US International Traffic in Arms Regulations (ITAR)
Overview
AWS GovCloud (US) supports compliance with United States International Traffic in Arms Regulations (ITAR). As a part of managing a comprehensive ITAR compliance program, companies that are subject to ITAR export regulations must control unintended exports by enabling access to only authorized persons. AWS GovCloud (US) provides an environment that is physically located in the US, and access by AWS personnel is limited to US Citizens, thereby allowing qualified companies to use AWS to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (US) environment has been audited by an independent third-party assessment organization (3PAO) to validate that proper controls are in place to support customer export compliance programs.

FAQs
What is ITAR?
International Traffic in Arms Regulations (ITAR) controls the export from the US of defense-related articles, and the regulations state that no non-US person can have physical or logical access to the articles stored in the ITAR environment.
Articles that are covered by the ITAR United States Munitions List (USML) include equipment, components, materials, software, and technical information that can only be shared with US Persons unless under special authorization or exemption. US Persons are individuals who are US Green Card (Permanent Resident Card) holders or US citizens.
How do ITAR requirements apply in the cloud?
ITAR compliance in the cloud focuses on ensuring that information considered ITAR technical data is not inadvertently released to foreign persons or foreign nations without proper authorization.
How does AWS support customers who are subject to ITAR export regulations?
AWS provides customers with the option to store their data in AWS GovCloud (US), which is managed solely by US Citizens in US locations. AWS GovCloud (US) is Amazon’s isolated cloud environment where accounts are only granted to US Persons working for US organizations.
Because AWS does not have any visibility into what customers are uploading onto our network, including whether or not that data is deemed subject to ITAR regulations, all customer data within AWS GovCloud (US) is treated as ITAR data.
How does AWS GovCloud (US) provide assurance to customers that it meets ITAR requirements?
There is no formal ITAR certification. AWS GovCloud (US) is continuously audited by an accredited Federal Risk and Authorization Management Program (FedRAMP) independent third-party assessment organization (3PAO) and has been issued a FedRAMP Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) at the High Baseline. The Chief Information Officers (CIO) from the US Department of Defense, Department of Homeland Security, and General Services Administration represent the JAB. For more information, see Achieve FedRAMP High Compliance in AWS GovCloud (US).