Today, we’re announcing the general availability of AWS IAM Identity Center multi-Region support to enable AWS account access and managed application use in additional AWS Regions.
With this feature, you can replicate your workforce identities, permission sets, and other metadata in your organization instance of IAM Identity Center connected to an external identity provider (IdP), such as Microsoft Entra ID and Okta, from its current primary Region to additional Regions for improved resiliency of AWS account access.
You can also deploy AWS managed applications in your preferred Regions, close to application users and datasets for improved user experience or to meet data residency requirements. Your applications deployed in additional Regions access replicated workforce identities locally for optimal performance and reliability.
When you replicate your workforce identities to an additional Region, your workforce gets an active AWS access portal endpoint in that Region. This means that in the unlikely event of an IAM Identity Center service disruption in its primary Region, your workforce can still access their AWS accounts through the AWS access portal in an additional Region using already provisioned permissions. You can continue to manage IAM Identity Center configurations from the primary Region, maintaining centralized control.
Enable IAM Identity Center in multiple Regions
To get started, you should confirm that the AWS managed applications you’re currently using support a customer managed AWS Key Management Service (AWS KMS) key enabled in AWS Identity Center. When we launched this feature in October 2025, Seb recommended using multi-Region AWS KMS keys unless your company policies restrict you to single-Region keys. Multi-Region keys provide consistent key material across Regions while maintaining independent key infrastructure in each Region.
Before replicating IAM Identity Center to an additional Region, you must first replicate the customer managed AWS KMS key to that Region and configure the replica key with the permissions required for IAM Identity Center operations. For instructions on creating multi-Region replica keys, refer to Create multi-Region replica keys in the AWS KMS Developer Guide.
Go to the IAM Identity Center console in the primary Region, for example, US East (N. Virginia), choose Settings in the left navigation pane, and select the Management tab. Confirm that your configured encryption key is a multi-Region customer managed AWS KMS key. To add additional Regions, choose Add Region.

You can choose additional Regions in which to replicate IAM Identity Center from a list of the available Regions. When choosing an additional Region, consider your intended use cases, for example, data compliance or user experience.
If you want to run AWS managed applications that access datasets restricted to a specific Region for compliance reasons, choose the Region where the datasets reside. If you plan to use the additional Region to deploy AWS applications, verify that the required applications support your chosen Region and deployment in additional Regions.

Choose Add Region. This starts the initial replication, whose duration depends on the size of your Identity Center instance.

After the replication is complete, your users can access their AWS accounts and applications in this new Region. When you choose View ACS URLs, you can view SAML information, such as an Assertion Consumer Service (ACS) URL, about the primary and additional Regions.
How your workforce can use an additional Region
AWS Identity Center supports SAML single sign-on with external IdPs, such as Microsoft Entra ID and Okta. Upon authentication in the IdP, the user is redirected to the AWS access portal. To enable the user to be redirected to the AWS access portal in the newly added Region, you need to add the additional Region’s ACS URL to the IdP configuration.
The following screenshots show you how to do this in the Okta admin console:
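The procedure above starts with a prerequisite that is easy to get wrong: the customer managed KMS key must be a multi-Region key, and a replica must already exist in the Region you are about to add. The following is an added example, not code from the AWS post: it applies that check to the KeyMetadata structure returned by the KMS DescribeKey API (a real API; the account and key ids in the sample are constructed placeholders). It does not validate the replica key's policy, which the post says you must also configure for Identity Center.

```python
"""Pre-check for replicating IAM Identity Center to an additional Region.

Added example (not AWS's own code): inspects KMS DescribeKey KeyMetadata and
reports whether the customer managed key is a multi-Region primary that already
has a replica in the target Region.
"""
from typing import Any


def key_ready_for_region(meta: dict[str, Any], target_region: str) -> list[str]:
    """Return a list of problems; an empty list means the key passes the check."""
    problems: list[str] = []
    if meta.get("KeyManager") != "CUSTOMER":
        problems.append("key is not a customer managed key")
    if not meta.get("MultiRegion"):
        problems.append("key is a single-Region key; replicating Identity Center needs a multi-Region key")
        return problems  # a single-Region key has no replica configuration to inspect
    if meta.get("KeyState") != "Enabled":
        problems.append(f"primary key state is {meta.get('KeyState')}, not Enabled")
    cfg = meta.get("MultiRegionConfiguration", {})
    if cfg.get("MultiRegionKeyType") != "PRIMARY":
        problems.append("pass the primary key ARN, not a replica, so all replicas are listed")
    replica_regions = {r["Region"] for r in cfg.get("ReplicaKeys", [])}
    if target_region not in replica_regions:
        problems.append(f"no replica key in {target_region}; create one before adding the Region")
    return problems


def fetch_key_metadata(key_id: str, region: str) -> dict[str, Any]:
    """Live lookup via boto3 DescribeKey; kept separate so the check itself runs offline."""
    import boto3  # imported lazily so the checker has no AWS dependency
    return boto3.client("kms", region_name=region).describe_key(KeyId=key_id)["KeyMetadata"]


# Constructed sample metadata (placeholder account and key ids), shaped like DescribeKey output.
SAMPLE_PRIMARY = {
    "KeyManager": "CUSTOMER", "MultiRegion": True, "KeyState": "Enabled",
    "MultiRegionConfiguration": {
        "MultiRegionKeyType": "PRIMARY",
        "PrimaryKey": {"Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-EXAMPLE", "Region": "us-east-1"},
        "ReplicaKeys": [{"Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-EXAMPLE", "Region": "eu-west-1"}],
    },
}
SAMPLE_SINGLE_REGION = {"KeyManager": "CUSTOMER", "MultiRegion": False, "KeyState": "Enabled"}

if __name__ == "__main__":
    for region in ("eu-west-1", "ap-southeast-1"):
        issues = key_ready_for_region(SAMPLE_PRIMARY, region)
        print(region, "OK" if not issues else "; ".join(issues))
```

Run it against `fetch_key_metadata(<primary key ARN>, <primary Region>)` from the account that owns the key to check a real instance before choosing Add Region.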

Then, you can create a bookmark application in your identity provider for users to find the additional Region. This bookmark app functions like a browser bookmark and contains only the URL to the AWS access portal in the additional Region.

You can also deploy AWS managed applications in additional Regions using your existing deployment workflows. Your users can access applications or accounts using the existing access methods, such as the AWS access portal, an application link, or through the AWS Command Line Interface (AWS CLI).
To learn more about which AWS managed applications support deployment in additional Regions, visit the IAM Identity Center User Guide.
Things to know
Here are key things to know about this feature:
- Consideration – To take advantage of this feature at launch, you must be using an organization instance of IAM Identity Center connected to an external IdP. Also, the primary and additional Regions must be enabled by default in an AWS account. Account instances of IAM Identity Center, and the other two identity sources (Microsoft Active Directory and IAM Identity Center directory), are currently not supported.
- Operation – The primary Region remains the central place for managing workforce identities, account access permissions, the external IdP, and other configurations. You can use the IAM Identity Center console in additional Regions with a limited feature set. Most operations are read-only, apart from application management and user session revocation.
- Monitoring – All workforce actions are emitted to AWS CloudTrail in the Region where the action was performed. This feature enhances account access continuity. You can set up break-glass access for privileged users to access AWS if the external IdP has a service disruption.
Now available
AWS IAM Identity Center multi-Region support is now available in the 17 enabled-by-default commercial AWS Regions. For Regional availability and a future roadmap, visit AWS Capabilities by Region. You can use this feature at no additional cost. Standard AWS KMS charges apply for storing and using customer managed keys.
Give it a try in the AWS Identity Center console. To learn more, visit the IAM Identity Center User Guide and send feedback to AWS re:Post for Identity Center or through your usual AWS Support contacts.
— Channy
Updated on February 5th — Fixed the Okta admin console screenshot.

