How AWS IAM Identity Center differs in AWS European Sovereign Cloud - AWS European Sovereign Cloud User Guide

How AWS IAM Identity Center differs in AWS European Sovereign Cloud

This topic describes the functionality of IAM Identity Center in the AWS European Sovereign Cloud Region.

IAM Identity Center is the recommended service for managing workforce access to AWS applications. It enables you to connect your existing source of workforce identities to AWS once and to offer your users a single sign-on experience across AWS. It powers the personalized experiences provided by AWS applications, and the ability to define and audit user-aware access to data in AWS services. It can also help you manage access to multiple AWS accounts from a central place.

Service Differences

The following differences apply to IAM Identity Center in AWS European Sovereign Cloud:

  • IAM Identity Center integrates with AWS Organizations to manage access across your AWS accounts, so any AWS Organizations differences in the AWS European Sovereign Cloud also apply to IAM Identity Center.

  • IAM Identity Center supports both IPv4-only and dual-stack endpoints in the AWS European Sovereign Cloud.

  • The IPv4-only AWS access portal URL has an AWS European Sovereign Cloud URL pattern of https://{IAM-Identity-Center-instance-ID}.eusc-de-east-1.portal.amazonaws.eu. The dual-stack AWS access portal URL is https://{IAM-Identity-Center-instance-ID}.portal.eusc-de-east-1.app.amazonwebservices.eu. You can find the URLs on the Settings page in the IAM Identity Center console.

  • The AWS access portal URL does not support custom aliases.

  • The Amazon Resource Name (ARN) for your IAM Identity Center instance has an AWS European Sovereign Cloud pattern of arn:aws-eusc:sso:::instance/{IAM-Identity-Center-instance-ID}. You can find this ARN on the Settings page in the IAM Identity Center console.

  • The ARNs for IAM Identity Center permission sets have an AWS European Sovereign Cloud pattern of arn:aws-eusc:sso:::permissionSet/{IAM-Identity-Center-instance-ID}/{PermissionSet-ID}. You can find these ARNs on the Permission sets tab under the AWS accounts page in the IAM Identity Center console.

  • The email address no-reply@sso.signin.amazonaws-eusc.eu is used for sending email-verification, password reset, and user invitation emails to AWS European Sovereign Cloud. The email address no-reply@signin.amazonaws-eusc.eu is used for sending forgotten password emails.

  • Multi-Region support is presently not available.

  • IAM Identity Center integrates with AWS applications to provide single sign-on and centralized identity and access management for those applications. The AWS capabilities page lists the AWS applications available in the AWS European Sovereign Cloud. Refer to the AWS European Sovereign Cloud-specific user guide of an AWS application for details on its integration with IAM Identity Center.

  • If you filter access to specific AWS domains by using a web content filtering solution such as next-generation firewalls (NGFW) or Secure Web Gateways (SWG), you must add the following domains to your web-content filtering solution allowlists. Doing so enables you to access your AWS access portal.

    IPv4-only domains:

    • [Identity Center instance ID].[Region].portal.amazonaws.eu

    • *.aws.dev

    • *.awsstatic.eu

    • *.console.a2z.eu

    • oidc.[Region].amazonaws.eu

    • static.global.applicationcatalog.amazonaws.eu

    • *.sso.[Region].amazonaws.eu

    • *.sso.amazonaws.eu

    • [Region].signin.amazonaws-eusc.eu

    • signin.amazonaws-eusc.eu

    • [Region].threat-mitigation.aws.eu

    • amcs-captcha-prod-[Region].s3.dualstack.[Region].amazonaws.eu

  • For dual-stack (IPv4 and IPv6) endpoint access, you must also add the following domains to your web-content filtering solution allowlists:

    • [Identity Center instance ID].portal.[Region].app.amazonwebservices.eu

    • *.aws.dev

    • *.awsstatic.eu

    • *.console.a2z.eu

    • oidc.[Region].api.amazonwebservices.eu

    • static.global.applicationcatalog.amazonaws.eu

    • *.sso.[Region].api.amazonwebservices.eu

    • [Region].sso.signin.amazonaws-eusc.eu

    • *.signin.amazonaws-eusc.eu

    • [Region].threat-mitigation.aws.eu

    • amcs-captcha-prod-[Region].s3.dualstack.[Region].amazonaws.eu
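
The following added example (not AWS code, and not part of the original guide) expands the two domain lists above for one instance and Region, then reports which hostnames from a proxy deny log are still not covered. The function names, the instance ID `d-example123` and the sample hostnames are constructed, the wildcard semantics are an assumption that you should check against your filtering product, and the dual-stack list is treated as an addition to the IPv4-only list.

```python
import re

# Templates transcribed from the lists above; expand() fills {instance} and {region}.
IPV4_ONLY = [
    "{instance}.{region}.portal.amazonaws.eu", "*.aws.dev", "*.awsstatic.eu",
    "*.console.a2z.eu", "oidc.{region}.amazonaws.eu",
    "static.global.applicationcatalog.amazonaws.eu",
    "*.sso.{region}.amazonaws.eu", "*.sso.amazonaws.eu",
    "{region}.signin.amazonaws-eusc.eu", "signin.amazonaws-eusc.eu",
    "{region}.threat-mitigation.aws.eu",
    "amcs-captcha-prod-{region}.s3.dualstack.{region}.amazonaws.eu",
]
# Dual-stack entries that the IPv4-only list does not already contain.
DUAL_STACK_EXTRA = [
    "{instance}.portal.{region}.app.amazonwebservices.eu",
    "oidc.{region}.api.amazonwebservices.eu",
    "*.sso.{region}.api.amazonwebservices.eu",
    "{region}.sso.signin.amazonaws-eusc.eu", "*.signin.amazonaws-eusc.eu",
]
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")

def expand(instance_id, region, dual_stack=False):
    """Concrete allowlist entries for one instance and Region."""
    for value in (instance_id, region):
        if not LABEL.fullmatch(value):  # reject ".", "*" etc. that would widen an entry
            raise ValueError(f"not a single DNS label: {value!r}")
    templates = IPV4_ONLY + (DUAL_STACK_EXTRA if dual_stack else [])
    return [t.format(instance=instance_id, region=region) for t in templates]

def matches(host, entry):
    """Assumed semantics: '*.x' covers any subdomain of x but never x itself."""
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        return host.endswith(entry[1:]) and not host.startswith(".")
    return host == entry

def uncovered(hosts, entries):
    """Hosts (for example from a proxy deny log) that no entry covers."""
    return [h for h in hosts if not any(matches(h, e) for e in entries)]

# Constructed sample: hostnames as they might appear in a proxy deny log.
DENIED = [
    "d-example123.eusc-de-east-1.portal.amazonaws.eu",
    "d-example123.portal.eusc-de-east-1.app.amazonwebservices.eu",
    "oidc.eusc-de-east-1.api.amazonwebservices.eu",
    "signin.amazonaws-eusc.eu", "notaws.dev",
]
if __name__ == "__main__":
    for ds in (False, True):
        print(ds, uncovered(DENIED, expand("d-example123", "eusc-de-east-1", ds)))
```

Under these wildcard semantics `*.signin.amazonaws-eusc.eu` does not cover `signin.amazonaws-eusc.eu` itself, which is why the bare name appears as a separate entry in the IPv4-only list.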

Documentation References