Today, we're announcing the general availability of AWS IAM Identity Center multi-Region support to enable AWS account access and managed application use in additional AWS Regions.
With this feature, you can replicate your workforce identities, permission sets, and other metadata in your organization instance of IAM Identity Center connected to an external identity provider (IdP), such as Microsoft Entra ID and Okta, from its current primary Region to additional Regions for improved resiliency of AWS account access.
You can also deploy AWS managed applications in your preferred Regions, close to application users and datasets, for improved user experience or to meet data residency requirements. Your applications deployed in additional Regions access replicated workforce identities locally for optimal performance and reliability.
When you replicate your workforce identities to an additional Region, your workforce gets an active AWS access portal endpoint in that Region. This means that in the unlikely event of an IAM Identity Center service disruption in its primary Region, your workforce can still access their AWS accounts through the AWS access portal in an additional Region using already provisioned permissions. You can continue to manage IAM Identity Center configurations from the primary Region, maintaining centralized control.
Enable IAM Identity Center in multiple Regions
To get started, you must confirm that the AWS managed applications you're currently using support customer managed AWS Key Management Service (AWS KMS) keys enabled in IAM Identity Center. When we launched this feature in October 2025, Seb recommended using multi-Region AWS KMS keys unless your company policies restrict you to single-Region keys. Multi-Region keys provide consistent key material across Regions while maintaining independent key infrastructure in each Region.
Before replicating IAM Identity Center to an additional Region, you must first replicate the customer managed AWS KMS key to that Region and configure the replica key with the permissions required for IAM Identity Center operations. For instructions on creating multi-Region replica keys, refer to Create multi-Region replica keys in the AWS KMS Developer Guide.
Go to the IAM Identity Center console in the primary Region, for example, US East (N. Virginia), choose Settings in the left navigation pane, and select the Management tab. Confirm that your configured encryption key is a multi-Region customer managed AWS KMS key. To add more Regions, choose Add Region.

You can choose additional Regions in which to replicate IAM Identity Center from a list of the available Regions. When choosing an additional Region, consider your intended use cases, for example, data compliance or user experience.
If you want to run AWS managed applications that access datasets restricted to a specific Region for compliance reasons, choose the Region where the datasets reside. If you plan to use the additional Region to deploy AWS applications, verify that the required applications support your chosen Region and deployment in additional Regions.

Choose Add Region. This starts the initial replication, whose duration depends on the size of your IAM Identity Center instance.

After the replication is completed, your users can access their AWS accounts and applications in this new Region. When you choose View ACS URLs, you can view SAML information, such as an Assertion Consumer Service (ACS) URL, about the primary and additional Regions.
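A preflight check for the KMS prerequisite described in this section (replicate the customer managed key first, then point Identity Center at a multi-Region primary key). This is an added example, not AWS code: it inspects the KeyMetadata structure that `aws kms describe-key` returns, and the sample metadata below is constructed.

```python
"""Check that a customer managed KMS key is ready for an additional Identity Center Region.

Added example, not part of the AWS post. KeyMetadata fields (MultiRegion,
MultiRegionConfiguration, PrimaryKey, ReplicaKeys, KeyState) are those of
`aws kms describe-key`; a real run would pass
boto3 kms.describe_key(KeyId=...)["KeyMetadata"] instead of the sample.
"""

def replica_check(key_metadata: dict, target_region: str) -> list[str]:
    """Return a list of problems; an empty list means the key is ready for target_region."""
    problems: list[str] = []
    if not key_metadata.get("MultiRegion", False):
        # Single-Region keys cannot be replicated; MultiRegionConfiguration is absent.
        return ["key is a single-Region key; it cannot be replicated to another Region"]
    cfg = key_metadata.get("MultiRegionConfiguration", {})
    if cfg.get("MultiRegionKeyType") != "PRIMARY":
        problems.append("configured key is a replica; point Identity Center at the primary key")
    if key_metadata.get("KeyState") != "Enabled":
        problems.append(f"primary key state is {key_metadata.get('KeyState')!r}, expected 'Enabled'")
    primary_region = cfg.get("PrimaryKey", {}).get("Region")
    replica_regions = {r["Region"] for r in cfg.get("ReplicaKeys", [])}
    if target_region == primary_region:
        problems.append(f"{target_region} is the primary Region, not an additional one")
    elif target_region not in replica_regions:
        problems.append(f"no replica key in {target_region}; create it before choosing Add Region")
    # Note: the replica's own state and key policy are only visible from target_region.
    return problems

# Constructed sample, shaped like KeyMetadata from describe-key (account id and key id are fake).
SAMPLE_KEY_METADATA = {
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "KeyState": "Enabled",
    "MultiRegion": True,
    "MultiRegionConfiguration": {
        "MultiRegionKeyType": "PRIMARY",
        "PrimaryKey": {"Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
                       "Region": "us-east-1"},
        "ReplicaKeys": [{"Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
                         "Region": "eu-west-1"}],
    },
}

if __name__ == "__main__":
    for region in ("eu-west-1", "ap-southeast-1", "us-east-1"):
        print(region, replica_check(SAMPLE_KEY_METADATA, region) or "ready")
```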
How your workforce can use an additional Region
IAM Identity Center supports SAML single sign-on with external IdPs, such as Microsoft Entra ID and Okta. Upon authentication in the IdP, the user is redirected to the AWS access portal. To enable the user to be redirected to the AWS access portal in the newly added Region, you need to add the additional Region's ACS URL to the IdP configuration.
The following screenshots show you how to do this in the Okta admin console:

Then, you can create a bookmark application in your identity provider for users to discover the additional Region. This bookmark app functions like a browser bookmark and contains only the URL of the AWS access portal in the additional Region.

You can also deploy AWS managed applications in additional Regions using your existing deployment workflows. Your users can access applications or accounts using the existing access methods, such as the AWS access portal, an application link, or the AWS Command Line Interface (AWS CLI).
To learn more about which AWS managed applications support deployment in additional Regions, visit the IAM Identity Center User Guide.
Things to know
Here are key considerations to know about this feature:
- Consideration – To use this feature at launch, you must be using an organization instance of IAM Identity Center connected to an external IdP. Also, the primary and additional Regions must be enabled by default in an AWS account. Account instances of IAM Identity Center, and the other two identity sources (Microsoft Active Directory and the IAM Identity Center directory), are currently not supported.
- Operation – The primary Region remains the central place for managing workforce identities, account access permissions, the external IdP, and other configurations. You can use the IAM Identity Center console in additional Regions with a limited feature set. Most operations are read-only, except for application management and user session revocation.
- Monitoring – All workforce actions are emitted to AWS CloudTrail in the Region where the action was performed. This feature enhances account access continuity. You can set up break-glass access for privileged users to access AWS if the external IdP has a service disruption.
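Because each workforce action lands in CloudTrail in the Region where it happened, a multi-Region deployment needs a per-Region view. The added example below (not from the AWS post) groups Identity Center events by Region, flags events from Regions that are neither the primary nor a replica, and lists replicas that show no activity, which can mean the IdP never received that Region's ACS URL. The records are constructed; `sso.amazonaws.com` is the real CloudTrail eventSource for IAM Identity Center, while the event names and user names are sample values.

```python
"""Per-Region review of IAM Identity Center CloudTrail events (added example, not AWS code)."""
import json
from collections import Counter

IDENTITY_CENTER_SOURCE = "sso.amazonaws.com"  # CloudTrail eventSource for IAM Identity Center

# Constructed sample of a CloudTrail log file: four Identity Center events and one unrelated event.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-11-20T09:00:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "awsRegion": "us-east-1", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2025-11-20T09:01:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Federate",
     "awsRegion": "us-east-1", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2025-11-20T09:05:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "awsRegion": "eu-west-1", "userIdentity": {"userName": "bob"}},
    {"eventTime": "2025-11-20T09:07:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "awsRegion": "us-west-2", "userIdentity": {"userName": "carol"}},
    {"eventTime": "2025-11-20T09:08:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "eu-west-1", "userIdentity": {"userName": "bob"}},
]})

def summarize_by_region(trail_json: str, primary: str, replicas: set[str]) -> dict:
    """Count Identity Center events per Region and compare with the configured Region set."""
    records = json.loads(trail_json)["Records"]
    events = [r for r in records if r.get("eventSource") == IDENTITY_CENTER_SOURCE]
    per_region = Counter(r["awsRegion"] for r in events)
    users_per_region = {region: sorted({r["userIdentity"].get("userName", "?")
                                        for r in events if r["awsRegion"] == region})
                        for region in per_region}
    expected = {primary, *replicas}
    return {
        "per_region": dict(per_region),
        "users_per_region": users_per_region,
        # Identity Center is not replicated to these Regions; review how events got there.
        "unexpected_regions": sorted(set(per_region) - expected),
        # Replicas with no activity: check the IdP has that Region's ACS URL and a bookmark app.
        "idle_replicas": sorted(replicas - set(per_region)),
    }

if __name__ == "__main__":
    report = summarize_by_region(SAMPLE_TRAIL, "us-east-1", {"eu-west-1", "ap-southeast-1"})
    print(json.dumps(report, indent=2))
```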
Now available
AWS IAM Identity Center multi-Region support is now available in the 17 enabled-by-default commercial AWS Regions. For Regional availability and the future roadmap, visit AWS Capabilities by Region. You can use this feature at no additional cost. Standard AWS KMS charges apply for storing and using customer managed keys.
Give it a try in the IAM Identity Center console. To learn more, visit the IAM Identity Center User Guide and send feedback to AWS re:Post for IAM Identity Center or through your usual AWS Support contacts.
— Channy