AWS Security ChangesHomeSearch

AWS singlesignon medium security documentation change

Service: singlesignon · 2026-03-16 · Security-related medium

File: singlesignon/latest/userguide/resiliency-regional-behavior.md

Summary

Updated documentation about resiliency behaviors and administrative constraints in IAM Identity Center. Changes include: clarifying availability zone capitalization, expanding details about primary Region constraints, emphasizing break-glass access over emergency access for IdP disruptions, adding cross-region application management references, and clarifying account instance limitations.

Security assessment

The change emphasizes AWS break-glass access as a resilience measure during external IdP disruptions (security best practice) and explicitly warns against relying solely on emergency access that depends on an external IdP. This addresses potential access risks during IdP outages.

Diff

diff --git a/singlesignon/latest/userguide/resiliency-regional-behavior.md b/singlesignon/latest/userguide/resiliency-regional-behavior.md
index 8b46909ca..af7ca7425 100644
--- a//singlesignon/latest/userguide/resiliency-regional-behavior.md
+++ b//singlesignon/latest/userguide/resiliency-regional-behavior.md
@@ -9 +9 @@ Designed for availability
-The IAM Identity Center service is fully managed and uses highly available and durable AWS services, such as Amazon S3 and Amazon EC2. To ensure availability in the event of an availability zone disruption, IAM Identity Center operates across multiple availability zones. You can replicate your IAM Identity Center instance to additional Regions to maintain account access in the event of a Regional disruption. For more information, see [Using IAM Identity Center across multiple AWS Regions](./multi-region-iam-identity-center.html). 
+The IAM Identity Center service is fully managed and uses highly available and durable AWS services, such as Amazon S3 and Amazon EC2. To ensure availability in the event of an Availability Zone disruption, IAM Identity Center operates across multiple Availability Zones. You can replicate your IAM Identity Center instance to additional Regions to maintain account access with already provisioned permissions in the event of a Regional disruption. For more information, see [Using IAM Identity Center across multiple AWS Regions](./multi-region-iam-identity-center.html). 
@@ -11 +11,3 @@ The IAM Identity Center service is fully managed and uses highly available and d
-You enable IAM Identity Center in your AWS Organizations management account. This is required so that IAM Identity Center can provision, de-provision, and update roles across all your AWS accounts. When you enable IAM Identity Center, it is deployed to the AWS Region that is currently selected, referred to as the "primary Region". If you want to deploy to a specific AWS Region, change the Region selection before enabling IAM Identity Center as you won’t be able to change the primary Region. 
+You enable IAM Identity Center in your AWS Organizations management account. This is required for IAM Identity Center to provision, deprovision, and update roles across all your AWS accounts. When you enable IAM Identity Center, it is deployed to the AWS Region that is currently selected, referred to as the "primary Region". If you want to deploy to a specific AWS Region, change the Region selection before enabling IAM Identity Center because the primary Region cannot be changed after IAM Identity Center is enabled. 
+
+IAM Identity Center supports most administrative functions only from the primary Region. This includes the connection to an external identity provider, synchronization of users and groups, and the creation and assignment of permission sets to users and groups. In contrast, the management of applications and their assignments must take place in the IAM Identity Center Region where the application was created.
@@ -15 +17 @@ You enable IAM Identity Center in your AWS Organizations management account. Thi
-IAM Identity Center is administered from its primary Region only. This includes its connection to an external identity provider, synchronization of users and groups, and the creation and assignment of permission sets to users/groups. We recommend that you account for this behavior when planning for operational resilience, and set up [emergency access](./emergency-access.html) with an external IdP. Another option is [AWS break-glass access](https://docs.aws.amazon.com/wellarchitected/latest/devops-guidance/ag.sad.5-implement-break-glass-procedures.html), which relies on IAM users.
+Even if your IAM Identity Center is replicated to additional Regions, we recommend that you set up [AWS break-glass access](https://docs.aws.amazon.com/wellarchitected/latest/devops-guidance/ag.sad.5-implement-break-glass-procedures.html). This helps you maintain AWS access for a small group of privileged users during events such as a service disruption in the external IdP. [Emergency access](./emergency-access.html) is another option that uses identities from an external IdP instead of IAM users; however, it does not protect against a disruption in the external IdP. 
@@ -17 +19 @@ IAM Identity Center is administered from its primary Region only. This includes
-Although IAM Identity Center determines access from the Region in which you enable the service, AWS accounts are global. This means that after users sign in to IAM Identity Center, they can operate in any Region when they access AWS accounts through IAM Identity Center. Most AWS managed applications such as Amazon SageMaker AI, however, must be installed in a Region of your IAM Identity Center instance for users to authenticate and assign access to these applications. For information about Regional constraints when using an application with IAM Identity Center, see the documentation for the application.
+Although IAM Identity Center determines access from the Region in which you enable the service, AWS accounts are global. This means that after users sign in to IAM Identity Center, they can operate in any Region when they access AWS accounts through IAM Identity Center. Most AWS managed applications such as Amazon SageMaker AI, however, must be installed in a Region of your IAM Identity Center instance for users to authenticate and assign access to these applications. For information about Regional constraints when using an application with IAM Identity Center, see the documentation for the application and [Deploying and managing AWS managed applications across multiple AWS Regions](./multi-region-application-use.html#multi-region-aws-managed-applications).
@@ -19 +21 @@ Although IAM Identity Center determines access from the Region in which you enab
-You can also use IAM Identity Center to authenticate and authorize access to SAML-based applications that are reachable through a public URL, regardless of the platform or cloud on which the application is built.
+You can also use IAM Identity Center to authenticate and authorize access to SAML-based customer managed applications that are reachable through a public URL, regardless of the platform or cloud on which the application is built.
@@ -21 +23 @@ You can also use IAM Identity Center to authenticate and authorize access to SAM
-We do not recommend using [Account instances of IAM Identity Center](./account-instances-identity-center.html) as a means to implement resiliency as it creates a second, isolated control point that isn't connected to your organization instance. 
+We do not recommend using [Account instances of IAM Identity Center](./account-instances-identity-center.html) as a means to implement resiliency because they do not support AWS account access and because they create a second, isolated control point that isn't connected to your organization instance.