeaders, Signature=signature
The following example shows a finished Authorization header.
Note that in the actual request, the authorization header would appear as a continuous line of text. The
version below has been formatted for readability.
Authorization: AWS4-HMAC-SHA256
Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request,
SignedHeaders=content-type;host;x-amz-date,
Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
Note the following:
• There is no comma between the algorithm and Credential. However, the SignedHeaders and
Signature are separated from the preceding values with a comma.
• The Credential value starts with the access key ID, which is followed by a forward slash (/), which
is followed by the credential scope that you calculated in Task 2: Create a String to Sign for Signature
Version 4 (p. 365). The secret access key is used to derive the signing key for the signature, but is not
included in the signing information sent in the request.
Adding Signing Information to the Query String

You can make requests and pass all request values in the query string, including signing information. This
is sometimes referred to as a presigned URL, because it produces a single URL with everything required
Version 1.0
369
in order to make a successful call to AWS. It's commonly used in Amazon S3. For more information, see
Authenticating Requests by Using Query Parameters (AWS Signature Version 4) in the Amazon Simple
Storage Service API Reference.
Important
If you make a request in which all parameters are included in the query string, the resulting URL
represents an AWS action that is already authenticated. Therefore, treat the resulting URL with
as much caution as you would treat your actual credentials. We recommend you specify a short
expiration time for the request with the X-Amz-Expires parameter.
When you use this approach, all the query string values (except the signature) are included in the
canonical query string that is part of the canonical query that you construct in the first part of the
signing process (p. 359).
The following pseudocode shows the construction of a query string that contains all request parameters.
querystring = Action=action
querystring += &X-Amz-Algorithm=algorithm
querystring += &X-Amz-Credential= urlencode(access_key_ID + '/' + credential_scope)
querystring += &X-Amz-Date=date
querystring += &X-Amz-Expires=timeout interval
querystring += &X-Amz-SignedHeaders=signed_headers
After the signature is calculated (which uses the other query string values as part of the calculation), you
add the signature to the query string as the X-Amz-Signature parameter:
querystring += &X-Amz-Signature=signature
The following example shows what a request might look like when all the request parameters and the
signing information are included in query string parameters.
Note that in the actual request, the authorization header would appear as a continuous line of text. The
version below has been formatted for readability.
https://iam.amazonaws.com?Action=ListUsers&Version=2010-05-08
&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fiam%2Faws4_request
&X-Amz-Date=20150830T123600Z
&X-Amz-Expires=60
&X-Amz-SignedHeaders=content-type%3Bhost
&X-Amz-Signature=37ac2f4fde00b0ac9bd9eadeb459b1bbee224158d66e7ae5fcadb70b2d181d02
Note the following:
• For the signature calculation, query string parameters must be sorted in code point order from low to
high, and their values must be URI-encoded. See the step about creating a canonical query string in
Task 1: Create a Canonical Request for Signature Version 4 (p. 359).
• Set the timeout interval (X-Amz-Expires) to the minimal viable time for the operation you're
requesting.
Version 1.0
370
Handling Dates
Handling Dates in Signature Version 4

The date that you use as part of your credential scope must match the date of your request. You can
include the date as part of your request in several ways. You can use a date header, an x-amz-date
header or include x-amz-date as a query parameter. For example requests, see Examples of the
Complete Version 4 Signing Process (Python) (p. 375).
The time stamp must be in UTC and in the following ISO 8601 format: YYYYMMDD'T'HHMMSS'Z'. For
example, 20150830T123600Z is a valid time stamp. Do not include milliseconds in the time stamp.
AWS first checks the x-amz-date header or parameter for a time stamp. If AWS can't find a value for x-
amz-date, it looks for the date header. AWS then checks the credential scope for an eight-digit string
representing the year (YYYY), month (MM), and day (DD) of the request. For example, if the x-amz-date
header value is 20111015T080000Z and the date component of the credential scope is 20111015, AWS
allows the authentication process to proceed.
If the dates don't match, AWS rejects the request, even if the time stamp is only seconds away from the
date in the credential scope. For example, AWS will reject a request that has an x-amz-date header
value of 20151014T235959Z and a credential scope that has the date 20151015.
Version 1.0
371
Examples of How to Derive a Signing Key
Examples of How to Derive a Signing Key for

Signature Version 4
This page shows examples in several programming languages for how to derive a signing key for
Signature Version 4. The examples on this page show only how to derive a signing key, which is just
one part of signing AWS requests. For examples that show the complete process, see Examples of the
Complete Version 4 Signing Process (Python) (p. 375).
Note
If you are using one of the AWS SDKs (including the SDK for Java, .NET, Python, Ruby, or
JavaScript), you do not have to manually perform the steps of deriving a signing key and adding
authentication information to a request. The SDKs perform this work for you. You need to
manually sign requests only if you are directly making HTTP or HTTPS requests.
Topics
• Deriving the Signing Key with Java (p. 372)
• Deriving the Signing Key with .NET (C#) (p. 372)
• Deriving the Signing Key with Python (p. 373)
• Deriving the Signing Key with Ruby (p. 373)
• Deriving the Signing Key with JavaScript (Node.js) (p. 373)
• Deriving the Signing Key with Other Languages (p. 373)
• Common Coding Mistakes (p. 374)
Deriving the Signing Key with Java

static byte[] HmacSHA256(String data, byte[] key) throws Exception {
String algorithm="HmacSHA256";
Mac mac = Mac.getInstance(algorithm);
mac.init(new SecretKeySpec(key, algorithm));
return mac.doFinal(data.getBytes("UTF-8"));
}
static byte[] getSignatureKey(String key, String dateStamp, String regionName, String

serviceName) throws Exception {
byte[] kSecret = ("AWS4" + key).getBytes("UTF-8");
byte[] kDate = HmacSHA256(dateStamp, kSecret);
byte[] kRegion = HmacSHA256(regionName, kDate);
byte[] kService = HmacSHA256(serviceName, kRegion);
byte[] kSigning = HmacSHA256("aws4_request", kService);
return kSigning;
}
Deriving the Signing Key with .NET (C#)

static byte[] HmacSHA256(String data, byte[] key)
{
String algorithm = "HmacSHA256";
KeyedHashAlgorithm kha = KeyedHashAlgorithm.Create(algorithm);
kha.Key = key;
return kha.ComputeHash(Encoding.UTF8.GetBytes(data));
}
static byte[] getSignatureKey(String key, String dateStamp, String regionName, String

serviceName)
Version 1.0
372
{
byte[] kSecret = Encoding.UTF8.GetBytes(("AWS4" + key).ToCharArray());
byte[] kDate = HmacSHA256(dateStamp, kSecret);
byte[] kRegion = HmacSHA256(regionName, kDate);
byte[] kService = HmacSHA256(serviceName, kRegion);
byte[] kSigning = HmacSHA256("aws4_request", kService);
return kSigning;
}
Deriving the Signing Key with Python

def sign(key, msg):
return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
def getSignatureKey(key, dateStamp, regionName, serviceName):

kDate = sign(("AWS4" + key).encode("utf-8"), dateStamp)
kRegion = sign(kDate, regionName)
kService = sign(kRegion, serviceName)
kSigning = sign(kService, "aws4_request")
return kSigning
Deriving the Signing Key with Ruby

def getSignatureKey key, dateStamp, regionName, serviceName
kDate = OpenSSL::HMAC.digest('sha256', "AWS4" + key, dateStamp)
kRegion = OpenSSL::HMAC.digest('sha256', kDate, regionName)
kService = OpenSSL::HMAC.digest('sha256', kRegion, serviceName)
kSigning = OpenSSL::HMAC.digest('sha256', kService, "aws4_request")
kSigning
end
Deriving the Signing Key with JavaScript (Node.js)

The following example uses the crypto-js library. For more information, see https://www.npmjs.com/
package/crypto-js and https://code.google.com/archive/p/crypto-js/.
var crypto = require("crypto-js");
function getSignatureKey(key, dateStamp, regionName, serviceName) {

var kDate = crypto.HmacSHA256(dateStamp, "AWS4" + key);
var kRegion = crypto.HmacSHA256(regionName, kDate);
var kService = crypto.HmacSHA256(serviceName, kRegion);
var kSigning = crypto.HmacSHA256("aws4_request", kService);
return kSigning;
}
Deriving the Signing Key with Other Languages

If you need to implement this logic in a different programming language, we recommend testing the
intermediary steps of the key derivation algorithm against the values in this section. The following
example in Ruby prints the results using the hexEncode function after each step in the algorithm.
def hexEncode bindata

result=""
data=bindata.unpack("C*")
Version 1.0
373
data.each {|b| result+= "%02x" % b}

result
end
Given the following test input:
key = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'
dateStamp = '20120215'
regionName = 'us-east-1'
serviceName = 'iam'
Your program should generate the following values for the values in getSignatureKey. Note that
these are hex-encoded representations of the binary data; the key itself and the intermediate values
should be in binary format.
kSecret =
'41575334774a616c725855746e46454d492f4b374d44454e472b62507852666943594558414d504c454b4559'
kDate = '969fbb94feb542b71ede6f87fe4d5fa29c789342b0f407474670f0c2489e0a0d'
kRegion = '69daa0209cd9c5ff5c8ced464a696fd4252e981430b10e3d3fd8e2f197d7a70c'
kService = 'f72cfd46f26bc4643f06a11eabb6c0ba18780c19a8da0c31ace671265e3c87fa'
kSigning = 'f4780e2d9f65fa895f9c67b32ce1baf0b0d8a43505a000a1a9e090d414db404d'
Common Coding Mistakes

To simplify your task, avoid the following common coding errors.
Tip
Examine the HTTP request that you're sending to AWS with a tool that shows you what your raw
HTTP requests look like. This can help you spot issues that aren't evident from your code.
• Don't include an extra newline character, or forget one where it's required.
• Don't format the date incorrectly in the credential scope, such as using a time stamp instead of
YYYYMMDD format.
• Make sure the headers in the canonical headers and the signed headers are the same.
• Don't inadvertently swap the key and the data (message) when calculating intermediary keys. The
result of the previous step's computation is the key, not the data. Check the documentation for your
cryptographic primitives carefully to ensure that you place the parameters in the proper order.
• Don't forget to add the string "AWS4" in front of the key for the first step. If you implement the key
derivation using a for loop or iterator, don't forget to special-case the first iteration so that it includes
the "AWS4" string.
For more information about possible errors, see Troubleshooting AWS Signature Version 4
Errors (p. 386).
Version 1.0
374
Signing Examples (Python)
Examples of the Complete Version 4 Signing Process

(Python)
This section shows example programs written in Python that illustrate how to work with Signature
Version 4 in AWS. We deliberately wrote these example programs to be simple (to use few Python-
specific features) to make it easier to understand the overall process of signing AWS requests.
Note
If you are using one of the AWS SDKs (including the SDK for C++, SDK for Go, SDK for Java,
AWS SDK for JavaScript, AWS SDK for .NET, SDK for PHP, SDK for Python (Boto 3), or SDK for
Ruby), you do not have to manually perform the steps of deriving a signing key and adding
authentication information to a request. The SDKs perform this work for you. You need to
manually sign requests only if you are directly making HTTP or HTTPS requests.
In order to work with these example programs, you need the following:
• Python 2.x installed on your computer, which you can get from the Python site. These programs were
tested using Python 2.7 and 3.6.
• The Python requests library, which is used in the example script to make web requests. A convenient
way to install Python packages is to use pip, which gets packages from the Python package index site.
You can then install requests by running pip install requests at the command line.
• An access key (access key ID and secret access key) in environment variables named
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Alternatively, you can keep these values in a
credentials file and read them from that file. As a best practice, we recommend that you do not embed
credentials in code. For more information, see Best Practices for Managing AWS Access Keys in the
Amazon Web Services General Reference.
Note
The following examples use UTF-8 to encode the canonical request and string to sign, but
Signature Version 4 does not require that you use a particular character encoding. However,
some AWS services might require a specific encoding. For more information, consult the
Topics
• Using GET with an Authorization Header (Python) (p. 375)
• Using POST (Python) (p. 378)
• Using GET with Authentication Information in the Query String (Python) (p. 380)
Using GET with an Authorization Header (Python)

The following example shows how to make a request using the Amazon EC2 query API without SDK for
Python (Boto 3). The request makes a GET request and passes authentication information to AWS using
the Authorization header.
# Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

#
# This file is licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License. A copy of the
# License is located at
#
# http://aws.amazon.com/apache2.0/
#
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
# OF ANY KIND, either express or implied. See the License for the specific
Version 1.0
375
# language governing permissions and limitations under the License.

#
# ABOUT THIS PYTHON SAMPLE: This sample is part of the AWS General Reference
# Signing AWS API Requests top available at
# https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
#
# AWS Version 4 signing example
# EC2 API (DescribeRegions)
# See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
# This version makes a GET request and passes the signature
# in the Authorization header.
import sys, os, base64, datetime, hashlib, hmac
import requests # pip install requests
# ************* REQUEST VALUES *************

method = 'GET'
service = 'ec2'
host = 'ec2.amazonaws.com'
region = 'us-east-1'
endpoint = 'https://ec2.amazonaws.com'
request_parameters = 'Action=DescribeRegions&Version=2013-10-15'
# Key derivation functions. See:

# http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html#signature-v4-
examples-python
def sign(key, msg):
return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp)
kSigning = sign(kService, 'aws4_request')
return kSigning
# Read AWS access key from env. variables or configuration file. Best practice is NOT
# to embed credentials in code.
access_key = os.environ.get('AWS_ACCESS_KEY_ID')
secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY')
if access_key is None or secret_key is None:
print('No access key is available.')
sys.exit()
# Create a date for headers and the credential string

t = datetime.datetime.utcnow()
amzdate = t.strftime('%Y%m%dT%H%M%SZ')
datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope
# ************* TASK 1: CREATE A CANONICAL REQUEST *************

# http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
# Step 1 is to define the verb (GET, POST, etc.)--already done.
# Step 2: Create canonical URI--the part of the URI from domain to query
# string (use '/' if no path)
canonical_uri = '/'
# Step 3: Create the canonical query string. In this example (a GET request),
# request parameters are in the query string. Query string values must
# be URL-encoded (space=%20). The parameters must be sorted by name.
# For this example, the query string is pre-formatted in the request_parameters variable.
canonical_querystring = request_parameters
Version 1.0
376
# Step 4: Create the canonical headers and signed headers. Header names
# must be trimmed and lowercase, and sorted in code point order from
# low to high. Note that there is a trailing \n.
canonical_headers = 'host:' + host + '\n' + 'x-amz-date:' + amzdate + '\n'
# Step 5: Create the list of signed headers. This lists the headers
# in the canonical_headers list, delimited with ";" and in alpha order.
# Note: The request can include any headers; canonical_headers and
# signed_headers lists those that you want to be included in the
# hash of the request. "Host" and "x-amz-date" are always required.
signed_headers = 'host;x-amz-date'
# Step 6: Create payload hash (hash of the request body content). For GET
# requests, the payload is an empty string ("").
payload_hash = hashlib.sha256(('').encode('utf-8')).hexdigest()
# Step 7: Combine elements to create canonical request

canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' +
canonical_headers + '\n' + signed_headers + '\n' + payload_hash
# ************* TASK 2: CREATE THE STRING TO SIGN*************

# Match the algorithm to the hashing algorithm you use, either SHA-1 or
# SHA-256 (recommended)
algorithm = 'AWS4-HMAC-SHA256'
credential_scope = datestamp + '/' + region + '/' + service + '/' + 'aws4_request'
string_to_sign = algorithm + '\n' + amzdate + '\n' + credential_scope + '\n' +
hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()
# ************* TASK 3: CALCULATE THE SIGNATURE *************

# Create the signing key using the function defined above.
signing_key = getSignatureKey(secret_key, datestamp, region, service)
# Sign the string_to_sign using the signing_key

signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'),
hashlib.sha256).hexdigest()
# ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************

# The signing information can be either in a query string value or in
# a header named Authorization. This code shows how to use a header.
# Create authorization header and add to request headers
authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' +
credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' +
signature
# The request can include any headers, but MUST include "host", "x-amz-date",
# and (for this scenario) "Authorization". "host" and "x-amz-date" must
# be included in the canonical_headers and signed_headers, as noted
# earlier. Order here is not significant.
# Python note: The 'host' header is added automatically by the Python 'requests' library.
headers = {'x-amz-date':amzdate, 'Authorization':authorization_header}
# ************* SEND THE REQUEST *************

request_url = endpoint + '?' + canonical_querystring
print('\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++')
print('Request URL = ' + request_url)
r = requests.get(request_url, headers=headers)
print('\nRESPONSE++++++++++++++++++++++++++++++++++++')
print('Response code: %d\n' % r.status_code)
print(r.text)
Version 1.0
377
Using POST (Python)

The following example shows how to make a request using the Amazon DynamoDB query API without
SDK for Python (Boto 3). The request makes a POST request and passes values to AWS in the body of the
request. Authentication information is passed using the Authorization request header.

#
#
#
# DynamoDB API (CreateTable)
# This version makes a POST request and passes request parameters
# in the body (payload) of the request. Auth information is passed in
# an Authorization header.
import sys, os, base64, datetime, hashlib, hmac
# ************* REQUEST VALUES *************

method = 'POST'
service = 'dynamodb'
host = 'dynamodb.us-west-2.amazonaws.com'
region = 'us-west-2'
endpoint = 'https://dynamodb.us-west-2.amazonaws.com/'
# POST requests use a content type header. For DynamoDB,
# the content is JSON.
content_type = 'application/x-amz-json-1.0'
# DynamoDB requires an x-amz-target header that has this format:
# DynamoDB_<API version>.<operationName>
amz_target = 'DynamoDB_20120810.CreateTable'
# Request parameters for CreateTable--passed in a JSON block.

request_parameters = '{'
request_parameters += '"KeySchema": [{"KeyType": "HASH","AttributeName": "Id"}],'
request_parameters += '"TableName": "TestTable","AttributeDefinitions": [{"AttributeName":
"Id","AttributeType": "S"}],'
request_parameters += '"ProvisionedThroughput": {"WriteCapacityUnits":
5,"ReadCapacityUnits": 5}'
request_parameters += '}'

examples-python
def sign(key, msg):
return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
def getSignatureKey(key, date_stamp, regionName, serviceName):

kDate = sign(('AWS4' + key).encode('utf-8'), date_stamp)
Version 1.0
378

return kSigning
sys.exit()

amz_date = t.strftime('%Y%m%dT%H%M%SZ')
date_stamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope

# Step 1 is to define the verb (GET, POST, etc.)--already done.
canonical_uri = '/'
## Step 3: Create the canonical query string. In this example, request

# parameters are passed in the body of the request and the query string
# is blank.
canonical_querystring = ''
# Step 4: Create the canonical headers. Header names must be trimmed

# and lowercase, and sorted in code point order from low to high.
# Note that there is a trailing \n.
canonical_headers = 'content-type:' + content_type + '\n' + 'host:' + host + '\n' + 'x-amz-
date:' + amz_date + '\n' + 'x-amz-target:' + amz_target + '\n'
# Step 5: Create the list of signed headers. This lists the headers
# in the canonical_headers list, delimited with ";" and in alpha order.
# Note: The request can include any headers; canonical_headers and
# signed_headers include those that you want to be included in the
# hash of the request. "Host" and "x-amz-date" are always required.
# For DynamoDB, content-type and x-amz-target are also required.
signed_headers = 'content-type;host;x-amz-date;x-amz-target'
# Step 6: Create payload hash. In this example, the payload (body of

# the request) contains the request parameters.
payload_hash = hashlib.sha256(request_parameters.encode('utf-8')).hexdigest()


credential_scope = date_stamp + '/' + region + '/' + service + '/' + 'aws4_request'
string_to_sign = algorithm + '\n' + amz_date + '\n' + credential_scope + '\n' +

# Create the signing key using the function defined above.
signing_key = getSignatureKey(secret_key, date_stamp, region, service)
Version 1.0
379

signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'),

# Put the signature information in a header named Authorization.
authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' +
credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' +
signature
# For DynamoDB, the request can include any headers, but MUST include "host", "x-amz-date",
# "x-amz-target", "content-type", and "Authorization". Except for the authorization
# header, the headers must be included in the canonical_headers and signed_headers values,
as
# noted earlier. Order here is not significant.
# # Python note: The 'host' header is added automatically by the Python 'requests' library.
headers = {'Content-Type':content_type,
'X-Amz-Date':amz_date,
'X-Amz-Target':amz_target,
'Authorization':authorization_header}
# ************* SEND THE REQUEST *************

print('Request URL = ' + endpoint)
r = requests.post(endpoint, data=request_parameters, headers=headers)
print('\nRESPONSE++++++++++++++++++++++++++++++++++++')
print(r.text)
Using GET with Authentication Information in the Query String

(Python)
The following example shows how to make a request using the IAM query API without SDK for Python
(Boto 3). The request makes a GET request and passes parameters and signing information using the
query string.

#
#
#
#
# ABOUT THIS PYTHON SAMPLE: This sample is part of the AWS General Reference
# Signing AWS API Requests top available at
# https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
#
# IAM API (CreateUser)
Version 1.0
380
# This version makes a GET request and passes request parameters
# and authorization information in the query string
import sys, os, base64, datetime, hashlib, hmac, urllib
# ************* REQUEST VALUES *************

method = 'GET'
service = 'iam'
host = 'iam.amazonaws.com'
region = 'us-east-1'
endpoint = 'https://iam.amazonaws.com'

examples-python
def sign(key, msg):
return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp)
return kSigning
sys.exit()

amz_date = t.strftime('%Y%m%dT%H%M%SZ') # Format date as YYYYMMDD'T'HHMMSS'Z'
datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope

# Because almost all information is being passed in the query string,

# the order of these steps is slightly different than examples that
# use an authorization header.
# Step 1: Define the verb (GET, POST, etc.)--already done.
canonical_uri = '/'
# Step 3: Create the canonical headers and signed headers. Header names
# must be trimmed and lowercase, and sorted in code point order from
# low to high. Note trailing \n in canonical_headers.
# signed_headers is the list of headers that are being included
# as part of the signing process. For requests that use query strings,
# only "host" is included in the signed headers.
canonical_headers = 'host:' + host + '\n'
signed_headers = 'host'
Version 1.0
381
credential_scope = datestamp + '/' + region + '/' + service + '/' + 'aws4_request'
# Step 4: Create the canonical query string. In this example, request

# parameters are in the query string. Query string values must
# be URL-encoded (space=%20). The parameters must be sorted by name.
# use urllib.parse.quote_plus() if using Python 3
canonical_querystring = 'Action=CreateUser&UserName=NewUser&Version=2010-05-08'
canonical_querystring += '&X-Amz-Algorithm=AWS4-HMAC-SHA256'
canonical_querystring += '&X-Amz-Credential=' + urllib.quote_plus(access_key + '/' +
credential_scope)
canonical_querystring += '&X-Amz-Date=' + amz_date
canonical_querystring += '&X-Amz-Expires=30'
canonical_querystring += '&X-Amz-SignedHeaders=' + signed_headers
# Step 5: Create payload hash. For GET requests, the payload is an

# empty string ("").
payload_hash = hashlib.sha256(('').encode('utf-8')).hexdigest()


string_to_sign = algorithm + '\n' + amz_date + '\n' + credential_scope + '\n' +

# Create the signing key
signing_key = getSignatureKey(secret_key, datestamp, region, service)

signature = hmac.new(signing_key, (string_to_sign).encode("utf-8"),

# The auth information can be either in a query string
# value or in a header named Authorization. This code shows how to put
# everything into a query string.
canonical_querystring += '&X-Amz-Signature=' + signature
# ************* SEND THE REQUEST *************

# The 'host' header is added automatically by the Python 'request' lib. But it
# must exist as a header in the request.
request_url = endpoint + "?" + canonical_querystring
print('Request URL = ' + request_url)
r = requests.get(request_url)
print('\nRESPONSE++++++++++++++++++++++++++++++++++++')
print(r.text)
Version 1.0
382
Test Suite
Signature Version 4 Test Suite

To assist you in the development of an AWS client that supports Signature Version 4, you can use the
files in the test suite to ensure your code is performing each step of the signing process correctly.
To get the test suite, download aws-sig-v4-test-suite.zip.
Topics
• Credential Scope and Secret Key (p. 383)
• Example—A Simple GET Request with Parameters (p. 383)
Each test group contains five files that you can use to validate each of the tasks described in Signature
Version 4 Signing Process (p. 352). The following list describes the contents of each file.
• file-name.req—the web request to be signed.

