Using IAM Identity Center across multiple AWS Regions
This topic explains how to use AWS IAM Identity Center across multiple AWS Regions. Learn how to replicate your instance to additional Regions, manage workforce access and sessions, deploy applications, and maintain account access during service disruptions.
When you enable an organization instance of IAM Identity Center, you choose a single AWS Region (primary Region). You can replicate this instance to additional AWS Regions if it meets certain prerequisites. IAM Identity Center automatically replicates workforce identities, permission sets, user and group assignments, sessions, and other metadata from the primary Region to the chosen additional Regions.
Benefits of multi-Region support
Replicating IAM Identity Center to additional AWS Regions provides two key benefits:
- Improved resiliency of AWS account access – Your workforce can access their AWS accounts even if the IAM Identity Center instance experiences a service disruption in its primary Region. This applies to access that uses permissions provisioned before the disruption.
- Enhanced flexibility in choosing deployment Regions for AWS managed applications – You can deploy AWS managed applications in your preferred Regions to meet application data residency requirements and improve performance through proximity to users. Applications deployed in additional Regions access replicated workforce identities locally for optimal performance and reliability.
Prerequisites and considerations
Before you replicate your IAM Identity Center instance, ensure the following requirements are met:
- Instance type – Your IAM Identity Center instance must be an organization instance. Multi-Region support is not available in account instances.
- Identity source – Your IAM Identity Center instance must be connected to an external identity provider (IdP), such as Okta. Multi-Region support is not available for instances that use Active Directory or the Identity Center directory as the identity source.
- AWS Regions – Multi-Region support is available in commercial Regions enabled by default in your AWS account. Opt-in Regions are not currently supported.
- KMS key type for encryption at rest – Your IAM Identity Center instance must be configured with a multi-Region customer managed KMS key. The KMS key must be located in the same AWS account as IAM Identity Center. For more information, see Implementing customer managed KMS keys in AWS IAM Identity Center.
- AWS managed application compatibility – Check the application table in AWS managed applications that you can use with IAM Identity Center to confirm the following two application requirements:
  - All AWS managed applications that are in use by your organization must support an IAM Identity Center instance that is configured with a customer managed KMS key.
  - The AWS managed applications that you want to deploy in additional Regions must support this type of deployment.
- External IdP compatibility – To take full advantage of multi-Region support, the external IdP must support multiple assertion consumer service (ACS) URLs. This is a SAML feature that is supported by IdPs such as Okta, Microsoft Entra ID, PingFederate, PingOne, and JumpCloud.
  If you use an IdP that doesn't support multiple ACS URLs, such as Google Workspace, we recommend that you work with your IdP vendor to enable this feature. For options that are available without multiple ACS URLs, see Using AWS managed applications without multiple ACS URLs and AWS account access resiliency without multiple ACS URLs.
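As an added example (not part of this AWS documentation page), the following Python script checks the KMS key prerequisite above against the KeyMetadata that kms:DescribeKey returns: customer managed, multi-Region primary key, enabled, and in the same account as the IAM Identity Center instance. It assumes that a replica of the key must already exist in each additional Region you plan to add, that the caller supplies the account ID of the IAM Identity Center instance, and the sample metadata and account ID are constructed.

```python
"""Pre-flight check of the KMS prerequisite for IAM Identity Center multi-Region
replication. Input is the KeyMetadata dict that kms:DescribeKey returns."""


def check_kms_key_for_replication(key_metadata, identity_center_account, additional_regions):
    """Return a list of findings; an empty list means the key passes every check."""
    findings = []
    if key_metadata.get("KeyManager") != "CUSTOMER":
        findings.append("key is AWS managed; a customer managed key is required")
    if not key_metadata.get("MultiRegion"):
        findings.append("key is single-Region; a multi-Region key is required")
    if key_metadata.get("KeyState") != "Enabled":
        findings.append(f"key state is {key_metadata.get('KeyState')}, expected Enabled")
    if key_metadata.get("AWSAccountId") != identity_center_account:
        findings.append("key is not in the same account as the IAM Identity Center instance")
    mrc = key_metadata.get("MultiRegionConfiguration", {})
    if key_metadata.get("MultiRegion") and mrc.get("MultiRegionKeyType") != "PRIMARY":
        findings.append("configure IAM Identity Center with the primary key, not a replica")
    # Assumption: a replica of the key must already exist in each additional Region
    # before the IAM Identity Center instance can be replicated there.
    replica_regions = {r["Region"] for r in mrc.get("ReplicaKeys", [])}
    for region in additional_regions:
        if region not in replica_regions:
            findings.append(f"no replica key in {region}; replicate the key there first")
    return findings


def fetch_key_metadata(key_id, region):
    """Live lookup with boto3, imported lazily so the checker also runs offline."""
    import boto3
    return boto3.client("kms", region_name=region).describe_key(KeyId=key_id)["KeyMetadata"]


# Constructed sample: a primary multi-Region customer managed key in account
# 111122223333 (placeholder) that has been replicated to us-west-2 only.
SAMPLE_KEY_METADATA = {
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "AWSAccountId": "111122223333",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "MultiRegion": True,
    "MultiRegionConfiguration": {
        "MultiRegionKeyType": "PRIMARY",
        "ReplicaKeys": [{"Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "us-west-2"}],
    },
}

if __name__ == "__main__":
    for regions in (["us-west-2"], ["us-west-2", "eu-west-1"]):
        print(regions, check_kms_key_for_replication(SAMPLE_KEY_METADATA, "111122223333", regions) or "OK")
```

Run the script as-is to see the constructed key pass for us-west-2 and fail for eu-west-1; for a live check, pass the result of fetch_key_metadata(key_arn, primary_region) into check_kms_key_for_replication.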
Choosing an additional Region
When choosing an additional Region among commercial Regions enabled by default, consider these factors:
- Compliance requirements – If you need to run AWS managed applications that access datasets limited to a specific Region for compliance reasons, choose the Region where the datasets reside.
- Performance optimization – If data residency isn't a factor, select a Region closest to your application users to optimize their experience.
- Application support – Verify that your required AWS applications are available in your chosen Region.
- AWS account access resiliency – For continuity of access to AWS accounts, choose a Region geographically distant from the primary Region of your IAM Identity Center instance.
Note
IAM Identity Center has a quota on the number of AWS Regions. For more information, see Additional quotas.