Resiliency design and Regional behavior - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Resiliency design and Regional behavior

The IAM Identity Center service is fully managed and uses highly available and durable Amazon services, such as Amazon S3 and Amazon EC2. To ensure availability in the event of an availability zone disruption, IAM Identity Center operates across multiple availability zones.

You enable IAM Identity Center in your Amazon Organizations management account. This is required so that IAM Identity Center can provision, de-provision, and update roles across all your Amazon Web Services accounts. When you enable IAM Identity Center, it's deployed to the Amazon Web Services Region that's currently selected. If you want to deploy to a specific Amazon Web Services Region, change the region selection before enabling IAM Identity Center.

Note

IAM Identity Center controls access to its permission sets and applications from its primary Region only. We recommend that you consider the risks associated with access control when IAM Identity Center operates in a single Region.

Although IAM Identity Center determines access from the Region in which you enable the service, Amazon Web Services accounts are global. This means that after users sign in to IAM Identity Center, they can operate in any Region when they access Amazon Web Services accounts through IAM Identity Center. Most Amazon managed applications such as Amazon SageMaker, however, must be installed in the same Region as IAM Identity Center for users to authenticate and assign access to these applications. For information about Regional constraints when using an application with IAM Identity Center, see the documentation for the application.

You can also use IAM Identity Center to authenticate and authorize access to SAML-based applications that are reachable through a public URL, regardless of the platform or cloud on which the application is built.

We don't recommend using Account instances of IAM Identity Center as a means to implement resiliency as it creates a second, isolated control point that isn't connected to your organization instance.

Designed for availability

The following table provides the availability that IAM Identity Center is designed to achieve. These values don’t represent a Service Level Agreement or guarantee, but rather provide insight to the design goals. The availability percentages reference access to data or functions, and aren’t a reference to durability (for example, long term retention of data).

Service component Availability design goal
Data plane (including sign-in) 99.95%
Control plane 99.90%