• file-name.creq—the resulting canonical request.
• file-name.sts—the resulting string to sign.
• file-name.authz—the Authorization header.
• file-name.sreq— the signed request.
Credential Scope and Secret Key

The examples in the test suite use the following credential scope:
AKIDEXAMPLE/20150830/us-east-1/service/aws4_request
The example secret key used for signing is:
wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
Example—A Simple GET Request with Parameters

The following example shows the web request to be signed from the get-vanilla-query-order-
key-case.req file. This is the original request.
GET /?Param2=value2&Param1=value1 HTTP/1.1

Host:example.amazonaws.com
X-Amz-Date:20150830T123600Z
Task 1: Create a Canonical Request

In the steps outlined in Task 1: Create a Canonical Request for Signature Version 4 (p. 359), change the
request in the get-vanilla-query-order-key-case.req file.

X-Amz-Date:20150830T123600Z
This creates the canonical request in the get-vanilla-query-order-key-case.creq file.
GET
Version 1.0
383
Test Suite
/
Param1=value1&Param2=value2
host:example.amazonaws.com
x-amz-date:20150830T123600Z
host;x-amz-date
Notes
• The parameters are sorted alphabetically (by character code).

• The header names are lowercase.
• There is a line break between the x-amz-date header and the signed headers.
• The hash of the payload is the hash of the empty string.
Task 2: Create a String to Sign

The hash of the canonical request returns the following value:
816cd5b414d056048ba4f7c5386d6e0533120fb1fcfa93762cf0fc39e2cf19e0
In the steps outlined in Task 2: Create a String to Sign for Signature Version 4 (p. 365), add the
algorithm, request date, credential scope, and the canonical request hash to create the string to sign.
The result is the get-vanilla-query-order-key-case.sts file.
AWS4-HMAC-SHA256
20150830T123600Z
20150830/us-east-1/service/aws4_request
816cd5b414d056048ba4f7c5386d6e0533120fb1fcfa93762cf0fc39e2cf19e0
Notes
• The date on the second line matches the x-amz-date header, as well as the first element in the
credential scope.
• The last line is the hex-encoded value for the hash of the canonical request.
Task 3: Calculate the Signature

In the steps outlined in Task 3: Calculate the Signature for AWS Signature Version 4 (p. 367), create a
signature with your signing key and the string to sign from the get-vanilla-query-order-key-
case.sts file.
The result generates the contents in the get-vanilla-query-order-key-case.authz file.
AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/
service/aws4_request, SignedHeaders=host;x-amz-date,
Signature=b97d918cfa904a5beff61c982a1b6f458b799221646efd99d3219ec94cdf2500
Task 4: Add the Signing Information to the Request

In the steps outlined in Task 4: Add the Signature to the HTTP Request (p. 369), add the signing
information generated in task 3 to the original request. For example, take the contents in the get-
vanilla-query-order-key-case.authz, add it to the Authorization header, and then add the
result to the get-vanilla-query-order-key-case.req.
Version 1.0
384
Test Suite
This creates the signed request in the get-vanilla-query-order-key-case.sreq file.

X-Amz-Date:20150830T123600Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/
us-east-1/service/aws4_request, SignedHeaders=host;x-amz-date,
Signature=b97d918cfa904a5beff61c982a1b6f458b799221646efd99d3219ec94cdf2500
Version 1.0
385
Troubleshooting
Troubleshooting AWS Signature Version 4 Errors

Topics
• Troubleshooting AWS Signature Version 4 Canonicalization Errors (p. 386)
• Troubleshooting AWS Signature Version 4 Credential Scope Errors (p. 387)
• Troubleshooting AWS Signature Version 4 Key Signing Errors (p. 388)
When you develop code that implements Signature Version 4, you might receive errors from AWS
products that you test against. The errors typically come from an error in the canonicalization of the
request, the incorrect derivation or use of the signing key, or a validation failure of signature-specific
parameters sent along with the request.
Troubleshooting AWS Signature Version 4 Canonicalization

Errors
Consider the following request:
https://iam.amazonaws.com/?MaxItems=100
&Action=ListGroupsForUser
&UserName=Test
&Version=2010-05-08
&X-Amz-Date=20120223T063000Z
&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE/20120223/us-east-1/iam/aws4_request
&X-Amz-SignedHeaders=host
&X-Amz-Signature=<calculated value>
If you incorrectly calculate the canonical request or the string to sign, the signature verification step
performed by the service fails. The following example is a typical error response, which includes the
canonical string and the string to sign as computed by the service. You can troubleshoot your calculation
error by comparing the returned strings with the canonical string and your calculated string to sign.
<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided.
Check your AWS Secret Access Key and signing method. Consult the service documentation for
details.
The canonical string for this request should have been 'GET /
Action=ListGroupsForUser&MaxItems=100&UserName=Test&Version=2010-05-08&X-Amz-
Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential
=AKIAIOSFODNN7EXAMPLE%2F20120223%2Fus-east-1%2Fiam%2Faws4_request&X-Amz-
Date=20120223T063000Z&X-Amz-SignedHeaders=host
host:iam.amazonaws.com
host
<hashed-value>'
The String-to-Sign should have been

'AWS4-HMAC-SHA256
20120223T063000Z
20120223/us-east-1/iam/aws4_request
<hashed-value>'
</Message>
</Error>
<RequestId>4ced6e96-5de8-11e1-aa78-a56908bdf8eb</RequestId>
Version 1.0
386
Troubleshooting
</ErrorResponse>
For testing with an SDK, we recommend troubleshooting by verifying each derivation step against known
values. For more information, see Signature Version 4 Test Suite (p. 383).
Troubleshooting AWS Signature Version 4 Credential Scope

Errors
AWS products validate credentials for proper scope; the credential parameter must specify the correct
service, Region, and date. For example, the following credential references the Amazon RDS service:
Credential=AKIAIOSFODNN7EXAMPLE/20120224/us-east-1/rds/aws4_request
If you use the same credentials to submit a request to IAM, you'll receive the following error response:
<Error>
<Type>Sender</Type>
<Message>Credential should be scoped to correct service: 'iam'. </Message>
</Error>
<RequestId>aa0da9de-5f2b-11e1-a2c0-c1dc98b6c575</RequestId>
The credential must also specify the correct Region. For example, the following credential for an IAM
request incorrectly specifies the US West (N. California) Region.
Credential=AKIAIOSFODNN7EXAMPLE/20120224/us-west-1/iam/aws4_request
If you use the credential to submit a request to IAM, which accepts only the us-east-1 Region
specification, you'll receive the following response:
comma-separated<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Message>Credential should be scoped to a valid Region, not 'us-west-1'. </Message>
</Error>
<RequestId>8e229682-5f27-11e1-88f2-4b1b00f424ae</RequestId>
</ErrorResponse>
You'll receive the same type of invalid Region response from AWS products that are available in multiple
Regions if you submit requests to a Region that differs from the Region specified in your credential
scope.
The credential must also specify the correct Region for the service and action in your request.
The date that you use as part of the credential must match the date value in the x-amz-date header.
For example, the following x-amz-date header value does not match the date value used in the
Credential parameter that follows it.
x-amz-date:"20120224T213559Z"
Credential=AKIAIOSFODNN7EXAMPLE/20120225/us-east-1/iam/aws4_request
If you use this pairing of x-amz-date header and credential, you'll receive the following error response:
Version 1.0
387
Troubleshooting
<Error>
<Type>Sender</Type>
<Message>Date in Credential scope does not match YYYYMMDD from ISO-8601 version of date
from HTTP: '20120225' != '20120224', from '20120 224T213559Z'.</Message>
</Error>
<RequestId>9d6ddd2b-5f2f-11e1-b901-a702cd369eb8</RequestId>
</ErrorResponse>
An expired signature can also generate an error response. For example, the following error response was
generated due to an expired signature.
<Error>
<Type>Sender</Type>
<Message>Signature expired: 20120306T074514Z is now earlier than 20120306T074556Z
(20120306T080056Z - 15 min.)</Message>
</Error>
<RequestId>fcc88440-5dec-11e1-b901-a702cd369eb8</RequestId>
</ErrorResponse>
Troubleshooting AWS Signature Version 4 Key Signing Errors

Errors that are caused by an incorrect derivation of the signing key or improper use of cryptography are
more difficult to troubleshoot. The error response will tell you that the signature does not match. If you
verified that the canonical string and the string to sign are correct, the cause of the signature mismatch
is most likely one of the two following issues:
• The secret access key does not match the access key ID that you specified in the Credential
parameter.
• There is a problem with your key derivation code.
To check whether the secret key matches the access key ID, you can use your secret key and access key ID
with a known working implementation. One way is to use one of the AWS SDKs to write a program that
makes a simple request to AWS using the access key ID and secret access key that you want to use.
To check whether your key derivation code is correct, you can compare it to our example derivation code.
For more information, see Examples of How to Derive a Signing Key for Signature Version 4 (p. 372).
Version 1.0
388
Service-Specific Reference
Service-Specific Reference for Signature Version 4

To learn more about making and signing HTTP requests in the context of specific AWS services, see the
documentation for the following services:
• Amazon API Gateway

• Amazon CloudSearch
• Amazon CloudWatch
• AWS Data Pipeline
• Amazon Elastic Compute Cloud (Amazon EC2)
• Amazon Elastic Transcoder
• Amazon S3 Glacier
• Amazon Mobile Analytics
• Amazon Relational Database Service (Amazon RDS)
• Amazon Simple Email Service (Amazon SES)
• Amazon Simple Queue Service (Amazon SQS)
• Amazon Simple Storage Service (Amazon S3)
• Amazon Simple Workflow Service (Amazon SWF)
• AWS WAF

You can use Signature Version 2 to sign API requests. However, we recommend that you sign your
request with Signature Version 4. For more information, see Signature Version 4 Signing Process (p. 352).
Supported Regions and Services

You can use Signature Version 2 to sign API requests for some AWS services in some AWS Regions.
Otherwise, you must use Signature Version 4 to sign API requests.
Regions that Support Signature Version 2
• US East (N. Virginia) Region

• US West (Oregon) Region
• EU (Ireland) Region
• Asia Pacific (Tokyo) Region
• Asia Pacific (Singapore) Region
• Asia Pacific (Sydney) Region
• South America (São Paulo) Region
Services that Support Signature Version 2
• Amazon EC2 Auto Scaling

• AWS CloudFormation
• Amazon CloudWatch
• AWS Elastic Beanstalk
Version 1.0
389
Components of a Query Request for Signature Version 2
• Amazon Elastic Compute Cloud (Amazon EC2)

• Elastic Load Balancing
• Amazon EMR
• Amazon ElastiCache
• AWS Identity and Access Management (IAM)
• AWS Import/Export
• Amazon Relational Database Service (Amazon RDS
• Amazon Simple Notification Service (Amazon SNS)
• Amazon Simple Queue Service (Amazon SQS)
• Amazon SimpleDB
Components of a Query Request for Signature

Version 2
AWS requires that each HTTP or HTTPS Query request formatted for Signature Version 2 contains the
following:
Endpoint
Also known as the host part of an HTTP request. This is the DNS name of the computer where you
send the Query request. This is different for each AWS Region. For the list of endpoints for each
service, see AWS Service Endpoints (p. 2).
Action
The action you want a web service to perform. This value determines the parameters used in the
request.
AWSAccessKeyId
A value distributed by AWS when you sign up for an AWS account.

SignatureMethod
The hash-based protocol used to calculate the signature. This can be either HMAC-SHA1 or HMAC-
SHA256 for Signature Version 2.
SignatureVersion
The version of the AWS signature protocol.

Timestamp
The time at which you make the request. Include this in the Query request to help prevent third
parties from intercepting your request.
Required and optional parameters
Each action has a set of required and optional parameters that define the API call.
Signature
The calculated value that ensures the signature is valid and has not been tampered.
The following is an example Amazon EMR Query request formatted as an HTTPS GET request.
• The endpoint, elasticmapreduce.amazonaws.com, is the default endpoint and maps to the Region
us-east-1.
• The action is DescribeJobFlows, which requests information about one or more job flows.
Version 1.0
390
How to Generate a Signature Version 2 for a Query Request
Note
In the actual Query request, there are no spaces or newline characters. The request is a
continuous line of text. The version below is formatted for human readability.
https://elasticmapreduce.amazonaws.com?
&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
&Action=DescribeJobFlows
&SignatureMethod=HmacSHA256
&SignatureVersion=2
&Timestamp=2011-10-03T15%3A19%3A30
&Version=2009-03-31
&Signature=calculated value
How to Generate a Signature Version 2 for a Query

Request
Web service requests are sent across the Internet and are vulnerable to tampering. To check that the
request has not been altered, AWS calculates the signature to determine if any of the parameters or
parameter values were changed en route. AWS requires a signature as part of every request.
Note
Be sure to URI encode the request. For example, blank spaces in your request should be encoded
as %20. Although an unencoded space is normally allowed by the HTTP protocol specification,
unencoded characters create an invalid signature in your Query request. Do not encode spaces
as a plus sign (+) as this will cause errors.
The following topics describe the steps needed to calculate a signature using AWS Signature Version 2.
Task 1: Format the Query Request

Before you can sign the Query request, format the request in a standardized (canonical) format. This is
needed because the different ways to format a Query request will result in different HMAC signatures.
Format the request in a canonical format before signing. This ensures your application and AWS will
calculate the same signature for a request.
To create the string to sign, you concatenate the Query request components. The following example
generates the string to sign for the following call to the Amazon EMR API.
Action=DescribeJobFlows
&Version=2009-03-31
&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
&SignatureVersion=2
&Timestamp=2011-10-03T15:19:30
Note
In the preceding request, the last four parameters (AWSAccessKeyID through Timestamp) are
called authentication parameters. They're required in every Signature Version 2 request. AWS
uses them to identify who is sending the request and whether to grant the requested access.
To create the string to sign (Signature Version 2)
1. Start with the request method (either GET or POST), followed by a newline character. For human
readability, the newline character is represented as \n.
Version 1.0
391
GET\n
2. Add the HTTP host header (endpoint) in lowercase, followed by a newline character. The port
information is omitted if it is the standard port for the protocol (port 80 for HTTP and port 443 for
HTTPS), but included if it is a nonstandard port.
elasticmapreduce.amazonaws.com\n
3. Add the URL-encoded version of each path segment of the URI, which is everything between the
HTTP host header to the question mark character (?) that begins the query string parameters,
followed by a newline character. Don't encode the forward slash (/) that delimits each path
segment.
In this example, if the absolute path is empty, use a forward slash (/).
/\n
4. a. Add the query string components, as UTF-8 characters which are URL encoded (hexadecimal
characters must be uppercase). You do not encode the initial question mark character (?) in the
request. For more information, see RFC 3986.
b. Sort the query string components by byte order. Byte ordering is case sensitive. AWS sorts these
components based on the raw bytes.
For example, this is the original order for the query string components.
Version=2009-03-31
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
SignatureVersion=2
SignatureMethod=HmacSHA256
Timestamp=2011-10-03T15%3A19%3A30
The query string components would be reorganized as the following:
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
SignatureMethod=HmacSHA256
SignatureVersion=2
Timestamp=2011-10-03T15%3A19%3A30
Version=2009-03-31
c. Separate parameter names from their values with the equal sign character (=), even if the value
is empty. Separate parameter and value pairs with the ampersand character (&). Concatenate
the parameters and their values to make one long string with no spaces. Spaces within a
parameter value are allowed, but must be URL encoded as %20. In the concatenated string,
period characters (.) are not escaped. RFC 3986 considers the period character an unreserved
character, so it is not URL encoded.
Note
RFC 3986 does not specify what happens with ASCII control characters, extended
UTF-8 characters, and other characters reserved by RFC 1738. Since any values may be
passed into a string value, these other characters should be percent encoded as %XY
where X and Y are uppercase hex characters. Extended UTF-8 characters take the form
%XY%ZA... (this handles multibytes).
Version 1.0
392
The following example shows the query string components, with the parameters concatenated with
the ampersand character (&), and sorted by byte order.
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Action=DescribeJobFlows&SignatureMethod=HmacSHA256&SignatureVer
5. To construct the finished canonical request, combine all the components from each step. As shown,
each component ends with a newline character.
GET\n
/\n
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Action=DescribeJobFlows&SignatureMethod=HmacSHA256&SignatureVer
Task 2: Calculate the Signature

After you've created the canonical string as described in Task 1: Format the Query Request (p. 391),
calculate the signature by creating a hash-based message authentication code (HMAC) that uses either
the HMAC-SHA1 or HMAC-SHA256 protocols. The HMAC-SHA256 is preferred.
In this example, the signature is calculated with the following canonical string and secret key as inputs to
a keyed hash function:
• Canonical query string:
GET\n
/\n
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Action=DescribeJobFlows&SignatureMethod=HmacSHA256&SignatureVersi
• Sample secret key:
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
The resulting signature must be base-64 encoded.
i91nKc4PWAt0JJIdXwz9HxZCJDdiy6cf%2FMj6vPxyYIs%3D
Add the resulting value to the query request as a Signature parameter. When you add this parameter
to the request, you must URI encode it just like any other parameter. You can use the signed request in
an HTTP or HTTPS call.
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Action=DescribeJobFlows&SignatureMethod=HmacSHA256&SignatureVersion
%2FMj6vPxyYIs%3D
Note
You can use temporary security credentials provided by AWS Security Token Service (AWS STS)
to sign a request. The process is the same as using long-term credentials, but requests require
an additional parameter for the security token.
Version 1.0
393
The following request uses a temporary access key ID and the SecurityToken parameter.
Example Example request with temporary security credentials
https://sdb.amazonaws.com/
?Action=GetAttributes
&AWSAccessKeyId=access-key-from-AWS Security Token Service
&DomainName=MyDomain
&ItemName=MyItem
&SignatureVersion=2
&Timestamp=2010-01-25T15%3A03%3A07-07%3A00
&Version=2009-04-15
&Signature=signature-calculated-using-the-temporary-access-key
&SecurityToken=session-token
For more information, see the following resources:
• The Amazon EMR Developer Guide has information about Amazon EMR API calls.
• The API documentation for each service has information about requirements and specific parameters
for an action.
• The AWS SDKs offer functions to generate Query request signatures. To see an example using the AWS
SDK for Java, see Using the Java SDK to Sign a Query Request (p. 395).
Troubleshooting Request Signatures Version 2

This section describes some error codes you might see when you are initially developing code to generate
the signature to sign Query requests.
SignatureDoesNotMatch Signing Error in a web service

The following error response is returned when a web service attempts to validate the request signature
by recalculating the signature value and generates a value that does not match the signature you
appended to the request. This can occur because the request was altered between the time you sent it
and the time it reached a web service endpoint (which is what the signature is designed to detect) or
because the signature was calculated improperly. A common cause of the following error message is not
properly creating the string to sign, such as forgetting to URL-encode characters such as the colon (:) and
the forward slash (/) in Amazon S3 bucket names.
<ErrorResponse xmlns="http://elasticmapreduce.amazonaws.com/doc/2009-03-31">
<Error>
<Type>Sender</Type>
<Message>The request signature we calculated does not match the signature you
provided.
Check your AWS Secret Access Key and signing method.
Consult the service documentation for details.</Message>
</Error>
<RequestId>7589637b-e4b0-11e0-95d9-639f87241c66</RequestId>
</ErrorResponse>
IncompleteSignature Signing Error in a web service

The following error indicates that signature is missing information or has been improperly formed.
Version 1.0
394
<ErrorResponse xmlns="http://elasticmapreduce.amazonaws.com/doc/2009-03-31">
<Error>
<Type>Sender</Type>
<Code>IncompleteSignature</Code>
<Message>Request must contain a signature that conforms to AWS standards</Message>
</Error>
<RequestId>7146d0dd-e48e-11e0-a276-bd10ea0cbb74</RequestId>
</ErrorResponse>
Using the Java SDK to Sign a Query Request

The following example uses the amazon.webservices.common package of the AWS SDK for Java to
generate an AWS Signature Version 2 Query request signature. To do so, it creates an RFC 2104-
compliant HMAC signature. For more information about HMAC, see HMAC: Keyed-Hashing for Message
Authentication.
Note
Java is used as an example implementation. You can use the programming language of your
choice to implement the HMAC algorithm to sign Query requests.
import java.security.SignatureException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import com.amazonaws.util.*;
/**
* This class defines common routines for generating
* authentication signatures for AWS Platform requests.
*/
public class Signature {
private static final String HMAC_SHA256_ALGORITHM = "HmacSHA256";
/**
* Computes RFC 2104-compliant HMAC signature.
* * @param data
* The signed data.
* @param key
* The signing key.
* @return
* The Base64-encoded RFC 2104-compliant HMAC signature.
* @throws
* java.security.SignatureException when signature generation fails
*/
public static String calculateRFC2104HMAC(String data, String key)
throws java.security.SignatureException
{
String result;
try {
// Get an hmac_sha256 key from the raw key bytes.

