AWS has 7 partitions, not 3 — the classified ones are in endpoints.json
Everyone knows three AWS partitions: aws (commercial), aws-cn (China), aws-us-gov (GovCloud). I work in two of them daily.
Botocore’s endpoints.json lists seven.
```json
{
  "partitions": [
    {"partition": "aws"},
    {"partition": "aws-cn"},
    {"partition": "aws-us-gov"},
    {"partition": "aws-iso"},
    {"partition": "aws-iso-b"},
    {"partition": "aws-iso-e"},
    {"partition": "aws-iso-f"}
  ]
}
```
The four I’d never seen:
| Partition | ARN prefix | DNS suffix | What |
|---|---|---|---|
| aws-iso | arn:aws-iso | c2s.ic.gov | C2S — Top Secret (IC/DoD) |
| aws-iso-b | arn:aws-iso-b | sc2s.sgov.gov | SC2S — Secret |
| aws-iso-e | arn:aws-iso-e | cloud.adc-e.uk | European sovereign |
| aws-iso-f | arn:aws-iso-f | csp.hci.ic.gov | Australian sovereign |
Each partition is a fully separate AWS universe. Its own ARN prefix, its own DNS suffix, its own IAM boundary. Credentials don’t cross partitions. Not all services exist in all partitions — GovCloud has about 80% of commercial, and the iso partitions have fewer.
The regions inside them are real:
```
us-iso-east-1
us-iso-west-1
us-isob-east-1
us-isof-south-1
eu-isoe-west-1
```
You can’t reach them from the commercial internet. They’re air-gapped. But botocore publishes their existence in the same endpoints.json that powers every AWS SDK, and the region names show up in any tool that reads it — including my completer that now offers us-isof-south-1 on tab.
Nobody outside those facilities can use it. But the contract says it exists, and the catalog doesn’t lie.
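Because each partition has its own ARN prefix and its own regions, an ARN whose partition and region disagree can never resolve, which makes it a cheap thing to lint for in policies and configs. The following is an added example, not code from this post or from botocore: `load_endpoints`, `partition_for_region` and `check_arn` are hypothetical helpers, and the embedded sample (including its regexes) is constructed in the shape of endpoints.json.

```python
import re

# Constructed, abridged sample in the shape of botocore's endpoints.json.
# Partition and region names are from the post; the regexes are illustrative.
SAMPLE = {"partitions": [
    {"partition": "aws", "regionRegex": r"^(us|eu|ap|sa|ca|me|af)-\w+-\d+$",
     "regions": {"us-east-1": {}, "eu-west-1": {}}},
    {"partition": "aws-iso", "regionRegex": r"^us-iso-\w+-\d+$",
     "regions": {"us-iso-east-1": {}, "us-iso-west-1": {}}},
    {"partition": "aws-iso-f", "regionRegex": r"^us-isof-\w+-\d+$",
     "regions": {"us-isof-south-1": {}}},
]}


def load_endpoints():
    """Return botocore's real catalog when installed, else the sample."""
    try:
        from botocore.loaders import create_loader
    except ImportError:
        return SAMPLE
    return create_loader().load_data("endpoints")


def partition_for_region(region, endpoints):
    """Match the explicit region list first, then the partition's regex."""
    for p in endpoints["partitions"]:
        if region in p.get("regions", {}):
            return p["partition"]
        if re.match(p.get("regionRegex", r"(?!)"), region):
            return p["partition"]
    return None


def check_arn(arn, endpoints):
    """Return a finding if the ARN's partition and region disagree, else None."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) < 6 or parts[0] != "arn":
        return "malformed ARN"
    arn_partition, region = parts[1], parts[3]
    if arn_partition not in {p["partition"] for p in endpoints["partitions"]}:
        return f"unknown partition {arn_partition!r}"
    if region:  # global services such as IAM leave the region field empty
        expected = partition_for_region(region, endpoints)
        if expected != arn_partition:
            return f"region {region} belongs to {expected}, not {arn_partition}"
    return None
```

Pass `load_endpoints()` instead of `SAMPLE` to run the same checks against whatever catalog the installed botocore ships.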