Resiliency design and Regional behavior - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Resiliency design and Regional behavior

The IAM Identity Center service is fully managed and uses highly available and durable Amazon services, such as Amazon S3 and Amazon EC2. To ensure availability in the event of an Availability Zone disruption, IAM Identity Center operates across multiple Availability Zones. You can replicate your IAM Identity Center instance to additional Regions to maintain account access in the event of a Regional disruption. For more information, see Using IAM Identity Center across multiple Amazon Web Services Regions.

You enable IAM Identity Center in your Amazon Organizations management account. This is required so that IAM Identity Center can provision, de-provision, and update roles across all your Amazon Web Services accounts. When you enable IAM Identity Center, it is deployed to the Amazon Web Services Region that is currently selected, referred to as the "primary Region". If you want to deploy to a specific Amazon Web Services Region, change the Region selection before you enable IAM Identity Center, because the primary Region cannot be changed afterward.

Note

IAM Identity Center is administered from its primary Region only. This includes its connection to an external identity provider, synchronization of users and groups, and the creation and assignment of permission sets to users/groups. We recommend that you account for this behavior when planning for operational resilience, and set up emergency access with an external IdP. Another option is Amazon break-glass access, which relies on IAM users.

Although IAM Identity Center determines access from the Region in which you enable the service, Amazon Web Services accounts are global. This means that after users sign in to IAM Identity Center, they can operate in any Region when they access Amazon Web Services accounts through IAM Identity Center. Most Amazon managed applications, such as Amazon SageMaker AI, however, must be installed in a Region of your IAM Identity Center instance for users to authenticate and for you to assign access to these applications. For information about Regional constraints when using an application with IAM Identity Center, see the documentation for the application.

You can also use IAM Identity Center to authenticate and authorize access to SAML-based applications that are reachable through a public URL, regardless of the platform or cloud on which the application is built.

We do not recommend using Account instances of IAM Identity Center as a means to implement resiliency as it creates a second, isolated control point that isn't connected to your organization instance.

Designed for availability

The following table provides the availability that IAM Identity Center is designed to achieve in a single Amazon Region. These values don’t represent a Service Level Agreement or guarantee, but rather provide insight into the design goals. The availability percentages refer to access to data or functions, not to durability (for example, long-term retention of data).

Service component                 Availability design goal
Data plane (including sign-in)    99.95%
Control plane                     99.90%