SecretKeySpec signingKey = new SecretKeySpec(key.getBytes("UTF-8"),
HMAC_SHA256_ALGORITHM);
// Get an hmac_sha256 Mac instance and initialize with the signing key.
Mac mac = Mac.getInstance(HMAC_SHA256_ALGORITHM);
mac.init(signingKey);
// Compute the hmac on input data bytes.

byte[] rawHmac = mac.doFinal(data.getBytes("UTF-8"));
// Base64-encode the hmac by using the utility in the SDK

result = BinaryUtils.toBase64(rawHmac);
Version 1.0
395
} catch (Exception e) {
throw new SignatureException("Failed to generate HMAC : " + e.getMessage());
}
return result;
}
}
Version 1.0
396
AWS SDK Features for Amazon S3 Client-Side Encryption
AWS SDK Support for Amazon S3

Client-Side Encryption
The following tables provide lists of cryptographic algorithms and features that are supported by the
language–specific AWS SDKs. For details about how to use the features for a particular SDK, see that
SDK's developer guide.
If you are new to cryptography, see Cryptography Basics in the AWS Key Management Service Developer
Guide to get familiar with terms and concepts.
Note
The AWS Encryption SDK is an encryption library that is separate from the language–specific
SDKs. You can use this encryption library to more easily implement encryption best practices in
your application. Unlike the Amazon S3 encryption clients in the language–specific AWS SDKs,
the AWS Encryption SDK is not tied to Amazon S3 and can be used to encrypt or decrypt data to
be stored anywhere.
The AWS Encryption SDK and the Amazon S3 encryption clients are not compatible because
they produce ciphertexts with different data formats. For more details on the AWS Encryption
SDK see the AWS Encryption SDK Developer Guide.
AWS SDK Features for Amazon S3 Client-Side

Encryption
In the following table, each column indicates whether an AWS SDK for a specific language supports the
features used in client-side encryption.
To use the Amazon S3 client-side encryption feature to encrypt data before uploading to Amazon S3,
you must provide a master key to the Amazon S3 encryption client. You can provide a client-side master
key or use the AWS KMS–managed master keys feature. The AWS KMS–managed master keys feature
provides an easy way to create and manage keys used to encrypt data. For more details about these
features, choose the links provided in the Feature column.
For details about how to use the features for a particular SDK, see the SDK's developer guide.
Feature Java .NET Ruby v2 CLI Boto3 PHP v3 JavaScriptGo C++
Amazon Yes Yes Yes No No Yes No Yes Yes

S3
client-
side
encryption
AWS Yes No Yes No No Yes No Yes Yes

KMS–
managed
master
keys
Version 1.0
397
Amazon S3 Encryption Client Cryptographic Algorithms
For more details about the Amazon S3 encryption client in each language–specific SDK that supports
client-side encryption, see the following blog posts.
• Client-Side Data Encryption for Amazon S3 Using the AWS SDK for Java
• Client Side Data Encryption with AWS SDK for .NET and Amazon S3
• Using Client-Side Encryption for S3 in the AWS SDK for Ruby
• Using the AWS SDK for Go Encryption Client
• Amazon S3 Encryption Client Now Available for C++ Developers
Amazon S3 Encryption Client Cryptographic

Algorithms
The following table lists the algorithms that each language–specific AWS SDK supports for encrypting
keys and data when using the Amazon S3 encryption client.
AlgorithmJava .NET Ruby v2 CLI Boto3 PHP v3 JavaScriptGo C++
AES/ Yes Yes Yes No No No No No No

ECB key
wrap
(not
recommended)
AES/ Yes No No No No No No No Yes

Wrap
key
wrap
RSA key Yes No Yes No No No No No No

wrap
AES/ Yes Yes Yes No No Yes No Yes Yes

CBC
content
encryption
(Encryption
Only
mode)
AES/ Yes No Yes No No Yes No Yes Yes

GCM
content
encryption
(Strict
Authentication
mode)
AES/ Yes No Yes No No No No No Yes

CTR
content
encryption
(Authenticated
mode
only
Version 1.0
398
Amazon S3 Encryption Client Cryptographic Algorithms
AlgorithmJava .NET Ruby v2 CLI Boto3 PHP v3 JavaScriptGo C++

used for
decrypting
in range
GETs)
For more details on Authenticated and Encryption-only modes, see the Amazon S3 Client-Side
Authenticated Encryption blog post.
Version 1.0
399
Paragraphs, Line Spacing, and Horizontal Lines
Using Markdown in AWS

The AWS Management Console supports the use of Markdown, a markup language, in certain fields. This
topic explains the types of Markdown formatting supported in the console.
Contents
• Paragraphs, Line Spacing, and Horizontal Lines (p. 400)
• Headings (p. 400)
• Text Formatting (p. 401)
• Links (p. 401)
• Lists (p. 401)
• Tables and Buttons (CloudWatch Dashboards) (p. 401)
Paragraphs, Line Spacing, and Horizontal Lines

Paragraphs are separated by a blank line. To insert a line break, use followed by a blank line.
Repeat this pair of lines to insert multiple blank lines in a row, as in the following example which inserts
two blank lines:

To create a horizontal line, type three hyphens in a row: ---
To create a text block with monospace type, first type a line that has only three of these characters: ```.
Then type the text, then another line that has only ```
```
This appears in a text box with a background shading.
The text is in monospace.
```
Headings
Headings are designated by the number sign (#). A single number sign and a space indicate a top-level
heading, two number signs create a second-level heading, and three number signs create a third-level
heading, as in the following examples.
# Top-level heading
## Second-level heading
### Third-level heading
Version 1.0
400
Text Formatting
Text Formatting
To format text as italic, surround it with a single underscore or asterisk on each side.
*This text appears in italics.*
To format text as bold, surround it with double underscores or double asterisks on each side.
**This text appears in bold.**
To format text as strikethrough, surround it with two tildes on each side.
~~This text appears in strikethrough.~~
Links
To add a clickable web link that appears as text, enter the link_text surrounded by square brackets,
followed by the full URL in parentheses.
Choose [link_text](http://my.example.com).
Lists
To format lines as part of a bulleted list, type them on separate lines with a single asterisk and then a
space, at the beginning of the line:
Here is a bulleted list:

* Ant
* Bug
* Caterpillar
To format lines as part of a numbered list, type them on separate lines with a number, period, and space
at the beginning of the line:
Here is a numbered list:

1. Do the first step
2. Do the next step
3. Do the final step
Tables and Buttons (CloudWatch Dashboards)

CloudWatch dashboards text widgets support Markdown tables and buttons.
To create a table, separate columns using vertical bars (|) and rows using new lines. To make the first row
a header row, add at least three hyphens for each column, and separate the columns using vertical bars.
The following is example Markdown text for a table.
Version 1.0
401
Tables and Buttons (CloudWatch Dashboards)
Table | Header
----|-----
Amazon Web Services | AWS
1 | 2
The example Markdown text above creates the following table.
Table Header
Amazon Web Services AWS
1 2
In a CloudWatch dashboard text widget, you can also format a web link to appear as a button by using
[button:Button text].
[button:Go to AWS](http://my.example.com)
[button:primary:This button stands out even more](http://my.example.com)
Version 1.0
402
Tag Naming and Usage Conventions
Tagging AWS Resources

Tags are custom attributes to your AWS resources that make it easier to identify, organize, and search for
resources. Each tag has two parts:
• A tag key (for example, CostCenter, Environment, or Project). Tag keys are case sensitive.
• An optional field known as a tag value (for example, 111122223333 or Production). Omitting the
tag value is the same as using an empty string. Like tag keys, tag values are case sensitive.
You can use tags to categorize resources by purpose, owner, environment, or other criteria. For more
information, see AWS Tagging Strategies.
You can add, change, or remove tags one resource at a time from each resource’s service console, service
API, or the AWS CLI.
Tag Naming and Usage Conventions

The following basic naming and usage conventions apply to tags:
• Each resource can have a maximum of 50 tags.

• For each resource, each tag key must be unique, and each tag key can have only one value.
• The maximum tag key length is 128 Unicode characters in UTF-8.
• The maximum tag value length is 256 Unicode characters in UTF-8.
• Allowed characters can vary by AWS service. For information about what characters you can use to tag
resources in a particular AWS service, see its documentation. In general, allowed characters in tags are
letters, numbers, spaces representable in UTF-8, and the following characters: . : + = @ _ / - (hyphen).
• Tag keys and values are case sensitive. As a best practice, decide on a strategy for capitalizing tags,
and consistently implement that strategy across all resource types. For example, decide whether to use
Costcenter, costcenter, or CostCenter, and use the same convention for all tags. Avoid using
similar tags with inconsistent case treatment.
• The aws: prefix is reserved for AWS use. You can't edit or delete a tag's key or value when the tag has
a tag key with the aws: prefix. Tags with a tag key with the aws: prefix do not count against your tags
per resource limit.
More Information on Tagging

This page provides general information on tagging AWS resources. For more information about tagging
resources in a particular AWS service, see its documentation. The following are also good sources of
information about tagging:
• For a list of services that support tagging, see the Resource Groups Tagging API Reference.
• For information about Tag Editor, see Working with Tag Editor in the AWS Resource Groups User Guide.
• For information about using tags to control access to AWS resources, see Control Access Using IAM
Tags in the IAM User Guide.
Version 1.0
403
Document Conventions
The following are the common typographical conventions for AWS technical publications.
Inline code (for example, commands, operations, parameters, constants, XML elements, and regular
expressions)
Formatting: Text in a monospace font
Example: java -version

Example blocks (for example, sample code and scripts)
Formatting: Text in a monospace font inside a shaded block
Example:
# ls -l /var/www/html/index.html
-rw-rw-r-- 1 root root 1872 Jun 21 09:33 /var/www/html/index.html
# date
Wed Jun 21 09:33:42 EDT 2006
Mutually exclusive options
Formatting: Text separated by vertical bars
Example: (start | stride | edge)

Optional parameters
Formatting: Text enclosed in square brackets
Example: [-n, -quiet]

Definitions
Formatting: Text in italics
Example: Amazon Machine Image (AMI)

Technical publications
Formatting: Text in italics
Example: Amazon Simple Storage Service Developer Guide

Elements in the user interface
Formatting: Text in bold
Example: Choose File, Properties.

User input (text that a user types)
Formatting: Text in a monospace font
Example: For the name, type my-new-resource.

Placeholder text for a required value
Formatting: Text in red italics
Version 1.0
404
Example:
aws ec2 register-image --image-location my-s3-bucket/image.manifest.xml
Version 1.0
405
AWS Glossary
Numbers and Symbols (p. 406) | A (p. 406) | B (p. 421) | C (p. 423) | D (p. 427) | E (p. 430) | F (p. 432) |
G (p. 433) | H (p. 434) | I (p. 435) | J (p. 437) | K (p. 437) | L (p. 438) | M (p. 439) | N (p. 441) | O (p. 442)
| P (p. 443) | Q (p. 446) | R (p. 447) | S (p. 450) | T (p. 455) | U (p. 457) | V (p. 458) | W (p. 459) | X, Y,
Z (p. 460)
Numbers and Symbols

100-continue A method that enables a client to see if a server can accept a request before
actually sending it. For large PUT requests, this method can save both time and
bandwidth charges.
A
Z (p. 460)
AAD See additional authenticated data.
access control list (ACL) A document that defines who can access a particular bucket (p. 423) or
object. Each bucket (p. 423) and object in Amazon S3 (p. 412) has an ACL.
The document defines what each type of user can do, such as write and read
permissions.
access identifiers See credentials.
access key The combination of an access key ID (p. 406) (like AKIAIOSFODNN7EXAMPLE)
and a secret access key (p. 451) (like wJalrXUtnFEMI/K7MDENG/
bPxRfiCYEXAMPLEKEY). You use access keys to sign API requests that you make
to AWS.
access key ID A unique identifier that's associated with a secret access key (p. 451); the
access key ID and secret access key are used together to sign programmatic AWS
requests cryptographically.
access key rotation A method to increase security by changing the AWS access key ID. This method
enables you to retire an old key at your discretion.
Version 1.0
406
access policy language A language for writing documents (that is, policies (p. 444)) that specify who can
access a particular AWS resource (p. 448) and under what conditions.
account A formal relationship with AWS that is associated with all of the following:
• The owner email address and password

• The control of resource (p. 448)s created under its umbrella
• Payment for the AWS activity related to those resources
The AWS account has permission to do anything and everything with all the
AWS account resources. This is in contrast to a user (p. 458), which is an entity
contained within the account.
account activity A webpage showing your month-to-date AWS usage and costs. The account
activity page is located at https://aws.amazon.com/account-activity/.
ACL See access control list (ACL).
ACM See AWS Certificate Manager (ACM).
ACM PCA See AWS Certificate Manager Private Certificate Authority (ACM PCA).
ACM Private CA See AWS Certificate Manager Private Certificate Authority (ACM PCA).
action An API function. Also called operation or call. The activity the principal (p. 445)
has permission to perform. The action is B in the statement "A has permission
to do B to C where D applies." For example, Jane sends a request to Amazon
SQS (p. 412) with Action=ReceiveMessage.
Amazon CloudWatch (p. 408): The response initiated by the change in an alarm's
state: for example, from OK to ALARM. The state change may be triggered by a
metric reaching the alarm threshold, or by a SetAlarmState request. Each alarm
can have one or more actions assigned to each state. Actions are performed
once each time the alarm changes to a state that has an action assigned, such as
an Amazon Simple Notification Service (p. 412) notification, an Amazon EC2
Auto Scaling (p. 409) policy (p. 444) execution or an Amazon EC2 (p. 409)
instance (p. 436) stop/terminate action.
active trusted signers A list showing each of the trusted signers you've specified and the IDs of the
corresponding active key pairs that Amazon CloudFront (p. 408) is aware of. To
be able to create working signed URLs, a trusted signer must appear in this list
with at least one key pair ID.
additional authenticated data Information that is checked for integrity but not encrypted, such as headers or
other contextual metadata.
administrative suspension Amazon EC2 Auto Scaling (p. 409) might suspend processes for Auto Scaling
group (p. 414) that repeatedly fail to launch instances. Auto Scaling groups
that most commonly experience administrative suspension have zero running
instances, have been trying to launch instances for more than 24 hours, and have
not succeeded in that time.
alarm An item that watches a single metric over a specified time period and triggers an
Amazon SNS (p. 412) topic (p. 457) or an Amazon EC2 Auto Scaling (p. 409)
policy (p. 444) if the value of the metric crosses a threshold value over a
predetermined number of time periods.
allow One of two possible outcomes (the other is deny (p. 428)) when an
IAM (p. 418) access policy (p. 444) is evaluated. When a user makes a request
Version 1.0
407
to AWS, AWS evaluates the request based on all permissions that apply to the
user and then returns either allow or deny.
Amazon API Gateway A fully managed service that makes it easy for developers to create, publish,
maintain, monitor, and secure APIs at any scale.
See Also https://aws.amazon.com/api-gateway.
Amazon AppStream 2.0 A fully managed, secure service for streaming desktop applications to users
without rewriting those applications.
See Also https://aws.amazon.com/appstream/.
Amazon Athena An interactive query service that makes it easy to analyze data in Amazon S3
using ANSI SQL. Athena is serverless, so there is no infrastructure to manage.
Athena scales automatically and is simple to use, so you can start analyzing your
datasets within seconds.
See Also https://aws.amazon.com/athena/.
Amazon Aurora A fully managed MySQL-compatible relational database engine that combines
the speed and availability of commercial databases with the simplicity and cost-
effectiveness of open-source databases.
See Also https://aws.amazon.com/rds/aurora/.
Amazon Chime A secure, real-time, unified communications service that transforms meetings by
making them more efficient and easier to conduct.
See Also https://aws.amazon.com/chime/.
Amazon Cloud Directory A service that provides a highly scalable directory store for your application’s
(Cloud Directory) multihierarchical data.
See Also https://aws.amazon.com/cloud-directory/.
Amazon CloudFront An AWS content delivery service that helps you improve the performance,
reliability, and availability of your websites and applications.
See Also https://aws.amazon.com/cloudfront.
Amazon CloudSearch A fully managed service in the AWS Cloud that makes it easy to set up, manage,
and scale a search solution for your website or application.
Amazon CloudWatch A web service that enables you to monitor and manage various metrics, and
configure alarm actions based on data from those metrics.
See Also https://aws.amazon.com/cloudwatch.
Amazon CloudWatch Events A web service that enables you to deliver a timely stream of system events that
describe changes in AWS resource (p. 448)s to AWS Lambda (p. 418) functions,
streams in Amazon Kinesis Data Streams (p. 411), Amazon Simple Notification
Service (p. 412) topics, or built-in targets.
Amazon CloudWatch Logs A web service for monitoring and troubleshooting your systems and applications
from your existing system, application, and custom log files. You can send your
existing log files to CloudWatch Logs and monitor these logs in near-real time.
Amazon Cognito A web service that makes it easy to save mobile user data, such as app
preferences or game state, in the AWS Cloud without writing any backend
code or managing any infrastructure. Amazon Cognito offers mobile identity
management and data synchronization across devices.
See Also https://aws.amazon.com/cognito/.
Amazon Connect A service solution that offers easy, self-service configuration and enables
dynamic, personal, and natural customer engagement at any scale.
Version 1.0
408
See Also https://aws.amazon.com/connect/.
Amazon Corretto A no-cost, multiplatform, production-ready distribution of the Open Java

Development Kit (OpenJDK).
See Also https://aws.amazon.com/corretto/.
Amazon DocumentDB (with A managed database service that you can use to set up, operate, and scale
MongoDB compatibility) MongoDB-compatible databases in the cloud.
See Also https://aws.amazon.com/documentdb/.
Amazon DynamoDB A fully managed NoSQL database service that provides fast and predictable
performance with seamless scalability.
See Also https://aws.amazon.com/dynamodb/.
Amazon DynamoDB Storage A storage backend for the Titan graph database implemented on top of Amazon
Backend for Titan DynamoDB. Titan is a scalable graph database optimized for storing and querying
graphs.
Amazon DynamoDB Streams An AWS service that captures a time-ordered sequence of item-level
modifications in any Amazon DynamoDB table, and stores this information in a
log for up to 24 hours. Applications can access this log and view the data items as
they appeared before and after they were modified, in near real time.
Amazon Elastic Block Store A service that provides block level storage volume (p. 459)s for use with EC2
(Amazon EBS) instance (p. 430)s.
See Also https://aws.amazon.com/ebs.
Amazon EBS-backed AMI A type of Amazon Machine Image (AMI) (p. 411) whose instance (p. 436)s use
an Amazon EBS (p. 409) volume (p. 459) as their root device. Compare this
with instances launched from instance store-backed AMI (p. 436)s, which use the
instance store (p. 436) as the root device.
Amazon Elastic Container A fully managed Docker container registry that makes it easy for developers to
Registry (Amazon ECR) store, manage, and deploy Docker container images. Amazon ECR is integrated
with Amazon Elastic Container Service (Amazon ECS) (p. 409) and AWS Identity
and Access Management (IAM) (p. 418).
See Also https://aws.amazon.com/ecr.
Amazon Elastic Container A highly scalable, fast, container (p. 425) management service that makes it
Service (Amazon ECS) easy to run, stop, and manage Docker containers on a cluster (p. 424) of EC2
instance (p. 430)s.
See Also https://aws.amazon.com/ecs.
Amazon ECS service A service for running and maintaining a specified number of task (p. 456)s
(instantiations of a task definition (p. 456)) simultaneously.
Amazon EC2 VM Import See https://aws.amazon.com/ec2/vm-import.

Connector
Amazon Elastic Compute A web service that enables you to launch and manage Linux/UNIX and Windows
Cloud (Amazon EC2) Server instance (p. 436)s in Amazon's data centers.
See Also https://aws.amazon.com/ec2.
Amazon EC2 Auto Scaling A web service designed to launch or terminate instance (p. 436)s automatically
based on user-defined policies (p. 444), schedules, and health check (p. 434)s.
See Also https://aws.amazon.com/ec2/autoscaling.
Amazon Elastic File System A file storage service for EC2 (p. 409) instance (p. 436)s. Amazon EFS is easy
(Amazon EFS) to use and provides a simple interface with which you can create and configure
Version 1.0
409
file systems. Amazon EFS storage capacity grows and shrinks automatically as you
add and remove files.
See Also https://aws.amazon.com/efs/.
Amazon EMR (Amazon EMR) A web service that makes it easy to process large amounts of data efficiently.
Amazon EMR uses Hadoop (p. 434) processing combined with several AWS
products to do such tasks as web indexing, data mining, log file analysis, machine
learning, scientific simulation, and data warehousing.
See Also https://aws.amazon.com/elasticmapreduce.
Amazon Elastic Transcoder A cloud-based media transcoding service. Elastic Transcoder is a highly scalable
tool for converting (or transcoding) media files from their source format into
versions that play on devices like smartphones, tablets, and PCs.
See Also https://aws.amazon.com/elastictranscoder/.
Amazon ElastiCache A web service that simplifies deploying, operating, and scaling an in-memory
cache in the cloud. The service improves the performance of web applications by
providing information retrieval from fast, managed, in-memory caches, instead of
relying entirely on slower disk-based databases.
See Also https://aws.amazon.com/elasticache/.
Amazon Elasticsearch Service An AWS managed service for deploying, operating, and scaling Elasticsearch, an
(Amazon ES) open-source search and analytics engine, in the AWS Cloud. Amazon Elasticsearch
Service (Amazon ES) also offers security options, high availability, data durability,
and direct access to the Elasticsearch API.
See Also https://aws.amazon.com/elasticsearch-service.
Amazon EventBridge A serverless event bus service that enables you to connect your applications
with data from a variety of sources and routes that data to targets such as AWS
Lambda. You can set up routing rules to determine where to send your data to
build application architectures that react in real time to all of your data sources.
See Also https://aws.amazon.com/eventbridge/.
Amazon GameLift A managed service for deploying, operating, and scaling session-based
multiplayer games.
See Also https://aws.amazon.com/gamelift/.
Amazon GuardDuty A continuous security monitoring service. Amazon GuardDuty can help to identify
unexpected and potentially unauthorized or malicious activity in your AWS
environment.
See Also https://aws.amazon.com/guardduty/.
Amazon Inspector An automated security assessment service that helps improve the security and
compliance of applications deployed on AWS. Amazon Inspector automatically
assesses applications for vulnerabilities or deviations from best practices. After
performing an assessment, Amazon Inspector produces a detailed report with
prioritized steps for remediation.
See Also https://aws.amazon.com/inspector.
Amazon Kinesis A platform for streaming data on AWS. Kinesis offers services that simplify the
loading and analysis of streaming data.
See Also https://aws.amazon.com/kinesis/.
Amazon Kinesis Data Firehose A fully managed service for loading streaming data into AWS. Kinesis Data
Firehose can capture and automatically load streaming data into Amazon
S3 (p. 412) and Amazon Redshift (p. 411), enabling near real-time analytics
with existing business intelligence tools and dashboards. Kinesis Data Firehose
automatically scales to match the throughput of your data and requires no
ongoing administration. It can also batch, compress, and encrypt the data before
loading it.
Version 1.0
410
See Also https://aws.amazon.com/kinesis/firehose/.
Amazon Kinesis Data Streams A web service for building custom applications that process or analyze streaming
data for specialized needs. Amazon Kinesis Data Streams can continuously
capture and store terabytes of data per hour from hundreds of thousands of
sources.
See Also https://aws.amazon.com/kinesis/streams/.
Amazon Lightsail Lightsail is designed to be the easiest way to launch and manage a virtual private
server with AWS. Lightsail offers bundled plans that include everything you need
to deploy a virtual private server, for a low monthly rate.
See Also https://aws.amazon.com/lightsail/.
Amazon Lumberyard A cross-platform, 3D game engine for creating high-quality games. You can
connect games to the compute and storage of the AWS Cloud and engage fans on
Twitch.
See Also https://aws.amazon.com/lumberyard/.
Amazon Machine Image (AMI) An encrypted machine image stored in Amazon Elastic Block Store (Amazon
EBS) (p. 409) or Amazon Simple Storage Service (p. 412). AMIs are like a
template of a computer's root drive. They contain the operating system and can
also include software and layers of your application, such as database servers,
middleware, web servers, and so on.
Amazon Machine Learning A cloud-based service that creates machine learning (ML) models by finding
patterns in your data, and uses these models to process new data and generate
predictions.
See Also http://aws.amazon.com/machine-learning/.
Amazon Macie A security service that uses machine learning to automatically discover, classify,
and protect sensitive data in AWS.
See Also http://aws.amazon.com/macie/.
Amazon Managed Blockchain A fully managed service for creating and managing scalable blockchain networks
using popular open source frameworks.
See Also http://aws.amazon.com/managed-blockchain/.
Amazon ML See Amazon Machine Learning.
Amazon Mobile Analytics A service for collecting, visualizing, understanding, and extracting mobile app
usage data at scale.
See Also https://aws.amazon.com/mobileanalytics.
Amazon MQ A managed message broker service for Apache ActiveMQ that makes it easy to set
up and operate message brokers in the cloud.
See Also https://aws.amazon.com/amazon-mq/.
Amazon Neptune A managed graph database service that you can use to build and run applications
that work with highly connected datasets. Neptune supports the popular graph
query languages Apache TinkerPop Gremlin and W3C’s SPARQL, enabling you to
build queries that efficiently navigate highly connected datasets.
See Also https://aws.amazon.com/neptune/.
Amazon QuickSight A fast, cloud-powered business analytics service that makes it easy to build
visualizations, perform analysis, and quickly get business insights from your data.
See Also https://aws.amazon.com/quicksight/.
Amazon Redshift A fully managed, petabyte-scale data warehouse service in the cloud. With
Amazon Redshift, you can analyze your data using your existing business
intelligence tools.
Version 1.0
411
See Also https://aws.amazon.com/redshift/.
Amazon Relational Database A web service that makes it easier to set up, operate, and scale a relational
Service (Amazon RDS) database in the cloud. It provides cost-efficient, resizable capacity for an industry-
standard relational database and manages common database administration
tasks.
See Also https://aws.amazon.com/rds.
Amazon Resource Name A standardized way to refer to an AWS resource (p. 448). For example:
(ARN) arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob.
Amazon Route 53 A web service you can use to create a new DNS service or to migrate your existing
DNS service to the cloud.
See Also https://aws.amazon.com/route53.
Amazon S3 See Amazon Simple Storage Service (Amazon S3).
Amazon S3-Backed AMI See instance store-backed AMI.
Amazon S3 Glacier A secure, durable, and low-cost storage service for data archiving and long-term
backup. You can reliably store large or small amounts of data for significantly less
than on-premises solutions. Glacier is optimized for infrequently accessed data,
where a retrieval time of several hours is suitable.
See Also https://aws.amazon.com/glacier/.
AWS Security Hub A service that provides a comprehensive view of the security state of your AWS
resources. Security Hub collects security data from AWS accounts and services and
helps you analyze your security trends to identify and prioritize the security issues
across your AWS environment.
See Also https://aws.amazon.com/security-hub/.
Amazon Silk A next-generation web browser available only on Fire OS tablets and phones.
Built on a split architecture that divides processing between the client and the
AWS Cloud, Amazon Silk is designed to create a faster, more responsive mobile
browsing experience.
Amazon Simple Email Service An easy-to-use, cost-effective email solution for applications.
(Amazon SES) See Also https://aws.amazon.com/ses.
Amazon Simple Notification A web service that enables applications, users, and devices to instantly send and
Service (Amazon SNS) receive notifications from the cloud.
See Also https://aws.amazon.com/sns.
Amazon Simple Queue Reliable and scalable hosted queues for storing messages as they travel between
Service (Amazon SQS) computers.
See Also https://aws.amazon.com/sqs.
Amazon Simple Storage Storage for the internet. You can use it to store and retrieve any amount of data
Service (Amazon S3) at any time, from anywhere on the web.
See Also https://aws.amazon.com/s3.
Amazon Simple Workflow A fully managed service that helps developers build, run, and scale background
Service (Amazon SWF) jobs that have parallel or sequential steps. Amazon SWF is like a state tracker and
task coordinator in the cloud.
See Also https://aws.amazon.com/swf/.
Amazon Sumerian A set of tools for creating and running high-quality 3D, augmented reality (AR),
and virtual reality (VR) applications on the web.
See Also https://aws.amazon.com/sumerian/.
Version 1.0
412
Amazon Textract A service that automatically extracts text and data from scanned documents.
Amazon Textract goes beyond simple optical character recognition (OCR) to also
identify the contents of fields in forms and information stored in tables.
See Also https://aws.amazon.com/textract/.
Amazon Virtual Private Cloud A web service for provisioning a logically isolated section of the AWS Cloud where
(Amazon VPC) you can launch AWS resource (p. 448)s in a virtual network that you define.
You control your virtual networking environment, including selection of your
own IP address range, creation of subnet (p. 455)s, and configuration of route
table (p. 449)s and network gateways.
See Also https://aws.amazon.com/vpc.
Amazon VPC See Amazon Virtual Private Cloud (Amazon VPC).
Amazon Web Services (AWS) An infrastructure web services platform in the cloud for companies of all sizes.
See Also https://aws.amazon.com/what-is-cloud-computing/.
Amazon WorkDocs A managed, secure enterprise document storage and sharing service with
administrative controls and feedback capabilities.
See Also https://aws.amazon.com/workdocs/.
Amazon WorkLink A cloud-based service that provides secure access to internal websites and web
apps from mobile devices.
See Also https://aws.amazon.com/worklink/.
Amazon WorkMail A managed, secure business email and calendar service with support for existing
desktop and mobile email clients.
See Also https://aws.amazon.com/workmail/.
Amazon WorkSpaces A managed, secure desktop computing service for provisioning cloud-
based desktops and providing users access to documents, applications, and
resource (p. 448)s from supported devices.
See Also https://aws.amazon.com/workspaces/.
Amazon WorkSpaces A web service for deploying and managing applications for Amazon WorkSpaces.
Application Manager (Amazon Amazon WAM accelerates software deployment, upgrades, patching, and
WAM) retirement by packaging Windows desktop applications into virtualized
application containers.
See Also https://aws.amazon.com/workspaces/applicationmanager.
AMI See Amazon Machine Image (AMI).
analysis scheme Amazon CloudSearch (p. 408): Language-specific text analysis options that
are applied to a text field to control stemming and configure stopwords and
synonyms.
application AWS Elastic Beanstalk (p. 417): A logical collection of components, including
environments, versions, and environment configurations. An application is
conceptually similar to a folder.
AWS CodeDeploy (p. 416): A name that uniquely identifies the application to be
deployed. AWS CodeDeploy uses this name to ensure the correct combination of
revision, deployment configuration, and deployment group are referenced during
a deployment.
Application Auto Scaling A web service that enables you to configure automatic scaling for AWS resources
beyond Amazon EC2, such as Amazon ECS services, Amazon EMR clusters, and
DynamoDB tables.
See Also https://aws.amazon.com/autoscaling/.
Version 1.0
413
Application Billing The location where your customers manage the Amazon DevPay products they've
purchased. The web address is http://www.amazon.com/dp-applications.
application revision AWS CodeDeploy (p. 416): An archive file containing source content—such
as source code, webpages, executable files, and deployment scripts—along
with an application specification file (p. 414). Revisions are stored in Amazon
S3 (p. 412) bucket (p. 423)s or GitHub (p. 434) repositories. For Amazon S3, a
revision is uniquely identified by its Amazon S3 object key and its ETag, version, or
both. For GitHub, a revision is uniquely identified by its commit ID.
application specification file AWS CodeDeploy (p. 416): A YAML-formatted file used to map the source files
in an application revision to destinations on the instance. The file is also used to
specify custom permissions for deployed files and specify scripts to be run on
each instance at various stages of the deployment process.
application version AWS Elastic Beanstalk (p. 417): A specific, labeled iteration of an application
that represents a functionally consistent set of deployable application code. A
version points to an Amazon S3 (p. 412) object (a JAVA WAR file) that contains
the application code.
AppSpec file See application specification file.
AUC Area Under a Curve. An industry-standard metric to evaluate the quality of a

