Considerations for choosing an AWS Region - AWS IAM Identity Center

Considerations for choosing an AWS Region

You can enable an IAM Identity Center instance in a single, supported AWS Region of your choice. Choosing a Region requires an assessment of your priorities based on your use cases and company policies. Access to AWS accounts and cloud applications from your IAM Identity Center doesn't depend on this choice; however, access to AWS managed applications and the ability to use AWS Managed Microsoft AD as the identity source can depend on this choice. Refer to AWS IAM Identity Center endpoints and quotas in the AWS General Reference for a list of Regions that IAM Identity Center supports.

Key considerations for choosing an AWS Region:

  • Geographical location – When you select a Region that is geographically closest to the majority of your end users, they'll have lower latency of access to the AWS access portal and AWS managed applications, such as Amazon SageMaker Studio.

  • Availability of AWS managed applications – AWS managed applications, such as Amazon SageMaker, can operate only in the AWS Regions they support. Enable IAM Identity Center in a Region supported by the AWS managed application(s) you want to use with it. Many AWS managed applications can also operate only in the same Region where you enabled IAM Identity Center.

  • Digital sovereignty – Digital sovereignty regulations or company policies may mandate the use of a particular AWS Region. Consult with your company’s legal department.

  • Identity source – If you’re using AWS Managed Microsoft AD or AD Connector as the identity source, its home Region must match the AWS Region in which you enabled IAM Identity Center.

  • Regions disabled by default – AWS originally enabled all new AWS Regions for use in AWS accounts by default, which automatically allowed your users to create resources in any Region. Now, when AWS adds a new Region, its use is disabled by default in all accounts. If you deploy IAM Identity Center in a Region that is disabled by default, you must enable that Region in every account for which you want to manage access with IAM Identity Center. This is required even if you don’t plan to create any resources in that Region in those accounts.

    You can enable a Region for the current accounts in your organization and you must repeat this action for new accounts you might add later. For instructions, see Enable or disable a Region in your organization in the AWS Organizations user guide. To avoid repeating these additional steps, you can choose to deploy your IAM Identity Center in a Region enabled by default. For reference, the following Regions are enabled by default:

    • US East (Ohio)

    • US East (N. Virginia)

    • US West (Oregon)

    • US West (N. California)

    • Europe (Paris)

    • South America (São Paulo)

    • Asia Pacific (Mumbai)

    • Europe (Stockholm)

    • Asia Pacific (Seoul)

    • Asia Pacific (Tokyo)

    • Europe (Ireland)

    • Europe (Frankfurt)

    • Europe (London)

    • Asia Pacific (Singapore)

    • Asia Pacific (Sydney)

    • Canada (Central)

    • Asia Pacific (Osaka)

  • Cross-Region calls – In some Regions, IAM Identity Center may call Amazon Simple Email Service in a different Region to send email. In these cross-Region calls, IAM Identity Center sends certain user attributes to the other Region. For more information about Regions, see AWS IAM Identity Center Region availability.

Switching AWS Regions

You can switch your IAM Identity Center Region only by deleting the current instance and creating a new instance in another Region. If you already enabled an AWS managed application with your existing instance, delete that application before deleting your IAM Identity Center instance. You must recreate users, groups, permission sets, applications, and assignments in the new instance. You can use the IAM Identity Center account and application assignment APIs to take a snapshot of your configuration and then use that snapshot to rebuild the configuration in the new Region. You may also need to recreate some IAM Identity Center configuration through the Management Console of your new instance. For instructions on deleting IAM Identity Center, see Delete your IAM Identity Center instance.
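The snapshot step above, as an added example that is not AWS's own code: it walks the sso-admin account assignment APIs and records each assignment by permission set name and user or group name rather than by ID, because the new instance has a new identity store and none of the instance-scoped IDs carry over. The clients are injected; `FakeClients` is a constructed stand-in that models both the sso-admin and identitystore response shapes so the code runs offline.

```python
# Added example (not AWS code): snapshot account assignments keyed by *name*, not
# ID, because a new instance has a new identity store and IDs do not carry over.
# Clients are injected: boto3.client("sso-admin") / boto3.client("identitystore"),
# or the constructed FakeClients below, which models both APIs offline.
def _paginate(call, key, **params):
    """Yield every item under `key`, following NextToken across pages."""
    token = None
    while True:
        resp = call(**params, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return

def snapshot_assignments(sso, idstore, instance_arn, identity_store_id):
    """Return sorted rows of (AccountId, PermissionSet name, PrincipalType, Principal name)."""
    rows = []
    for ps_arn in _paginate(sso.list_permission_sets, "PermissionSets", InstanceArn=instance_arn):
        ps_name = sso.describe_permission_set(InstanceArn=instance_arn, PermissionSetArn=ps_arn)["PermissionSet"]["Name"]
        for acct in _paginate(sso.list_accounts_for_provisioned_permission_set, "AccountIds",
                              InstanceArn=instance_arn, PermissionSetArn=ps_arn):
            for a in _paginate(sso.list_account_assignments, "AccountAssignments",
                               InstanceArn=instance_arn, AccountId=acct, PermissionSetArn=ps_arn):
                if a["PrincipalType"] == "USER":  # resolve the instance-scoped ID to a portable name
                    name = idstore.describe_user(IdentityStoreId=identity_store_id, UserId=a["PrincipalId"])["UserName"]
                else:
                    name = idstore.describe_group(IdentityStoreId=identity_store_id, GroupId=a["PrincipalId"])["DisplayName"]
                rows.append({"AccountId": acct, "PermissionSet": ps_name,
                             "PrincipalType": a["PrincipalType"], "Principal": name})
    return sorted(rows, key=lambda r: (r["AccountId"], r["PermissionSet"], r["Principal"]))

class FakeClients:
    """Constructed stand-in for both clients: two permission sets; ReadOnly assignments span two pages."""
    PS = {"arn:ps/1": "AdminAccess", "arn:ps/2": "ReadOnly"}
    def list_permission_sets(self, InstanceArn, NextToken=None):
        return {"PermissionSets": list(self.PS)}
    def describe_permission_set(self, InstanceArn, PermissionSetArn):
        return {"PermissionSet": {"Name": self.PS[PermissionSetArn]}}
    def list_accounts_for_provisioned_permission_set(self, InstanceArn, PermissionSetArn, NextToken=None):
        return {"AccountIds": ["111111111111"] if PermissionSetArn == "arn:ps/1" else ["111111111111", "222222222222"]}
    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn, NextToken=None):
        if PermissionSetArn == "arn:ps/1":
            return {"AccountAssignments": [{"PrincipalType": "GROUP", "PrincipalId": "g-1"}]}
        if NextToken is None:  # first ReadOnly page carries a continuation token
            return {"AccountAssignments": [{"PrincipalType": "USER", "PrincipalId": "u-1"}], "NextToken": "p2"}
        return {"AccountAssignments": [{"PrincipalType": "GROUP", "PrincipalId": "g-1"}]}
    def describe_user(self, IdentityStoreId, UserId):
        return {"UserId": UserId, "UserName": "alice@example.com"}
    def describe_group(self, IdentityStoreId, GroupId):
        return {"GroupId": GroupId, "DisplayName": "CloudAdmins"}
```

Against a real instance, pass the two boto3 clients plus the `InstanceArn` and `IdentityStoreId` returned by `list_instances`, and persist the rows before deleting the instance; they are the input for re-creating assignments in the new Region once users, groups and permission sets exist there.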