IAM Identity Center - Getting Started with Amazon Web Services in China
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM Identity Center

With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their Amazon Web Services accounts and applications. You can use multi-account permissions to assign your workforce users access to Amazon Web Services accounts. You can use application assignments to assign your users access to Amazon Web Services managed and customer managed applications.

Region Availability

IAM Identity Center is available in the following Regions in China:

  • China (Beijing) Region

  • China (Ningxia) Region

Feature Availability and Implementation Differences

The Amazon Web Services in China implementation of IAM Identity Center is unique in the following ways:

  • IAM Identity Center integrates with Amazon Organizations to manage access across your Amazon Web Services accounts, and therefore, IAM Identity Center is subject to any Amazon Organizations differences.

  • The Amazon Web Services access portal URL has a URL pattern of https://start.home.awsapps.cn/directory/[IdentityStoreId] or https://start.home.awsapps.cn/directory/[CustomAlias].

    You can find this URL on the Settings page in the IAM Identity Center console.

  • The Amazon Resource Name (ARN) for your IAM Identity Center instance has a pattern of arn:aws-cn:sso:::instance/[InstanceId]. You can find this ARN on the Settings page in the IAM Identity Center console.

  • The ARNs for IAM Identity Center permission sets have a pattern of arn:aws-cn:sso:::permissionSet/[InstanceID]/[PermissionSetID]. You can find these ARNs on the Permission sets tab under the Amazon Web Services accounts page in the IAM Identity Center console.

  • The email address no-reply@login.awsapps.cn is used for sending email-verification, password reset, and user invitation emails in the Beijing and Ningxia Regions. The email address no-reply@signin.amazonaws.com.cn is used for sending forgotten password emails.

  • Google Workspace (formerly G Suite) is not available in China.

  • The solutions provided by Amazon Security Competency partners CyberArk, Ermetic, and Okta are not hosted in China. Their capabilities and integration with IAM Identity Center for the purposes of temporary elevated access management have not been tested with IAM Identity Center in China.

  • Single sign-on to Amazon EC2 Windows instances for IAM Identity Center users is not supported.

  • IAM Identity Center integrates with Amazon Web Services applications to provide single sign-on and centralized identity and access management for those applications. The Amazon Web Services products page lists the Amazon Web Services applications available in China. Refer to the China-specific user guide of an Amazon Web Services application for details on its integration with IAM Identity Center.

  • The application and identity providers referenced in the IAM Identity Center documentation are third parties. Their instances may be located outside of China. Customers should verify the location of the instances with the third-party providers directly, and customers should confirm whether any cross-border transfers of data comply with their obligations under applicable laws. If customers use the services offered by these third parties, customers may experience higher latency due to reasons beyond the control of Amazon (for example, if the third party's servers are outside of China), and customers should work with the third-party provider directly to address latency.

  • The cloud application External Amazon Web Services Account is presently not available in the cloud application catalog. If you need to configure federation to an Amazon Web Services account that is not part of the same Amazon organization, you can use a custom SAML application. Instructions on how to set up the federation in the account are available in the IAM User Guide.

  • Amazon Web Services China (Beijing) Region, operated by Sinnet, and Amazon Web Services China (Ningxia) Region, operated by NWCD, are enabled by default. Therefore, they do not need to be manually enabled.

  • The following Amazon Web Services managed application is supported for account instances of IAM Identity Center:

    • Amazon S3 Access Grants

  • If you filter access to specific Amazon Web Services domains by using a web content filtering solution such as next-generation firewalls (NGFW) or Secure Web Gateways (SWG), you must add the following domains to your web-content filtering solution allowlists. Doing so enables you to access your Amazon Web Services access portal.

    • start.home.awsapps.cn

    • start.[Region].home.awsapps.cn

    • oidc.[Region].amazonaws.com.cn

    • *.applicationcatalog.amazonaws.com.cn

    • *.sso.[Region].amazonaws.com.cn

    • *.sso.amazonaws.cn

    • *.sso-portal.[Region].amazonaws.com.cn

    • *.sso.[Region].amazonaws.cn

    • aws-access-portal-website-prod-bjs-assets.s3.cn-north-1.amazonaws.com.cn

    • aws-access-portal-website-prod-zhy-assets.s3.cn-northwest-1.amazonaws.com.cn

    • s3.cn-north-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-bjs-assets

    • s3.cn-northwest-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-zhy-assets

    • [Region].signin.amazonaws.cn

    • *.cloudfront.net

    • opfcaptcha-prod.s3.amazonaws.com
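As an added example (not Amazon's code), the following Python checks IAM Identity Center ARNs for the aws-cn partition and the instance or permission-set shapes given above, and matches hostnames seen at a web filter against the allowlist above. It assumes the Region codes cn-north-1 (Beijing) and cn-northwest-1 (Ningxia) that appear in the bucket hostnames, and treats a leading `*.` as any subdomain depth, which your filtering product may interpret differently.

```python
"""Added example (not Amazon's code): check IAM Identity Center ARNs and portal
hostnames against the China-partition patterns listed above. Region codes
cn-north-1 (Beijing) and cn-northwest-1 (Ningxia) come from the page."""
import re

CHINA_REGIONS = ("cn-north-1", "cn-northwest-1")

# Instance and permission-set ARN shapes; the partition is captured so a global "aws" ARN is flagged.
ARN_RE = re.compile(
    r"^arn:(?P<partition>[a-z-]+):sso:::"
    r"(?:instance/[^/]+|permissionSet/[^/]+/[^/]+)$")

def check_arn(arn: str) -> str:
    """Return 'ok' for an aws-cn Identity Center ARN, otherwise the reason."""
    m = ARN_RE.match(arn)
    if not m:
        return "not an Identity Center instance or permission-set ARN"
    if m["partition"] != "aws-cn":
        return f"partition {m['partition']!r}: China Regions use aws-cn"
    return "ok"

# Allowlist entries from the page; "[Region]" is expanded per China Region.
ALLOWLIST = [
    "start.home.awsapps.cn", "start.[Region].home.awsapps.cn",
    "oidc.[Region].amazonaws.com.cn", "*.applicationcatalog.amazonaws.com.cn",
    "*.sso.[Region].amazonaws.com.cn", "*.sso.amazonaws.cn",
    "*.sso-portal.[Region].amazonaws.com.cn", "*.sso.[Region].amazonaws.cn",
    "aws-access-portal-website-prod-bjs-assets.s3.cn-north-1.amazonaws.com.cn",
    "aws-access-portal-website-prod-zhy-assets.s3.cn-northwest-1.amazonaws.com.cn",
    "s3.cn-north-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-bjs-assets",
    "s3.cn-northwest-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-zhy-assets",
    "[Region].signin.amazonaws.cn", "*.cloudfront.net",
    "opfcaptcha-prod.s3.amazonaws.com",
]
EXPANDED = {e.replace("[Region]", r) for e in ALLOWLIST for r in CHINA_REGIONS}

def host_allowed(host: str, path: str = "/") -> bool:
    """True if host (plus path for the two bucket-path entries) is covered.
    A leading '*.' matches any subdomain depth; other entries match exactly."""
    host, rest = host.lower().rstrip("."), path.lstrip("/")
    for entry in EXPANDED:
        ehost, _, eprefix = entry.partition("/")
        if eprefix and not (rest == eprefix or rest.startswith(eprefix + "/")):
            continue  # bucket-path entry: the request path must be under that bucket
        if ehost.startswith("*."):
            if host.endswith(ehost[1:]):
                return True
        elif host == ehost:
            return True
    return False
```

Run `host_allowed` over the distinct destination hosts in your proxy logs to see which access-portal traffic a too-narrow allowlist would block; `check_arn` is for policy or automation code copied from non-China examples.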

Guides and References

Amazon Web Services in China user guides are available in HTML and PDF, in both Chinese and English. API references are available in HTML and PDF. Some API references may be available only in English. Currently, not all API references are available in the Beijing and Ningxia Regions. Links to some API references will take you to the global Amazon Web Services site. Note that some features and functionality described in the guides and references may not be available in the current Amazon Web Services in China release.

General Information About Amazon Web Services in China

The following information applies to all Amazon Web Services that are available in the China Regions.

Amazon Web Services Accounts in the China Regions

To use services in the Beijing and Ningxia Regions, you need an account and credentials specific to each of those Regions.

  • Accounts and credentials for other Amazon Regions will not work for services operating in the Beijing and Ningxia Regions.

  • Accounts and credentials for the Beijing and Ningxia Regions will not work for other Amazon Regions.

  • For more information, see Signup, Accounts, and Credentials.

Domain for Amazon Web Services in China

The domain for Amazon Web Services in China is www.amazonaws.cn.

Endpoints & Amazon Resource Names (ARNs)

For information about endpoints and ARNs in Amazon Web Services in China, see Endpoints and ARNs for Amazon Web Services in China.

Availability Zones for the China Regions

  • In the Beijing Region, there are three Availability Zones.

  • In the Ningxia Region, there are three Availability Zones.

General Information for Amazon Web Services in China

The following applies to all Amazon Web Services that are available in the China Regions. For detailed information about specific Amazon Web Services, see the service-specific topic in this guide.

  • Amazon Identity and Access Management (IAM)

    • You can grant or deny a service access to resources using the Principal policy element.

    • Service principal values vary by Region.

  • EC2-Classic Platform

    • The EC2-Classic platform is not supported.

  • Free Usage Tier

    • The free usage tier is supported in the Ningxia Region.

    • The free usage tier is not supported in the Beijing Region.

Amazon Web Services Console

The console for Amazon Web Services in China is unique to China. The screenshots in the Amazon Web Services guides might differ from what you see on your console. For information about differences in service functionality, see the topics for each service in this guide.

Code Examples

The Amazon Web Services documentation might include endpoints and ARNs in code examples that are not specific to the Beijing and Ningxia Regions. When using examples, verify you are using the endpoints and ARNs for your Region.