binary classification machine learning model. AUC measures the ability of the
model to predict a higher score for positive examples, those that are “correct,”
than for negative examples, those that are “incorrect.” The AUC metric returns a
decimal value from 0 to 1. AUC values near 1 indicate an ML model that is highly
accurate.
ARN See Amazon Resource Name (ARN).
artifact AWS CodePipeline (p. 416): A copy of the files or changes that will be worked
upon by the pipeline.
asymmetric encryption Encryption (p. 431) that uses both a public key and a private key.
asynchronous bounce A type of bounce (p. 422) that occurs when a receiver (p. 447) initially accepts
an email message for delivery and then subsequently fails to deliver it.
atomic counter DynamoDB: A method of incrementing or decrementing the value of an existing

attribute without interfering with other write requests.
attribute A fundamental data element, something that does not need to be broken
down any further. In DynamoDB, attributes are similar in many ways to fields or
columns in other database systems.
Amazon Machine Learning: A unique, named property within an observation in a

dataset. In tabular data, such as spreadsheets or comma-separated values (.csv)
files, the column headings represent the attributes, and the rows contain values
for each attribute.
Aurora See the section called “Amazon Aurora”.
authenticated encryption Encryption (p. 431) that provides confidentiality, data integrity, and authenticity
assurances of the encrypted data.
authentication The process of proving your identity to a system.
Auto Scaling group A representation of multiple EC2 instance (p. 430)s that share similar
characteristics, and that are treated as a logical grouping for the purposes of
instance scaling and management.
Version 1.0
414
Availability Zone A distinct location within a Region (p. 447) that is insulated from failures
in other Availability Zones, and provides inexpensive, low-latency network
connectivity to other Availability Zones in the same Region.
AWS See Amazon Web Services (AWS).
AWS Application Discovery A web service that helps you plan to migrate to AWS by identifying IT assets
Service in a data center—including servers, virtual machines, applications, application
dependencies, and network infrastructure.
See Also https://aws.amazon.com/about-aws/whats-new/2016/04/aws-
application-discovery-service/.
AWS AppSync An enterprise level, fully managed GraphQL service with real-time data
synchronization and offline programming features.
See Also https://aws.amazon.com/appsync/.
AWS Auto Scaling A fully managed service that enables you to quickly discover the scalable AWS
resources that are part of your application and configure dynamic scaling.
See Also https://aws.amazon.com/autoscaling/.
AWS Backup A managed backup service that you can use to centralize and automate the
backup of data across AWS services in the cloud and on premises.
See Also https://aws.amazon.com/backup/.
AWS Billing and Cost The AWS Cloud computing model in which you pay for services on demand and
Management use as much or as little as you need. While resource (p. 448)s are active under
your account, you pay for the cost of allocating those resources. You also pay for
any incidental usage associated with those resources, such as data transfer or
allocated storage.
See Also https://aws.amazon.com/billing/new-user-faqs/.
AWS Blockchain Templates A service for creating and deploying open-source blockchain frameworks on AWS,
such as Ethereum and Hyperledger Fabric.
See Also https://aws.amazon.com/blockchain/templates/.
AWS Certificate Manager A web service for provisioning, managing, and deploying Secure Sockets
(ACM) Layer/Transport Layer Security (p. 457) (SSL/TLS) certificates for use with AWS
services.
See Also https://aws.amazon.com/certificate-manager/.
AWS Certificate Manager A hosted private certificate authority service for issuing and revoking private
Private Certificate Authority digital certificate (p. 424)s.
(ACM PCA) See Also https://aws.amazon.com/certificate-manager/private-certificate-
authority/.
AWS Cloud Development Kit An open-source software development framework for defining your cloud
(AWS CDK) infrastructure in code and provisioning it through AWS CloudFormation.
See Also https://aws.amazon.com/cdk/.
AWS Cloud Map A service that you use to create and maintain a map of the backend services and
resources that your applications depend on. AWS Cloud Map lets you name and
discover your cloud resources.
See Also https://aws.amazon.com/cloud-map.
AWS Cloud9 A cloud-based integrated development environment (IDE) that you use to write,
run, and debug code.
See Also https://aws.amazon.com/cloud9/.
AWS CloudFormation A service for writing or changing templates that create and delete related AWS
resource (p. 448)s together as a unit.
Version 1.0
415
See Also https://aws.amazon.com/cloudformation.
AWS CloudHSM A web service that helps you meet corporate, contractual, and regulatory
compliance requirements for data security by using dedicated hardware security
module (HSM) appliances within the AWS Cloud.
See Also https://aws.amazon.com/cloudhsm/.
AWS CloudTrail A web service that records AWS API calls for your account and delivers log files to
you. The recorded information includes the identity of the API caller, the time of
the API call, the source IP address of the API caller, the request parameters, and
the response elements returned by the AWS service.
See Also https://aws.amazon.com/cloudtrail/.
AWS CodeBuild A fully managed continuous integration service that compiles source code, runs
tests, and produces software packages that are ready to deploy.
See Also https://aws.amazon.com/codebuild.
AWS CodeCommit A fully managed source control service that makes it easy for companies to host
secure and highly scalable private Git repositories.
See Also https://aws.amazon.com/codecommit.
AWS CodeDeploy A service that automates code deployments to any instance, including EC2
instance (p. 430)s and instance (p. 436)s running on-premises.
See Also https://aws.amazon.com/codedeploy.
AWS CodeDeploy agent A software package that, when installed and configured on an instance, enables
that instance to be used in CodeDeploy deployments.
AWS CodePipeline A continuous delivery service for fast and reliable application updates.
See Also https://aws.amazon.com/codepipeline.
AWS Command Line Interface A unified downloadable and configurable tool for managing AWS services.
(AWS CLI) Control multiple AWS services from the command line and automate them
through scripts.
See Also https://aws.amazon.com/cli/.
AWS Config A fully managed service that provides an AWS resource (p. 448) inventory,
configuration history, and configuration change notifications for better security
and governance. You can create rules that automatically check the configuration
of AWS resources that AWS Config records.
See Also https://aws.amazon.com/config/.
AWS Database Migration A web service that can help you migrate data to and from many widely used
Service commercial and open-source databases.
See Also https://aws.amazon.com/dms.
AWS Data Pipeline A web service for processing and moving data between different AWS compute
and storage services, as well as on-premises data sources, at specified intervals.
See Also https://aws.amazon.com/datapipeline.
AWS Device Farm An app testing service that allows developers to test Android, iOS, and Fire OS
devices on real, physical phones and tablets that are hosted by AWS.
See Also https://aws.amazon.com/device-farm.
AWS Direct Connect A web service that simplifies establishing a dedicated network connection
from your premises to AWS. Using AWS Direct Connect, you can establish
private connectivity between AWS and your data center, office, or colocation
environment.
See Also https://aws.amazon.com/directconnect.
Version 1.0
416
AWS Directory Service A managed service for connecting your AWS resource (p. 448)s to an existing
on-premises Microsoft Active Directory or to set up and operate a new,
standalone directory in the AWS Cloud.
See Also https://aws.amazon.com/directoryservice.
AWS Elastic Beanstalk A web service for deploying and managing applications in the AWS Cloud without
worrying about the infrastructure that runs those applications.
See Also https://aws.amazon.com/elasticbeanstalk.
AWS Elemental MediaConnect A service that lets broadcasters and other premium video providers reliably ingest
live video into the AWS Cloud and distribute it to multiple destinations inside or
outside the AWS Cloud.
See Also https://aws.amazon.com/mediaconnect.
AWS Elemental MediaConvert A file-based video conversion service that transforms media into formats required
for traditional broadcast and for internet streaming to multi-screen devices.
See Also https://aws.amazon.com/mediaconvert.
AWS Elemental MediaLive A video service that lets you create live outputs for broadcast and streaming
delivery.
See Also https://aws.amazon.com/medialive.
AWS Elemental MediaPackage A just-in-time packaging and origination service that lets you format highly
secure and reliable live outputs for a variety of devices.
See Also https://aws.amazon.com/mediapackage.
AWS Elemental MediaStore A storage service optimized for media that provides the performance, consistency,
and low latency required to deliver live and on-demand video content at scale.
See Also https://aws.amazon.com/mediastore.
AWS Elemental MediaTailor A video service that lets you serve targeted ads to viewers while maintaining
broadcast quality in over-the-top (OTT) video applications.
See Also https://aws.amazon.com/mediatailor.
AWS Firewall Manager A service that you use with AWS WAF to simplify your AWS WAF administration
and maintenance tasks across multiple accounts and resources. With AWS Firewall
Manager, you set up your firewall rules just once. The service automatically
applies your rules across your accounts and resources, even as you add new
resources.
See Also https://aws.amazon.com/firewall-manager.
AWS Global Accelerator A network layer service that you use to create accelerators that direct traffic to
optimal endpoints over the AWS global network. This improves the availability
and performance of your internet applications that are used by a global audience.
See Also https://aws.amazon.com/global-accelerator.
AWS Glue A fully managed extract, transform, and load (ETL) (p. 432) service that you can
use to catalog data and load it for analytics. With AWS Glue, you can discover
your data, develop scripts to transform sources into targets, and schedule and run
ETL jobs in a serverless environment.
See Also https://aws.amazon.com/glue.
AWS GovCloud (US) An isolated AWS Region designed to host sensitive workloads in the cloud,
ensuring that this work meets the US government's regulatory and compliance
requirements. The AWS GovCloud (US) Region adheres to United States
International Traffic in Arms Regulations (ITAR), Federal Risk and Authorization
Management Program (FedRAMP) requirements, Department of Defense (DOD)
Cloud Security Requirements Guide (SRG) Levels 2 and 4, and Criminal Justice
Information Services (CJIS) Security Policy requirements.
Version 1.0
417
See Also https://aws.amazon.com/govcloud-us/.
AWS Identity and Access A web service that enables Amazon Web Services (AWS) (p. 413) customers to
Management (IAM) manage users and user permissions within AWS.
See Also https://aws.amazon.com/iam.
AWS Import/Export A service for transferring large amounts of data between AWS and portable
storage devices.
See Also https://aws.amazon.com/importexport.
AWS IoT Core A managed cloud platform that lets connected devices easily and securely
interact with cloud applications and other devices.
See Also https://aws.amazon.com/iot.
AWS IoT 1-Click A service that enables simple devices to trigger AWS Lambda functions that can
execute an action.
See Also https://aws.amazon.com/iot-1-click.
AWS IoT Analytics A fully managed service used to run sophisticated analytics on massive volumes
of IoT data.
See Also https://aws.amazon.com/iot-analytics.
AWS IoT Device Defender An AWS IoT security service that allows you to audit the configuration of your
devices, monitor your connected devices to detect abnormal behavior, and to
mitigate security risks.
See Also https://aws.amazon.com/iot-device-defender.
AWS IoT Device Management A service used to securely onboard, organize, monitor, and remotely manage IoT
devices at scale.
See Also https://aws.amazon.com/iot-device-management.
AWS IoT Events A fully managed AWS IoT service that makes it easy to detect and respond to
events from IoT sensors and applications.
See Also https://aws.amazon.com/iot-events.
AWS IoT Greengrass Software that lets you run local compute, messaging, data caching, sync, and ML
inference capabilities for connected devices in a secure way.
See Also https://aws.amazon.com/greengrass.
AWS IoT Things Graph A service that makes it easy to visually connect different devices and web services
to build IoT applications.
See Also https://aws.amazon.com/iot-things-graph.
AWS Key Management A managed service that simplifies the creation and control of
Service (AWS KMS) encryption (p. 431) keys that are used to encrypt data.
See Also https://aws.amazon.com/kms.
AWS Lambda A web service that lets you run code without provisioning or managing servers.
You can run code for virtually any type of application or backend service with zero
administration. You can set up your code to automatically trigger from other AWS
services or call it directly from any web or mobile app.
See Also https://aws.amazon.com/lambda/.
AWS managed key One type of customer master key (CMK) (p. 427) in AWS Key Management
Service (AWS KMS) (p. 418).
AWS managed policy An IAM (p. 418) managed policy (p. 439) that is created and managed by AWS.
AWS Management Console A graphical interface to manage compute, storage, and other cloud
resource (p. 448)s.
Version 1.0
418
See Also https://aws.amazon.com/console.
AWS Management Portal for A web service for managing your AWS resource (p. 448)s using VMware
vCenter vCenter. You install the portal as a vCenter plugin within your existing vCenter
environment. Once installed, you can migrate VMware VMs to Amazon
EC2 (p. 409) and manage AWS resources from within vCenter.
See Also https://aws.amazon.com/ec2/vcenter-portal/.
AWS Marketplace A web portal where qualified partners market and sell their software to AWS
customers. AWS Marketplace is an online software store that helps customers
find, buy, and immediately start using the software and services that run on AWS.
See Also https://aws.amazon.com/partners/aws-marketplace/.
AWS Mobile Hub An integrated console that for building, testing, and monitoring mobile apps.
See Also https://aws.amazon.com/mobile.
AWS Mobile SDK A software development kit whose libraries, code examples, and documentation
help you build high quality mobile apps for the iOS, Android, Fire OS, Unity, and
Xamarin platforms.
See Also https://aws.amazon.com/mobile/sdk.
AWS OpsWorks A configuration management service that helps you use Chef to configure and
operate groups of instances and applications. You can define the application’s
architecture and the specification of each component including package
installation, software configuration, and resource (p. 448)s such as storage. You
can automate tasks based on time, load, lifecycle events, and more.
See Also https://aws.amazon.com/opsworks/.
AWS Organizations An account management service that enables you to consolidate multiple AWS
accounts into an organization that you create and centrally manage.
See Also https://aws.amazon.com/organizations/.
AWS Resource Access A service that lets you share your resources with any AWS account or organization
Manager in AWS Organizations.
See Also https://aws.amazon.com/ram/.
AWS ParallelCluster An AWS supported open source cluster management tool that helps you to
deploy and manage high performance computing (HPC) clusters in the AWS
Cloud.
AWS SDK for C++ A software development kit for that provides C++ APIs for many AWS
services including Amazon S3 (p. 412), Amazon EC2 (p. 409), Amazon
DynamoDB (p. 409), and more. The single, downloadable package includes the
AWS C++ library, code examples, and documentation.
See Also https://aws.amazon.com/sdk-for-cpp/.
AWS SDK for Go A software development kit for integrating your Go application with the full suite
of AWS services.
See Also https://aws.amazon.com/sdk-for-go/.
AWS SDK for Java A software development kit that provides Java APIs for many AWS
services including Amazon S3 (p. 412), Amazon EC2 (p. 409), Amazon
DynamoDB (p. 409), and more. The single, downloadable package includes the
AWS Java library, code examples, and documentation.
See Also https://aws.amazon.com/sdk-for-java/.
AWS SDK for JavaScript in the A software development kit for accessing AWS services from JavaScript code
Browser running in the browser. Authenticate users through Facebook, Google, or Login
with Amazon using web identity federation. Store application data in Amazon
DynamoDB (p. 409), and save user files to Amazon S3 (p. 412).
Version 1.0
419
See Also https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/.
AWS SDK for JavaScript in A software development kit for accessing AWS services from JavaScript in
Node.js Node.js. The SDK provides JavaScript objects for AWS services, including Amazon
S3 (p. 412), Amazon EC2 (p. 409), Amazon DynamoDB (p. 409), and Amazon
Simple Workflow Service (Amazon SWF) (p. 412) . The single, downloadable
package includes the AWS JavaScript library and documentation.
See Also https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/.
AWS SDK for .NET A software development kit that provides .NET API actions for AWS services
including Amazon S3 (p. 412), Amazon EC2 (p. 409), IAM (p. 418), and more.
You can download the SDK as multiple service-specific packages on NuGet.
See Also https://aws.amazon.com/sdk-for-net/.
AWS SDK for PHP A software development kit and open-source PHP library for integrating your
PHP application with AWS services like Amazon S3 (p. 412), Amazon S3
Glacier (p. 412), and Amazon DynamoDB (p. 409).
See Also https://aws.amazon.com/sdk-for-php/.
AWS SDK for Python (Boto) A software development kit for using Python to access AWS services like Amazon
EC2 (p. 409), Amazon EMR (p. 410), Amazon EC2 Auto Scaling (p. 409),
Amazon Kinesis (p. 410), AWS Lambda (p. 418), and more.
See Also http://boto.readthedocs.org/en/latest/.
AWS SDK for Ruby A software development kit for accessing AWS services from Ruby. The SDK
provides Ruby classes for many AWS services including Amazon S3 (p. 412),
Amazon EC2 (p. 409), Amazon DynamoDB (p. 409). and more. The single,
downloadable package includes the AWS Ruby Library and documentation.
See Also https://aws.amazon.com/sdk-for-ruby/.
AWS Security Token Service A web service for requesting temporary, limited-privilege credentials for AWS
(AWS STS) Identity and Access Management (IAM) (p. 418) users or for users that you
authenticate (federated users (p. 433)).
See Also https://aws.amazon.com/iam/.
AWS Service Catalog A web service that helps organizations create and manage catalogs of IT services
that are approved for use on AWS. These IT services can include everything from
virtual machine images, servers, software, and databases to complete multitier
application architectures.
See Also https://aws.amazon.com/servicecatalog/.
AWS Shield A service that helps to protect your resources—such as Amazon EC2 instances,
Elastic Load Balancing load balancers, Amazon CloudFront distributions, and
Route 53 hosted zones—against DDoS attacks. AWS Shield is automatically
included at no extra cost beyond what you already pay for AWS WAF and your
other AWS services. For added protection against DDoS attacks, AWS offers AWS
Shield Advanced.
See Also https://aws.amazon.com/shield.
AWS Single Sign-On A cloud-based service that simplifies managing SSO access to AWS accounts and
business applications. You can control SSO access and user permissions across all
your AWS accounts in AWS Organizations.
See Also https://aws.amazon.com/single-sign-on/.
AWS Step Functions A web service that coordinates the components of distributed applications as a
series of steps in a visual workflow.
See Also https://aws.amazon.com/step-functions/.
AWS Snowball A petabyte-scale data transport solution that uses devices designed to be secure
to transfer large amounts of data into and out of the AWS Cloud.
Version 1.0
420
See Also https://aws.amazon.com/snowball.
AWS Storage Gateway A web service that connects an on-premises software appliance with cloud-based
storage. AWS Storage Gateway provides seamless and secure integration between
an organization’s on-premises IT environment and AWS storage infrastructure.
See Also https://aws.amazon.com/storagegateway/.
AWS Toolkit for Eclipse An open-source plugin for the Eclipse Java integrated development environment
(IDE) that makes it easier to develop, debug, and deploy Java applications using
Amazon Web Services.
See Also https://aws.amazon.com/eclipse/.
AWS Toolkit for JetBrains An open-source plugin for the integrated development environments (IDEs)
from JetBrains that makes it easier to develop, debug, and deploy serverless
applications using Amazon Web Services.
See Also https://aws.amazon.com/intellij/, https://aws.amazon.com/pycharm/.
AWS Toolkit for Visual Studio An extension for Visual Studio that helps in developing, debugging, and
deploying .NET applications using Amazon Web Services.
See Also https://aws.amazon.com/visualstudio/.
AWS Toolkit for Visual Studio An open-source plugin for the Visual Studio Code (VS Code) editor that makes it
Code easier to develop, debug, and deploy applications using Amazon Web Services.
See Also https://aws.amazon.com/visualstudiocode/.
AWS Tools for Windows A set of PowerShell cmdlets to help developers and administrators manage their
PowerShell AWS services from the Windows PowerShell scripting environment.
See Also https://aws.amazon.com/powershell/.
AWS Tools for Microsoft Provides tasks you can use in build and release definitions in VSTS to interact with
Visual Studio Team Services AWS services.
See Also https://aws.amazon.com/vsts/.
AWS Trusted Advisor A web service that inspects your AWS environment and makes recommendations
for saving money, improving system availability and performance, and helping to
close security gaps.
See Also https://aws.amazon.com/premiumsupport/trustedadvisor/.
AWS VPN CloudHub Enables secure communication between branch offices using a simple hub-and-
spoke model, with or without a VPC (p. 459).
AWS WAF A web application firewall service that controls access to content by allowing or
blocking web requests based on criteria that you specify. For example, you can
filter access based on the header values or the IP addresses that the requests
originate from. AWS WAF helps protect web applications from common web
exploits that could affect application availability, compromise security, or
consume excessive resources.
See Also https://aws.amazon.com/waf/.
AWS X-Ray A web service that collects data about requests that your application serves. X-
Ray provides tools that you can use to view, filter, and gain insights into that data
to identify issues and opportunities for optimization.
See Also https://aws.amazon.com/xray/.
B
Version 1.0
421
Z (p. 460)
basic monitoring Monitoring of AWS provided metrics derived at a 5-minute frequency.
batch See document batch.
BGP ASN Border Gateway Protocol Autonomous System Number. A unique identifier for a
network, for use in BGP routing. Amazon EC2 (p. 409) supports all 2-byte ASN
numbers in the range of 1 – 65335, with the exception of 7224, which is reserved.
batch prediction Amazon Machine Learning: An operation that processes multiple input data
observations at one time (asynchronously). Unlike real-time predictions, batch
predictions are not available until all predictions have been processed.
See Also real-time predictions.
billing See AWS Billing and Cost Management.
binary attribute Amazon Machine Learning: An attribute for which one of two possible values is
possible. Valid positive values are 1, y, yes, t, and true answers. Valid negative
values are 0, n, no, f, and false. Amazon Machine Learning outputs 1 for positive
values and 0 for negative values.
See Also attribute.
binary classification model Amazon Machine Learning: A machine learning model that predicts the answer to
questions where the answer can be expressed as a binary variable. For example,
questions with answers of “1” or “0”, “yes” or “no”, “will click” or “will not click”
are questions that have binary answers. The result for a binary classification
model is always either a “1” (for a “true” or affirmative answers) or a “0” (for a
“false” or negative answers).
blacklist A list of IP addresses, email addresses, or domains that an internet service

