AWS Security ChangesHomeSearch

AWS whitepapers medium security documentation change

Service: whitepapers · 2026-05-22 · Security-related medium

File: whitepapers/latest/aws-fault-isolation-boundaries/global-services.md

Summary

Removed IAM Identity Center configuration guidance including Regional SAML endpoint recommendations and break-glass user provisioning instructions. Deleted related anti-patterns and summary recommendations.

Security assessment

The deletion of specific instructions for configuring fault-tolerant access (Regional SAML endpoints and break-glass users) directly impacts security posture. Evidence includes removal of guidance to avoid us-east-1 dependencies during outages, which could lead to account lockout during regional failures.

Diff

diff --git a/whitepapers/latest/aws-fault-isolation-boundaries/global-services.md b/whitepapers/latest/aws-fault-isolation-boundaries/global-services.md
index dd613604c..4683fb76a 100644
--- a//whitepapers/latest/aws-fault-isolation-boundaries/global-services.md
+++ b//whitepapers/latest/aws-fault-isolation-boundaries/global-services.md
@@ -194,8 +193,0 @@ Update your IAM role trust policies to accept SAML logins from multiple Regions.
-**AWS IAM Identity Center:** Identity Center is a cloud-based service that makes it easy to centrally manage single sign-on access to a customer’s AWS accounts and cloud applications. Identity Center must be deployed in a single Region of your choosing. However, the default behavior for the service is to use the global SAML endpoint ([https://signin.aws.amazon.com/saml](https://signin.aws.amazon.com/saml)), which is hosted in `us-east-1`. If you have deployed Identity Center into a different AWS Region, you should update the [relaystate](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtopermrelaystate.html) URL of every permission set to target the same Regional console endpoint as your Identity Center deployment. For example, if you deployed Identity Center into `us-west-2`, you should update the relaystate of your permissions sets to use [https://us-west-2.console.aws.amazon.com](https://us-west-2.console.aws.amazon.com). This will remove any dependency on `us-east-1` from your Identity Center deployment. 
-
-Additionally, because IAM Identity Center can only be deployed into a single Region, you should pre-provision “break-glass” users in case your deployment is impaired. Refer to [Appendix A - Partitional service guidance](./appendix-a---partitional-service-guidance.html) for details on how to create break-glass users in a statically-stable way. 
-
-###### Recommendation
-
-Set the relaystate URL of your permission sets in IAM Identity Center to match the Region where you have the service deployed. Create a break-glass user(s) in case your IAM Identity Center deployment is unavailable.
-
@@ -220,4 +211,0 @@ The following is a summary of some of the most common misconfigurations or anti-
-  * Relying on IAM Identity Center for operators to gain access to production environments during a failure event. 
-
-  * Relying on the default IAM Identity Center configuration to utilize the console in `us-east-1` when you have deployed Identity Center into a different Region. 
-
@@ -250,2 +237,0 @@ Update your IAM role trust policies to accept SAML logins from multiple Regions.
-
-Set the relaystate URL of your permission sets in IAM Identity Center to match the Region where you have the service deployed. Create a break-glass user(s) in case your Identity Center deployment is unavailable.