diff --git a/data/data/aws/bootstrap/main.tf b/data/data/aws/bootstrap/main.tf
index 2b5cbfa869b..6fd2240545d 100644
--- a/data/data/aws/bootstrap/main.tf
+++ b/data/data/aws/bootstrap/main.tf
@@ -1,5 +1,8 @@
+data "aws_partition" "current" {}
+
 locals {
   public_endpoints = var.publish_strategy == "External" ? true : false
+  ec2_service_domain = "${data.aws_partition.current.partition}" == "aws-cn" ? "ec2.amazonaws.com.cn" : "ec2.amazonaws.com"
 }
 
 resource "aws_s3_bucket" "ignition" {
@@ -60,7 +63,7 @@ resource "aws_iam_role" "bootstrap" {
     {
       "Action": "sts:AssumeRole",
       "Principal": {
-        "Service": "ec2.amazonaws.com"
+        "Service": "${local.ec2_service_domain}"
       },
       "Effect": "Allow",
       "Sid": ""
@@ -104,7 +107,7 @@ resource "aws_iam_role_policy" "bootstrap" {
       "Action" : [
         "s3:GetObject"
       ],
-      "Resource": "arn:aws:s3:::*",
+      "Resource": "arn:${data.aws_partition.current.partition}:s3:::*",
       "Effect": "Allow"
     }
   ]
diff --git a/data/data/aws/iam/main.tf b/data/data/aws/iam/main.tf
index 29d2ad29b87..38767106a48 100644
--- a/data/data/aws/iam/main.tf
+++ b/data/data/aws/iam/main.tf
@@ -1,5 +1,6 @@
+data "aws_partition" "current" {}
 locals {
-  arn = "aws"
+  ec2_service_domain = "${data.aws_partition.current.partition}" == "aws-cn" ? "ec2.amazonaws.com.cn" : "ec2.amazonaws.com"
 }
 
 resource "aws_iam_instance_profile" "worker" {
@@ -19,7 +20,7 @@ resource "aws_iam_role" "worker_role" {
     {
       "Action": "sts:AssumeRole",
       "Principal": {
-        "Service": "ec2.amazonaws.com"
+        "Service": "${local.ec2_service_domain}"
       },
       "Effect": "Allow",
       "Sid": ""
diff --git a/data/data/aws/main.tf b/data/data/aws/main.tf
index 785ea52afb2..9fa3bca7d31 100644
--- a/data/data/aws/main.tf
+++ b/data/data/aws/main.tf
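Review bot: The `ec2_service_domain` ternary in the first hunk hard-codes the China DNS suffix and is repeated identically in the first hunks of iam/main.tf and master/main.tf; the `aws_partition` data source already exposes the suffix, so `ec2_service_domain = "ec2.${data.aws_partition.current.dns_suffix}"` covers every partition with one expression and no per-partition string table. The quotes around `${data.aws_partition.current.partition}` in the comparison are also redundant in 0.12 syntax. In the third hunk the policy statement keeps `s3:GetObject` on every bucket in the partition; the commit only swaps the partition in, but if the ignition bucket's ARN is reachable from this module the resource could be narrowed to it while the line is being touched.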
@@ -13,6 +13,9 @@ provider "aws" {
   # Validation of AWS Bahrain region was added in AWS TF provider v2.22
   # so we skip when installing in me-south-1.
   skip_region_validation = var.aws_region == "me-south-1"
+  endpoints {
+    route53 = var.aws_region == "cn-northwest-1" ? "api.route53.cn" : ""
+  }
 }
 
 module "bootstrap" {
diff --git a/data/data/aws/master/main.tf b/data/data/aws/master/main.tf
index 6a74f78e162..534720a120d 100644
--- a/data/data/aws/master/main.tf
+++ b/data/data/aws/master/main.tf
@@ -1,5 +1,6 @@
+data "aws_partition" "current" {}
 locals {
-  arn = "aws"
+  ec2_service_domain = "${data.aws_partition.current.partition}" == "aws-cn" ? "ec2.amazonaws.com.cn" : "ec2.amazonaws.com"
   // Because of the issue https://github.com/hashicorp/terraform/issues/12570, the consumers cannot use a dynamic list for count
   // and therefore are force to implicitly assume that the list is of aws_lb_target_group_arns_length - 1, in case there is no api_external
@@ -23,7 +24,7 @@ resource "aws_iam_role" "master_role" {
     {
       "Action": "sts:AssumeRole",
       "Principal": {
-        "Service": "ec2.amazonaws.com"
+        "Service": "${local.ec2_service_domain}"
       },
       "Effect": "Allow",
       "Sid": ""
@@ -62,7 +63,7 @@ resource "aws_iam_role_policy" "master_policy" {
       "Action" : [
         "s3:GetObject"
       ],
-      "Resource": "arn:${local.arn}:s3:::*",
+      "Resource": "arn:${data.aws_partition.current.partition}:s3:::*",
       "Effect": "Allow"
     },
     {
diff --git a/data/data/rhcos.json b/data/data/rhcos.json
index 773595ce4a1..f9ea0d9896e 100644
--- a/data/data/rhcos.json
+++ b/data/data/rhcos.json
@@ -18,6 +18,9 @@
     "ca-central-1": {
       "hvm": "ami-04c260ce1f154b3c6"
     },
+    "cn-northwest-1": {
+      "hvm": "ami-0ffcfd88e7e2a84ef"
+    },
     "eu-central-1": {
       "hvm": "ami-044dcfcf5ea21cb3c"
     },
@@ -132,4 +135,5 @@
   },
   "ostree-commit": "64f3825d0417c5411700b685c4736bd6be487234293e9128a2bd8c54b85b6337",
   "ostree-version": "44.81.202002071430-0"
-}
\ No newline at end of file
+}
+
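Review bot: The `endpoints` override in this hunk routes Route 53 to `api.route53.cn` only when `var.aws_region == "cn-northwest-1"`, while platform.go in the same commit also admits cn-north-1, so a cn-north-1 install would presumably still be sent to the global endpoint, which does not serve the China partition. Keying the override on the partition, as the submodule locals already do, covers both regions; this root module has no `data "aws_partition"` block yet, so one would need to be added alongside. The endpoint is written here without a scheme and as `https://api.route53.cn` in the Go clients of this commit; the SDK appears to accept both, but a single spelling held in one variable keeps the two from drifting apart.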
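Review bot: The first rhcos.json hunk adds an RHCOS AMI for cn-northwest-1 only, so cn-north-1, which platform.go now accepts, has no image to boot from. The file carries a single `ostree-commit` and `ostree-version` for the whole AMI set, which suggests it is produced from the RHCOS build metadata rather than edited by hand; the ID added here should be checked against that build's published AMI for the region, because whatever ID sits in this file is the image every node boots. The second hunk only changes end-of-file newline handling and adds a trailing empty line, which could be dropped.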
diff --git a/pkg/asset/installconfig/aws/basedomain.go b/pkg/asset/installconfig/aws/basedomain.go
index d0f764c7eaa..fac020b90f6 100644
--- a/pkg/asset/installconfig/aws/basedomain.go
+++ b/pkg/asset/installconfig/aws/basedomain.go
@@ -27,9 +27,13 @@ func GetBaseDomain() (string, error) {
 	if err != nil {
 		return "", err
 	}
-
+	awsConfig := &aws.Config{}
+	if *session.Config.Region == "cn-northwest-1"{
+		endpoint := "https://api.route53.cn"
+		awsConfig.Endpoint = &endpoint
+	}
 	logrus.Debugf("listing AWS hosted zones")
-	client := route53.New(session)
+	client := route53.New(session,awsConfig)
 	publicZoneMap := map[string]struct{}{}
 	exists := struct{}{}
 	if err := client.ListHostedZonesPages(
@@ -91,7 +95,12 @@ func GetPublicZone(name string) (*route53.HostedZone, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "getting AWS session")
 	}
-	client := route53.New(session)
+	awsConfig := &aws.Config{}
+	if *session.Config.Region == "cn-northwest-1"{
+		endpoint := "https://api.route53.cn"
+		awsConfig.Endpoint = &endpoint
+	}
+	client := route53.New(session,awsConfig)
 	if err := client.ListHostedZonesPages(&route53.ListHostedZonesInput{}, f); err != nil {
 		return nil, errors.Wrap(err, "listing hosted zones")
 	}
diff --git a/pkg/destroy/aws/aws.go b/pkg/destroy/aws/aws.go
index 2eb2f60f8cd..1fb9faeb15c 100644
--- a/pkg/destroy/aws/aws.go
+++ b/pkg/destroy/aws/aws.go
@@ -125,7 +125,7 @@ func (o *ClusterUninstaller) Run() error {
 	tagClientNames := map[*resourcegroupstaggingapi.ResourceGroupsTaggingAPI]string{
 		tagClients[0]: o.Region,
 	}
-	if o.Region != "us-east-1" {
+	if o.Region != "us-east-1" && o.Region != "cn-north-1" && o.Region != "cn-northwest-1" {
 		tagClient := resourcegroupstaggingapi.New(
 			awsSession, aws.NewConfig().WithRegion("us-east-1"),
 		)
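Review bot: The endpoint-override block added before `route53.New` in this hunk is repeated verbatim in GetPublicZone (next hunk) and in deleteRoute53 in pkg/destroy/aws/aws.go, and each copy dereferences `*session.Config.Region` without a nil check; `Region` is a `*string` that the SDK leaves nil when no region is configured, so the installer presumably always sets it, but `aws.StringValue` removes the panic path for free. One helper keeps the endpoint string and the region test in a single place, and makes cn-north-1 (accepted by platform.go in this commit) a one-line follow-up once its Route 53 endpoint and signing region are confirmed; the sketch below assumes basedomain.go imports the SDK's `session` package, which the local named `session` shadows inside these functions. The new lines `if *session.Config.Region == "cn-northwest-1"{` and `route53.New(session,awsConfig)` are also not gofmt-clean. GetBaseDomain's body continues outside the hunk.

```go
// route53Config returns the Route 53 client configuration for the session's
// region: the China partition is served from its own endpoint instead of the
// global one.
func route53Config(sess *session.Session) *aws.Config {
	cfg := &aws.Config{}
	// TODO(review): confirm whether cn-north-1 uses the same endpoint and signing region.
	if aws.StringValue(sess.Config.Region) == "cn-northwest-1" {
		cfg.Endpoint = aws.String("https://api.route53.cn")
	}
	return cfg
}

// … in GetBaseDomain, replacing the added awsConfig block and the route53.New call …
logrus.Debugf("listing AWS hosted zones")
client := route53.New(session, route53Config(session))
```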
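Review bot: The second us-east-1 tagging client in the aws.go hunk is now skipped for the two China regions by name, but what the condition means is "the cluster region is in the standard partition, where global resources are tagged from us-east-1"; testing that directly, for example `if p, ok := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), o.Region); ok && p.ID() == endpoints.AwsPartitionID && o.Region != "us-east-1" {`, states the intent and covers any other partition without this list growing. Run's body continues outside the hunk.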
@@ -1708,8 +1708,12 @@ func deleteRoute53(session *session.Session, arn arn.ARN, logger logrus.FieldLog
 	if resourceType != "hostedzone" {
 		return errors.Errorf("unrecognized Route 53 resource type %s", resourceType)
 	}
-
-	client := route53.New(session)
+	awsConfig := &aws.Config{}
+	if *session.Config.Region == "cn-northwest-1" {
+		endpoint := "https://api.route53.cn"
+		awsConfig.Endpoint = &endpoint
+	}
+	client := route53.New(session, awsConfig)
 
 	sharedZoneID, err := getSharedHostedZone(client, id, logger)
 	if err != nil {
diff --git a/pkg/terraform/exec/plugins/vendor/github.com/terraform-providers/terraform-provider-aws/aws/config.go b/pkg/terraform/exec/plugins/vendor/github.com/terraform-providers/terraform-provider-aws/aws/config.go
index 4a3a56a7075..57047df0608 100644
--- a/pkg/terraform/exec/plugins/vendor/github.com/terraform-providers/terraform-provider-aws/aws/config.go
+++ b/pkg/terraform/exec/plugins/vendor/github.com/terraform-providers/terraform-provider-aws/aws/config.go
@@ -422,7 +422,7 @@ func (c *Config) Client() (interface{}, error) {
 		pinpointconn: pinpoint.New(sess.Copy(&aws.Config{Endpoint: aws.String(c.Endpoints["pinpoint"])})),
 		pricingconn: pricing.New(sess.Copy(&aws.Config{Endpoint: aws.String(c.Endpoints["pricing"])})),
 		quicksightconn: quicksight.New(sess.Copy(&aws.Config{Endpoint: aws.String(c.Endpoints["quicksight"])})),
-		r53conn: route53.New(sess.Copy(&aws.Config{Region: aws.String("us-east-1"), Endpoint: aws.String(c.Endpoints["route53"])})),
+		r53conn: route53.New(sess.Copy(&aws.Config{Region: aws.String("cn-northwest-1"), Endpoint: aws.String(c.Endpoints["route53"])})),
 		ramconn: ram.New(sess.Copy(&aws.Config{Endpoint: aws.String(c.Endpoints["ram"])})),
 		rdsconn: rds.New(sess.Copy(&aws.Config{Endpoint: aws.String(c.Endpoints["rds"])})),
 		redshiftconn: redshift.New(sess.Copy(&aws.Config{Endpoint: aws.String(c.Endpoints["redshift"])})),
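Review bot: Hard-coding `Region: aws.String("cn-northwest-1")` for the `r53conn` client in the vendored provider replaces the us-east-1 signing region that the global Route 53 endpoint requires, so installs in the standard partition would presumably start failing signature validation on every Route 53 call; the `c.Endpoints["r53"]` hunk below makes the same edit. This is a hand patch to a vendored file: the next `go mod vendor` drops it without notice, and nothing in the tree records that the installer depends on it, which is the kind of silent divergence from upstream a supply-chain review looks for. Newer releases of terraform-provider-aws appear to choose the Route 53 region from the session's partition (cn-northwest-1 for aws-cn, us-east-1 otherwise), so picking up that version, or carrying this change as an explicit patch file applied at vendoring time, keeps the behaviour correct for both partitions and auditable. The vendored cloud-credential-operator `NewClient` in this commit pins `cn-north-1` the same way for all of its callers.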
@@ -460,7 +460,7 @@ func (c *Config) Client() (interface{}, error) {
 		client.kinesisanalyticsconn = kinesisanalytics.New(sess.Copy(&aws.Config{Endpoint: aws.String(c.Endpoints["kinesis_analytics"])}))
 	}
 	if c.Endpoints["r53"] != "" {
-		client.r53conn = route53.New(sess.Copy(&aws.Config{Region: aws.String("us-east-1"), Endpoint: aws.String(c.Endpoints["r53"])}))
+		client.r53conn = route53.New(sess.Copy(&aws.Config{Region: aws.String("cn-northwest-1"), Endpoint: aws.String(c.Endpoints["r53"])}))
 	}
 
 	// Workaround for https://github.com/aws/aws-sdk-go/issues/1376
diff --git a/pkg/types/aws/validation/platform.go b/pkg/types/aws/validation/platform.go
index 183bfb13e8f..6bd4cd43748 100644
--- a/pkg/types/aws/validation/platform.go
+++ b/pkg/types/aws/validation/platform.go
@@ -21,8 +21,8 @@ var (
 		"ap-southeast-1": "Singapore",
 		"ap-southeast-2": "Sydney",
 		"ca-central-1": "Central",
-		//"cn-north-1": "Beijing",
-		//"cn-northwest-1": "Ningxia",
+		"cn-north-1": "Beijing",
+		"cn-northwest-1": "Ningxia",
 		"eu-central-1": "Frankfurt",
 		"eu-north-1": "Stockholm",
 		"eu-west-1": "Ireland",
diff --git a/vendor/github.com/openshift/cloud-credential-operator/pkg/aws/client.go b/vendor/github.com/openshift/cloud-credential-operator/pkg/aws/client.go
index 39a74105ba2..bda303b2d54 100644
--- a/vendor/github.com/openshift/cloud-credential-operator/pkg/aws/client.go
+++ b/vendor/github.com/openshift/cloud-credential-operator/pkg/aws/client.go
@@ -104,7 +104,8 @@ func (c *awsClient) TagUser(input *iam.TagUserInput) (*iam.TagUserOutput, error)
 // NewClient creates our client wrapper object for the actual AWS clients we use.
 func NewClient(accessKeyID, secretAccessKey []byte, infraName string) (Client, error) {
 	awsConfig := &awssdk.Config{}
-
+	region := "cn-north-1"
+	awsConfig.Region = &region
 	awsConfig.Credentials = credentials.NewStaticCredentials(
 		string(accessKeyID), string(secretAccessKey), "")
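Review bot: Uncommenting `"cn-north-1"` in the platform.go hunk makes that region pass validation, but the rest of this commit only wires cn-northwest-1: the Route 53 endpoint override in data/data/aws/main.tf and the Go Route 53 clients compare the region to `"cn-northwest-1"` alone, and rhcos.json gains an AMI for cn-northwest-1 only. A cn-north-1 install would therefore be accepted by validation and then presumably fail later at AMI lookup or DNS setup, which is harder to diagnose than a validation error. Either leave `//"cn-north-1": "Beijing",` commented until the region is covered end to end, or add its AMI and endpoint handling in the same change.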