provider (p. 436) suspects to be the source of spam (p. 453). The ISP blocks
incoming email from these addresses or domains.
block A dataset. Amazon EMR (p. 410) breaks large amounts of data into subsets. Each
subset is called a data block. Amazon EMR assigns an ID to each block and uses a
hash table to keep track of block processing.
block device A storage device that supports reading and (optionally) writing data in fixed-size
blocks, sectors, or clusters.
block device mapping A mapping structure for every AMI (p. 411) and instance (p. 436) that specifies
the block devices attached to the instance.
blue/green deployment CodeDeploy: A deployment method in which the instances in a deployment

group (the original environment) are replaced by a different set of instances (the
replacement environment).
bootstrap action A user-specified default or custom action that runs a script or an application on
all nodes of a job flow before Hadoop (p. 434) starts.
Border Gateway Protocol See BGP ASN.

Autonomous System Number
bounce A failed email delivery attempt.
breach Amazon EC2 Auto Scaling (p. 409): The condition in which a user-set
threshold (upper or lower boundary) is passed. If the duration of the breach is
significant, as set by a breach duration parameter, it can possibly start a scaling
activity (p. 450).
Version 1.0
422
bucket Amazon Simple Storage Service (Amazon S3) (p. 412): A container for stored
objects. Every object is contained in a bucket. For example, if the object named
photos/puppy.jpg is stored in the johnsmith bucket, then authorized users
can access the object with the URL http://johnsmith.s3.amazonaws.com/
photos/puppy.jpg.
bucket owner The person or organization that owns a bucket (p. 423) in Amazon S3 (p. 412).
Just as Amazon is the only owner of the domain name Amazon.com, only one
person or organization can own a bucket.
bundling A commonly used term for creating an Amazon Machine Image (AMI) (p. 411). It
specifically refers to creating instance store-backed AMI (p. 436)s.
C
Z (p. 460)
cache cluster A logical cache distributed over multiple cache node (p. 423)s. A cache cluster
can be set up with a specific number of cache nodes.
cache cluster identifier Customer-supplied identifier for the cache cluster that must be unique for that
customer in an AWS Region (p. 447).
cache engine version The version of the Memcached service that is running on the cache node.
cache node A fixed-size chunk of secure, network-attached RAM. Each cache node runs an
instance of the Memcached service, and has its own DNS name and port. Multiple
types of cache nodes are supported, each with varying amounts of associated
memory.
cache node type An EC2 instance (p. 430) type used to run the cache node.
cache parameter group A container for cache engine parameter values that can be applied to one or more
cache clusters.
cache security group A group maintained by ElastiCache that combines inbound authorizations
to cache nodes for hosts belonging to Amazon EC2 (p. 409) security
group (p. 451)s specified through the console or the API or command line tools.
canned access policy A standard access control policy that you can apply to a bucket (p. 423)
or object. Options include: private, public-read, public-read-write, and
authenticated-read.
canonicalization The process of converting data into a standard format that a service such as
Amazon S3 (p. 412) can recognize.
capacity The amount of available compute size at a given time. Each Auto Scaling
group (p. 414) is defined with a minimum and maximum compute size. A scaling
activity (p. 450) increases or decreases the capacity within the defined minimum
and maximum values.
Cartesian product processor A processor that calculates a Cartesian product. Also known as a Cartesian data
processor.
Cartesian product A mathematical operation that returns a product from multiple sets.
Version 1.0
423
CDN See content delivery network (CDN).
certificate A credential that some AWS products use to authenticate AWS account (p. 407)s
and users. Also known as an X.509 certificate (p. 460) . The certificate is paired
with a private key.
chargeable resources Features or services whose use incurs fees. Although some AWS products are
free, others include charges. For example, in an AWS CloudFormation (p. 415)
stack (p. 454), AWS resource (p. 448)s that have been created incur charges.
The amount charged depends on the usage load. Use the Amazon Web Services
Simple Monthly Calculator at http://calculator.s3.amazonaws.com/calc5.html to
estimate your cost prior to creating instances, stacks, or other resources.
CIDR block Classless Inter-Domain Routing. An internet protocol address allocation and route
aggregation methodology.
See Also Classless Inter-Domain Routing in Wikipedia.
ciphertext Information that has been encrypted (p. 431), as opposed to plaintext (p. 444),
which is information that has not.
ClassicLink A feature for linking an EC2-Classic instance (p. 436) to a VPC (p. 459),
allowing your EC2-Classic instance to communicate with VPC instances using
private IP addresses.
See Also link to VPC, unlink from VPC.
classification In machine learning, a type of problem that seeks to place (classify) a data sample
into a single category or “class.” Often, classification problems are modeled to
choose one category (class) out of two. These are binary classification problems.
Problems with more than two available categories (classes) are called "multiclass
classification" problems.
See Also binary classification model, multiclass classification model.
CLI See AWS Command Line Interface (AWS CLI).
Cloud Directory See Amazon Cloud Directory (Cloud Directory).
cloud service provider (CSP) A company that provides subscribers with access to internet-hosted computing,
storage, and software services.
CloudHub See AWS VPN CloudHub.
cluster A logical grouping of container instance (p. 425)s that you can place
task (p. 456)s on.
Amazon Elasticsearch Service (Amazon ES) (p. 410): A logical grouping of one or
more data nodes, optional dedicated master nodes, and storage required to run
Amazon Elasticsearch Service (Amazon ES) and operate your Amazon ES domain.
See Also data node, dedicated master node, node.
cluster compute instance A type of instance (p. 436) that provides a great amount of CPU power
coupled with increased networking performance, making it well suited for High
Performance Compute (HPC) applications and other demanding network-bound
applications.
cluster placement group A logical cluster compute instance (p. 424) grouping to provide lower latency
and high-bandwidth connectivity between the instance (p. 436)s.
cluster status Amazon Elasticsearch Service (Amazon ES) (p. 410): An indicator of the health
of a cluster. A status can be green, yellow, or red. At the shard level, green means
that all shards are allocated to nodes in a cluster, yellow means that the primary
Version 1.0
424
shard is allocated but the replica shards are not, and red means that the primary
and replica shards of at least one index are not allocated. The shard status
determines the index status, and the index status determines the cluster status.
CMK See customer master key (CMK).
CNAME Canonical Name Record. A type of resource record (p. 448) in the Domain
Name System (DNS) that specifies that the domain name is an alias of another,
canonical domain name. More simply, it is an entry in a DNS table that lets you
alias one fully qualified domain name to another.
complaint The event in which a recipient (p. 447) who does not want to receive an email
message clicks "Mark as Spam" within the email client, and the internet service
provider (p. 436) sends a notification to Amazon SES (p. 412).
compound query Amazon CloudSearch (p. 408): A search request that specifies multiple search
criteria using the Amazon CloudSearch structured search syntax.
condition IAM (p. 418): Any restriction or detail about a permission. The condition is D in
the statement "A has permission to do B to C where D applies."
AWS WAF (p. 421): A set of attributes that AWS WAF searches for in web
requests to AWS resource (p. 448)s such as Amazon CloudFront (p. 408)
distributions. Conditions can include values such as the IP addresses that web
requests originate from or values in request headers. Based on the specified
conditions, you can configure AWS WAF to allow or block web requests to AWS
resources.
conditional parameter See mapping.
configuration API Amazon CloudSearch (p. 408): The API call that you use to create, configure, and
manage search domains.
configuration template A series of key–value pairs that define parameters for various AWS products so
that AWS Elastic Beanstalk (p. 417) can provision them for an environment.
consistency model The method a service uses to achieve high availability. For example, it could
involve replicating data across multiple servers in a data center.
See Also eventual consistency.
console See AWS Management Console.
consolidated billing A feature of the AWS Organizations service for consolidating payment for
multiple AWS accounts. You create an organization that contains your AWS
accounts, and you use the master account of your organization to pay for all
member accounts. You can see a combined view of AWS costs that are incurred
by all accounts in your organization, and you can get detailed cost reports for
individual accounts.
container A Linux container that was created from a Docker image as part of a
task (p. 456).
container definition Specifies which Docker image (p. 429) to use for a container (p. 425), how
much CPU and memory the container is allocated, and more options. The
container definition is included as part of a task definition (p. 456).
container instance An EC2 instance (p. 430) that is running the Amazon Elastic Container Service
(Amazon ECS) (p. 409) agent and has been registered into a cluster (p. 424).
Amazon ECS task (p. 456)s are placed on active container instances.
Version 1.0
425
container registry Stores, manages, and deploys Docker image (p. 429)s.
content delivery network A web service that speeds up distribution of your static and dynamic web content
(CDN) —such as .html, .css, .js, media files, and image files—to your users by using
a worldwide network of data centers. When a user requests your content, the
request is routed to the data center that provides the lowest latency (time delay).
If the content is already in the location with the lowest latency, the CDN delivers
it immediately. If not, the CDN retrieves it from an origin that you specify (for
example, a web server or an Amazon S3 bucket). With some CDNs, you can help
secure your content by configuring an HTTPS connection between users and data
centers, and between data centers and your origin. Amazon CloudFront is an
example of a CDN.
continuous delivery A software development practice in which code changes are automatically built,
tested, and prepared for a release to production.
See Also https://aws.amazon.com/devops/continuous-delivery/.
continuous integration A software development practice in which developers regularly merge code
changes into a central repository, after which automated builds and tests are run.
See Also https://aws.amazon.com/devops/continuous-integration/.
cooldown period Amount of time during which Amazon EC2 Auto Scaling (p. 409) does not allow
the desired size of the Auto Scaling group (p. 414) to be changed by any other
notification from an Amazon CloudWatch (p. 408) alarm (p. 407).
core node An EC2 instance (p. 430) that runs Hadoop (p. 434) map and reduce tasks and
stores data using the Hadoop Distributed File System (HDFS). Core nodes are
managed by the master node (p. 440), which assigns Hadoop tasks to nodes and
monitors their status. The EC2 instances you assign as core nodes are capacity
that must be allotted for the entire job flow run. Because core nodes store data,
you can't remove them from a job flow. However, you can add more core nodes to
a running job flow.
Core nodes run both the DataNodes and TaskTracker Hadoop daemons.
corpus Amazon CloudSearch (p. 408): A collection of data that you want to search.
credential helper AWS CodeCommit (p. 416): A program that stores credentials for repositories
and supplies them to Git when making connections to those repositories. The
AWS CLI (p. 416) includes a credential helper that you can use with Git when
connecting to CodeCommit repositories.
credentials Also called access credentials or security credentials. In authentication and

authorization, a system uses credentials to identify who is making a call and
whether to allow the requested access. In AWS, these credentials are typically the
access key ID (p. 406) and the secret access key (p. 451).
cross-account access The process of permitting limited, controlled use of resource (p. 448)s in one
AWS account (p. 407) by a user in another AWS account. For example, in AWS
CodeCommit (p. 416) and AWS CodeDeploy (p. 416) you can configure cross-
account access so that a user in AWS account A can access an CodeCommit
repository created by account B. Or a pipeline in AWS CodePipeline (p. 416)
created by account A can use CodeDeploy resources created by account B. In
IAM (p. 418) you use a role (p. 449) to delegate (p. 428) temporary access to
a user (p. 458) in one account to resources in another.
cross-Region replication A client-side solution for maintaining identical copies of Amazon

DynamoDB (p. 409) tables across different AWS Region (p. 447)s, in near real
time.
Version 1.0
426
customer gateway A router or software application on your side of a VPN tunnel that is managed
by Amazon VPC (p. 413). The internal interfaces of the customer gateway are
attached to one or more devices in your home network. The external interface is
attached to the virtual private gateway (p. 459) across the VPN tunnel.
customer managed policy An IAM (p. 418) managed policy (p. 439) that you create and manage in your
AWS account (p. 407).
customer master key (CMK) The fundamental resource (p. 448) that AWS Key Management Service (AWS
KMS) (p. 418) manages. CMKs can be either customer managed keys or AWS
managed keys. Use CMKs inside AWS KMS to encrypt (p. 431) or decrypt up to 4
kilobytes of data directly or to encrypt generated data keys, which are then used
to encrypt or decrypt larger amounts of data outside of the service.
D
Z (p. 460)
dashboard See service health dashboard.
data consistency A concept that describes when data is written or updated successfully and
all copies of the data are updated in all AWS Region (p. 447)s. However, it
takes time for the data to propagate to all storage locations. To support varied
application requirements, Amazon DynamoDB (p. 409) supports both eventually
consistent and strongly consistent reads.
See Also eventual consistency, eventually consistent read, strongly consistent
read.
data node Amazon Elasticsearch Service (Amazon ES) (p. 410): An Elasticsearch instance
that holds data and responds to data upload requests.
See Also dedicated master node, node.
data schema See schema.
data source The database, file, or repository that provides information required by an
application or database. For example, in AWS OpsWorks (p. 419), valid data
sources include an instance (p. 436) for a stack’s MySQL layer or a stack’s
Amazon RDS (p. 412) service layer. In Amazon Redshift (p. 411), valid data
sources include text files in an Amazon S3 (p. 412) bucket (p. 423), in an
Amazon EMR (p. 410) cluster, or on a remote host that a cluster can access
through an SSH connection.
See Also datasource.
database engine The database software and version running on the DB instance (p. 428).
database name The name of a database hosted in a DB instance (p. 428). A DB instance can host
multiple databases, but databases hosted by the same DB instance must each
have a unique name within that instance.
datasource Amazon Machine Learning (p. 411): An object that contains metadata about the
input data. Amazon ML reads the input data, computes descriptive statistics on its
attributes, and stores the statistics—along with a schema and other information
—as part of the datasource object. Amazon ML uses datasources to train and
evaluate a machine learning model and generate batch predictions.
See Also data source.
Version 1.0
427
DB compute class The size of the database compute platform used to run the instance.
DB instance An isolated database environment running in the cloud. A DB instance can contain
multiple user-created databases.
DB instance identifier User-supplied identifier for the DB instance. The identifier must be unique for
that user in an AWS Region (p. 447).
DB parameter group A container for database engine parameter values that apply to one or more DB
instance (p. 428)s.
DB security group A method that controls access to the DB instance (p. 428). By default, network
access is turned off to DB instances. After inbound traffic is configured for a
security group (p. 451), the same rules apply to all DB instances associated with
that group.
DB snapshot A user-initiated point backup of a DB instance (p. 428).
Dedicated Host A physical server with EC2 instance (p. 430) capacity fully dedicated to a user.
Dedicated Instance An instance (p. 436) that is physically isolated at the host hardware level and
launched within a VPC (p. 459).
dedicated master node Amazon Elasticsearch Service (Amazon ES) (p. 410): An Elasticsearch instance
that performs cluster management tasks, but does not hold data or respond to
data upload requests. Amazon Elasticsearch Service (Amazon ES) uses dedicated
master nodes to increase cluster stability.
See Also data node, node.
Dedicated Reserved Instance An option that you purchase to guarantee that sufficient capacity will be available
to launch Dedicated Instance (p. 428)s into a VPC (p. 459).
delegation Within a single AWS account (p. 407): Giving AWS user (p. 458)s access to
resource (p. 448)s in your AWS account.
Between two AWS accounts: Setting up a trust between the account that owns
the resource (the trusting account), and the account that contains the users that
need to access the resource (the trusted account).
See Also trust policy.
delete marker An object with a key and version ID, but without content. Amazon S3 (p. 412)
inserts delete markers automatically into versioned bucket (p. 423)s when an
object is deleted.
deliverability The likelihood that an email message will arrive at its intended destination.
deliveries The number of email messages, sent through Amazon SES (p. 412), that
were accepted by an internet service provider (p. 436) for delivery to
recipient (p. 447)s over a period of time.
deny The result of a policy (p. 444) statement that includes deny as the effect, so
that a specific action or actions are expressly forbidden for a user, group, or role.
Explicit deny take precedence over explicit allow (p. 407).
deployment configuration AWS CodeDeploy (p. 416): A set of deployment rules and success and failure
conditions used by the service during a deployment.
deployment group AWS CodeDeploy (p. 416): A set of individually tagged instance (p. 436)s, EC2
instance (p. 430)s in Auto Scaling group (p. 414)s, or both.
detailed monitoring Monitoring of AWS provided metrics derived at a 1-minute frequency.
Version 1.0
428
Description property A property added to parameters, resource (p. 448)s, resource properties,
mappings, and outputs to help you to document AWS CloudFormation (p. 415)
template elements.
dimension A name–value pair (for example, InstanceType=m1.small, or EngineName=mysql),

that contains additional information to identify a metric.
discussion forums A place where AWS users can post technical questions and feedback to help
accelerate their development efforts and to engage with the AWS community.
The discussion forums are located at https://forums.aws.amazon.com/.
distribution A link between an origin server (such as an Amazon S3 (p. 412)

bucket (p. 423)) and a domain name, which CloudFront (p. 408) automatically
assigns. Through this link, CloudFront identifies the object you have stored in your
origin server (p. 443).
DKIM DomainKeys Identified Mail. A standard that email senders use to sign their
messages. ISPs use those signatures to verify that messages are legitimate. For
more information, see http://www.dkim.org.
DNS See Domain Name System.
Docker image A layered file system template that is the basis of a Docker container (p. 425).
Docker images can comprise specific operating systems or applications.
document Amazon CloudSearch (p. 408): An item that can be returned as a search result.
Each document has a collection of fields that contain the data that can be
searched or returned. The value of a field can be either a string or a number. Each
document must have a unique ID and at least one field.
document batch Amazon CloudSearch (p. 408): A collection of add and delete document
operations. You use the document service API to submit batches to update the
data in your search domain.
document service API Amazon CloudSearch (p. 408): The API call that you use to submit document
batches to update the data in a search domain.
document service endpoint Amazon CloudSearch (p. 408): The URL that you connect to when sending
document updates to an Amazon CloudSearch domain. Each search domain has
a unique document service endpoint that remains the same for the life of the
domain.
domain Amazon Elasticsearch Service (Amazon ES) (p. 410): The hardware, software,
and data exposed by Amazon Elasticsearch Service (Amazon ES) endpoints.
An Amazon ES domain is a service wrapper around an Elasticsearch cluster. An
Amazon ES domain encapsulates the engine instances that process Amazon ES
requests, the indexed data that you want to search, snapshots of the domain,
access policies, and metadata.
See Also cluster, Elasticsearch.
Domain Name System A service that routes internet traffic to websites by translating friendly domain
names like www.example.com into the numeric IP addresses like 192.0.2.1 that
computers use to connect to each other.
Donation button An HTML-coded button to provide an easy and secure way for US-based, IRS-
certified 501(c)3 nonprofit organizations to solicit donations.
DynamoDB stream An ordered flow of information about changes to items in anAmazon

DynamoDB (p. 409) table. When you enable a stream on a table, DynamoDB
captures information about every modification to data items in the table.
See Also Amazon DynamoDB Streams.
Version 1.0
429
E
Z (p. 460)
EBS See Amazon Elastic Block Store (Amazon EBS).
EC2 See Amazon Elastic Compute Cloud (Amazon EC2).
EC2 compute unit An AWS standard for compute CPU and memory. You can use this measure to
evaluate the CPU capacity of different EC2 instance (p. 430) types.
EC2 instance A compute instance (p. 436) in the Amazon EC2 (p. 409) service. Other AWS
services use the term EC2 instance to distinguish these instances from other types
of instances they support.
ECR See Amazon Elastic Container Registry (Amazon ECR).
ECS See Amazon Elastic Container Service (Amazon ECS).
edge location A site that CloudFront (p. 408) uses to cache copies of your content for faster
delivery to users at any location.
EFS See Amazon Elastic File System (Amazon EFS).
Elastic A company that provides open-source solutions—including Elasticsearch,

