Prerequisites and considerations - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Prerequisites and considerations

The following topics provide information about prerequisites and other considerations for setting up IAM Identity Center.

Considerations for choosing an Amazon Web Services Region

You can enable an IAM Identity Center instance in a single, supported Amazon Web Services Region of your choice. Choosing a Region requires an assessment of your priorities based on your use cases and company policies. Access to Amazon Web Services accounts and cloud applications from your IAM Identity Center doesn't depend on this choice; however, access to Amazon managed applications and the ability to use Amazon Managed Microsoft AD as the identity source can depend on this choice. Refer to Amazon IAM Identity Center endpoints and quotas in the Amazon Web Services General Reference for a list of Regions that IAM Identity Center supports.

Key considerations for choosing an Amazon Web Services Region:

  • Geographical location – When you select a Region that is geographically closest to the majority of your end users, they'll have lower latency of access to the Amazon Web Services access portal and Amazon managed applications, such as Amazon SageMaker Studio.

  • Availability of Amazon managed applications – Amazon managed applications, such as Amazon SageMaker, can operate only in the Amazon Web Services Regions they support. Enable IAM Identity Center in a Region supported by the Amazon managed application(s) you want to use with it. Many Amazon managed applications can also operate only in the same Region where you enabled IAM Identity Center.

  • Digital sovereignty – Digital sovereignty regulations or company policies may mandate the use of a particular Amazon Web Services Region. Consult with your company’s legal department.

  • Identity source – If you’re using Amazon Managed Microsoft AD or AD Connector as the identity source, its home Region must match the Amazon Web Services Region in which you enabled IAM Identity Center.

  • Regions disabled by default – Amazon originally enabled all new Amazon Web Services Regions for use in Amazon Web Services accounts by default, which automatically enabled your users to create resources in any Region. Now when Amazon adds a new Region, its use is disabled by default in all accounts. If you deploy IAM Identity Center in a Region disabled by default, then you must enable this Region in all the accounts for which you want to manage access to IAM Identity Center. This is required even if you don’t plan to create any resources in that Region in those accounts.

    You can enable a Region for the current accounts in your organization and you must repeat this action for new accounts you might add later. For instructions, see Enable or disable a Region in your organization in the Amazon Organizations user guide. To avoid repeating these additional steps, you can choose to deploy your IAM Identity Center in a Region enabled by default. For reference, the following Regions are enabled by default:

    • US East (Ohio)

    • US East (N. Virginia)

    • US West (Oregon)

    • US West (N. California)

    • Europe (Paris)

    • South America (São Paulo)

    • Asia Pacific (Mumbai)

    • Europe (Stockholm)

    • Asia Pacific (Seoul)

    • Asia Pacific (Tokyo)

    • Europe (Ireland)

    • Europe (Frankfurt)

    • Europe (London)

    • Asia Pacific (Singapore)

    • Asia Pacific (Sydney)

    • Canada (Central)

    • Asia Pacific (Osaka)

  • Cross-Region calls – In some Regions, IAM Identity Center may call Amazon Simple Email Service in a different Region to send email. In these cross-Region calls, IAM Identity Center sends certain user attributes to the other Region. For more information about Regions, see Amazon IAM Identity Center Region availability.

Switching Amazon Web Services Regions

You can switch your IAM Identity Center Region only by deleting the current instance and creating a new instance in another Region. If you already enabled an Amazon managed application with your existing instance, you should delete it first before deleting your IAM Identity Center. You must recreate users, groups, permission sets, applications, and assignments in the new instance. You can use the IAM Identity Center account and application assignment APIs to get a snapshot of your configuration and then use that snapshot to rebuild your configuration in a new Region. You may also need to recreate some IAM Identity Center configuration through the Management Console of your new instance. For instructions on deleting IAM Identity Center, see Delete your IAM Identity Center configuration.
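The snapshot step described above, as an added example that is not part of the AWS documentation: it walks the real sso-admin operations (ListPermissionSets, DescribePermissionSet, ListManagedPoliciesInPermissionSet, GetInlinePolicyForPermissionSet, ListAccountsForProvisionedPermissionSet, ListAccountAssignments) and records each permission set with its policies and assignments. The client is injected, so the constructed `FakeSsoAdmin` stands in for `boto3.client("sso-admin")` offline; the instance ARN and principal IDs are placeholders.

```python
import json


def _paginate(op, key, **kwargs):
    """Collect every item under `key` across NextToken pages of an sso-admin call."""
    items, token = [], None
    while True:
        resp = op(**kwargs, **({"NextToken": token} if token else {}))
        items.extend(resp.get(key, []))
        token = resp.get("NextToken")
        if not token:
            return items


def snapshot_instance(sso, inst):
    """Return a JSON-serialisable record of each permission set and who holds it in which account."""
    out = {"InstanceArn": inst, "PermissionSets": []}
    for ps in _paginate(sso.list_permission_sets, "PermissionSets", InstanceArn=inst):
        d = sso.describe_permission_set(InstanceArn=inst, PermissionSetArn=ps)["PermissionSet"]
        entry = {"Name": d["Name"], "SessionDuration": d.get("SessionDuration"),
                 "ManagedPolicies": [p["Arn"] for p in _paginate(
                     sso.list_managed_policies_in_permission_set, "AttachedManagedPolicies",
                     InstanceArn=inst, PermissionSetArn=ps)],
                 "InlinePolicy": sso.get_inline_policy_for_permission_set(
                     InstanceArn=inst, PermissionSetArn=ps).get("InlinePolicy", ""),
                 "Assignments": []}
        for acct in _paginate(sso.list_accounts_for_provisioned_permission_set, "AccountIds",
                              InstanceArn=inst, PermissionSetArn=ps):
            for a in _paginate(sso.list_account_assignments, "AccountAssignments",
                               InstanceArn=inst, AccountId=acct, PermissionSetArn=ps):
                entry["Assignments"].append({"AccountId": acct, "PrincipalType": a["PrincipalType"],
                                             "PrincipalId": a["PrincipalId"]})
        out["PermissionSets"].append(entry)
    return out


class FakeSsoAdmin:
    """Constructed stand-in for boto3.client('sso-admin'): one permission set, listed over two pages."""
    def list_permission_sets(self, InstanceArn, NextToken=None):
        if NextToken is None:
            return {"PermissionSets": [], "NextToken": "page2"}
        return {"PermissionSets": ["arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"]}
    def describe_permission_set(self, InstanceArn, PermissionSetArn):
        return {"PermissionSet": {"Name": "ReadOnly", "SessionDuration": "PT1H"}}
    def list_managed_policies_in_permission_set(self, InstanceArn, PermissionSetArn):
        return {"AttachedManagedPolicies": [{"Name": "ReadOnlyAccess", "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}
    def get_inline_policy_for_permission_set(self, InstanceArn, PermissionSetArn):
        return {"InlinePolicy": ""}
    def list_accounts_for_provisioned_permission_set(self, InstanceArn, PermissionSetArn):
        return {"AccountIds": ["111111111111", "222222222222"]}
    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn):
        return {"AccountAssignments": [{"AccountId": AccountId, "PermissionSetArn": PermissionSetArn,
                                        "PrincipalType": "GROUP", "PrincipalId": "g-EXAMPLE"}]}


if __name__ == "__main__":  # for a live run, pass boto3.client("sso-admin") and the ARN from list_instances()
    print(json.dumps(snapshot_instance(FakeSsoAdmin(), "arn:aws:sso:::instance/ssoins-EXAMPLE"), indent=2))
```

The recorded `PrincipalId` values belong to the old instance's identity store; map them to the recreated users and groups (for example by name through the Identity Store API) before replaying the assignments in the new Region.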

Quota for IAM roles created by IAM Identity Center

IAM Identity Center creates IAM roles to give users permissions to resources. When you assign a permission set, IAM Identity Center creates corresponding IAM Identity Center-controlled IAM roles in each account, and attaches the policies specified in the permission set to those roles. IAM Identity Center manages the role, and allows the authorized users you’ve defined to assume the role, by using the Amazon Web Services access portal or Amazon CLI. As you modify the permission set, IAM Identity Center ensures that the corresponding IAM policies and roles are updated accordingly.

If you've already configured IAM roles in your Amazon Web Services account, we recommend that you check whether your account is approaching the quota for IAM roles. The default quota for IAM roles per account is 1000 roles. For more information, see IAM object quotas.

If you're nearing the quota, consider requesting a quota increase. Otherwise, you might experience problems with IAM Identity Center when you provision permission sets to accounts that have exceeded the IAM role quota. For information about how to request a quota increase, see Requesting a quota increase in the Service Quotas User Guide.

Note

If you are reviewing IAM roles in an account that's already using IAM Identity Center, you might notice role names beginning with “AWSReservedSSO_”. These are the roles which the IAM Identity Center service has created in the account, and they came from assigning a permission set to the account.
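The quota check recommended above, together with the `AWSReservedSSO_` naming from the note, as an added example that is not part of the AWS documentation: it reads the account's role count and quota from GetAccountSummary (whose SummaryMap carries `Roles` and `RolesQuota`), counts the Identity Center-created roles by prefix while paging ListRoles, and flags when a quota increase should be requested. The client is injected so the constructed `FakeIam` stands in for `boto3.client("iam")` offline; the warning threshold is an assumption.

```python
SSO_ROLE_PREFIX = "AWSReservedSSO_"  # roles Identity Center creates when a permission set is provisioned


def role_quota_report(iam, warn_ratio=0.8):
    """Return role usage against the account quota and whether the account is nearing it.

    warn_ratio is an assumed threshold: flag the account once usage reaches 80% of the quota.
    """
    quota = iam.get_account_summary()["SummaryMap"]["RolesQuota"]
    total, sso_roles, marker = 0, 0, None
    while True:  # ListRoles pages with IsTruncated/Marker
        page = iam.list_roles(**({"Marker": marker} if marker else {}))
        total += len(page["Roles"])
        sso_roles += sum(1 for r in page["Roles"] if r["RoleName"].startswith(SSO_ROLE_PREFIX))
        if not page.get("IsTruncated"):
            break
        marker = page["Marker"]
    return {"Roles": total, "IdentityCenterRoles": sso_roles, "RolesQuota": quota,
            "Remaining": quota - total, "RequestIncrease": total >= warn_ratio * quota}


class FakeIam:
    """Constructed stand-in for boto3.client('iam'): 820 roles under the default 1000 quota, two pages."""
    def get_account_summary(self):
        return {"SummaryMap": {"Roles": 820, "RolesQuota": 1000}}
    def list_roles(self, Marker=None):
        if Marker is None:
            return {"Roles": [{"RoleName": f"AWSReservedSSO_ReadOnly_{i:04x}"} for i in range(400)],
                    "IsTruncated": True, "Marker": "page2"}
        return {"Roles": [{"RoleName": f"app-role-{i}"} for i in range(420)], "IsTruncated": False}


if __name__ == "__main__":  # for a live run, pass boto3.client("iam") instead of FakeIam()
    report = role_quota_report(FakeIam())
    print(report)
    if report["RequestIncrease"]:
        print("Request an IAM role quota increase before provisioning more permission sets.")
```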

IAM Identity Center and Amazon Organizations

Amazon Organizations is recommended, but not required, for use with IAM Identity Center. If you haven't set up an organization, you don't have to. When you enable IAM Identity Center, you will choose whether to enable the service with Amazon Organizations. When you set up an organization, the Amazon Web Services account that sets up the organization becomes the management account of the organization. The root user of the Amazon Web Services account is now the owner of the organizational management account. Any additional Amazon Web Services accounts you invite to your organization are member accounts. The management account creates the organization's resources, organizational units, and policies that manage the member accounts. Permissions are delegated to member accounts by the management account.

Note

We recommend that you enable IAM Identity Center with Amazon Organizations, which creates an organization instance of IAM Identity Center. An organization instance is our recommended best practice because it supports all features of IAM Identity Center and provides central management capabilities. For more information, see Manage organization and account instances of IAM Identity Center.

If you've already set up Amazon Organizations and are going to add IAM Identity Center to your organization, make sure that all Amazon Organizations features are enabled. When you create an organization, enabling all features is the default. For more information, see Enabling all features in your organization in the Amazon Organizations User Guide.

To enable IAM Identity Center, you must sign in to the Amazon Web Services Management Console by signing in to your Amazon Organizations management account as a user that has administrative credentials or as the root user (not recommended unless no other administrative users exist). You can't enable IAM Identity Center while signed in with administrative credentials from an Amazon Organizations member account. For more information, see Creating and managing an Amazon Organization in the Amazon Organizations User Guide.