IAM Identity Center Region data storage and operations
Learn how IAM Identity Center handles data storage and operations across Amazon Web Services Regions.
Understand how IAM Identity Center stores data
When you enable IAM Identity Center, all the data that you configure in IAM Identity Center is stored in the Region where you configured it. This data includes directory configurations, permission sets, application instances, and user assignments to Amazon Web Services account applications. If you are using the IAM Identity Center identity store, all users and groups that you create in IAM Identity Center are also stored in the same Region.
Cross-Region emails with Amazon SES
When attempting to sign-in with one-time password (OTP) as a second authentication factor and for certain identity and credential management events, such as when the user is invited to set up an initial password, verify an email address, and reset their password, IAM Identity Center in China (Beijing) Region makes cross-Region API calls to China (Ningxia) Region to send emails. In these cross-Region calls, user attributes include:
Email address
First name
Last name
Amazon Web Services account in Amazon Organizations
Amazon Web Services access portal URL
Username
Directory ID
User ID
Managing IAM Identity Center in an opt-in Region (Region that is disabled by default)
Most Amazon Web Services Regions are enabled for operations in all Amazon services by default, but you
must enable the following opt-in Regions
Africa (Cape Town)
Asia Pacific (Hong Kong)
Asia Pacific (Hyderabad)
Asia Pacific (Jakarta)
Asia Pacific (Melbourne)
Asia Pacific (Malaysia)
Canada West (Calgary)
Europe (Milan)
Europe (Spain)
Europe (Zurich)
Israel (Tel Aviv)
Middle East (Bahrain)
Middle East (UAE)
If you deploy IAM Identity Center in an opt-in Region, then you must enable this Region in all the accounts for which you want to manage access to IAM Identity Center. All accounts need this configuration, whether or not you'll create resources in that Region. You can enable a Region for the current accounts in your organization and you must repeat this action when you add new accounts. For instructions, see Enable or disable a Region in your organization in the Amazon Organizations User Guide. To avoid repeating these additional steps, you can choose to deploy your IAM Identity Center in a Region enabled by default.
Note
Your Amazon member account must be opted into the same Region as the opt-in Region where your IAM Identity Center instance is located, so you can access the Amazon member account from the Amazon Web Services access portal.
Metadata stored in opt-in Regions
When you enable IAM Identity Center for a management account in an opt-in Amazon Web Services Region, the following IAM Identity Center metadata for any member accounts is stored in the Region.
Account ID
Account name
Account email
Amazon Resource Names (ARNs) of the IAM roles that IAM Identity Center creates in the member account
Amazon Web Services Regions that are enabled by default
The following Regions are enabled by default and you can enable IAM Identity Center in these Regions.
US East (Ohio)
US East (N. Virginia)
US West (Oregon)
US West (N. California)
Europe (Paris)
South America (São Paulo)
Asia Pacific (Mumbai)
Europe (Stockholm)
Asia Pacific (Seoul)
Asia Pacific (Tokyo)
Europe (Ireland)
Europe (Frankfurt)
Europe (London)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Canada (Central)
Asia Pacific (Osaka)