# Amazon STS Regions and endpoints
<a name="id_credentials_temp_region-endpoints"></a>

**Note**  
Amazon has made changes to the Amazon Security Token Service (Amazon STS) global endpoint (`https://sts.amazonaws.com`) in Regions [enabled by default](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html) to enhance its resiliency and performance. Amazon STS requests to the global endpoint are automatically served in the same Amazon Web Services Region as your workloads. These changes will not be deployed to opt-in Regions. We recommend that you use the appropriate Amazon STS regional endpoints. For more information, see [Amazon STS global endpoint changes](#reference_sts_global_endpoint_changes).

The following table lists the Regions and their endpoints. It indicates which ones are activated by default and which ones you can activate or deactivate.

[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/id_credentials_temp_region-endpoints.html)

¹You must [enable the Region](https://docs.amazonaws.cn/general/latest/gr/rande-manage.html) to use it. This automatically activates Amazon STS. You cannot manually activate or deactivate Amazon STS in these Regions.

²To use Amazon in China, you need an account and credentials specific to Amazon in China.

## Amazon STS global endpoint changes
<a name="reference_sts_global_endpoint_changes"></a>

Amazon has made changes to the Amazon Security Token Service (Amazon STS) global endpoint (`https://sts.amazonaws.com`) in Regions [enabled by default](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html) to enhance its resiliency and performance. Previously, all requests to the Amazon STS global endpoint were served by a single Amazon Web Services Region, US East (N. Virginia). Now in Regions [enabled by default](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html), requests to the Amazon STS global endpoint are automatically served in the same Region where the request originates, rather than the US East (N. Virginia) Region. These changes will not be deployed to opt-in Regions.

With this change, Amazon STS will process your request based on the originating Region and DNS resolver used. Requests to the Amazon STS global endpoint are served in the same Region as your Amazon deployed workload if the DNS request for the Amazon STS global endpoint is handled by the Amazon DNS server in Regions that are enabled by default. Requests to the Amazon STS global endpoint will continue to be served in US East (N. Virginia) Region if your request originated from opt-in Regions or if your request was resolved using a DNS resolver other than the Amazon DNS server. For more information about Amazon DNS, see [ Amazon DNS server](https://docs.amazonaws.cn/vpc/latest/userguide/AmazonDNS-concepts.html#AmazonDNS) in the *Amazon Virtual Private Cloud User Guide*.

The following table shows how requests to the Amazon STS global endpoint are routed based on your DNS provider.


| DNS Resolver | Requests to the Amazon STS global endpoint routed to the local Amazon Web Services Region? | 
| --- | --- | 
|  Amazon DNS resolver in a Amazon VPC in an Region enabled by default  |  Yes  | 
|  Amazon DNS resolver in a Amazon VPC in an opt-in Region  |  No, the request will be routed to the US East (N. Virginia) Region  | 
|  DNS resolver provided by your ISP, a public DNS provider, or any other DNS provider  |  No, the request will be routed to the US East (N. Virginia) Region  | 

To ensure minimal disruption to your existing processes, Amazon has implemented the following measures:
+ Amazon CloudTrail logs for requests made to the Amazon STS global endpoint are sent to the US East (N. Virginia) Region. CloudTrail logs for requests served by Amazon STS Regional endpoints will continue to be logged to their respective Region in CloudTrail.
+ CloudTrail logs for operations performed by the Amazon STS global endpoint and Regional endpoints have additional fields `endpointType` and `awsServingRegion` to indicate which endpoint and Region served the request. For CloudTrail log examples, see [Example Amazon STS API event using the global endpoint in CloudTrail log file](cloudtrail-integration.md#stscloudtrailexample-assumerole-sts-global-endpoint).
+ Requests made to the Amazon STS global endpoint have a value of `us-east-1` for the `aws:RequestedRegion` condition key, regardless of which Region served the request.
+ Requests handled by the Amazon STS global endpoint do not share a requests per second quota with Regional Amazon STS endpoints.

If you have workloads in an opt-in Region and are still using the Amazon STS global endpoint, we recommend migrating to Amazon STS regional endpoints for improved resiliency and performance. For more information about configuring regional Amazon STS endpoints, see [Amazon STS Regional endpoints](https://docs.amazonaws.cn/sdkref/latest/guide/feature-sts-regionalized-endpoints.html) in the *Amazon SDKs and Tools Reference Guide*.

## Amazon CloudTrail and Regional endpoints
<a name="sts-regions-cloudtrail"></a>

Calls to regional and global endpoints are logged in the `tlsDetails` field in Amazon CloudTrail. Calls to regional endpoints, such as `us-west-2.amazonaws.com.cn`, are logged in CloudTrail to their appropriate region. Calls to the global endpoint, `sts.amazonaws.com`, are logged as calls to a global service. Events for global Amazon STS endpoints are logged to us-east-1.

**Note**  
 `tlsDetails` can only be viewed for services that support this field. See [Services that support TLS details in CloudTrail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-supported-tls-details.html) in the *Amazon CloudTrail User Guide*  
For more information, see [Logging IAM and Amazon STS API calls with Amazon CloudTrail](cloudtrail-integration.md).