Can I create a cross-account role between AWS and AWS Gov?


The use case is as follows:

Account 1 has a public hosted zone with the cert (ACM)

Account 2 (GOV cloud, linked to Account 1, only private HZ allowed)

Is it possible to grant cross access to Account 2 to access HZ in Account 1 or would it need to be a manual process of creating the private HZ and then have Route53 in Account 1 divert traffic to Account 2 private HZ?

co5, asked 10 months ago, 397 views
2 Answers
Accepted Answer
co5, answered 10 months ago (expert-reviewed 10 months ago)

In general, you can't create cross-account roles between AWS and AWS Gov for ANY AWS service. Ran into something similar while running a CloudFormation template. See explanation below:

"AWS groups Regions into partitions. Every Region is in exactly one partition, and each partition has one or more Regions. Partitions have independent instances of AWS Identity and Access Management (IAM) and provide a hard boundary between Regions in different partitions. AWS commercial Regions are in the aws partition, Regions in China are in the aws-cn partition, and AWS GovCloud Regions are in the aws-us-gov partition. Some AWS services are designed to provide cross-Region functionality, such as Amazon S3 Cross-Region Replication or AWS Transit Gateway Inter-Region peering. These types of capabilities are only supported between Regions in the same partition. You cannot use IAM credentials from one partition to interact with resources in a different partition"

AWS, answered 10 months ago
  • Thanks! It makes sense. I will play around with DNS and Route 53.
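As an added example (not part of the answer above, nor AWS's own tooling), a small Python check that applies the partition rule quoted in the answer: it reads the partition field of every principal ARN in a role's trust policy and reports principals that sit in a different partition from the role, since IAM will never honour such a trust. The role ARN, account IDs and trust policy are constructed sample values.

```python
import json

# ARN layout: arn:<partition>:service:region:account:resource (partitions: aws, aws-cn, aws-us-gov)

def arn_partition(arn: str) -> str:
    """Return the partition field of an ARN, e.g. 'aws-us-gov'."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[1]

def _principal_arns(principal) -> list:
    """Collect the AWS (IAM) principal ARNs from one statement's Principal element."""
    if principal == "*":          # anonymous principal carries no partition
        return []
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    # Bare 12-digit account IDs have no partition field; IAM resolves them
    # inside the role's own partition, so only full ARNs are compared.
    return [p for p in aws if p.startswith("arn:")]

def cross_partition_principals(role_arn: str, trust_policy: dict) -> list:
    """Principal ARNs in an Allow statement whose partition differs from the role's.
    IAM never crosses partitions, so such a trust relationship can never be used."""
    role_part = arn_partition(role_arn)
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for arn in _principal_arns(stmt.get("Principal", {})):
            if arn_partition(arn) != role_part:
                findings.append(arn)
    return findings

# Constructed sample: a GovCloud role whose trust policy names one commercial-partition
# account (cannot work) and one GovCloud role (fine). Account IDs are placeholders.
GOV_ROLE_ARN = "arn:aws-us-gov:iam::111111111111:role/Route53Reader"
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::222222222222:root",
                          "arn:aws-us-gov:iam::333333333333:role/Deployer"]},
    "Action": "sts:AssumeRole"}]
}""")

if __name__ == "__main__":
    for bad in cross_partition_principals(GOV_ROLE_ARN, SAMPLE_TRUST_POLICY):
        print(f"{bad} is not in partition {arn_partition(GOV_ROLE_ARN)}: it can never assume the role")
```

The same check can be run against real trust policies fetched with `aws iam get-role` to catch cross-partition trusts before they are deployed.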