Logstash, Kibana, and Beats—that are designed to take data from any source and
search, analyze, and visualize it in real time.
Amazon Elasticsearch Service (Amazon ES) is an AWS managed service for

deploying, operating, and scaling Elasticsearch in the AWS Cloud.
See Also Amazon Elasticsearch Service (Amazon ES), Elasticsearch.
Elastic Block Store See Amazon Elastic Block Store (Amazon EBS).
Elastic IP address A fixed (static) IP address that you have allocated in Amazon EC2 (p. 409) or
Amazon VPC (p. 413) and then attached to an instance (p. 436). Elastic IP
addresses are associated with your account, not a specific instance. They are
elastic because you can easily allocate, attach, detach, and free them as your
needs change. Unlike traditional static IP addresses, Elastic IP addresses allow you
to mask instance or Availability Zone (p. 415) failures by rapidly remapping your
public IP addresses to another instance.
Elastic Load Balancing A web service that improves an application's availability by distributing incoming
traffic between two or more EC2 instance (p. 430)s.
See Also https://aws.amazon.com/elasticloadbalancing.
elastic network interface An additional network interface that can be attached to an instance (p. 436).
Elastic network interfaces include a primary private IP address, one or more
secondary private IP addresses, an Elastic IP Address (optional), a MAC address,
membership in specified security group (p. 451)s, a description, and a source/
destination check flag. You can create an elastic network interface, attach it to an
instance, detach it from an instance, and attach it to another instance.
Elasticsearch An open-source, real-time distributed search and analytics engine used for full-
text search, structured search, and analytics. Elasticsearch was developed by the
Elastic company.
Version 1.0
430
Amazon Elasticsearch Service (Amazon ES) is an AWS managed service for

deploying, operating, and scaling Elasticsearch in the AWS Cloud.
See Also Amazon Elasticsearch Service (Amazon ES), Elastic.
EMR See Amazon EMR (Amazon EMR).
encrypt To use a mathematical algorithm to make data unintelligible to unauthorized

user (p. 458)s while allowing authorized users a method (such as a key or
password) to convert the altered data back to its original state.
encryption context A set of key–value pairs that contains additional information associated with AWS
Key Management Service (AWS KMS) (p. 418)–encrypted information.
endpoint A URL that identifies a host and port as the entry point for a web service. Every
web service request contains an endpoint. Most AWS products provide endpoints
for a Region to enable faster connectivity.
Amazon ElastiCache (p. 410): The DNS name of a cache node (p. 423).
Amazon RDS (p. 412): The DNS name of a DB instance (p. 428).
AWS CloudFormation (p. 415): The DNS name or IP address of the server that
receives an HTTP request.
endpoint port Amazon ElastiCache (p. 410): The port number used by a cache node (p. 423).
Amazon RDS (p. 412): The port number used by a DB instance (p. 428).
envelope encryption The use of a master key and a data key to algorithmically protect data. The
master key is used to encrypt and decrypt the data key and the data key is used to
encrypt and decrypt the data itself.
environment AWS Elastic Beanstalk (p. 417): A specific running instance of an

application (p. 413). The application has a CNAME and includes an application
version and a customizable configuration (which is inherited from the default
container type).
AWS CodeDeploy (p. 416): Instances in a deployment group in a blue/green

deployment. At the start of a blue/green deployment, the deployment group is
made up of instances in the original environment. At the end of the deployment,
the deployment group is made up of instances in the replacement environment.
environment configuration A collection of parameters and settings that define how an environment and its
associated resources behave.
ephemeral store See instance store.
epoch The date from which time is measured. For most Unix environments, the epoch is
January 1, 1970.
ETL See extract, transform, and load (ETL).
evaluation Amazon Machine Learning: The process of measuring the predictive performance
of a machine learning (ML) model.
Also a machine learning object that stores the details and result of an ML model
evaluation.
evaluation datasource The data that Amazon Machine Learning uses to evaluate the predictive accuracy
of a machine learning model.
Version 1.0
431
eventual consistency The method through which AWS products achieve high availability, which involves
replicating data across multiple servers in Amazon's data centers. When data is
written or updated and Success is returned, all copies of the data are updated.
However, it takes time for the data to propagate to all storage locations. The data
will eventually be consistent, but an immediate read might not show the change.
Consistency is usually reached within seconds.
See Also data consistency, eventually consistent read, strongly consistent read.
eventually consistent read A read process that returns data from only one Region and might not show the
most recent write information. However, if you repeat your read request after a
short time, the response should eventually return the latest data.
See Also data consistency, eventual consistency, strongly consistent read.
eviction The deletion by CloudFront (p. 408) of an object from an edge

location (p. 430) before its expiration time. If an object in an edge location
isn't frequently requested, CloudFront might evict the object (remove the object
before its expiration date) to make room for objects that are more popular.
exbibyte A contraction of exa binary byte, an exbibyte is 2^60 or

1,152,921,504,606,846,976 bytes. An exabyte (EB) is 10^18 or
1,000,000,000,000,000,000 bytes. 1,024 EiB is a zebibyte (p. 460).
expiration For CloudFront (p. 408) caching, the time when CloudFront stops responding
to user requests with an object. If you don't use headers or CloudFront
distribution (p. 429) settings to specify how long you want objects to stay in
an edge location (p. 430), the objects expire after 24 hours. The next time a
user requests an object that has expired, CloudFront forwards the request to the
origin (p. 443).
explicit launch permission An Amazon Machine Image (AMI) (p. 411) launch permission granted to a
specific AWS account (p. 407).
exponential backoff A strategy that incrementally increases the wait between retry attempts in order
to reduce the load on the system and increase the likelihood that repeated
requests will succeed. For example, client applications might wait up to 400
milliseconds before attempting the first retry, up to 1600 milliseconds before the
second, up to 6400 milliseconds (6.4 seconds) before the third, and so on.
expression Amazon CloudSearch (p. 408): A numeric expression that you can use to control
how search hits are sorted. You can construct Amazon CloudSearch expressions
using numeric fields, other rank expressions, a document's default relevance
score, and standard numeric operators and functions. When you use the sort
option to specify an expression in a search request, the expression is evaluated for
each search hit and the hits are listed according to their expression values.
extract, transform, and load A process that is used to integrate data from multiple sources. Data is collected
(ETL) from sources (extract), converted to an appropriate format (transform), and
written to a target data store (load) for purposes of analysis and querying.
ETL tools combine these three functions to consolidate and move data from one
environment to another. AWS Glue (p. 417) is a fully managed ETL service for
discovering and organizing data, transforming it, and making it available for
search and analytics.
F
Version 1.0
432
Z (p. 460)
facet Amazon CloudSearch (p. 408): An index field that represents a category that you
want to use to refine and filter search results.
facet enabled Amazon CloudSearch (p. 408): An index field option that enables facet
information to be calculated for the field.
FBL See feedback loop.
feature transformation Amazon Machine Learning: The machine learning process of constructing more
predictive input representations or “features” from the raw input variables to
optimize a machine learning model’s ability to learn and generalize. Also known
as data transformation or feature engineering.
federated identity Allows individuals to sign in to different networks or services, using the same
management group or personal credentials to access data across all networks. With identity
federation in AWS, external identities (federated users) are granted secure access
to resource (p. 448)s in an AWS account (p. 407) without having to create IAM
user (p. 458)s. These external identities can come from a corporate identity
store (such as LDAP or Windows Active Directory) or from a third party (such as
Login with Amazon, Facebook, or Google). AWS federation also supports SAML
2.0.
federated user See federated identity management.
federation See federated identity management.
feedback loop The mechanism by which a mailbox provider (for example, an internet service
provider (p. 436)) forwards a recipient (p. 447)'s complaint (p. 425) back to
the sender (p. 451).
field weight The relative importance of a text field in a search index. Field weights control how
much matches in particular text fields affect a document's relevance score.
filter A criterion that you specify to limit the results when you list or describe your
Amazon EC2 (p. 409) resource (p. 448)s.
filter query A way to filter search results without affecting how the results are scored and
sorted. Specified with the Amazon CloudSearch (p. 408) fq parameter.
FIM See federated identity management.
Firehose See Amazon Kinesis Data Firehose.
format version See template format version.
forums See discussion forums.
function See intrinsic function.
fuzzy search A simple search query that uses approximate string matching (fuzzy matching) to
correct for typographical errors and misspellings.
G
Version 1.0
433
Z (p. 460)
geospatial search A search query that uses locations specified as a latitude and longitude to
determine matches and sort the results.
gibibyte A contraction of giga binary byte, a gibibyte is 2^30 or 1,073,741,824 bytes. A

gigabyte (GB) is 10^9 or 1,000,000,000 bytes. 1,024 GiB is a tebibyte (p. 456).
GitHub A web-based repository that uses Git for version control.
global secondary index An index with a partition key and a sort key that can be different from those on
the table. A global secondary index is considered global because queries on the
index can span all of the data in a table, across all partitions.
See Also local secondary index.
grant AWS Key Management Service (AWS KMS) (p. 418): A mechanism for giving
AWS principal (p. 445)s long-term permissions to use customer master key
(CMK) (p. 427)s.
grant token A type of identifier that allows the permissions in a grant (p. 434) to take effect
immediately.
ground truth The observations used in the machine learning (ML) model training process
that include the correct value for the target attribute. To train an ML model to
predict house sales prices, the input observations would typically include prices
of previous house sales in the area. The sale prices of these houses constitute the
ground truth.
group A collection of IAM (p. 418) user (p. 458)s. You can use IAM groups to simplify
specifying and managing permissions for multiple users.
H
Z (p. 460)
Hadoop Software that enables distributed processing for big data by using clusters
and simple programming models. For more information, see http://
hadoop.apache.org.
hard bounce A persistent email delivery failure such as "mailbox does not exist."
hardware VPN A hardware-based IPsec VPN connection over the internet.
health check A system call to check on the health status of each instance in an Amazon EC2
Auto Scaling (p. 409) group.
high-quality email Email that recipients find valuable and want to receive. Value means different
things to different recipients and can come in the form of offers, order
confirmations, receipts, newsletters, etc.
highlights Amazon CloudSearch (p. 408): Excerpts returned with search results that show
where the search terms appear within the text of the matching documents.
highlight enabled Amazon CloudSearch (p. 408): An index field option that enables matches within
the field to be highlighted.
Version 1.0
434
hit A document that matches the criteria specified in a search request. Also referred
to as a search result.
HMAC Hash-based Message Authentication Code. A specific construction for calculating

a message authentication code (MAC) involving a cryptographic hash function in
combination with a secret key. You can use it to verify both the data integrity and
the authenticity of a message at the same time. AWS calculates the HMAC using a
standard, cryptographic hash algorithm, such as SHA-256.
hosted zone A collection of resource record (p. 448) sets that Amazon Route 53 (p. 412)
hosts. Like a traditional DNS zone file, a hosted zone represents a collection of
records that are managed together under a single domain name.
HTTP-Query See Query.
HVM virtualization Hardware Virtual Machine virtualization. Allows the guest VM to run as though it
is on a native hardware platform, except that it still uses paravirtual (PV) network
and storage drivers for improved performance.
See Also PV virtualization.
I
Z (p. 460)
IAM See AWS Identity and Access Management (IAM).
IAM group See group.
IAM policy simulator See policy simulator.
IAM role See role.
IAM user See user.
Identity and Access See AWS Identity and Access Management (IAM).
Management
identity provider (IdP) An IAM (p. 418) entity that holds metadata about external identity providers.
IdP See identity provider (IdP) .
image See Amazon Machine Image (AMI).
import/export station A machine that uploads or downloads your data to or from Amazon S3 (p. 412).
import log A report that contains details about how AWS Import/Export (p. 418) processed
your data.
in-place deployment CodeDeploy: A deployment method in which the application on each instance in
the deployment group is stopped, the latest application revision is installed, and
the new version of the application is started and validated. You can choose to use
a load balancer so each instance is deregistered during its deployment and then
restored to service after the deployment is complete.
index See search index.
index field A name–value pair that is included in an Amazon CloudSearch (p. 408) domain's
index. An index field can contain text or numeric data, dates, or a location.
Version 1.0
435
indexing options Configuration settings that define an Amazon CloudSearch (p. 408) domain's
index fields, how document data is mapped to those index fields, and how the
index fields can be used.
inline policy An IAM (p. 418) policy (p. 444) that is embedded in a single IAM
user (p. 458), group (p. 434), or role (p. 449).
input data Amazon Machine Learning: The observations that you provide to Amazon
Machine Learning to train and evaluate a machine learning model and generate
predictions.
instance A copy of an Amazon Machine Image (AMI) (p. 411) running as a virtual server in
the AWS Cloud.
instance family A general instance type (p. 436) grouping using either storage or CPU capacity.
instance group A Hadoop (p. 434) cluster contains one master instance group that contains
one master node (p. 440), a core instance group containing one or more core
node (p. 426) and an optional task node (p. 456) instance group, which can
contain any number of task nodes.
instance profile A container that passes IAM (p. 418) role (p. 449) information to an EC2
instance (p. 430) at launch.
instance store Disk storage that is physically attached to the host computer for an EC2
instance (p. 430), and therefore has the same lifespan as the instance. When the
instance is terminated, you lose any data in the instance store.
instance store-backed AMI A type of Amazon Machine Image (AMI) (p. 411) whose instance (p. 436)s use
an instance store (p. 436) volume (p. 459) as the root device. Compare this
with instances launched from Amazon EBS (p. 409)-backed AMIs, which use an
Amazon EBS volume as the root device.
instance type A specification that defines the memory, CPU, storage capacity, and usage
cost for an instance (p. 436). Some instance types are designed for standard
applications, whereas others are designed for CPU-intensive, memory-intensive
applications, and so on.
internet gateway Connects a network to the internet. You can route traffic for IP addresses outside
your VPC (p. 459) to the internet gateway.
internet service provider A company that provides subscribers with access to the internet. Many ISPs are
also mailbox provider (p. 439)s. Mailbox providers are sometimes referred to as
ISPs, even if they only provide mailbox services.
intrinsic function A special action in a AWS CloudFormation (p. 415) template that assigns values
to properties not available until runtime. These functions follow the format
Fn::Attribute, such as Fn::GetAtt. Arguments for intrinsic functions can be
parameters, pseudo parameters, or the output of other intrinsic functions.
IP address A numerical address (for example, 192.0.2.44) that networked devices use
to communicate with one another using the Internet Protocol (IP). All EC2
instance (p. 430)s are assigned two IP addresses at launch, which are directly
mapped to each other through network address translation (NAT (p. 441)):
a private IP address (following RFC 1918) and a public IP address. Instances
launched in a VPC (p. 413) are assigned only a private IP address. Instances
launched in your default VPC are assigned both a private IP address and a public
IP address.
IP match condition AWS WAF (p. 421): An attribute that specifies the IP addresses or IP
address ranges that web requests originate from. Based on the specified IP
Version 1.0
436
addresses, you can configure AWS WAF to allow or block web requests to AWS
resource (p. 448)s such as Amazon CloudFront (p. 408) distributions.
ISP See internet service provider.
issuer The person who writes a policy (p. 444) to grant permissions to a
resource (p. 448). The issuer (by definition) is always the resource owner. AWS
does not permit Amazon SQS (p. 412) users to create policies for resources they
don't own. If John is the resource owner, AWS authenticates John's identity when
he submits the policy he's written to grant permissions for that resource.
item A group of attributes that is uniquely identifiable among all of the other items.
Items in Amazon DynamoDB (p. 409) are similar in many ways to rows, records,
or tuples in other database systems.
J
Z (p. 460)
job flow Amazon EMR (p. 410): One or more step (p. 454)s that specify all of the
functions to be performed on the data.
job ID A five-character, alphanumeric string that uniquely identifies an AWS Import/

Export (p. 418) storage device in your shipment. AWS issues the job ID in
response to a CREATE JOB email command.
job prefix An optional string that you can add to the beginning of an AWS Import/
Export (p. 418) log file name to prevent collisions with objects of the same
name.
See Also key prefix.
JSON JavaScript Object Notation. A lightweight data interchange format. For

information about JSON, see http://www.json.org/.
junk folder The location where email messages that various filters determine to be of lesser
value are collected so that they do not arrive in the recipient (p. 447)'s inbox but
are still accessible to the recipient. This is also referred to as a spam (p. 453) or
bulk folder.
K
Z (p. 460)
key A credential that identifies an AWS account (p. 407) or user (p. 458) to AWS
(such as the AWS secret access key (p. 451)).
Amazon Simple Storage Service (Amazon S3) (p. 412), Amazon EMR (Amazon
EMR) (p. 410): The unique identifier for an object in a bucket (p. 423).
Every object in a bucket has exactly one key. Because a bucket and key
together uniquely identify each object, you can think of Amazon S3 as a
basic data map between the bucket + key, and the object itself. You can
Version 1.0
437
uniquely address every object in Amazon S3 through the combination of the

web service endpoint, bucket name, and key, as in this example: http://
doc.s3.amazonaws.com/2006-03-01/AmazonS3.wsdl, where doc is the
name of the bucket, and 2006-03-01/AmazonS3.wsdl is the key.
AWS Import/Export (p. 418): The name of an object in Amazon S3. It is a

sequence of Unicode characters whose UTF-8 encoding cannot exceed 1024
bytes. If a key, for example, logPrefix + import-log-JOBID, is longer than 1024
bytes, AWS Elastic Beanstalk (p. 417) returns an InvalidManifestField
error.
IAM (p. 418): In a policy (p. 444), a specific characteristic that is the basis for
restricting access (such as the current time, or the IP address of the requester).
Tagging resources: A general tag (p. 456) label that acts like a category for more
specific tag values. For example, you might have EC2 instance (p. 430) with the
tag key of Owner and the tag value of Jan. You can tag an AWS resource (p. 448)
with up to 10 key–value pairs. Not all AWS resources can be tagged.
key pair A set of security credentials that you use to prove your identity electronically. A
key pair consists of a private key and a public key.
key prefix A logical grouping of the objects in a bucket (p. 423). The prefix value is similar
to a directory name that enables you to store similar data under the same
directory in a bucket.
kibibyte A contraction of kilo binary byte, a kibibyte is 2^10 or 1,024 bytes. A kilobyte (KB)
is 10^3 or 1,000 bytes. 1,024 KiB is a mebibyte (p. 440).
KMS See AWS Key Management Service (AWS KMS).
L
Z (p. 460)
labeled data In machine learning, data for which you already know the target or “correct”
answer.
launch configuration A set of descriptive parameters used to create new EC2 instance (p. 430)s in an
Amazon EC2 Auto Scaling (p. 409) activity.
A template that an Auto Scaling group (p. 414) uses to launch new EC2
instances. The launch configuration contains information such as the Amazon
Machine Image (AMI) (p. 411) ID, the instance type, key pairs, security
group (p. 451)s, and block device mappings, among other configuration
settings.
launch permission An Amazon Machine Image (AMI) (p. 411) attribute that allows users to launch
an AMI.
lifecycle The lifecycle state of the EC2 instance (p. 430) contained in an Auto Scaling
group (p. 414). EC2 instances progress through several states over their lifespan;
these include Pending, InService, Terminating and Terminated.
lifecycle action An action that can be paused by Auto Scaling, such as launching or terminating
an EC2 instance.
Version 1.0
438
lifecycle hook Enables you to pause Auto Scaling after it launches or terminates an EC2 instance
so that you can perform a custom action while the instance is not in service.
link to VPC The process of linking (or attaching) an EC2-Classic instance (p. 436) to a
ClassicLink-enabled VPC (p. 459).
See Also ClassicLink, unlink from VPC.
load balancer A DNS name combined with a set of ports, which together provide a destination
for all requests intended for your application. A load balancer can distribute
traffic to multiple application instances across every Availability Zone (p. 415)
within a Region (p. 447). Load balancers can span multiple Availability Zones
within an AWS Region into which an Amazon EC2 (p. 409) instance was
launched. But load balancers cannot span multiple Regions.
local secondary index An index that has the same partition key as the table, but a different sort key. A
local secondary index is local in the sense that every partition of a local secondary
index is scoped to a table partition that has the same partition key value.
See Also local secondary index.
logical name A case-sensitive unique string within an AWS CloudFormation (p. 415) template
that identifies a resource (p. 448), mapping (p. 440), parameter, or output. In
an AWS CloudFormation template, each parameter, resource (p. 448), property,
mapping, and output must be declared with a unique logical name. You use the
logical name when dereferencing these items using the Ref function.
M
Z (p. 460)
Mail Transfer Agent (MTA) Software that transports email messages from one computer to another by using
a client-server architecture.
mailbox provider An organization that provides email mailbox hosting services. Mailbox providers
are sometimes referred to as internet service provider (p. 436)s, even if they
only provide mailbox services.
mailbox simulator A set of email addresses that you can use to test an Amazon SES (p. 412)-based
email sending application without sending messages to actual recipients. Each
email address represents a specific scenario (such as a bounce or complaint) and
generates a typical response that is specific to the scenario.
main route table The default route table (p. 449) that any new VPC (p. 459) subnet (p. 455)
uses for routing. You can associate a subnet with a different route table of your
choice. You can also change which route table is the main route table.
managed policy A standalone IAM (p. 418) policy (p. 444) that you can attach to
multiple user (p. 458)s, group (p. 434)s, and role (p. 449)s in your IAM
account (p. 407). Managed policies can either be AWS managed policies (which
are created and managed by AWS) or customer managed policies (which you
create and manage in your AWS account).
manifest When sending a create job request for an import or export operation, you describe
your job in a text file called a manifest. The manifest file is a YAML-formatted
file that specifies how to transfer data between your storage device and the AWS
Cloud.
Version 1.0
439
manifest file Amazon Machine Learning: The file used for describing batch predictions. The
manifest file relates each input data file with its associated batch prediction
results. It is stored in the Amazon S3 output location.
mapping A way to add conditional parameter values to an AWS CloudFormation (p. 415)
template. You specify mappings in the template's optional Mappings section and
retrieve the desired value using the FN::FindInMap function.
marker See pagination token.
master node A process running on an Amazon Machine Image (AMI) (p. 411) that keeps track
of the work its core and task nodes complete.
maximum price The maximum price you will pay to launch one or more Spot Instance (p. 453)s.
If your maximum price exceeds the current Spot price (p. 453) and your
restrictions are met, Amazon EC2 (p. 409) launches instances on your behalf.
maximum send rate The maximum number of email messages that you can send per second using
Amazon SES (p. 412).
mebibyte A contraction of mega binary byte, a mebibyte is 2^20 or 1,048,576 bytes. A

megabyte (MB) is 10^6 or 1,000,000 bytes. 1,024 MiB is a gibibyte (p. 434).
member resources See resource.
message ID Amazon Simple Email Service (Amazon SES) (p. 412): A unique identifier that is
assigned to every email message that is sent.
Amazon Simple Queue Service (Amazon SQS) (p. 412): The identifier returned
when you send a message to a queue.
metadata Information about other data or objects. In Amazon Simple Storage Service
(Amazon S3) (p. 412) and Amazon EMR (Amazon EMR) (p. 410) metadata takes
the form of name–value pairs that describe the object. These include default
metadata such as the date last modified and standard HTTP metadata such as
Content-Type. Users can also specify custom metadata at the time they store
an object. In Amazon Elastic Compute Cloud (Amazon EC2) (p. 409) metadata
includes data about an EC2 instance (p. 430) that the instance can retrieve to
determine things about itself, such as the instance type, the IP address, and so on.
metric An element of time-series data defined by a unique combination of exactly

one namespace (p. 441), exactly one metric name, and between zero and ten
dimensions. Metrics and the statistics derived from them are the basis of Amazon
CloudWatch (p. 408).
metric name The primary identifier of a metric, used in combination with a

namespace (p. 441) and optional dimensions.
MFA See multi-factor authentication (MFA).
micro instance A type of EC2 instance (p. 430) that is more economical to use if you have
occasional bursts of high CPU activity.
MIME See Multipurpose Internet Mail Extensions (MIME).
ML model In machine learning (ML), a mathematical model that generates predictions by

finding patterns in data. Amazon Machine Learning supports three types of ML
models: binary classification, multiclass classification, and regression. Also known
as a predictive model.
See Also binary classification model, multiclass classification model, regression
model.
Version 1.0
440
MTA See Mail Transfer Agent (MTA).
Multi-AZ deployment A primary DB instance (p. 428) that has a synchronous standby replica in a
different Availability Zone (p. 415). The primary DB instance is synchronously
replicated across Availability Zones to the standby replica.
multiclass classification A machine learning model that predicts values that belong to a limited, pre-
model defined set of permissible values. For example, "Is this product a book, movie, or
clothing?"
multi-factor authentication An optional AWS account (p. 407) security feature. Once you enable AWS
(MFA) MFA, you must provide a six-digit, single-use code in addition to your sign-in
credentials whenever you access secure AWS webpages or the AWS Management
Console (p. 418). You get this single-use code from an authentication device
that you keep in your physical possession.
See Also https://aws.amazon.com/mfa/.
multi-valued attribute An attribute with more than one value.
multipart upload A feature that allows you to upload a single object as a set of parts.
Multipurpose Internet Mail An internet standard that extends the email protocol to include non-ASCII text
Extensions (MIME) and nontext elements like attachments.
Multitool A cascading application that provides a simple command-line interface for

managing large datasets.
N
Z (p. 460)
namespace An abstract container that provides context for the items (names, or technical
terms, or words) it holds, and allows disambiguation of homonym items residing
in different namespaces.
NAT Network address translation. A strategy of mapping one or more IP addresses

to another while data packets are in transit across a traffic routing device. This
is commonly used to restrict internet communication to private instances while
allowing outgoing traffic.
See Also Network Address Translation and Protocol Translation, NAT gateway,
NAT instance.
NAT gateway A NAT (p. 441) device, managed by AWS, that performs network address
translation in a private subnet (p. 455), to secure inbound internet traffic. A NAT
gateway uses both NAT and port address translation.
See Also NAT instance.
NAT instance A NAT (p. 441) device, configured by a user, that performs network address
translation in a VPC (p. 459) public subnet (p. 455) to secure inbound internet
traffic.
See Also NAT gateway.
network ACL An optional layer of security that acts as a firewall for controlling traffic in and
out of a subnet (p. 455). You can associate multiple subnets with a single
network ACL (p. 406), but a subnet can be associated with only one network ACL
at a time.
Version 1.0
441
Network Address Translation (NAT (p. 441)-PT) An internet protocol standard defined in RFC 2766.
and Protocol Translation See Also NAT instance, NAT gateway.
n-gram processor A processor that performs n-gram transformations.

