Resilience in Amazon Identity and Access Management - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Resilience in Amazon Identity and Access Management

The Amazon global infrastructure is built around Amazon Regions and Availability Zones. Amazon Regions have multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. For more information about Amazon Regions and Availability Zones, see Amazon Global Infrastructure.

Amazon Identity and Access Management (IAM) and Amazon Security Token Service (Amazon STS) are self-sustaining, Region-based services that are available globally.

IAM is a critical Amazon Web Services service. Every operation performed in Amazon must be authenticated and authorized by IAM. IAM checks each request against the identities and policies stored in IAM to determine if the request is allowed or denied. IAM was designed with a separate control plane and data plane so that the service can keep authenticating and authorizing requests even during unexpected failures.

IAM resources that are used in authorizations, such as roles and policies, are stored in the control plane. IAM customers can change the configuration of these resources by using IAM operations such as DeletePolicy and AttachRolePolicy. Those configuration change requests go to the control plane. There is one IAM control plane for all commercial Amazon Web Services Regions, which is located in the US East (N. Virginia) Region.

The IAM system then propagates configuration changes to the IAM data planes in every enabled Amazon Web Services Region. The IAM data plane is essentially a read-only replica of the IAM control plane configuration data. Each Amazon Web Services Region has a completely independent instance of the IAM data plane, which performs authentication and authorization for requests from the same Region. In each Region, the IAM data plane is distributed across at least three Availability Zones, and has sufficient capacity to tolerate the loss of an Availability Zone without any customer impairment. Both the IAM control and data planes were built for zero planned downtime, with all software updates and scaling operations performed in a manner that is invisible to customers.

Amazon STS requests always go to a single global endpoint by default. You can use a Regional Amazon STS endpoint to reduce latency or provide additional redundancy for your applications. To learn more, see Manage Amazon STS in an Amazon Web Services Region.

Certain events can interrupt communication between Amazon Web Services Regions over the network. However, even when you can't communicate with the global IAM endpoint, Amazon STS can still authenticate IAM principals and IAM can authorize your requests. The specific details of an event that interrupts communication will determine your ability to access Amazon services. In most situations, you can continue to use IAM credentials in your Amazon environment. The following conditions might apply to an event that interrupts communication.

Access keys for IAM users

You can authenticate indefinitely in a Region with long-term access keys for IAM users. When you use the Amazon Command Line Interface and APIs, you can provide Amazon access keys so that Amazon can verify your identity in programmatic requests.

Important

As a best practice, we recommend that your users sign in with temporary credentials instead of long-term access keys.

Temporary credentials

You can request new temporary credentials with the Amazon STS Regional service endpoint for at least 24 hours. The following API operations generate temporary credentials.

  • AssumeRole

  • AssumeRoleWithWebIdentity

  • AssumeRoleWithSAML

  • GetFederationToken

  • GetSessionToken

Principals and permissions

  • You might not be able to add, modify, or remove principals or permissions in IAM, because those configuration changes go to the IAM control plane in the US East (N. Virginia) Region.

Amazon Web Services Management Console

  • You might be able to use a Regional sign-in endpoint to sign in to the Amazon Web Services Management Console as an IAM user. Regional sign-in endpoints have the following URL format.

    https://{Account ID}.signin.aws.amazon.com/console?region={Region}

    Example: https://111122223333.signin.aws.amazon.com/console?region=us-west-2

  • You might not be able to complete Universal 2nd Factor (U2F) multi-factor authentication (MFA).

Best practices for IAM resilience

Amazon has built resilience into Amazon Web Services Regions and Availability Zones. When you observe the following IAM best practices in the systems that interact with your environment, you take advantage of that resilience.

  1. Use an Amazon STS Regional service endpoint instead of the default global endpoint.

  2. Review the configuration of your environment for vital resources that routinely create or modify IAM resources, and prepare a fallback solution that uses existing IAM resources.
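The following is an added example, not code from the Amazon documentation, showing both practices together: an STS client pinned to the Regional endpoint rather than the default global one, and a provisioning step that normally creates a per-job role (a control-plane write to US East (N. Virginia)) but falls back to a role created ahead of time when the control plane cannot be reached, since the Regional data plane can still authorize an existing role. boto3 is assumed for the real Amazon calls; the partition suffix table, the role and session names, and the botocore exception names and error codes treated as "outage" are assumptions chosen for the illustration, and the decision logic is plain Python so it can be exercised with stand-in clients.

```python
"""Added example (not part of the Amazon IAM documentation): Regional STS
endpoint plus fallback to pre-provisioned IAM resources during a control
plane outage.  boto3 is assumed only for the real calls."""
from __future__ import annotations

# Assumption: hostname suffix for the three public partitions.
_PARTITION_SUFFIX = {"aws": "amazonaws.com",
                     "aws-cn": "amazonaws.com.cn",
                     "aws-us-gov": "amazonaws.com"}

# Assumption: botocore exception class names and error codes that mean the
# endpoint is unreachable or failing, as opposed to IAM answering "no".
_OUTAGE_EXCEPTIONS = {"EndpointConnectionError", "ConnectTimeoutError",
                      "ReadTimeoutError"}
_OUTAGE_ERROR_CODES = {"ServiceUnavailable", "InternalFailure",
                       "RequestTimeout"}


def partition_for(region: str) -> str:
    """Map a Region name to its partition (cn-* and us-gov-* are special)."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def sts_regional_endpoint(region: str) -> str:
    """Regional STS endpoint URL, e.g. https://sts.us-west-2.amazonaws.com.
    SDKs default to the global endpoint https://sts.amazonaws.com."""
    return f"https://sts.{region}.{_PARTITION_SUFFIX[partition_for(region)]}"


def regional_sts_client(region: str):
    """STS client pinned to the Regional endpoint (requires boto3)."""
    import boto3  # imported lazily so the pure functions run without boto3
    return boto3.session.Session().client(
        "sts", region_name=region, endpoint_url=sts_regional_endpoint(region))


def is_control_plane_outage(exc: BaseException) -> bool:
    """True for connectivity/availability failures; False for AccessDenied
    and any other error that means IAM received the request and refused."""
    if type(exc).__name__ in _OUTAGE_EXCEPTIONS:
        return True
    response = getattr(exc, "response", None) or {}
    code = response.get("Error", {}).get("Code")
    return code in _OUTAGE_ERROR_CODES


def pick_role_arn(iam, role_name: str, trust_policy_json: str,
                  fallback_role_arn: str) -> tuple[str, str]:
    """Normal path: create the per-job role (a control-plane write).
    Outage path: reuse a role provisioned ahead of time, which the Regional
    data plane can still authorize.  Returns (role_arn, 'created'|'fallback')."""
    try:
        resp = iam.create_role(RoleName=role_name,
                               AssumeRolePolicyDocument=trust_policy_json)
        return resp["Role"]["Arn"], "created"
    except Exception as exc:
        if not is_control_plane_outage(exc):
            raise  # a real IAM decision (e.g. AccessDenied): never mask it
        return fallback_role_arn, "fallback"


def assume_role_regional(sts, role_arn: str, session_name: str,
                         duration_seconds: int = 3600) -> dict:
    """AssumeRole through the supplied (Regional) STS client; returns the
    Credentials dict (AccessKeyId, SecretAccessKey, SessionToken, Expiration)."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration_seconds)
    return resp["Credentials"]


if __name__ == "__main__":
    for r in ("us-west-2", "cn-north-1", "us-gov-west-1"):
        print(r, "->", sts_regional_endpoint(r))
```

Two caveats a practitioner would apply: a role that was just created still has to propagate from the control plane to the Regional data plane, so the "created" path should retry AssumeRole with backoff rather than assume it works on the first call; and the fallback role must exist and carry the right trust and permissions policies before the outage, which is what "prepare a fallback solution that uses existing IAM resources" means in practice. For the Amazon CLI and SDKs the same endpoint choice can be made without code by setting AWS_STS_REGIONAL_ENDPOINTS=regional, or by passing --endpoint-url together with --region on the command line.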