Considerations for choosing an Amazon Web Services Region
You can enable IAM Identity Center in a single, supported Amazon Web Services Region of your choice, and it is then available to users globally. This global availability makes it easier for you to configure user access to multiple Amazon Web Services accounts and applications. The following are key considerations for choosing an Amazon Web Services Region.
- Geographical location of your users – When you select the Region that is geographically closest to the majority of your end users, they get lower-latency access to the Amazon Web Services access portal and Amazon managed applications, such as Amazon SageMaker AI.
- Opt-in Regions (Regions that are disabled by default) – An opt-in Region is an Amazon Web Services Region that is disabled by default. To use an opt-in Region, you must enable it. For more information, see Managing IAM Identity Center in an opt-in Region.
- Replicating IAM Identity Center to additional Regions – If you plan to replicate IAM Identity Center to additional Amazon Web Services Regions, you must choose a Region enabled by default. For more information, see Using IAM Identity Center across multiple Amazon Web Services Regions.
- Choosing deployment Regions for Amazon managed applications – Amazon managed applications can operate only in the Amazon Web Services Regions in which they are available. Many Amazon managed applications can also operate only in a Region where IAM Identity Center is enabled (the primary Region) or to which it is replicated (an additional Region). To confirm whether your IAM Identity Center instance supports replication to additional Regions, see Using IAM Identity Center across multiple Amazon Web Services Regions. If replication is not an option, consider enabling IAM Identity Center in the Region where you plan to use Amazon managed applications.
- Digital sovereignty – Digital sovereignty regulations or company policies may mandate the use of a particular Amazon Web Services Region. Consult with your company’s legal department.
- Identity source – If you’re using Amazon Managed Microsoft AD or your self-managed directory in Active Directory (AD) as the identity source, its home Region must match the Amazon Web Services Region in which you enabled IAM Identity Center.
- Cross-Region emails with Amazon Simple Email Service – In some Regions, IAM Identity Center may call Amazon Simple Email Service (Amazon SES) in a different Region to send email. In these cross-Region calls, IAM Identity Center sends certain user attributes to the other Region. For more information, see Cross-Region emails with Amazon SES.
- Amazon Control Tower – If you’re enabling an organization instance of IAM Identity Center from Amazon Control Tower, the instance will be created in the same Region as the Amazon Control Tower landing zone.