Considerations for choosing an AWS Region - AWS IAM Identity Center

Considerations for choosing an AWS Region

You can enable IAM Identity Center in a single, supported AWS Region of your choice, and it is then available to users globally. This global availability makes it easier for you to configure user access to multiple AWS accounts and applications. The following are key considerations for choosing an AWS Region.

  • Geographical location of your users – When you select the Region that is geographically closest to the majority of your end users, they experience lower latency when accessing the AWS access portal and AWS managed applications, such as Amazon SageMaker AI.

  • Opt-in Regions (Regions that are disabled by default) – An opt-in Region is an AWS Region that is disabled by default. To use an opt-in Region, you must enable it. For more information, see Managing IAM Identity Center in an opt-in Region.

  • Replicating IAM Identity Center to additional Regions – If you plan to replicate IAM Identity Center to additional AWS Regions, you must choose a Region enabled by default. For more information, see Using IAM Identity Center across multiple AWS Regions.

  • Choosing deployment Regions for AWS managed applications – AWS managed applications can operate only in the AWS Regions in which they are available. Many AWS managed applications can also operate only in a Region where IAM Identity Center is enabled (the primary Region) or to which it is replicated (an additional Region). To confirm whether your IAM Identity Center instance supports replication to additional Regions, see Using IAM Identity Center across multiple AWS Regions. If replication is not an option, consider enabling IAM Identity Center in the Region where you plan to use AWS managed applications.

  • Digital sovereignty – Digital sovereignty regulations or company policies may mandate the use of a particular AWS Region. Consult with your company’s legal department.

  • Identity source – If you’re using AWS Managed Microsoft AD or your self-managed directory in Active Directory (AD) as the identity source, its home Region must match the AWS Region in which you enabled IAM Identity Center.

  • Cross-Region emails with Amazon Simple Email Service – In some Regions, IAM Identity Center may call Amazon Simple Email Service (Amazon SES) in a different Region to send email. In these cross-Region calls, IAM Identity Center sends certain user attributes to the other Region. For more information, see Cross-Region emails with Amazon SES.

  • AWS Control Tower – If you’re enabling an organization instance of IAM Identity Center from AWS Control Tower, the instance will be created in the same Region as the AWS Control Tower landing zone.
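
The hard constraints in the list above (opt-in status, replication, Active Directory home Region, and the AWS Control Tower landing zone) can be checked before you enable an instance. The following is an added example, not code from the AWS documentation: the function `check_region` and its parameters are hypothetical, and the Region list is a constructed sample in the shape returned by `aws ec2 describe-regions --all-regions`. It does not check whether IAM Identity Center itself is supported in the candidate Region.

```python
import json

# Constructed sample shaped like `aws ec2 describe-regions --all-regions` output.
SAMPLE_REGIONS = json.loads("""
{"Regions": [
  {"RegionName": "us-east-1",  "OptInStatus": "opt-in-not-required"},
  {"RegionName": "eu-west-1",  "OptInStatus": "opt-in-not-required"},
  {"RegionName": "af-south-1", "OptInStatus": "opted-in"},
  {"RegionName": "me-south-1", "OptInStatus": "not-opted-in"}
]}
""")


def check_region(candidate, regions_doc, ad_home_region=None,
                 control_tower_region=None, plan_replication=False):
    """Return blocking findings for enabling IAM Identity Center in `candidate`.

    ad_home_region:       home Region of the AD identity source, if one is used
    control_tower_region: landing zone Region, if enabling from AWS Control Tower
    plan_replication:     True if the instance will be replicated to more Regions
    """
    status = {r["RegionName"]: r["OptInStatus"] for r in regions_doc["Regions"]}
    opt = status.get(candidate)
    if opt is None:
        return [f"{candidate}: not present in the account's Region list"]

    findings = []
    if opt == "not-opted-in":
        findings.append(f"{candidate} is an opt-in Region that is not enabled")
    if plan_replication and opt != "opt-in-not-required":
        findings.append(f"{candidate} is not enabled by default; "
                        "replication needs a default-enabled Region")
    if ad_home_region and ad_home_region != candidate:
        findings.append(f"AD home Region {ad_home_region} does not match {candidate}")
    if control_tower_region and control_tower_region != candidate:
        findings.append("Control Tower creates the instance in "
                        f"{control_tower_region}, not {candidate}")
    return findings


if __name__ == "__main__":
    for region in ("us-east-1", "af-south-1", "me-south-1"):
        problems = check_region(region, SAMPLE_REGIONS,
                                ad_home_region="us-east-1", plan_replication=True)
        print(region, "OK" if not problems else problems)
```
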