# Considerations for choosing an AWS Region
<a name="identity-center-region-considerations"></a>

You can enable IAM Identity Center in a single, supported AWS Region of your choice and it is available to users globally. This global availability makes it easier for you to configure user access to multiple AWS accounts and applications. Following are key considerations for choosing an AWS Region.
+ **Geographical location of your users** – When you select the Region that is geographically closest to the majority of your end users, they experience lower latency when accessing the AWS access portal and AWS managed applications, such as Amazon SageMaker AI.
+ **Opt-in Regions (Regions that are disabled by default)** – An opt-in Region is an AWS Region that is disabled by default. To use an opt-in Region, you must enable it. For more information, see [Managing IAM Identity Center in an opt-in Region](regions.md#manually-enabled-regions).
+ **Replicating IAM Identity Center to additional Regions** – If you plan to replicate IAM Identity Center to additional AWS Regions, you must choose a Region enabled by default. For more information, see [Using IAM Identity Center across multiple AWS Regions](multi-region-iam-identity-center.md).
+ **Choosing deployment Regions for AWS managed applications** – AWS managed applications can operate only in the AWS Regions in which they are available. Many AWS managed applications can also operate only in a Region where IAM Identity Center is enabled or replicated to (primary or additional Region). To confirm if your IAM Identity Center instance supports replication to additional Regions, see [Using IAM Identity Center across multiple AWS Regions](multi-region-iam-identity-center.md). If replication is not an option, consider enabling IAM Identity Center in the Region where you plan to use AWS managed applications.
+ **Digital sovereignty** – Digital sovereignty regulations or company policies may mandate the use of a particular AWS Region. Consult with your company’s legal department.
+ **Identity source** – If you’re using [AWS Managed Microsoft AD](connectawsad.md) or your self-managed directory in [Active Directory (AD)](connectonpremad.md) as the identity source, its home Region must match the AWS Region in which you enabled IAM Identity Center.
+ **Cross-Region emails with Amazon Simple Email Service** – In some Regions, IAM Identity Center may call [Amazon Simple Email Service (Amazon SES)](https://docs.aws.amazon.com/ses/latest/dg/Welcome.html) in a different Region to send email. In these cross-Region calls, IAM Identity Center sends certain user attributes to the other Region. For more information, see [Cross-Region emails with Amazon SES](regions.md#cross-region-calls). 
+ **AWS Control Tower** – If you’re enabling an organization instance of IAM Identity Center from AWS Control Tower, the instance will be created in the same Region as the AWS Control Tower landing zone.

**Topics**
+ [IAM Identity Center Region data storage and operations](regions.md)
+ [Switching AWS Regions](switching-regions.md)
+ [Disabling an AWS Region where IAM Identity Center is enabled](disabling-region-with-identity-center.md)

# IAM Identity Center Region data storage and operations
<a name="regions"></a>

Learn how IAM Identity Center handles data storage and operations across AWS Regions.

## Understand how IAM Identity Center stores data
<a name="region-data"></a>

When you enable IAM Identity Center, all the data that you configure in IAM Identity Center is stored in the Region where you enabled it. This data includes directory configurations, permission sets, application instances, and user assignments to AWS account applications. If you are using the IAM Identity Center identity store, all users and groups that you create in IAM Identity Center are also stored in the same Region. If you replicate your IAM Identity Center instance to additional Regions, IAM Identity Center automatically replicates users, groups, permission sets and their assignments, and other metadata and configuration to those Regions.

## Cross-Region emails with Amazon SES
<a name="cross-region-calls"></a>

IAM Identity Center uses [Amazon Simple Email Service (Amazon SES)](https://docs.aws.amazon.com/ses/latest/dg/Welcome.html) to send emails to end users when they attempt to sign in with a one-time password (OTP) as a second authentication factor. These emails are also sent for certain identity and credential management events, such as when a user is invited to set up an initial password, verify an email address, or reset their password. Amazon SES is available in a subset of the AWS Regions that IAM Identity Center supports.

IAM Identity Center calls local Amazon SES endpoints when Amazon SES is available in the same AWS Region. When Amazon SES isn't available locally, IAM Identity Center calls Amazon SES endpoints in a different AWS Region, as indicated in the following table.


| IAM Identity Center Region code | IAM Identity Center Region name | Amazon SES Region code | Amazon SES Region name | 
| --- | --- | --- | --- | 
| ap-east-1 | Asia Pacific (Hong Kong) | ap-northeast-2 | Asia Pacific (Seoul) | 
| ap-east-2 | Asia Pacific (Taipei) | ap-northeast-1 | Asia Pacific (Tokyo) | 
| ap-south-2 | Asia Pacific (Hyderabad) | ap-south-1 | Asia Pacific (Mumbai) | 
| ap-southeast-4 | Asia Pacific (Melbourne) | ap-southeast-2 | Asia Pacific (Sydney) | 
| ap-southeast-5 | Asia Pacific (Malaysia) | ap-southeast-1 | Asia Pacific (Singapore) | 
| ap-southeast-6 | Asia Pacific (New Zealand) | ap-southeast-2 | Asia Pacific (Sydney) | 
| ap-southeast-7 | Asia Pacific (Thailand) | ap-northeast-3 | Asia Pacific (Osaka) | 
| ca-west-1 | Canada West (Calgary) | ca-central-1 | Canada (Central) | 
| eu-south-2 | Europe (Spain) | eu-west-3 | Europe (Paris) | 
| eu-central-2 | Europe (Zurich) | eu-central-1 | Europe (Frankfurt) | 
| mx-central-1 | Mexico (Central) | us-east-2 | US East (Ohio) | 
| me-central-1 | Middle East (UAE) | eu-central-1 | Europe (Frankfurt) | 
| us-gov-east-1 | AWS GovCloud (US-East) | us-gov-west-1 | AWS GovCloud (US-West) | 

In these cross-Region calls, IAM Identity Center might send the following user attributes:
+ Email address
+ First name
+ Last name
+ Account in AWS Organizations
+ AWS access portal URL
+ Username
+ Directory ID
+ User ID

## Managing IAM Identity Center in an opt-in Region (Region that is disabled by default)
<a name="manually-enabled-regions"></a>

Most AWS Regions are enabled for operations in all AWS services by default, but you must enable the following [opt-in Regions](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#optinregion) if you want to use IAM Identity Center:
+ Africa (Cape Town)
+ Asia Pacific (Hong Kong)
+ Asia Pacific (Taipei)
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Jakarta)
+ Asia Pacific (Melbourne)
+ Asia Pacific (Malaysia)
+ Asia Pacific (New Zealand)
+ Asia Pacific (Thailand)
+ Canada West (Calgary)
+ Europe (Milan)
+ Europe (Spain)
+ Europe (Zurich)
+ Israel (Tel Aviv)
+ Mexico (Central)
+ Middle East (Bahrain)
+ Middle East (UAE)

If you deploy IAM Identity Center in an opt-in Region, you must enable that Region in every account to which you want to manage access with IAM Identity Center. All accounts need this configuration, whether or not you'll create resources in that Region. You can enable a Region for the current accounts in your organization, and you must repeat this action whenever you add new accounts. For instructions, see [Enable or disable a Region in your organization](https://docs.aws.amazon.com//accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-organization) in the *AWS Organizations User Guide*. To avoid repeating these additional steps, you can choose to deploy IAM Identity Center in a [Region enabled by default](#regions-enabled-by-default).
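The following added example (not part of this guide) audits which accounts in the organization have not yet enabled the opt-in Region that hosts IAM Identity Center, so that newly added accounts are not silently left out. It assumes clients shaped like `boto3.client("organizations")` and `boto3.client("account")`; the in-memory fakes and account IDs are constructed sample data.

```python
def list_org_accounts(org):
    """Return every account ID in the organization, following NextToken pagination."""
    ids, token = [], None
    while True:
        page = org.list_accounts(**({"NextToken": token} if token else {}))
        ids.extend(a["Id"] for a in page["Accounts"])
        token = page.get("NextToken")
        if not token:
            return ids

def accounts_missing_region(org, account, region, caller_account_id):
    """Map account ID -> opt status for accounts where `region` is not usable.
    The Account API does not accept AccountId for the caller's own (management)
    account, so that account is queried without the parameter."""
    missing = {}
    for acct_id in list_org_accounts(org):
        ident = {} if acct_id == caller_account_id else {"AccountId": acct_id}
        status = account.get_region_opt_status(RegionName=region, **ident)["RegionOptStatus"]
        if status not in ("ENABLED", "ENABLED_BY_DEFAULT"):
            missing[acct_id] = status  # DISABLED, ENABLING or DISABLING
    return missing

# Constructed fakes standing in for boto3.client("organizations") and
# boto3.client("account"); the account IDs and statuses are sample data.
class FakeOrganizations:
    PAGES = {None: {"Accounts": [{"Id": "111111111111"}, {"Id": "222222222222"}], "NextToken": "p2"},
             "p2": {"Accounts": [{"Id": "333333333333"}]}}
    def list_accounts(self, NextToken=None):
        return self.PAGES[NextToken]

class FakeAccount:
    STATUS = {None: "ENABLED",          # management account, queried without AccountId
              "222222222222": "DISABLED", "333333333333": "ENABLING"}
    def get_region_opt_status(self, RegionName, AccountId=None):
        return {"RegionName": RegionName, "RegionOptStatus": self.STATUS[AccountId]}

if __name__ == "__main__":
    for acct, status in accounts_missing_region(
            FakeOrganizations(), FakeAccount(), "eu-central-2", "111111111111").items():
        print(f"{acct}: {status}")
```

Run the same audit after each new account joins the organization; any account listed cannot be reached from the AWS access portal until its Region opt-in completes.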

**Note**  
Your AWS member account must be opted into the same Region as the opt-in Region where your IAM Identity Center instance is located, so you can access the AWS member account from the AWS access portal.

**Metadata stored in opt-in Regions**  
When you enable IAM Identity Center for a management account in an opt-in AWS Region, the following IAM Identity Center metadata for any member accounts is stored in the Region.
+ Account ID
+ Account name
+ Account email
+ Amazon Resource Names (ARNs) of the IAM roles that IAM Identity Center creates in the member account

## AWS Regions that are enabled by default
<a name="regions-enabled-by-default"></a>

The following Regions are enabled by default and you can enable IAM Identity Center in these Regions. 
+ US East (Ohio)
+ US East (N. Virginia)
+ US West (Oregon)
+ US West (N. California)
+ Europe (Paris)
+ South America (São Paulo)
+ Asia Pacific (Mumbai)
+ Europe (Stockholm)
+ Asia Pacific (Seoul)
+ Asia Pacific (Tokyo)
+ Europe (Ireland)
+ Europe (Frankfurt)
+ Europe (London)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Canada (Central)
+ Asia Pacific (Osaka)

# Switching AWS Regions
<a name="switching-regions"></a>

We recommend that you install IAM Identity Center in a Region that you intend to keep available for users, not a Region that you might need to disable. For more information, see [Considerations for choosing an AWS Region](identity-center-region-considerations.md).

You can switch your IAM Identity Center Region only by [deleting your current IAM Identity Center instance](delete-config.md) and creating an instance in another Region. If you already enabled an AWS managed application with your existing IAM Identity Center instance, disable the application before deleting IAM Identity Center. For instructions on disabling AWS managed applications, see [Disabling an AWS managed application](awsapps-remove.md). 

**Note**  
If you are considering switching your IAM Identity Center Region to enable the deployment of an AWS managed application in another Region, consider replicating your IAM Identity Center instance to that Region instead. For more information, see [Using IAM Identity Center across multiple AWS Regions](multi-region-iam-identity-center.md).

**Configuration considerations in the new Region**  
You must recreate users, groups, permission sets, applications, and assignments in the new IAM Identity Center instance. You can use the IAM Identity Center account and application assignment [APIs](https://docs.aws.amazon.com/singlesignon/latest/APIReference/welcome.html) to take a snapshot of your configuration and then use that snapshot to rebuild the configuration in the new Region. Switching to a different Region also changes the URL for the [AWS access portal](using-the-portal.md), which provides your users with single sign-on access to their AWS accounts and applications. You might also need to recreate some IAM Identity Center configuration through the Management Console of your new instance.
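As an added example (not code from this guide), the following captures a portable snapshot of permission sets and account assignments through the `sso-admin` list and describe APIs, keyed by permission set name because permission set ARNs and identity-store principal IDs change when the instance is recreated in another Region. It assumes a client shaped like `boto3.client("sso-admin")`; the fake client and its ARNs and account IDs are constructed sample data.

```python
import json

def _paginate(call, key, **kwargs):
    """Yield items under `key` across every page of a list_* API call."""
    token = None
    while True:
        page = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return

def snapshot(sso, instance_arn):
    """Snapshot keyed by permission set name: ARNs and identity-store IDs
    change when the instance is recreated, so names are the portable key."""
    out = {}
    for ps_arn in _paginate(sso.list_permission_sets, "PermissionSets", InstanceArn=instance_arn):
        ps = sso.describe_permission_set(InstanceArn=instance_arn, PermissionSetArn=ps_arn)["PermissionSet"]
        assignments = []
        for acct in _paginate(sso.list_accounts_for_provisioned_permission_set, "AccountIds",
                              InstanceArn=instance_arn, PermissionSetArn=ps_arn):
            for a in _paginate(sso.list_account_assignments, "AccountAssignments",
                               InstanceArn=instance_arn, AccountId=acct, PermissionSetArn=ps_arn):
                assignments.append({"AccountId": acct, "PrincipalType": a["PrincipalType"],
                                    "PrincipalId": a["PrincipalId"]})
        out[ps["Name"]] = {"SessionDuration": ps.get("SessionDuration"),
                           "Assignments": sorted(assignments, key=lambda x: (x["AccountId"], x["PrincipalId"]))}
    return out

# Constructed fake standing in for boto3.client("sso-admin"); sample data only.
class FakeSsoAdmin:
    INSTANCE = "arn:aws:sso:::instance/ssoins-EXAMPLE"
    PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/"
    NAMES = {PS + "ps-1": "AdministratorAccess", PS + "ps-2": "ReadOnly"}
    def list_permission_sets(self, InstanceArn, NextToken=None):
        if NextToken is None:  # first page, then a second page
            return {"PermissionSets": [self.PS + "ps-1"], "NextToken": "n1"}
        return {"PermissionSets": [self.PS + "ps-2"]}
    def describe_permission_set(self, InstanceArn, PermissionSetArn):
        return {"PermissionSet": {"Name": self.NAMES[PermissionSetArn], "SessionDuration": "PT1H"}}
    def list_accounts_for_provisioned_permission_set(self, InstanceArn, PermissionSetArn, NextToken=None):
        accts = ["111111111111"] if PermissionSetArn.endswith("ps-1") else ["222222222222", "111111111111"]
        return {"AccountIds": accts}
    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn, NextToken=None):
        return {"AccountAssignments": [{"AccountId": AccountId, "PermissionSetArn": PermissionSetArn,
                                        "PrincipalType": "GROUP", "PrincipalId": "grp-" + AccountId[-3:]}]}

if __name__ == "__main__":
    print(json.dumps(snapshot(FakeSsoAdmin(), FakeSsoAdmin.INSTANCE), indent=2))
```

Before rebuilding, resolve each `PrincipalId` to a user or group name in the old identity store, since the new instance issues new IDs; managed and inline policies attached to each permission set are retrieved with the corresponding `list_managed_policies_in_permission_set` and `get_inline_policy_for_permission_set` calls and are omitted here for brevity.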

# Disabling an AWS Region where IAM Identity Center is enabled
<a name="disabling-region-with-identity-center"></a>

If you disable an AWS Region in which IAM Identity Center is installed, IAM Identity Center is also disabled. After IAM Identity Center is disabled in a Region, users in that Region won’t have single sign-on access to AWS accounts and applications. 

To re-enable IAM Identity Center in [opt-in AWS Regions](regions.md#manually-enabled-regions), you must re-enable the Region. Because IAM Identity Center must reprocess all paused events, re-enabling IAM Identity Center might take some time.

**Note**  
IAM Identity Center can manage access only to the AWS accounts that are enabled for use in an AWS Region. To manage access across all accounts in your organization, enable IAM Identity Center in the management account in an AWS Region that is automatically activated for use with IAM Identity Center.

For more information about enabling and disabling AWS Regions, see [Managing AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html) in the *AWS General Reference*.