AWS Security ChangesHomeSearch

AWS govcloud-us documentation change

Service: govcloud-us · 2026-02-28 · Documentation low

File: govcloud-us/latest/UserGuide/govcloud-sso.md

Summary

Added documentation for dual-stack (IPv4/IPv6) endpoint support in IAM Identity Center and expanded allowlist domain requirements for web-content filtering solutions.

Security assessment

The change adds configuration guidance for allowlisting security-related domains (e.g., threat-mitigation, CAPTCHA) to ensure proper service functionality. While this improves security posture, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/govcloud-us/latest/UserGuide/govcloud-sso.md b/govcloud-us/latest/UserGuide/govcloud-sso.md
index eeeab89d0..92608349d 100644
--- a//govcloud-us/latest/UserGuide/govcloud-sso.md
+++ b//govcloud-us/latest/UserGuide/govcloud-sso.md
@@ -16,0 +17,2 @@ The following list details the differences for using this service in the AWS Gov
+  * IAM Identity Center supports dual-stack endpoints in AWS GovCloud (US) Regions. You can use either IPv4, IPv6, or dual-stack to access IAM Identity Center services and the AWS access portal.
+
@@ -22,0 +25,4 @@ You can find this URL on the **Settings** page in the IAM Identity Center consol
+  * The new AWS access portal URL format for AWS GovCloud (US) follows the pattern `https://{idcInstanceId}.portal.{region}.app.aws`, similar to the commercial region format.
+
+This new URL format provides a consistent experience across all AWS regions.
+
@@ -66,0 +73,32 @@ The email address `no-reply@<identitystore_id>.us-gov-home.awsapps.com` is used
+  * For dual-stack (IPv4 and IPv6) endpoint access, you must also add the following domains to your web-content filtering solution allowlists:
+
+    * `[idcInstanceId].portal.[Region].app.aws`
+
+    * `portal.sso.[Region].api.aws`
+
+    * `oidc.[Region].api.aws`
+
+    * `oidc-fips.[Region].api.aws`
+
+    * `sso.[Region].api.aws`
+
+    * `scim.[Region].api.aws`
+
+    * `identitystore.[Region].api.aws`
+
+    * `identity-sync.[Region].api.aws`
+
+    * `dual-stack.auth-control.[Region].prod.apps-auth.aws.a2z.com`
+
+    * `pvs-controlplane.[Region].api.aws`
+
+    * `[Region].sso.signin.amazonaws-us-gov.com`
+
+    * `[Region].sso.signin-fips.amazonaws-us-gov.com`
+
+    * `cdn.us-east-1.threat-mitigation.aws.amazon.com`
+
+    * `us-east-1.threat-mitigation.aws.amazon.com`
+
+    * `amcs-captcha-prod-us-east-1.s3.dualstack.us-east-1.amazonaws.com`
+