Update firewalls and gateways to allow access to the Amazon Web Services access portal - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Update firewalls and gateways to allow access to the Amazon Web Services access portal

The Amazon Web Services access portal provides users with single sign-on access to all your Amazon Web Services accounts and most commonly used cloud applications such as Office 365, Concur, Salesforce, and many more. You can quickly launch multiple applications simply by choosing the Amazon Web Services account or application icon in the portal.

Note

Amazon managed applications integrate with IAM Identity Center and use it for authentication and directory services, but might not use the Amazon Web Services access portal for application access.

If you filter access to specific Amazon domains or URL endpoints by using a web content filtering solution such as next-generation firewalls (NGFW) or Secure Web Gateways (SWG), you must allowlist the domains and URL endpoints associated with the Amazon Web Services access portal.

The following list provides the domains and URL endpoints to add to the allowlists of your web content filtering solution.

  • [Directory ID or alias].awsapps.com

  • *.aws.dev

  • *.awsstatic.com

  • *.console.aws.a2z.com

  • oidc.[Region].amazonaws.com

  • *.sso.amazonaws.com

  • *.sso.[Region].amazonaws.com

  • *.sso-portal.[Region].amazonaws.com

  • [Region].prod.pr.panorama.console.api.aws/panoramaroute

  • [Region].signin.aws

  • [Region].signin.aws.amazon.com

  • signin.aws.amazon.com

  • *.cloudfront.net

  • opfcaptcha-prod.s3.amazonaws.com
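As an added example (not code from the Amazon documentation), the following Python script expands the placeholders in the list above for the directory ID or alias and the Regions an organization actually uses, and then checks URLs against the result. This is a practical way to dry-run a proposed allowlist against URLs taken from proxy or gateway logs before changing the NGFW or SWG policy. The directory ID `d-1234567890` and Region `us-east-1` are constructed sample values; the interpretation of a leading `*.` as one or more labels below the suffix (never the apex itself) is an assumption of the example, since filtering products differ on that point.

```python
"""Expand the access-portal allowlist and check URLs against it.

Added example. The pattern list is copied from the documentation; the
directory ID and Region used in the tests are constructed placeholders.
"""
from urllib.parse import urlsplit

# Entries exactly as the documentation lists them; [...] tokens are placeholders.
ACCESS_PORTAL_ALLOWLIST = [
    "[Directory ID or alias].awsapps.com",
    "*.aws.dev",
    "*.awsstatic.com",
    "*.console.aws.a2z.com",
    "oidc.[Region].amazonaws.com",
    "*.sso.amazonaws.com",
    "*.sso.[Region].amazonaws.com",
    "*.sso-portal.[Region].amazonaws.com",
    "[Region].prod.pr.panorama.console.api.aws/panoramaroute",
    "[Region].signin.aws",
    "[Region].signin.aws.amazon.com",
    "signin.aws.amazon.com",
    "*.cloudfront.net",
    "opfcaptcha-prod.s3.amazonaws.com",
]


def expand_allowlist(directory_ids, regions, entries=ACCESS_PORTAL_ALLOWLIST):
    """Return (host_pattern, path_prefix) tuples with placeholders filled in.

    One concrete entry is produced per directory ID/alias and per Region you
    actually use, so that a pattern such as oidc.[Region].amazonaws.com does
    not silently become a wildcard over every Region.
    """
    result = []
    for entry in entries:
        host_pattern, _, path = entry.partition("/")
        path_prefix = "/" + path if path else None  # only the panorama entry is path-scoped
        variants = [host_pattern]
        if "[Directory ID or alias]" in host_pattern:
            variants = [v.replace("[Directory ID or alias]", d)
                        for v in variants for d in directory_ids]
        if "[Region]" in host_pattern:
            variants = [v.replace("[Region]", r) for v in variants for r in regions]
        for v in variants:
            item = (v.lower(), path_prefix)
            if item not in result:
                result.append(item)
    return result


def host_matches(host, pattern):
    """Match a hostname against one allowlist host pattern.

    Assumption of this example: a leading '*.' means one or more labels below
    the suffix, so '*.cloudfront.net' matches 'd111.cloudfront.net' but not
    the apex 'cloudfront.net'. Any other pattern must equal the whole hostname.
    Matching is on whole labels, so 'awsapps.com.example' never matches an
    'awsapps.com' entry.
    """
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".cloudfront.net"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(url, allowlist):
    """True if the URL's host (and path, for path-scoped entries) is allowlisted."""
    parts = urlsplit(url)
    if not parts.hostname:
        return False
    path = parts.path or "/"
    for host_pattern, path_prefix in allowlist:
        if not host_matches(parts.hostname, host_pattern):
            continue
        if path_prefix is None or path == path_prefix or path.startswith(path_prefix + "/"):
            return True
    return False


def blocked(urls, allowlist):
    """Return the URLs (for example, from a proxy log) that the allowlist would not admit."""
    return [u for u in urls if not is_allowed(u, allowlist)]


if __name__ == "__main__":
    # Constructed sample: one directory ID and one Region.
    allow = expand_allowlist(["d-1234567890"], ["us-east-1"])
    observed = [  # constructed URLs standing in for proxy-log entries
        "https://d-1234567890.awsapps.com/start",
        "https://oidc.us-east-1.amazonaws.com/token",
        "https://oidc.eu-west-1.amazonaws.com/token",
        "https://us-east-1.prod.pr.panorama.console.api.aws/other",
    ]
    for u in blocked(observed, allow):
        print("would be blocked:", u)
```

Run the script with the directory IDs and Regions your deployment uses; every URL it reports as blocked is either a missing Region or directory value in your expansion, or a domain belonging to one of the additional services listed under the considerations below. Note that the wildcard entries, `*.cloudfront.net` in particular, admit any host under that suffix, not only the ones the access portal uses; the script keeps the Region- and directory-specific entries narrow by expanding them per value rather than replacing the placeholder with a wildcard.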

Considerations for allowlisting domains and URL endpoints

In addition to the allowlist requirements for the Amazon Web Services access portal, the other services and applications you use might require allowlisting of domains.

  • To access Amazon Web Services accounts, the Amazon Web Services Management Console, and the IAM Identity Center console from your Amazon Web Services access portal, you must allowlist additional domains. Refer to Troubleshooting in the Amazon Web Services Management Console Getting Started Guide for a list of Amazon Web Services Management Console domains.

  • To access Amazon managed applications from your Amazon Web Services access portal, you must allowlist their respective domains. Refer to the respective service documentation for guidance.

  • If you use external software, such as external IdPs (for example, Okta and Microsoft Entra ID), you'll need to include their domains in your allowlists.