AWS IAM Identity Center Region availability
You can enable IAM Identity Center in most AWS Regions and it's available to users globally. This global availability makes it easier for you to configure user access to multiple AWS accounts and applications. When your users sign in to the AWS access portal, they can select the AWS account to which they have permissions, and then access the AWS Management Console. For a full list of the AWS Regions that IAM Identity Center supports, see IAM Identity Center endpoints and quotas.
IAM Identity Center Region data
When you enable IAM Identity Center, all the data that you configure in IAM Identity Center is stored in the Region where you configured it. This data includes directory configurations, permission sets, application instances, and user assignments to AWS account applications. If you are using the IAM Identity Center identity store, all users and groups that you create in IAM Identity Center are also stored in the same Region.
Choosing your Region
We recommend that you install IAM Identity Center in a Region that you intend to keep available for users, not a Region that you might need to disable. See Considerations for choosing an AWS Region.
If you enable an organization instance of IAM Identity Center in the management account of your AWS organization in one Region and later decide to switch to a different Region, you must first delete your current IAM Identity Center instance. Switching to a different Region also changes the URL for the AWS access portal, and you must reconfigure all permission sets and assignments.
Cross-Region calls
IAM Identity Center uses Amazon Simple Email Service (Amazon SES) to send emails to end users when they attempt to sign-in with one-time password (OTP) as a second authentication factor. These emails are also sent for certain identity and credential management events, such as when the user is invited to set up an initial password, to verify an email address, and reset their password. Amazon SES is available in a subset of AWS Regions that IAM Identity Center supports.
IAM Identity Center calls Amazon SES local endpoints when Amazon SES is available locally in an AWS Region. When Amazon SES isn't available locally, IAM Identity Center calls Amazon SES endpoints in a different AWS Region, as indicated in the following table.
IAM Identity Center Region code | IAM Identity Center Region name | Amazon SES Region code | Amazon SES Region name |
---|---|---|---|
ap-east-1 | Asia Pacific (Hong Kong) | ap-northeast-2 | Asia Pacific (Seoul) |
ap-south-2 | Asia Pacific (Hyderabad) | ap-south-1 | Asia Pacific (Mumbai) |
ap-southeast-4 | Asia Pacific (Melbourne) | ap-southeast-2 | Asia Pacific (Sydney) |
ca-west-1 | Canada West (Calgary) | ca-central-1 | Canada (Central) |
eu-south-2 | Europe (Spain) | eu-west-3 | Europe (Paris) |
eu-central-2 | Europe (Zurich) | eu-central-1 | Europe (Frankfurt) |
me-central-1 | Middle East (UAE) | eu-central-1 | Europe (Frankfurt) |
us-gov-east-1 | AWS GovCloud (US-East) | us-gov-west-1 | AWS GovCloud (US-West) |
In these cross-Region calls, IAM Identity Center might send the following user attributes:
Email address
First name
Last name
Account in AWS Organizations
AWS access portal URL
Username
Directory ID
User ID
Managing IAM Identity Center in an opt-in Region (Region that is disabled by default)
Most AWS Regions are enabled for operations in all AWS services by default. Those Regions are automatically activated for use with IAM Identity Center. The following AWS Regions are opt-in Regions and you must enable them if you want to use IAM Identity Center:
Africa (Cape Town)
Asia Pacific (Hong Kong)
Asia Pacific (Hyderabad)
Asia Pacific (Jakarta)
Asia Pacific (Melbourne)
Canada West (Calgary)
Europe (Milan)
Europe (Spain)
Europe (Zurich)
Israel (Tel Aviv)
Middle East (Bahrain)
Middle East (UAE)
When you enable IAM Identity Center for a management account in an opt-in AWS Region, the following IAM Identity Center metadata for any member accounts is stored in the Region.
Account ID
Account name
Account email
Amazon Resource Names (ARNs) of the IAM roles that IAM Identity Center creates in the member account
Disabling an AWS Region where IAM Identity Center is enabled
If you disable an AWS Region in which IAM Identity Center is installed, IAM Identity Center is also disabled. After IAM Identity Center is disabled in a Region, users in that Region won’t have single sign-on access to AWS accounts and applications. AWS retains the data in your IAM Identity Center configuration for at least 10 days. If you re-enable the AWS Region within this time frame, your IAM Identity Center configuration data will still be available in the Region.
To re-enable IAM Identity Center in opt-in AWS Regions, you must re-enable the Region. Because IAM Identity Center must reprocess all paused events again, re-enabling IAM Identity Center might take some time.
Note
IAM Identity Center can manage access only to the AWS accounts that are enabled for use in an AWS Region. To manage access across all accounts in your organization, enable IAM Identity Center in the management account in an AWS Region that's automatically activated for use with IAM Identity Center.
For more information about enabling and disabling AWS Regions, see Managing AWS Regions in the AWS General Reference.