Failover to an additional Region for Amazon Web Services account access - Amazon IAM Identity Center


The topic of Amazon Web Services account access through IAM Identity Center is covered extensively in Configure access to Amazon Web Services accounts. This section provides additional details relevant to maintaining Amazon Web Services account access across multiple Amazon Web Services Regions in the event of a service disruption in the primary Region.

If your IAM Identity Center instance is experiencing a disruption in the primary Region, your workforce can switch to an additional Region to continue accessing Amazon Web Services accounts and unaffected applications. The section Workforce access through an additional Region explains how to access the Amazon Web Services access portal in an additional Region.

We recommend that you communicate the Amazon Web Services access portal endpoints in additional Regions and the external IdP setup (such as bookmark apps for the additional Regions) to your workforce as soon as you complete the setup in Replicate IAM Identity Center to an additional Region. This will enable them to be ready for failover to an additional Region if needed.

Similarly, we recommend that Amazon CLI users create an Amazon CLI profile for each additional Region, matching each profile they have for the primary Region. They can then switch to the corresponding profile if there is a service disruption in the primary Region.
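The following ~/.aws/config fragment is an added example, not part of this documentation page, of what such paired profiles look like: one sso-session and profile for the primary Region and a second pair for the additional Region, reaching the same account and permission set. The directory ID d-EXAMPLE, the account ID 111122223333, the Region codes and the additional Region's access portal URL are placeholders; substitute the start URL that your additional Region's access portal actually presents.

```ini
# Primary Region: the IAM Identity Center instance your workforce uses day to day.
[sso-session identity-center-primary]
sso_start_url = https://d-EXAMPLE.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = identity-center-primary
sso_account_id = 111122223333
sso_role_name = DeveloperAccess
region = us-east-1

# Additional Region: same account, same permission set, but device authorization
# and token issuance go to the replicated instance in eu-west-1, so this profile
# keeps working while the primary Region is disrupted.
# (Placeholder start URL; use the access portal URL shown for your additional Region.)
[sso-session identity-center-failover]
sso_start_url = https://d-EXAMPLE.awsapps.com/start-EXAMPLE-ADDITIONAL-REGION
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

[profile dev-failover]
sso_session = identity-center-failover
sso_account_id = 111122223333
sso_role_name = DeveloperAccess
# Workload Region is independent of the Identity Center Region; keep it unchanged
# so that failover only changes where you authenticate, not which resources you target.
region = us-east-1
```

During a disruption a user runs `aws sso login --profile dev-failover` and then `aws sts get-caller-identity --profile dev-failover` to confirm they have assumed the same role through the additional Region; running that check periodically is the simplest way to verify the failover profile before it is needed.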

Note

Continuity of access to Amazon Web Services accounts also depends on the health of your external IdP and permissions such as permission set assignments and group memberships being provisioned and replicated before a service disruption. We recommend your organization also set up Amazon break-glass access to maintain Amazon access to a small group of privileged users when the external IdP has a service disruption. Set up emergency access to the Amazon Web Services Management Console is a similar option that avoids using IAM users, but it too depends on the external IdP.

Amazon Web Services account access resiliency without multiple ACS URLs

Some external identity providers (IdPs) don't support multiple assertion consumer service (ACS) URLs in their IAM Identity Center application. Multiple ACS URLs are a SAML feature that is required for direct sign-in to a specific Region in a multi-Region IAM Identity Center.

To enable your users to access their Amazon Web Services accounts through multiple IAM Identity Center Regions, you must configure the respective regional ACS URLs in the external IdP. However, if the external IdP supports only a single ACS URL in its IAM Identity Center application, users can sign in directly to only one IAM Identity Center Region at a time.

To resolve this issue, work with your IdP vendor to enable support for multiple ACS URLs. In the meantime, you can use additional Regions as backup for access to Amazon Web Services accounts.

If an IAM Identity Center service disruption occurs in the primary Region, you must update the ACS URL in the external IdP with an additional Region's ACS URL. After this update, your users can access the Amazon Web Services access portal in the additional Region using the existing IAM Identity Center application in the external IdP portal, or through a direct link that you share with them.

We recommend that you test this setup periodically to ensure that it works when needed and communicate this failover process to your organization.

Note

When you use an additional Region for access to Amazon Web Services accounts in this setup, your users might not be able to access Amazon managed applications that are connected to the primary Region. Therefore, we recommend this only as a temporary measure to maintain access to Amazon Web Services accounts.