Deploying and managing applications across multiple Amazon Regions - Amazon IAM Identity Center

Deploying and managing applications across multiple Amazon Regions

The topic of application access through IAM Identity Center is covered extensively in Configure access to applications. This section provides additional details relevant to the deployment and management of applications across multiple Amazon Web Services Regions.

Deploying and managing Amazon managed applications across multiple Amazon Web Services Regions

With a single-Region IAM Identity Center instance, you can deploy Amazon managed applications in the same Region as your instance. Some applications, such as Amazon Q Business, support a cross-Region connection to IAM Identity Center, which lets you deploy them outside the IAM Identity Center Region if the application is available in that Region. However, cross-Region calls can slow application performance, and most Amazon managed applications don't support this type of connection.

A multi-Region IAM Identity Center instance lets you deploy Amazon managed applications in any enabled Region with a connection to IAM Identity Center in the same Region ("Region-local connection"). This requires that the Amazon managed application is available in the Region and supports deployment in additional Regions. With a Region-local connection to IAM Identity Center, Amazon managed applications access workforce identities in the same Region for optimal performance and reliability. We recommend choosing a Region-local connection when deploying an Amazon managed application whenever the prerequisites are met.

To deploy an Amazon managed application in an additional Region of IAM Identity Center, start the deployment in that Region through the application console or API in the same way that you deploy in the primary Region.

Considerations:

  • If you haven't replicated your IAM Identity Center to that Region yet, we recommend that you do this first so that the application deployment can complete right away.

  • Amazon managed applications will, in many cases, automatically establish a Region-local connection if you've already replicated IAM Identity Center to the Region.

  • If an Amazon managed application offers a cross-Region connection to IAM Identity Center, we recommend that you choose a Region-local connection provided that the prerequisites are met.

  • If the application doesn't support deployment in additional Regions, you can deploy it in the primary Region provided that the application is available there.

Important

If your IAM Identity Center instance is multi-regional, all Amazon managed applications in use by your organization must support IAM Identity Center configured with a customer-managed KMS key regardless of the application deployment Region. Confirm this in the Amazon managed applications that you can use with IAM Identity Center before deploying an application and before configuring a customer-managed KMS key in your IAM Identity Center.

An application's management Region

After you deploy an Amazon managed application in an additional Region of IAM Identity Center using a Region-local connection, you manage the application and its assignments to users and groups in the same Region. IAM Identity Center replicates the application metadata including assignments to users and groups to other enabled Regions so that your workforce can launch applications from any enabled Region.

If your Amazon managed application is using a cross-Region connection to IAM Identity Center, you manage the application details, such as name and description, and its assignments to users and groups through the IAM Identity Center console and API in the connected Region. Regardless of the connection type, you can manage the application through its own console in its deployment Region.

Trusted identity propagation

You can use trusted identity propagation with Amazon managed applications that support it in any enabled Region of your IAM Identity Center instance.

All applications that propagate identity context to each other must be in the same Region.

An application’s dependency on its connected IAM Identity Center Region

Each Amazon managed application connects to a specific IAM Identity Center Region during deployment. The application then depends on that Region for user sign-in, even if your IAM Identity Center instance is enabled in multiple Regions; replicating the instance to additional Regions does not move that connection or provide sign-in failover for the application. If IAM Identity Center is experiencing a disruption in the connected Region, users might not be able to access the Amazon managed applications connected to that Region.
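The placement rules in the considerations above, the same-Region requirement for trusted identity propagation, and the per-application sign-in dependency can be checked together before you deploy. The planner below is an added example written for this page; it is not code from the IAM Identity Center documentation or SDK. The per-application attributes (which Regions the application is offered in, whether it supports deployment in additional Regions, a cross-Region connection, or a customer managed KMS key) are assumed inputs that you fill in from each application's own documentation, and the inventory in `sample_plan()` is constructed for illustration.

```python
"""Placement planner for Amazon managed applications against a multi-Region
IAM Identity Center instance. Added example encoding the rules on this page;
not code from the IAM Identity Center documentation or SDK. Application
attributes are assumed inputs taken from each application's documentation."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class App:
    name: str
    target_region: str                  # Region you want the application deployed in
    available_regions: set              # Regions the application itself is offered in
    supports_additional_regions: bool   # can be deployed outside the primary Region
    supports_cross_region: bool         # can connect to Identity Center in another Region
    supports_cmk: bool = True           # supports Identity Center with a customer managed KMS key
    propagates_to: set = field(default_factory=set)  # apps it passes identity context to


@dataclass
class Placement:
    deploy_region: Optional[str]        # None: cannot be deployed as requested
    connection: str                     # "region-local", "cross-region" or "none"
    signin_region: Optional[str]        # Identity Center Region the app depends on for sign-in
    notes: list


def _place_one(app, primary, enabled):
    """Apply the placement rules for a single application."""
    target = app.target_region
    # An app not offered in the target Region, or unable to deploy outside the
    # primary Region, falls back to the primary Region if it is offered there.
    if target != primary and (target not in app.available_regions
                              or not app.supports_additional_regions):
        if primary in app.available_regions:
            return Placement(primary, "region-local", primary,
                             [f"not deployable in {target}; deployed in primary Region {primary}"])
        return Placement(None, "none", None, [f"not available in {target} or {primary}"])
    if target not in app.available_regions:
        return Placement(None, "none", None, [f"not available in {target}"])
    # Preferred: a Region-local connection where Identity Center is already enabled.
    if target in enabled:
        return Placement(target, "region-local", target, [])
    # Identity Center is not replicated to the target Region yet.
    if app.supports_cross_region:
        return Placement(target, "cross-region", primary,
                         [f"replicate Identity Center to {target} and switch to a Region-local connection"])
    return Placement(target, "region-local", target,
                     [f"replicate Identity Center to {target} first; deployment cannot complete until then"])


def plan(apps, primary, enabled_regions, customer_managed_key=False):
    """Place every app, then apply the cross-cutting checks from this page."""
    enabled = set(enabled_regions) | {primary}
    placements = {a.name: _place_one(a, primary, enabled) for a in apps}
    for a in apps:
        p = placements[a.name]
        # Multi-Region instance: every app in use must support a customer managed
        # KMS key, regardless of its deployment Region.
        if customer_managed_key and not a.supports_cmk:
            p.notes.append("does not support Identity Center with a customer managed KMS key")
        # Apps that propagate identity context to each other must share a Region.
        for downstream in a.propagates_to:
            q = placements.get(downstream)
            if q is None or q.deploy_region != p.deploy_region:
                p.notes.append(f"trusted identity propagation to {downstream} requires the same Region")
    return placements


def affected_by_disruption(placements, region):
    """Apps whose sign-in depends on Identity Center in the given Region."""
    return sorted(n for n, p in placements.items() if p.signin_region == region)


def sample_plan():
    # Constructed inventory: primary Region us-east-1, instance replicated to eu-west-1.
    apps = [
        App("analytics", "eu-west-1", {"us-east-1", "eu-west-1"}, True, False),
        App("assistant", "ap-southeast-1", {"us-east-1", "ap-southeast-1"}, True, True),
        App("legacy", "eu-west-1", {"us-east-1"}, False, False,
            supports_cmk=False, propagates_to={"analytics"}),
        App("lake", "eu-west-1", {"us-east-1", "eu-west-1"}, True, False,
            propagates_to={"analytics"}),
    ]
    return plan(apps, "us-east-1", {"eu-west-1"}, customer_managed_key=True)


if __name__ == "__main__":
    result = sample_plan()
    for name, p in result.items():
        print(f"{name}: deploy={p.deploy_region} connection={p.connection} "
              f"sign-in={p.signin_region} notes={p.notes}")
    print("affected by a us-east-1 disruption:", affected_by_disruption(result, "us-east-1"))
```

In the constructed inventory, `assistant` ends up on a cross-Region connection because the instance is not yet replicated to ap-southeast-1, so its sign-in still depends on us-east-1; `legacy` falls back to the primary Region, which both breaks its identity propagation to `analytics` and fails the customer managed key requirement. `affected_by_disruption` gives the sign-in blast radius of a disruption in one Identity Center Region.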

Deploying and managing customer managed applications across multiple Amazon Web Services Regions

IAM Identity Center supports SAML 2.0 and OAuth 2.0 customer managed applications. You can create them in any enabled Region of your IAM Identity Center instance. After you create one, you manage the application and its assignments to users and groups in the same Region.