Resiliency design and Regional behavior - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Resiliency design and Regional behavior

The IAM Identity Center service is fully managed and uses highly available and durable Amazon services, such as Amazon S3 and Amazon EC2. To ensure availability in the event of an availability zone disruption, IAM Identity Center operates across multiple availability zones. For information about the availability design goals for IAM Identity Center, see Appendix A: Designed-For Availability for Select Amazon Services in the Reliability Pillar Guide.

You enable IAM Identity Center in your Amazon Organizations management account. This is required so that IAM Identity Center can provision, de-provision, and update roles across all your Amazon Web Services accounts. When you enable IAM Identity Center, it is deployed to the Amazon Web Services Region that is currently selected. If you want to deploy to a specific Amazon Web Services Region, change the region selection before enabling IAM Identity Center.


IAM Identity Center controls access to its permission sets and applications from its primary Region only. We recommend that you consider the risks associated with access control when IAM Identity Center operates in a single Region.

Although IAM Identity Center determines access from the Region in which you enable the service, Amazon Web Services accounts are global. This means that after users sign in to IAM Identity Center, they can operate in any Region when they access Amazon Web Services accounts through IAM Identity Center. Most Amazon managed applications such as Amazon SageMaker, however, must be installed in the same Region as IAM Identity Center for users to authenticate and assign access to these applications. For information about Regional constraints when using an application with IAM Identity Center, see the documentation for the application.

You can also use IAM Identity Center to authenticate and authorize access to SAML-based applications that are reachable through a public URL, regardless of the platform or cloud on which the application is built.

We do not recommend using Account instances of IAM Identity Center as a means to implement resiliency as it creates a second, isolated control point that is not connected to your organization instance.