Assign IAM Identity Center user from a different region as AWS Grafana workspace Admin User

0

Hello community,

I have created an IAM Identity Center in use1. Currently I have created an AWS Grafana workspace in use2. When I assigned that user for workspace authentication, I got a warning message suggesting that "By continuing, you will configure your application to access user and group information from IAM Identity Center, which is deployed in a different AWS Region. If you don’t know the Region where IAM Identity Center is deployed, contact the owner of the management account for your organization". But I still proceeded and this user could still log into the workspace. Could this be a potential security issue? Is this a bad practice? Your help is much appreciated!

1 Answer
0
Accepted Answer

Assigning an IAM Identity Center user from a different region as an admin for an Amazon Managed Grafana workspace isn’t a security issue but does come with some important considerations. The warning highlights that cross-region communication is being set up between IAM Identity Center and Grafana, which could affect latency, availability, and compliance. Although AWS ensures secure communication, there are potential drawbacks, such as increased latency, reliance on the IAM Identity Center region’s availability, and possible conflicts with compliance requirements. This approach works well for organizations operating across multiple regions, but it’s generally better to keep IAM Identity Center and Grafana in the same region to minimize latency and simplify the architecture. It’s also important to monitor, audit, and document the configuration to address any potential challenges.

EXPERT
answered 10 months ago
