Resilience in Amazon Identity and Access Management

The Amazon global infrastructure is built around Amazon Regions and Availability Zones. Amazon Regions have multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. For more information about Amazon Regions and Availability Zones, see Amazon Global Infrastructure.

Amazon Identity and Access Management (IAM) and Amazon Security Token Service (Amazon STS) are self-sustaining, Region-based services that are available globally.

IAM is a critical Amazon Web Service. Every operation performed in Amazon must be authenticated and authorized by IAM. IAM checks each request against the identities and policies stored in IAM to determine if the request is allowed or denied. IAM was designed with a separate control plane and data plane so that the service authenticates even during unexpected failures. IAM resources that are used in authorizations, such as roles and policies, are stored in the control plane. IAM customers can change the configuration of these resources by using IAM operations such as DeletePolicy and AttachRolePolicy. Those configuration change requests go to the control plane. There is one IAM control plane for all commercial Amazon Web Services Regions, which is located in the US East (N. Virginia) Region. The IAM system then propagates configuration changes to the IAM data planes in every enabled Amazon Web Services Region. The IAM data plane is essentially a read-only replica of the IAM control plane configuration data. Each Amazon Web Services Region has a completely independent instance of the IAM data plane, which performs authentication and authorization for requests from the same Region. In each Region, the IAM data plane is distributed across at least three Availability Zones, and has sufficient capacity to tolerate the loss of an Availability Zone without any customer impairment. Both the IAM control and data planes were built for zero planned downtime, with all software updates and scaling operations performed in a manner that is invisible to customers.

Amazon STS requests always go to a single global endpoint by default. You can use a Regional Amazon STS endpoint to reduce latency or provide additional redundancy for your applications. To learn more, see Managing Amazon STS in an Amazon Web Services Region.

Certain events can interrupt communication between Amazon Web Services Regions over the network. However, even when you can't communicate with the global IAM endpoint, Amazon STS can still authenticate IAM principals and IAM can authorize your requests. The specific details of an event that interrupts communication will determine your ability to access Amazon services. In most situations, you can continue to use IAM credentials in your Amazon environment. The following conditions might apply to an event that interrupts communication.

Best practices for IAM resilience

Amazon has built resilience into Amazon Web Services Regions and Availability Zones. When you observe the following IAM best practices in the systems that interact with your environment, you take advantage of that resilience.