AWS IAM Identity Center Multi-Region Replication Guide
By Braincuber Team
Published on February 4, 2026
When your identity provider goes down, everything stops. Engineers can't access production. Finance can't reach their dashboards. At GlobalTech Industries, a single-region IAM Identity Center configuration left 2,000 employees locked out during a 4-hour regional AWS incident. After that painful morning, they implemented multi-region replication—ensuring workforce access survives even complete regional failures.
AWS IAM Identity Center now supports multi-region replication, allowing you to replicate workforce identities, permission sets, and metadata across multiple AWS regions. This guide walks through implementing multi-region replication for improved resiliency, better user experience for globally distributed teams, and compliance with data residency requirements.
Key Benefits:
- Improved Resiliency: Workforce access continues during regional outages
- Better Performance: Applications access local identity data
- Data Residency: Meet compliance requirements for specific regions
- No Additional Cost: Only standard AWS KMS charges apply
Understanding Multi-Region Identity Replication
Before diving into implementation, let's understand what gets replicated and how it works:
What Gets Replicated
- Workforce identities (users, groups)
- Permission sets and policies
- AWS account assignments
- Application configurations
How It Works
- Primary region remains management hub
- Changes sync automatically to replicas
- Each region has active access portal
- Users can authenticate in any region
Prerequisites for Multi-Region Replication
Before enabling multi-region support, ensure your environment meets these requirements:
| Requirement | Details | Status Check |
|---|---|---|
| Organization Instance | Must use organization-level IAM Identity Center | Settings → Instance type |
| External IdP | Connected to Okta, Microsoft Entra ID, or similar | Settings → Identity source |
| Multi-Region KMS Key | Customer managed KMS key with multi-region capability | Settings → Encryption |
| Enabled-by-Default Regions | Both primary and target regions must be enabled | Account Settings → Regions |
Note: IAM Identity Center directory and Microsoft Active Directory as identity sources are not currently supported for multi-region replication. You must use an external SAML IdP.
Step 1: Create a Multi-Region KMS Key
Multi-region replication requires a customer managed KMS key that can be replicated to target regions. Here's how to create one:
Using AWS CLI
```bash
# Create multi-region primary KMS key
aws kms create-key \
  --description "IAM Identity Center Multi-Region Key" \
  --multi-region \
  --region us-east-1

# Note the KeyId from the output, then create a replica in the target region
aws kms replicate-key \
  --key-id arn:aws:kms:us-east-1:123456789012:key/mrk-1234abcd \
  --replica-region eu-west-1

# Create an alias for easier management
aws kms create-alias \
  --alias-name alias/identity-center-key \
  --target-key-id mrk-1234abcd \
  --region us-east-1
```
KMS Key Policy for IAM Identity Center
The KMS key requires specific permissions for IAM Identity Center operations. Add this policy to your key:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIAMIdentityCenterAccess",
      "Effect": "Allow",
      "Principal": {
        "Service": "sso.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sso:::instance/*"
        }
      }
    },
    {
      "Sid": "AllowKeyAdministration",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```
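Before clicking through the console in the next step, it is worth checking the two prerequisites from Step 1 mechanically. The following is an added readiness check, not code from the original post: it validates a captured `aws kms describe-key` result (constructed sample, placeholder ids) and the key policy above, flagging a single-region key, a missing replica in a target region, missing actions for `sso.amazonaws.com`, or a missing `aws:SourceAccount` guard.

```python
import json
# Constructed sample of `aws kms describe-key` output for a multi-region primary key
# (field names follow the KMS KeyMetadata shape; ids and ARNs are placeholders).
DESCRIBE_KEY = json.loads("""{"KeyMetadata": {"KeyId": "mrk-1234abcd", "KeyState": "Enabled",
 "MultiRegion": true, "MultiRegionConfiguration": {"MultiRegionKeyType": "PRIMARY",
 "PrimaryKey": {"Arn": "arn:aws:kms:us-east-1:123456789012:key/mrk-1234abcd", "Region": "us-east-1"},
 "ReplicaKeys": [{"Arn": "arn:aws:kms:eu-west-1:123456789012:key/mrk-1234abcd", "Region": "eu-west-1"}]}}}""")
# The key policy from the step above, as `aws kms get-key-policy` would return it.
KEY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "AllowIAMIdentityCenterAccess", "Effect": "Allow", "Principal": {"Service": "sso.amazonaws.com"},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
  "Resource": "*", "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"},
  "ArnLike": {"aws:SourceArn": "arn:aws:sso:::instance/*"}}},
 {"Sid": "AllowKeyAdministration", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
  "Action": "kms:*", "Resource": "*"}]}""")
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"}
def check_key(describe_key: dict, target_regions: list) -> list:
    """Problems with the key itself; an empty list means it can back replication."""
    md = describe_key["KeyMetadata"]
    cfg = md.get("MultiRegionConfiguration", {})
    problems = []
    if not md.get("MultiRegion"):
        problems.append("key is single-region; recreate it with --multi-region")
    elif cfg.get("MultiRegionKeyType") != "PRIMARY":
        problems.append("this is a replica; point Identity Center at the primary key")
    if md.get("KeyState") != "Enabled":
        problems.append(f"key state is {md.get('KeyState')}, not Enabled")
    replicas = {r["Region"] for r in cfg.get("ReplicaKeys", [])}
    for region in target_regions:
        if region not in replicas:
            problems.append(f"no replica in {region}; run kms replicate-key --replica-region {region}")
    return problems
def check_policy(policy: dict, account_id: str) -> list:
    """Problems with the sso.amazonaws.com grant: missing actions or a missing confused-deputy guard."""
    stmts = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
             and s.get("Principal", {}).get("Service") == "sso.amazonaws.com"]
    if not stmts:
        return ["no Allow statement for principal sso.amazonaws.com"]
    problems = []
    for s in stmts:
        actions = {s["Action"]} if isinstance(s["Action"], str) else set(s["Action"])
        missing = REQUIRED_ACTIONS - actions
        if missing and "kms:*" not in actions:
            problems.append(f"{s.get('Sid')}: missing actions {sorted(missing)}")
        src = s.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if src != account_id:
            problems.append(f"{s.get('Sid')}: aws:SourceAccount should be {account_id}, found {src}")
    return problems
```

Feed it the real `describe-key` and `get-key-policy` output (`--output json`) for your key and the list of regions you intend to add; an empty list from both functions means Step 2 can proceed.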
Step 2: Enable Multi-Region Replication in IAM Identity Center
With your multi-region KMS key ready, you can now add additional regions to IAM Identity Center:
- Access IAM Identity Center Console: Navigate to your primary region (e.g., us-east-1)
- Open Settings: Click Settings in the left navigation
- Select Management Tab: Verify your encryption key is a multi-region customer managed KMS key
- Add Region: Click Add Region to start the replication wizard
- Choose Target Region: Select the region where you want to replicate (e.g., eu-west-1)
- Confirm Replication: Review settings and click Add Region
Tip: Initial replication time depends on the size of your Identity Center instance. Large organizations with thousands of users may take longer.
Step 3: Configure Your Identity Provider
After replication completes, you need to configure your external IdP to support the new region's access portal. Each region has its own Assertion Consumer Service (ACS) URL.
Getting ACS URLs
View SAML information for all regions:
```text
# Primary Region ACS URL (example)
https://us-east-1.signin.aws.amazon.com/saml

# Additional Region ACS URL (example)
https://eu-west-1.signin.aws.amazon.com/saml

# Access Portal URLs
# Primary: https://d-1234567890.awsapps.com/start
# Additional: https://d-1234567890.awsapps.com/start?region=eu-west-1
```
Configuring Okta for Multi-Region
In your Okta admin console, add the additional region's ACS URL:
- Navigate to Applications → AWS IAM Identity Center
- Go to the Sign On tab → SAML Settings
- Click Edit and add the new ACS URL to the allowed reply URLs
- Save changes
Configuring Microsoft Entra ID
For Microsoft Entra ID (Azure AD), add the additional reply URL:
- Go to Enterprise Applications → AWS IAM Identity Center
- Select Single sign-on → SAML
- Click Edit on Basic SAML Configuration
- Add the additional region's ACS URL under Reply URL
- Save configuration
Step 4: Create Regional Bookmark Applications
Help users discover the additional region by creating bookmark applications in your IdP:
```text
# Bookmark Application URLs for User Portal

# Primary Region (US East)
Name: AWS Access Portal (US)
URL: https://d-1234567890.awsapps.com/start

# Additional Region (EU West)
Name: AWS Access Portal (EU)
URL: https://d-1234567890.awsapps.com/start?region=eu-west-1

# Additional Region (Asia Pacific)
Name: AWS Access Portal (APAC)
URL: https://d-1234567890.awsapps.com/start?region=ap-southeast-1
```
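The failure mode behind Steps 3 and 4 is a replica region whose ACS URL was never added to the IdP: replication works, but failover to that region fails at the SAML response. The following added example (not from the original post) compares the reply URLs exported from the IdP against the regions enabled in Identity Center and generates the matching bookmark entries. It assumes the URL patterns shown above; the identity store id, region list and reply-URL list are constructed placeholders, and the real ACS URLs should be read from the Identity Center console.

```python
# URL patterns as shown in the examples above; read the real ACS URLs from the Identity Center console.
ACS_URL = "https://{region}.signin.aws.amazon.com/saml"
PORTAL_URL = "https://{store_id}.awsapps.com/start"

def acs_url(region: str) -> str:
    return ACS_URL.format(region=region)

def portal_url(store_id: str, region: str, primary: str) -> str:
    """Portal URL for one region: the primary has no query string, replicas carry ?region=."""
    base = PORTAL_URL.format(store_id=store_id)
    return base if region == primary else f"{base}?region={region}"

def _norm(url: str) -> str:
    # IdPs often store reply URLs with mixed case or a trailing slash; compare a canonical form.
    return url.strip().rstrip("/").lower()

def missing_acs_urls(regions, idp_reply_urls) -> list:
    """ACS URLs that enabled regions need but the IdP does not yet allow (failover to them would fail)."""
    configured = {_norm(u) for u in idp_reply_urls}
    return [acs_url(r) for r in regions if _norm(acs_url(r)) not in configured]

def bookmarks(store_id: str, primary: str, regions, labels: dict) -> list:
    """Name/URL pairs for the IdP bookmark applications of Step 4."""
    return [{"name": f"AWS Access Portal ({labels.get(r, r)})", "url": portal_url(store_id, r, primary)}
            for r in regions]

# Constructed input: regions enabled in Identity Center and the reply URLs exported from the IdP.
STORE_ID = "d-1234567890"
PRIMARY = "us-east-1"
REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-1"]
IDP_REPLY_URLS = ["https://us-east-1.signin.aws.amazon.com/saml",
                  "https://EU-WEST-1.signin.aws.amazon.com/saml/"]
LABELS = {"us-east-1": "US", "eu-west-1": "EU", "ap-southeast-1": "APAC"}

if __name__ == "__main__":
    for url in missing_acs_urls(REGIONS, IDP_REPLY_URLS):
        print("IdP is missing reply URL:", url)
    for b in bookmarks(STORE_ID, PRIMARY, REGIONS, LABELS):
        print(b["name"], "->", b["url"])
```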
Step 5: Verify Replication Status
Monitor replication status and verify everything is working correctly:
Check Replication Status via CLI
```bash
# List Identity Center instances visible from the primary region
aws sso-admin list-instances --region us-east-1

# Check instance details
aws sso-admin describe-instance \
  --instance-arn arn:aws:sso:::instance/ssoins-1234567890abcdef \
  --region us-east-1

# Verify users are replicated (query the additional region)
aws identitystore list-users \
  --identity-store-id d-1234567890 \
  --region eu-west-1
```
Operational Considerations
Understanding how multi-region IAM Identity Center operates is crucial for day-to-day management:
Management Operations
All configuration changes happen in the primary region. Changes automatically replicate to additional regions.
Read Operations
Additional regions support read-only console access. View users, groups, and assignments but cannot modify them.
Application Management
Deploy AWS managed applications in additional regions. Applications access local identity data for optimal performance.
Session Revocation
User session revocation is available in all regions for security incident response.
Monitoring with CloudTrail
All workforce actions emit CloudTrail events in the region where they occur. Set up centralized logging for complete visibility:
```bash
# Create organization trail for multi-region events
aws cloudtrail create-trail \
  --name identity-center-audit \
  --s3-bucket-name my-cloudtrail-logs \
  --is-multi-region-trail \
  --is-organization-trail \
  --include-global-service-events

# Enable logging
aws cloudtrail start-logging \
  --name identity-center-audit
```

Once the trail also delivers to a CloudWatch Logs log group, a Logs Insights query such as the following pulls the Identity Center events from every region:

```text
# Example CloudWatch Logs Insights query for Identity Center events
fields @timestamp, eventName, userIdentity.arn, awsRegion
| filter eventSource = "sso.amazonaws.com"
| sort @timestamp desc
| limit 100
```
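The same selection can be run outside CloudWatch, for example over CloudTrail files pulled from the S3 bucket during an incident. The following added example (not from the original post) applies the query's filter, ordering and limit to a handful of constructed CloudTrail records and adds a per-region tally: because each region logs its own events, the share of Identity Center events outside the primary region shows whether users actually moved to the replica portal during a failover. Event names and ARNs are placeholders.

```python
from collections import Counter

# Constructed CloudTrail records in the standard record shape; ARNs and names are placeholders.
RECORDS = [
    {"eventTime": "2026-02-04T09:01:12Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2026-02-04T09:03:40Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2026-02-04T09:05:02Z", "eventSource": "sso.amazonaws.com", "eventName": "Federate",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2026-02-04T09:09:55Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "awsRegion": "eu-west-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"}},
]

def sso_events(records, limit=100):
    """Same selection as the Logs Insights query: eventSource filter, newest first, capped at `limit`."""
    hits = [r for r in records if r.get("eventSource") == "sso.amazonaws.com"]
    hits.sort(key=lambda r: r["eventTime"], reverse=True)  # ISO-8601 UTC timestamps sort correctly as text
    return [(r["eventTime"], r["eventName"], r.get("userIdentity", {}).get("arn"), r["awsRegion"])
            for r in hits[:limit]]

def activity_by_region(records) -> Counter:
    """Identity Center events per region; a replica only shows traffic once users sign in through it."""
    return Counter(r["awsRegion"] for r in records if r.get("eventSource") == "sso.amazonaws.com")

def non_primary_share(records, primary: str) -> float:
    """Fraction of Identity Center events outside the primary region. A jump during an incident
    confirms users followed the failover URL; globally distributed teams will show a steady baseline."""
    counts = activity_by_region(records)
    total = sum(counts.values())
    return 0.0 if total == 0 else (total - counts.get(primary, 0)) / total

if __name__ == "__main__":
    for row in sso_events(RECORDS):
        print(*row)
    print(dict(activity_by_region(RECORDS)),
          f"non-primary share={non_primary_share(RECORDS, 'us-east-1'):.2f}")
```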
Disaster Recovery Architecture
With multi-region replication, your workforce has automatic failover capability. Here's how to document your DR procedures:
- Primary Region Incident Detected: Users report inability to access the AWS access portal in the primary region
- Communicate Failover URL: Direct users to the additional region's access portal via Slack, email, or status page
- Users Authenticate via Additional Region: The IdP redirects to the additional region's ACS URL (already configured)
- Access Restored: Users access their AWS accounts with their existing permissions
Conclusion
Multi-region replication for AWS IAM Identity Center transforms your identity infrastructure from a single point of failure into a resilient, globally distributed system. Your workforce can continue accessing AWS accounts even during regional outages, applications authenticate users locally for better performance, and you can meet data residency requirements without compromising centralized identity management.
The implementation is straightforward: create a multi-region KMS key, add regions through the console, and update your IdP configuration. There's no additional cost beyond standard KMS charges, and you maintain full control from your primary region. For organizations running critical workloads on AWS, multi-region identity replication should be a standard part of your resilience architecture.
Need Help with AWS Identity Setup?
Our AWS certified architects can design and implement enterprise identity solutions, including multi-region IAM Identity Center, external IdP integration, and comprehensive security controls for your organization.