See Also n-gram transformation.
n-gram transformation Amazon Machine Learning: A transformation that aids in text string analysis.
An n-gram transformation takes a text variable as input and outputs strings by
sliding a window of size n words, where n is specified by the user, over the text,
and outputting every string of words of size n and all smaller sizes. For example,
specifying the n-gram transformation with window size =2 returns all the two-
word combinations and all of the single words.
NICE Desktop Cloud A remote visualization technology for securely connecting users to graphic-
Visualization intensive 3D applications hosted on a remote, high-performance server.
node Amazon Elasticsearch Service (Amazon ES) (p. 410): An Elasticsearch instance. A
node can be either a data instance or a dedicated master instance.
See Also dedicated master node.
NoEcho A property of AWS CloudFormation (p. 415) parameters that prevent the
otherwise default reporting of names and values of a template parameter.
Declaring the NoEcho property causes the parameter value to be masked with
asterisks in the report by the cfn-describe-stacks command.
NoSQL Nonrelational database systems that are highly available, scalable, and optimized
for high performance. Instead of the relational model, NoSQL databases (like
Amazon DynamoDB (p. 409)) use alternate models for data management, such
as key–value pairs or document storage.
null object A null object is one whose version ID is null. Amazon S3 (p. 412) adds a null
object to a bucket (p. 423) when versioning (p. 458) for that bucket is
suspended. It is possible to have only one null object for each key in a bucket.
number of passes The number of times that you allow Amazon Machine Learning to use the same
data records to train a machine learning model.
O
Z (p. 460)
object Amazon Simple Storage Service (Amazon S3) (p. 412): The fundamental entity
type stored in Amazon S3. Objects consist of object data and metadata. The data
portion is opaque to Amazon S3.
Amazon CloudFront (p. 408): Any entity that can be served either over HTTP or
a version of RTMP.
observation Amazon Machine Learning: A single instance of data that Amazon Machine
Learning (Amazon ML) uses to either train a machine learning model how to
predict or to generate a prediction. Each row in an Amazon ML input data file is
an observation.
On-Demand Instance An Amazon EC2 (p. 409) pricing option that charges you for compute capacity
by the hour with no long-term commitment.
Version 1.0
442
operation An API function. Also called an action.
optimistic locking A strategy to ensure that an item that you want to update has not been modified
by others before you perform the update. For Amazon DynamoDB (p. 409),
optimistic locking support is provided by the AWS SDKs.
organization AWS Organizations (p. 419): An entity that you create to consolidate and
manage your AWS accounts. An organization has one master account along with
zero or more member accounts.
organizational unit AWS Organizations (p. 419): A container for accounts within a root (p. 449) of
an organization. An organizational unit (OU) can contain other OUs.
origin access identity Also called OAI. When using Amazon CloudFront (p. 408) to serve content with
an Amazon S3 (p. 412) bucket (p. 423) as the origin, a virtual identity that you
use to require users to access your content through CloudFront URLs instead of
Amazon S3 URLs. Usually used with CloudFront private content (p. 445).
origin server The Amazon S3 (p. 412) bucket (p. 423) or custom origin containing
the definitive original version of the content you deliver through
CloudFront (p. 408).
original environment The instances in a deployment group at the start of an CodeDeploy blue/green
deployment.
OSB transformation Orthogonal sparse bigram transformation. In machine learning, a transformation

that aids in text string analysis and that is an alternative to the n-gram
transformation. OSB transformations are generated by sliding the window of size
n words over the text, and outputting every pair of words that includes the first
word in the window.
See Also n-gram transformation.
OU See organizational unit.
output location Amazon Machine Learning: An Amazon S3 location where the results of a batch
prediction are stored.
P
Z (p. 460)
pagination The process of responding to an API request by returning a large list of records in
small separate parts. Pagination can occur in the following situations:
• The client sets the maximum number of returned records to a value below the
total number of records.
• The service has a default maximum number of returned records that is lower
than the total number of records.
When an API response is paginated, the service sends a subset of the large list
of records and a pagination token that indicates that more records are available.
The client includes this pagination token in a subsequent API request, and the
service responds with the next subset of records. This continues until the service
responds with a subset of records and no pagination token, indicating that all
records have been sent.
Version 1.0
443
pagination token A marker that indicates that an API response contains a subset of a larger list of
records. The client can return this marker in a subsequent API request to retrieve
the next subset of records until the service responds with a subset of records and
no pagination token, indicating that all records have been sent.
See Also pagination.
paid AMI An Amazon Machine Image (AMI) (p. 411) that you sell to other Amazon
EC2 (p. 409) users on AWS Marketplace (p. 419).
paravirtual virtualization See PV virtualization.
part A contiguous portion of the object's data in a multipart upload request.
partition key A simple primary key, composed of one attribute (also known as a hash attribute).
See Also partition key, sort key.
PAT Port address translation.
pebibyte A contraction of peta binary byte, a pebibyte is 2^50 or 1,125,899,906,842,624

bytes. A petabyte (PB) is 10^15 or 1,000,000,000,000,000 bytes. 1,024 PiB is an
exbibyte (p. 432).
period See sampling period.
permission A statement within a policy (p. 444) that allows or denies access to a particular
resource (p. 448). You can state any permission like this: "A has permission
to do B to C." For example, Jane (A) has permission to read messages (B) from
John's Amazon SQS (p. 412) queue (C). Whenever Jane sends a request to
Amazon SQS to use John's queue, the service checks to see if she has permission.
It further checks to see if the request satisfies the conditions John set forth in the
permission.
persistent storage A data storage solution where the data remains intact until it is deleted. Options
within AWS (p. 413) include: Amazon S3 (p. 412), Amazon RDS (p. 412),
Amazon DynamoDB (p. 409), and other services.
physical name A unique label that AWS CloudFormation (p. 415) assigns to each
resource (p. 448) when creating a stack (p. 454). Some AWS CloudFormation
commands accept the physical name as a value with the --physical-name
parameter.
pipeline AWS CodePipeline (p. 416): A workflow construct that defines the way software
changes go through a release process.
plaintext Information that has not been encrypted (p. 431), as opposed to
ciphertext (p. 424).
policy IAM (p. 418): A document defining permissions that apply to a user, group,
or role; the permissions in turn determine what users can do in AWS. A
policy typically allow (p. 407)s access to specific actions, and can optionally
grant that the actions are allowed for specific resource (p. 448)s, like EC2
instance (p. 430)s, Amazon S3 (p. 412) bucket (p. 423)s, and so on. Policies
can also explicitly deny (p. 428) access.
Amazon EC2 Auto Scaling (p. 409): An object that stores the information
needed to launch or terminate instances for an Auto Scaling group. Executing
the policy causes instances to be launched or terminated. You can configure an
alarm (p. 407) to invoke an Auto Scaling policy.
policy generator A tool in the IAM (p. 418) AWS Management Console (p. 418) that helps you
build a policy (p. 444) by selecting elements from lists of available options.
Version 1.0
444
policy simulator A tool in the IAM (p. 418) AWS Management Console (p. 418) that helps you
test and troubleshoot policies (p. 444) so you can see their effects in real-world
scenarios.
policy validator A tool in the IAM (p. 418) AWS Management Console (p. 418) that examines
your existing IAM access control policies (p. 444) to ensure that they comply
with the IAM policy grammar.
presigned URL A web address that uses query string authentication (p. 446).
prefix See job prefix.
Premium Support A one-on-one, fast-response support channel that AWS customers can subscribe
to for support for AWS infrastructure services.
See Also https://aws.amazon.com/premiumsupport/.
primary key One or two attributes that uniquely identify each item in a Amazon
DynamoDB (p. 409) table, so that no two items can have the same key.
See Also partition key, sort key.
primary shard See shard.
principal The user (p. 458), service, or account (p. 407) that receives permissions that
are defined in a policy (p. 444). The principal is A in the statement "A has
permission to do B to C."
private content When using Amazon CloudFront (p. 408) to serve content with an Amazon
S3 (p. 412) bucket (p. 423) as the origin, a method of controlling access to
your content by requiring users to use signed URLs. Signed URLs can restrict
user access based on the current date and time and/or the IP addresses that the
requests originate from.
private IP address A private numerical address (for example, 192.0.2.44) that networked devices
use to communicate with one another using the Internet Protocol (IP). All EC2
instance (p. 430)ss are assigned two IP addresses at launch, which are directly
mapped to each other through network address translation (NAT (p. 441)): a
private address (following RFC 1918) and a public address. Exception: Instances
launched in Amazon VPC (p. 413) are assigned only a private IP address.
private subnet A VPC (p. 459) subnet (p. 455) whose instances cannot be reached from the
internet.
product code An identifier provided by AWS when you submit a product to AWS
Marketplace (p. 419).
properties See resource property.
property rule A JSON (p. 437)-compliant markup standard for declaring properties, mappings,
and output values in an AWS CloudFormation (p. 415) template.
Provisioned IOPS A storage option designed to deliver fast, predictable, and consistent I/O
performance. When you specify an IOPS rate while creating a DB instance,
Amazon RDS (p. 412) provisions that IOPS rate for the lifetime of the DB
instance.
pseudo parameter A predefined setting, such as AWS:StackName that can be used in AWS
CloudFormation (p. 415) templates without having to declare them. You can use
pseudo parameters anywhere you can use a regular parameter.
public AMI An Amazon Machine Image (AMI) (p. 411) that all AWS account (p. 407)s have
permission to launch.
Version 1.0
445
public dataset A large collection of public information that can be seamlessly integrated into
applications that are based in the AWS Cloud. Amazon stores public datasets at
no charge to the community and, like all AWS services, users pay only for the
compute and storage they use for their own applications. These datasets currently
include data from the Human Genome Project, the U.S. Census, Wikipedia, and
other sources.
See Also https://aws.amazon.com/publicdatasets.
public IP address A public numerical address (for example, 192.0.2.44) that networked devices
use to communicate with one another using the Internet Protocol (IP). EC2
instance (p. 430)s are assigned two IP addresses at launch, which are directly
mapped to each other through Network Address Translation (NAT (p. 441)): a
private address (following RFC 1918) and a public address. Exception: Instances
launched in Amazon VPC (p. 413) are assigned only a private IP address.
public subnet A subnet (p. 455) whose instances can be reached from the internet.
PV virtualization Paravirtual virtualization. Allows guest VMs to run on host systems that do
not have special support extensions for full hardware and CPU virtualization.
Because PV guests run a modified operating system that does not use hardware
emulation, they cannot provide hardware-related features such as enhanced
networking or GPU support.
See Also HVM virtualization.
Q
Z (p. 460)
quartile binning Amazon Machine Learning: A process that takes two inputs, a numerical variable
transformation and a parameter called a bin number, and outputs a categorical variable. Quartile
binning transformations discover non-linearity in a variable's distribution by
enabling the machine learning model to learn separate importance values for
parts of the numeric variable’s distribution.
Query A type of web service that generally uses only the GET or POST HTTP method and
a query string with parameters in the URL.
See Also REST.
query string authentication An AWS feature that lets you place the authentication information in the HTTP
request query string instead of in the Authorization header, which enables
URL-based access to objects in a bucket (p. 423).
queue A sequence of messages or jobs that are held in temporary storage awaiting
transmission or processing.
queue URL A web address that uniquely identifies a queue.
quota Amazon RDS (p. 412): The maximum number of DB instance (p. 428)s and
available storage you can use.
Amazon ElastiCache (p. 410): The maximum number of the following items:
• The number of cache clusters for each AWS account (p. 407)
• The number of cache nodes per cache cluster
Version 1.0
446
• The total number of cache nodes per AWS account across all cache clusters
created by that AWS account
R
Z (p. 460)
range GET A request that specifies a byte range of data to get for a download. If an object is
large, you can break up a download into smaller units by sending multiple range
GET requests that each specify a different byte range to GET.
raw email A type of sendmail request with which you can specify the email headers and
MIME types.
RDS See Amazon Relational Database Service (Amazon RDS).
read replica Amazon RDS (p. 412): An active copy of another DB instance. Any updates to
the data on the source DB instance are replicated to the read replica DB instance
using the built-in replication feature of MySQL 5.1.
real-time predictions Amazon Machine Learning: Synchronously generated predictions for individual
data observations.
See Also batch prediction.
receipt handle Amazon SQS (p. 412): An identifier that you get when you receive a message
from the queue. This identifier is required to delete a message from the queue or
when changing a message's visibility timeout.
receiver The entity that consists of the network systems, software, and policies that
manage email delivery for a recipient (p. 447).
recipient Amazon Simple Email Service (Amazon SES) (p. 412): The person or entity
receiving an email message. For example, a person named in the "To" field of a
message.
Redis A fast, open-source, in-memory key-value data structure store. Redis comes with
a set of versatile in-memory data structures with which you can easily create a
variety of custom applications.
reference A means of inserting a property from one AWS resource (p. 448) into another.
For example, you could insert an Amazon EC2 (p. 409) security group (p. 451)
property into an Amazon RDS (p. 412) resource.
Region A named set of AWS resource (p. 448)s in the same geographical area. A Region
comprises at least two Availability Zone (p. 415)s.
regression model Amazon Machine Learning: Preformatted instructions for common data
transformations that fine-tune machine learning model performance.
regression model A type of machine learning model that predicts a numeric value, such as the exact
purchase price of a house.
regularization A machine learning (ML) parameter that you can tune to obtain higher-quality
ML models. Regularization helps prevent ML models from memorizing training
Version 1.0
447
data examples instead of learning how to generalize the patterns it sees (called
overfitting). When training data is overfitted, the ML model performs well on the
training data but does not perform well on the evaluation data or on new data.
replacement environment The instances in a deployment group after the CodeDeploy blue/green
deployment.
replica shard See shard.
reply path The email address to which an email reply is sent. This is different from the return
path (p. 449).
representational state See REST.

transfer
reputation 1. An Amazon SES (p. 412) metric, based on factors that might include
bounce (p. 422)s, complaint (p. 425)s, and other metrics, regarding whether or
not a customer is sending high-quality email.
2. A measure of confidence, as judged by an internet service provider (p. 436) or

other entity that an IP address that they are receiving email from is not the source
of spam (p. 453).
requester The person (or application) that sends a request to AWS to perform a specific
action. When AWS receives a request, it first evaluates the requester's permissions
to determine whether the requester is allowed to perform the request action (if
applicable, for the requested resource (p. 448)).
Requester Pays An Amazon S3 (p. 412) feature that allows a bucket owner (p. 423) to specify
that anyone who requests access to objects in a particular bucket (p. 423) must
pay the data transfer and request costs.
reservation A collection of EC2 instance (p. 430)s started as part of the same launch
request. Not to be confused with a Reserved Instance (p. 448).
Reserved Instance A pricing option for EC2 instance (p. 430)s that discounts the on-
demand (p. 442) usage charge for instances that meet the specified parameters.
Customers pay for the entire term of the instance, regardless of how they use it.
Reserved Instance An online exchange that matches sellers who have reserved capacity that they
Marketplace no longer need with buyers who are looking to purchase additional capacity.
Reserved Instance (p. 448)s that you purchase from third-party sellers have less
than a full standard term remaining and can be sold at different upfront prices.
The usage or reoccurring fees remain the same as the fees set when the Reserved
Instances were originally purchased. Full standard terms for Reserved Instances
available from AWS run for one year or three years.
resource An entity that users can work with in AWS, such as an EC2 instance (p. 430), an
Amazon DynamoDB (p. 409) table, an Amazon S3 (p. 412) bucket (p. 423), an
IAM (p. 418) user, an AWS OpsWorks (p. 419) stack (p. 454), and so on.
resource property A value required when including an AWS resource (p. 448) in an AWS
CloudFormation (p. 415) stack (p. 454). Each resource may have one or more
properties associated with it. For example, an AWS::EC2::Instance resource
may have a UserData property. In an AWS CloudFormation template, resources
must declare a properties section, even if the resource has no properties.
resource record Also called resource record set. The fundamental information elements in the
Domain Name System (DNS).
Version 1.0
448
See Also Domain Name System in Wikipedia.
REST Representational state transfer. A simple stateless architecture that generally runs
over HTTPS/TLS. REST emphasizes that resources have unique and hierarchical
identifiers (URIs), are represented by common media types (HTML, XML,
JSON (p. 437), and so on), and that operations on the resources are either
predefined or discoverable within the media type. In practice, this generally
results in a limited number of operations.
See Also Query, WSDL, SOAP.
RESTful web service Also known as RESTful API. A web service that follows REST (p. 449)
architectural constraints. The API operations must use HTTP methods explicitly;
expose hierarchical URIs; and transfer either XML, JSON (p. 437), or both.
return enabled Amazon CloudSearch (p. 408): An index field option that enables the field's
values to be returned in the search results.
return path The email address to which bounced email is returned. The return path is
specified in the header of the original email. This is different from the reply
path (p. 448).
revision AWS CodePipeline (p. 416): A change made to a source that is configured in a
source action, such as a pushed commit to a GitHub (p. 434) repository or an
update to a file in a versioned Amazon S3 (p. 412) bucket (p. 423).
role A tool for giving temporary access to AWS resource (p. 448)s in your AWS
account (p. 407).
rollback A return to a previous state that follows the failure to create an object, such as
AWS CloudFormation (p. 415) stack (p. 454). All resource (p. 448)s associated
with the failure are deleted during the rollback. For AWS CloudFormation, you can
override this behavior using the --disable-rollback option on the command
line.
root AWS Organizations (p. 419): A parent container for the accounts in your
organization. If you apply a service control policy (p. 451) to the root, it applies
to every organizational unit (p. 443) and account in the organization.
root credentials Authentication information associated with the AWS account (p. 407) owner.
root device volume A volume (p. 459) that contains the image used to boot the instance (p. 436)
(also known as a root device). If you launched the instance from an AMI (p. 411)
backed by instance store (p. 436), this is an instance store volume (p. 459)
created from a template stored in Amazon S3 (p. 412). If you launched the
instance from an AMI backed by Amazon EBS (p. 409), this is an Amazon EBS
volume created from an Amazon EBS snapshot.
route table A set of routing rules that controls the traffic leaving any subnet (p. 455) that is
associated with the route table. You can associate multiple subnets with a single
route table, but a subnet can be associated with only one route table at a time.
row identifier Amazon Machine Learning: An attribute in the input data that you can include
in the evaluation or prediction output to make it easier to associate a prediction
with an observation.
rule AWS WAF (p. 421): A set of conditions that AWS WAF searches for in web
requests to AWS resource (p. 448)s such as Amazon CloudFront (p. 408)
distributions. You add rules to a web ACL (p. 459), and then specify whether you
want to allow or block web requests based on each rule.
Version 1.0
449
S
Z (p. 460)
S3 See Amazon Simple Storage Service (Amazon S3).
sampling period A defined duration of time, such as one minute, over which Amazon
CloudWatch (p. 408) computes a statistic (p. 454).
sandbox A testing location where you can test the functionality of your application without
affecting production, incurring charges, or purchasing products.
Amazon SES (p. 412): An environment that is designed for developers to test
and evaluate the service. In the sandbox, you have full access to the Amazon SES
API, but you can only send messages to verified email addresses and the mailbox
simulator. To get out of the sandbox, you need to apply for production access.
Accounts in the sandbox also have lower sending limits (p. 451) than production
accounts.
scale in To remove EC2 instances from an Auto Scaling group (p. 414).
scale out To add EC2 instances to an Auto Scaling group (p. 414).
scaling policy A description of how Auto Scaling should automatically scale an Auto Scaling
group (p. 414) in response to changing demand.
See Also scale in, scale out.
scaling activity A process that changes the size, configuration, or makeup of an Auto Scaling
group (p. 414) by launching or terminating instances.
scheduler The method used for placing task (p. 456)s on container instance (p. 425)s.
schema Amazon Machine Learning: The information needed to interpret the input data
for a machine learning model, including attribute names and their assigned data
types, and the names of special attributes.
score cut-off value Amazon Machine Learning: A binary classification model outputs a score that
ranges from 0 to 1. To decide whether an observation should be classified as 1
or 0, you pick a classification threshold, or cut-off, and Amazon ML compares the
score against it. Observations with scores higher than the cut-off are predicted as
target equals 1, and scores lower than the cut-off are predicted as target equals 0.
SCP See service control policy.
search API Amazon CloudSearch (p. 408): The API that you use to submit search requests to
a search domain (p. 450).
search domain Amazon CloudSearch (p. 408): Encapsulates your searchable data and the
search instances that handle your search requests. You typically set up a separate
Amazon CloudSearch domain for each different collection of data that you want
to search.
search domain configuration Amazon CloudSearch (p. 408): An domain's indexing options, analysis
scheme (p. 413)s, expression (p. 432)s, suggester (p. 455)s, access policies,
and scaling and availability options.
Version 1.0
450
search enabled Amazon CloudSearch (p. 408): An index field option that enables the field data
to be searched.
search endpoint Amazon CloudSearch (p. 408): The URL that you connect to when sending
search requests to a search domain. Each Amazon CloudSearch domain has a
unique search endpoint that remains the same for the life of the domain.
search index Amazon CloudSearch (p. 408): A representation of your searchable data that
facilitates fast and accurate data retrieval.
search instance Amazon CloudSearch (p. 408): A compute resource (p. 448) that indexes
your data and processes search requests. An Amazon CloudSearch domain
has one or more search instances, each with a finite amount of RAM and CPU
resources. As your data volume grows, more search instances or larger search
instances are deployed to contain your indexed data. When necessary, your index
is automatically partitioned across multiple search instances. As your request
volume or complexity increases, each search partition is automatically replicated
to provide additional processing capacity.
search request Amazon CloudSearch (p. 408): A request that is sent to an Amazon CloudSearch
domain's search endpoint to retrieve documents from the index that match
particular search criteria.
search result Amazon CloudSearch (p. 408): A document that matches a search request. Also
referred to as a search hit.
secret access key A key that is used in conjunction with the access key ID (p. 406) to
cryptographically sign programmatic AWS requests. Signing a request identifies
the sender and prevents the request from being altered. You can generate secret
access keys for your AWS account (p. 407), individual IAM user (p. 458)s, and
temporary sessions.
security group A named set of allowed inbound network connections for an instance. (Security
groups in Amazon VPC (p. 413) also include support for outbound connections.)
Each security group consists of a list of protocols, ports, and IP address ranges. A
security group can apply to multiple instances, and multiple groups can regulate a
single instance.
sender The person or entity sending an email message.
Sender ID A Microsoft-controlled version of SPF (p. 453). An email authentication and

anti-spoofing system. For more information about Sender ID, see Sender ID in
Wikipedia.
sending limits The sending quota (p. 451) and maximum send rate (p. 440) that are
associated with every Amazon SES (p. 412) account.
sending quota The maximum number of email messages that you can send using Amazon
SES (p. 412) in a 24-hour period.
server-side encryption (SSE) The encrypting (p. 431) of data at the server level. Amazon S3 (p. 412)
supports three modes of server-side encryption: SSE-S3, in which Amazon S3
manages the keys; SSE-C, in which the customer manages the keys; and SSE-KMS,
in which AWS Key Management Service (AWS KMS) (p. 418) manages keys.
service See Amazon ECS service.
service control policy AWS Organizations (p. 419): A policy-based control that specifies the services
and actions that users and roles can use in the accounts that the service control
policy (SCP) affects.
Version 1.0
451
service endpoint See endpoint.
service health dashboard A web page showing up-to-the-minute information about AWS service
availability. The dashboard is located at http://status.aws.amazon.com/.
Service Quotas A service for viewing and managing your quotas easily and at scale as your AWS
workloads grow. Quotas, also referred to as limits, are the maximum number of
resources that you can create in an AWS account.
service role An IAM (p. 418) role (p. 449) that grants permissions to an AWS service so it
can access AWS resource (p. 448)s. The policies that you attach to the service
role determine which AWS resources the service can access and what it can do
with those resources.
SES See Amazon Simple Email Service (Amazon SES).
session The period during which the temporary security credentials provided by AWS
Security Token Service (AWS STS) (p. 420) allow access to your AWS account.
SHA Secure Hash Algorithm. SHA1 is an earlier version of the algorithm, which AWS
has deprecated in favor of SHA256.
shard Amazon Elasticsearch Service (Amazon ES) (p. 410): A partition of data in an
index. You can split an index into multiple shards, which can include primary
shards (original shards) and replica shards (copies of the primary shards). Replica
shards provide failover, which means that a replica shard is promoted to a primary
shard if a cluster node that contains a primary shard fails. Replica shards also can
handle requests.
shared AMI An Amazon Machine Image (AMI) (p. 411) that a developer builds and makes
available for others to use.
shutdown action Amazon EMR (p. 410): A predefined bootstrap action that launches a script that
executes a series of commands in parallel before terminating the job flow.
signature Refers to a digital signature, which is a mathematical way to confirm the

authenticity of a digital message. AWS uses signatures to authenticate the
requests you send to our web services. For more information, to https://
aws.amazon.com/security.
SIGNATURE file AWS Import/Export (p. 418): A file you copy to the root directory of your
storage device. The file contains a job ID, manifest file, and a signature.
Signature Version 4 Protocol for authenticating inbound API requests to AWS services in all AWS
Regions.
Simple Mail Transfer Protocol See SMTP.
Simple Object Access Protocol See SOAP.
Simple Storage Service See Amazon Simple Storage Service (Amazon S3).
Single Sign-On See AWS Single Sign-On.
Single-AZ DB instance A standard (non-Multi-AZ) DB instance (p. 428) that is deployed in one
Availability Zone (p. 415), without a standby replica in another Availability Zone.
See Also Multi-AZ deployment.
sloppy phrase search A search for a phrase that specifies how close the terms must be to one another
to be considered a match.
Version 1.0
452
SMTP Simple Mail Transfer Protocol. The standard that is used to exchange email
messages between internet hosts for the purpose of routing and delivery.
snapshot Amazon Elastic Block Store (Amazon EBS) (p. 409): A backup of your
volume (p. 459)s that is stored in Amazon S3 (p. 412). You can use these
snapshots as the starting point for new Amazon EBS volumes or to protect your
data for long-term durability.
See Also DB snapshot.
SNS See Amazon Simple Notification Service (Amazon SNS).
SOAP Simple Object Access Protocol. An XML-based protocol that lets you exchange
information over a particular protocol (HTTP or SMTP, for example) between
applications.
See Also REST, WSDL.
soft bounce A temporary email delivery failure such as one resulting from a full mailbox.
software VPN A software appliance-based VPN connection over the internet.
sort enabled Amazon CloudSearch (p. 408): An index field option that enables a field to be
used to sort the search results.
sort key An attribute used to sort the order of partition keys in a composite primary key
(also known as a range attribute).
See Also partition key, primary key.
source/destination checking A security measure to verify that an EC2 instance (p. 430) is the origin of all
traffic that it sends and the ultimate destination of all traffic that it receives; that
is, that the instance is not relaying traffic. Source/destination checking is enabled
by default. For instances that function as gateways, such as VPC (p. 459)
NAT (p. 441) instances, source/destination checking must be disabled.
spam Unsolicited bulk email.
spamtrap An email address that is set up by an anti-spam (p. 453) entity, not for
correspondence, but to monitor unsolicited email. This is also called a honeypot.
SPF Sender Policy Framework. A standard for authenticating email.
Spot Instance A type of EC2 instance (p. 430) that you can bid on to take advantage of unused
Amazon EC2 (p. 409) capacity.
Spot price The price for a Spot Instance (p. 453) at any given time. If your maximum price
exceeds the current price and your restrictions are met, Amazon EC2 (p. 409)
launches instances on your behalf.
SQL injection match condition AWS WAF (p. 421): An attribute that specifies the part of web requests, such
as a header or a query string, that AWS WAF inspects for malicious SQL code.
Based on the specified conditions, you can configure AWS WAF to allow or block
web requests to AWS resource (p. 448)s such as Amazon CloudFront (p. 408)
distributions.
SQS See Amazon Simple Queue Service (Amazon SQS).
SSE See server-side encryption (SSE).
SSL Secure Sockets Layer

See Also Transport Layer Security.
SSO See AWS Single Sign-On.
Version 1.0
453
stack AWS CloudFormation (p. 415): A collection of AWS resource (p. 448)s that you
create and delete as a single unit.
AWS OpsWorks (p. 419): A set of instances that you manage collectively,
typically because they have a common purpose such as serving PHP applications.
A stack serves as a container and handles tasks that apply to the group of
instances as a whole, such as managing applications and cookbooks.
station AWS CodePipeline (p. 416): A portion of a pipeline workflow where one or more
actions are performed.
station A place at an AWS facility where your AWS Import/Export data is transferred on
to, or off of, your storage device.
statistic One of five functions of the values submitted for a given sampling
period (p. 450). These functions are Maximum, Minimum, Sum, Average, and
SampleCount.
stem The common root or substring shared by a set of related words.
stemming The process of mapping related words to a common stem. This enables matching
on variants of a word. For example, a search for "horse" could return matches for
horses, horseback, and horsing, as well as horse. Amazon CloudSearch (p. 408)
supports both dictionary based and algorithmic stemming.
step Amazon EMR (p. 410): A single function applied to the data in a job
flow (p. 437). The sum of all steps comprises a job flow.
step type Amazon EMR (p. 410): The type of work done in a step. There are a limited
number of step types, such as moving data from Amazon S3 (p. 412) to Amazon
EC2 (p. 409) or from Amazon EC2 to Amazon S3.
sticky session A feature of the Elastic Load Balancing (p. 430) load balancer that binds a user's
session to a specific application instance so that all requests coming from the user
during the session are sent to the same application instance. By contrast, a load
balancer defaults to route each request independently to the application instance
with the smallest load.
stopping The process of filtering stop words from an index or search request.
stopword A word that is not indexed and is automatically filtered out of search requests
because it is either insignificant or so common that including it would result in
too many matches to be useful. Stopwords are language specific.
streaming Amazon EMR (Amazon EMR) (p. 410): A utility that comes with
Hadoop (p. 434) that enables you to develop MapReduce executables in
languages other than Java.
Amazon CloudFront (p. 408): The ability to use a media file in real time—as it is
transmitted in a steady stream from a server.
streaming distribution A special kind of distribution (p. 429) that serves streamed media files using a
Real Time Messaging Protocol (RTMP) connection.
Streams See Amazon Kinesis Data Streams.
string-to-sign Before you calculate an HMAC (p. 435) signature, you first assemble the required
components in a canonical order. The preencrypted string is the string-to-sign.
string match condition AWS WAF (p. 421): An attribute that specifies the strings that AWS WAF
searches for in a web request, such as a value in a header or a query string. Based
Version 1.0
454
on the specified strings, you can configure AWS WAF to allow or block web
requests to AWS resource (p. 448)s such as CloudFront (p. 408) distributions.
strongly consistent read A read process that returns a response with the most up-to-date data, reflecting
the updates from all prior write operations that were successful—regardless of
the Region.
See Also data consistency, eventual consistency, eventually consistent read.
structured query Search criteria specified using the Amazon CloudSearch (p. 408) structured
query language. You use the structured query language to construct compound
queries that use advanced search options and combine multiple search criteria
using Boolean operators.
STS See AWS Security Token Service (AWS STS).
subnet A segment of the IP address range of a VPC (p. 459) that EC2
instance (p. 430)s can be attached to. You can create subnets to group instances
according to security and operational needs.
Subscription button An HTML-coded button that enables an easy way to charge customers a recurring
fee.
suggester Amazon CloudSearch (p. 408): Specifies an index field you want to use to get
autocomplete suggestions and options that can enable fuzzy matches and control
how suggestions are sorted.
suggestions Documents that contain a match for the partial search string in the field
designated by the suggester (p. 455). Amazon CloudSearch (p. 408)
suggestions include the document IDs and field values for each matching
document. To be a match, the string must match the contents of the field starting
from the beginning of the field.
supported AMI An Amazon Machine Image (AMI) (p. 411) similar to a paid AMI (p. 444), except
that the owner charges for additional software or a service that customers use
with their own AMIs.
SWF See Amazon Simple Workflow Service (Amazon SWF).
symmetric encryption Encryption (p. 431) that uses a private key only.
See Also asymmetric encryption.
synchronous bounce A type of bounce (p. 422) that occurs while the email servers of the
sender (p. 451) and receiver (p. 447) are actively communicating.
synonym A word that is the same or nearly the same as an indexed word and that should
produce the same results when specified in a search request. For example, a
search for "Rocky Four" or "Rocky 4" should return the fourth Rocky movie. This
can be done by designating that four and 4 are synonyms for IV. Synonyms are
language specific.
T
Z (p. 460)
table A collection of data. Similar to other database systems, DynamoDB stores data in
tables.
Version 1.0
455
tag Metadata that you can define and assign to AWS resource (p. 448)s, such as an
EC2 instance (p. 430). Not all AWS resources can be tagged.
tagging Tagging resources: Applying a tag (p. 456) to an AWS resource (p. 448).
Amazon SES (p. 412): Also called labeling. A way to format return path (p. 449)
email addresses so that you can specify a different return path for each
recipient of a message. Tagging enables you to support VERP (p. 458). For
example, if Andrew manages a mailing list, he can use the return paths andrew
[email protected] and [email protected] so that he can
determine which email bounced.
target attribute Amazon Machine Learning (Amazon ML ): The attribute in the input data that
contains the “correct” answers. Amazon ML uses the target attribute to learn how
to make predictions on new data. For example, if you were building a model for
predicting the sale price of a house, the target attribute would be “target sale
price in USD.”
target revision AWS CodeDeploy (p. 416): The most recent version of the application revision
that has been uploaded to the repository and will be deployed to the instances in
a deployment group. In other words, the application revision currently targeted
for deployment. This is also the revision that will be pulled for automatic
deployments.
task An instantiation of a task definition (p. 456) that is running on a container

instance (p. 425).
task definition The blueprint for your task. Specifies the name of the task (p. 456), revisions,
container definition (p. 425)s, and volume (p. 459) information.
task node An EC2 instance (p. 430) that runs Hadoop (p. 434) map and reduce tasks,
but does not store data. Task nodes are managed by the master node (p. 440),
which assigns Hadoop tasks to nodes and monitors their status. While a job flow
is running you can increase and decrease the number of task nodes. Because they
don't store data and can be added and removed from a job flow, you can use task
nodes to manage the EC2 instance capacity your job flow uses, increasing capacity
to handle peak loads and decreasing it later.
Task nodes only run a TaskTracker Hadoop daemon.
tebibyte A contraction of tera binary byte, a tebibyte is 2^40 or 1,099,511,627,776

bytes. A terabyte (TB) is 10^12 or 1,000,000,000,000 bytes. 1,024 TiB is a
pebibyte (p. 444).
template format version The version of an AWS CloudFormation (p. 415) template design that
determines the available features. If you omit the AWSTemplateFormatVersion
section from your template, AWS CloudFormation assumes the most recent
format version.
template validation The process of confirming the use of JSON (p. 437) code in an AWS
CloudFormation (p. 415) template. You can validate any AWS CloudFormation
template using the cfn-validate-template command.
temporary security Authentication information that is provided by AWS STS (p. 420) when you
credentials call an STS API action. Includes an access key ID (p. 406), a secret access
key (p. 451), a session (p. 452) token, and an expiration time.
throttling The automatic restricting or slowing down of a process based on one or more
limits. Examples: Amazon Kinesis Data Streams (p. 411) throttles operations if
an application (or group of applications operating on the same stream) attempts
Version 1.0
456
to get data from a shard at a rate faster than the shard limit. Amazon API
Gateway (p. 408) uses throttling to limit the steady-state request rates for a
single account. Amazon SES (p. 412) uses throttling to reject attempts to send
email that exceeds the sending limits (p. 451).
time series data Data provided as part of a metric. The time value is assumed to be when the value
occurred. A metric is the fundamental concept for Amazon CloudWatch (p. 408)
and represents a time-ordered set of data points. You publish metric data points
into CloudWatch and later retrieve statistics about those data points as a time-
series ordered dataset.
timestamp A date/time string in ISO 8601 format.
TLS See Transport Layer Security.
tokenization The process of splitting a stream of text into separate tokens on detectable
boundaries such as white space and hyphens.
topic A communication channel to send messages and subscribe to notifications. It

provides an access point for publishers and subscribers to communicate with each
other.
Traffic Mirroring An Amazon VPC feature that you can use to copy network traffic from an elastic
network interface of Amazon EC2 instances, and then send it to out-of-band
security and monitoring appliances for content inspection, threat monitoring, and
troubleshooting.
See Also https://aws.amazon.com/vpc/.
training datasource A datasource that contains the data that Amazon Machine Learning uses to train
the machine learning model to make predictions.
transition AWS CodePipeline (p. 416): The act of a revision in a pipeline continuing from
one stage to the next in a workflow.
Transport Layer Security A cryptographic protocol that provides security for communication over the
internet. Its predecessor is Secure Sockets Layer (SSL).
trust policy An IAM (p. 418) policy (p. 444) that is an inherent part of an IAM
role (p. 449). The trust policy specifies which principal (p. 445)s are allowed to
use the role.
trusted signers AWS account (p. 407)s that the CloudFront (p. 408) distribution owner has
given permission to create signed URLs for a distribution's content.
tuning Selecting the number and type of AMIs (p. 411) to run a Hadoop (p. 434) job
flow most efficiently.
tunnel A route for transmission of private network traffic that uses the internet to
connect nodes in the private network. The tunnel uses encryption and secure
protocols such as PPTP to prevent the traffic from being intercepted as it passes
through public routing nodes.
U
Z (p. 460)
Version 1.0
457
unbounded The number of potential occurrences is not limited by a set number. This
value is often used when defining a data type that is a list (for example,
maxOccurs="unbounded"), in WSDL (p. 459).
unit Standard measurement for the values submitted to Amazon

CloudWatch (p. 408) as metric data. Units include seconds, percent, bytes, bits,
count, bytes/second, bits/second, count/second, and none.
unlink from VPC The process of unlinking (or detaching) an EC2-Classic instance (p. 436) from a
ClassicLink-enabled VPC (p. 459).
See Also ClassicLink, link to VPC.
usage report An AWS record that details your usage of a particular AWS service. You can
generate and download usage reports from https://aws.amazon.com/usage-
reports/.
user A person or application under an account (p. 407) that needs to make API calls
to AWS products. Each user has a unique name within the AWS account, and a set
of security credentials not shared with other users. These credentials are separate
from the AWS account's security credentials. Each user is associated with one and
only one AWS account.
V
Z (p. 460)
validation See template validation.
value Instances of attributes (p. 414) for an item, such as cells in a spreadsheet. An
attribute might have multiple values.
Tagging resources: A specific tag (p. 456) label that acts as a descriptor within a
tag category (key). For example, you might have EC2 instance (p. 430) with the
tag key of Owner and the tag value of Jan. You can tag an AWS resource (p. 448)
with up to 10 key–value pairs. Not all AWS resources can be tagged.
Variable Envelope Return See VERP.

Path
verification The process of confirming that you own an email address or a domain so that you
can send email from or to it.
VERP Variable Envelope Return Path. A way in which email sending applications can
match bounce (p. 422)d email with the undeliverable address that caused
the bounce by using a different return path (p. 449) for each recipient. VERP
is typically used for mailing lists. With VERP, the recipient's email address is
embedded in the address of the return path, which is where bounced email is
returned. This makes it possible to automate the processing of bounced email
without having to open the bounce messages, which may vary in content.
versioning Every object in Amazon S3 (p. 412) has a key and a version ID. Objects with the
same key, but different version IDs can be stored in the same bucket (p. 423).
Versioning is enabled at the bucket layer using PUT Bucket versioning.
VGW See virtual private gateway.
Version 1.0
458
virtualization Allows multiple guest virtual machines (VM) to run on a host operating system.
Guest VMs can run on one or more levels above the host hardware, depending on
the type of virtualization.
See Also PV virtualization, HVM virtualization.
virtual private cloud See VPC.
virtual private gateway (VGW) The Amazon side of a VPN connection (p. 459) that maintains
connectivity. The internal interfaces of the virtual private gateway connect to
your VPC (p. 459) via the VPN attachment and the external interfaces connect
to the VPN connection, which leads to the customer gateway (p. 427).
visibility timeout The period of time that a message is invisible to the rest of your application after
an application component gets it from the queue. During the visibility timeout,
the component that received the message usually processes it, and then deletes
it from the queue. This prevents multiple components from processing the same
message.
volume A fixed amount of storage on an instance (p. 436). You can share volume
data between container (p. 425)s and persist the data on the container
instance (p. 425) when the containers are no longer running.
VPC Virtual private cloud. An elastic network populated by infrastructure, platform,

and application services that share common security and interconnection.
VPC endpoint A feature that enables you to create a private connection between your
VPC (p. 459) and another AWS service without requiring access over the
internet, through a NAT (p. 441) instance, a VPN connection (p. 459), or AWS
Direct Connect (p. 416).
VPG See virtual private gateway.
VPN CloudHub See AWS VPN CloudHub.
VPN connection Amazon Web Services (AWS) (p. 413): The IPsec connection between a
VPC (p. 459) and some other network, such as a corporate data center, home
network, or colocation facility.
W
Z (p. 460)
WAM See Amazon WorkSpaces Application Manager (Amazon WAM).
web access control list AWS WAF (p. 421): A set of rules that defines the conditions that AWS WAF
searches for in web requests to AWS resource (p. 448)s such as Amazon
CloudFront (p. 408) distributions. A web access control list (web ACL) specifies
whether to allow, block, or count the requests.
Web Services Description See WSDL.

Language
WSDL Web Services Description Language. A language used to describe the actions
that a web service can perform, along with the syntax of action requests and
responses.
See Also REST, SOAP.
Version 1.0
459
X, Y, Z
X.509 certificate A digital document that uses the X.509 public key infrastructure (PKI) standard to
verify that a public key belongs to the entity described in the certificate (p. 424).
yobibyte A contraction of yotta binary byte, a yobibyte is 2^80 or

1,208,925,819,614,629,174,706,176 bytes. A yottabyte (YB) is 10^24 or
1,000,000,000,000,000,000,000,000 bytes.
zebibyte A contraction of zetta binary byte, a zebibyte is 2^70 or

1,180,591,620,717,411,303,424 bytes. A zettabyte (ZB) is 10^21 or
1,000,000,000,000,000,000,000 bytes. 1,024 ZiB is a yobibyte (p. 460).
zone awareness Amazon Elasticsearch Service (Amazon ES) (p. 410): A configuration that
distributes nodes in a cluster across two Availability Zone (p. 415)s in the same
Region. Zone awareness helps to prevent data loss and minimizes downtime in
the event of node and data center failure. If you enable zone awareness, you must
have an even number of data instances in the instance count, and you also must
use the Amazon Elasticsearch Service Configuration API to replicate your data for
your Elasticsearch cluster.
Version 1.0
460

Aws General

Uploaded by

Copyright:

Available Formats

Aws General

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aws General

Uploaded by

Copyright:

Available Formats

AWS General Reference

AWS General Reference: Reference guide

Amazon Comprehend Medical .................................................................................................... 53

AWS IoT Device Operations ............................................................................................. 114

Resource Groups Tagging API ................................................................................................... 160

AWS Account Identiﬁers .......................................................................................................... 219

CodeCommit .......................................................................................................................... 250

AWS IoT Greengrass ................................................................................................................ 288

AWS Storage Gateway ............................................................................................................. 326

More Information on Tagging .................................................................................................. 403

AWS General Reference

• AWS Service Endpoints (p. 2)

AWS Service Endpoints

aws kms create-key --endpoint-url https://kms-fips.us-west-2.amazonaws.com

Learn More About Endpoints

You can ﬁnd endpoint information from the following sources:

AWS Regions and Endpoints by Service

Alexa for Business

US East (N. us-east-1 a4b.us-east-1.amazonaws.com HTTPS

Amazon API Gateway

Amazon API Gateway Control Plane

US East us-east-2 apigateway.us-east-2.amazonaws.com HTTPS

US East (N. us-east-1 apigateway.us-east-1.amazonaws.com HTTPS

US us-west-1 apigateway.us-west-1.amazonaws.com HTTPS

Region Region Endpoint Protocol

US West us-west-2 apigateway.us-west-2.amazonaws.com HTTPS

Asia ap-east-1 apigateway.ap-east-1.amazonaws.com HTTPS

Asia ap- apigateway.ap-south-1.amazonaws.com HTTPS

Asia ap- apigateway.ap-northeast-2.amazonaws.com HTTPS

Asia ap- apigateway.ap-southeast-1.amazonaws.com HTTPS

Asia ap- apigateway.ap-southeast-2.amazonaws.com HTTPS

Asia ap- apigateway.ap-northeast-1.amazonaws.com HTTPS

Canada ca- apigateway.ca-central-1.amazonaws.com HTTPS

China cn-north-1 apigateway.cn-north-1.amazonaws.com.cn HTTPS

China cn- apigateway.cn-northwest-1.amazonaws.com.cn HTTPS

EU eu- apigateway.eu-central-1.amazonaws.com HTTPS

EU eu-west-1 apigateway.eu-west-1.amazonaws.com HTTPS

EU eu-west-2 apigateway.eu-west-2.amazonaws.com HTTPS

EU (Paris) eu-west-3 apigateway.eu-west-3.amazonaws.com HTTPS

EU eu-north-1 apigateway.eu-north-1.amazonaws.com HTTPS

Middle me- apigateway.me-south-1.amazonaws.com HTTPS

Region Region Endpoint Protocol

South sa-east-1 apigateway.sa-east-1.amazonaws.com HTTPS

AWS us-gov- apigateway.us-gov-east-1.amazonaws.com HTTPS

AWS us-gov- apigateway.us-gov-west-1.amazonaws.com HTTPS

Amazon API Gateway Data Plane

Region Region Endpoint Protocol Route 53

US East us-east-2 execute-api.us-east-2.amazonaws.com HTTPS ZOJJZC49E0EPZ

US us-east-1 execute-api.us-east-1.amazonaws.com HTTPS Z1UJRXOUMOOFQ8

US us- execute-api.us-west-1.amazonaws.com HTTPS Z2MUQ32089INYE

US West us- execute-api.us-west-2.amazonaws.com HTTPS Z2OJLYMUO9EFXC

Asia ap-east-1 execute-api.ap-east-1.amazonaws.com HTTPS Z3FD1VL90ND7K5

Asia ap- execute-api.ap-south-1.amazonaws.com HTTPS Z3VO1THU9YC4UR

Asia ap- execute-api.ap-northeast-2.amazonaws.com HTTPS Z20JF4UZKIW1U8

Asia ap- execute-api.ap-southeast-1.amazonaws.com HTTPS ZL327KTPIQFUL

Asia ap- execute-api.ap-southeast-2.amazonaws.com HTTPS Z2RPCDW04V8134

Region Region Endpoint Protocol Route 53

Asia ap- execute-api.ap-northeast-1.amazonaws.com HTTPS Z1YSHQZHG15GKL

Canada ca- execute-api.ca-central-1.amazonaws.com HTTPS Z19DQILCV0OWEC