AWS STS Regions and endpoints
Note
Starting in early 2025, in AWS Regions that are enabled by default, AWS STS requests to the global endpoint (https://sts.amazonaws.com) will be automatically served in the same AWS Region as your workloads. These changes will be gradually deployed by mid-2025. These changes will not be deployed to opt-in Regions. We recommend that you use the appropriate AWS STS regional endpoints. For more information, see AWS STS global endpoint changes.
The following table lists the Regions and their endpoints. It indicates which ones are activated by default and which ones you can activate or deactivate.
Region name | Endpoint | Active by default | Manually activate/deactivate |
---|---|---|---|
--Global-- | sts.amazonaws.com | ||
US East (Ohio) | sts.us-east-2.amazonaws.com | ||
US East (N. Virginia) | sts.us-east-1.amazonaws.com | ||
US West (N. California) | sts.us-west-1.amazonaws.com | ||
US West (Oregon) | sts.us-west-2.amazonaws.com | ||
Africa (Cape Town) | sts.af-south-1.amazonaws.com | ||
Asia Pacific (Hong Kong) | sts.ap-east-1.amazonaws.com | ||
Asia Pacific (Hyderabad) | sts.ap-south-2.amazonaws.com | ||
Asia Pacific (Jakarta) | sts.ap-southeast-3.amazonaws.com | ||
Asia Pacific (Malaysia) | sts.ap-southeast-5.amazonaws.com | ||
Asia Pacific (Melbourne) | sts.ap-southeast-4.amazonaws.com | ||
Asia Pacific (Mumbai) | sts.ap-south-1.amazonaws.com | ||
Asia Pacific (Osaka) | sts.ap-northeast-3.amazonaws.com | ||
Asia Pacific (Seoul) | sts.ap-northeast-2.amazonaws.com | ||
Asia Pacific (Singapore) | sts.ap-southeast-1.amazonaws.com | ||
Asia Pacific (Sydney) | sts.ap-southeast-2.amazonaws.com | ||
Asia Pacific (Thailand) | sts.ap-southeast-7.amazonaws.com | ||
Asia Pacific (Tokyo) | sts.ap-northeast-1.amazonaws.com | ||
Canada (Central) | sts.ca-central-1.amazonaws.com | ||
Canada West (Calgary) | sts.ca-west-1.amazonaws.com | ||
China (Beijing) | sts.cn-north-1.amazonaws.com.cn | ||
China (Ningxia) | sts.cn-northwest-1.amazonaws.com.cn | ||
Europe (Frankfurt) | sts.eu-central-1.amazonaws.com | ||
Europe (Ireland) | sts.eu-west-1.amazonaws.com | ||
Europe (London) | sts.eu-west-2.amazonaws.com | ||
Europe (Milan) | sts.eu-south-1.amazonaws.com | ||
Europe (Paris) | sts.eu-west-3.amazonaws.com | ||
Europe (Spain) | sts.eu-south-2.amazonaws.com | ||
Europe (Stockholm) | sts.eu-north-1.amazonaws.com | ||
Europe (Zurich) | sts.eu-central-2.amazonaws.com | ||
Israel (Tel Aviv) | sts.il-central-1.amazonaws.com | ||
Mexico (Central) | sts.mx-central-1.amazonaws.com | ||
Middle East (Bahrain) | sts.me-south-1.amazonaws.com | ||
Middle East (UAE) | sts.me-central-1.amazonaws.com | ||
South America (São Paulo) | sts.sa-east-1.amazonaws.com |
¹You must enable the Region to use it. This automatically activates AWS STS. You cannot manually activate or deactivate AWS STS in these Regions.
²To use AWS in China, you need an account and credentials specific to AWS in China.
AWS STS global endpoint changes
AWS is making changes to the AWS Security Token Service (AWS STS) global endpoint (https://sts.amazonaws.com) in Regions enabled by default to enhance its resiliency and performance. Previously, all requests to the AWS STS global endpoint were served by a single AWS Region, US East (N. Virginia). Starting in early 2025, requests to the AWS STS global endpoint will automatically be served in the same Region where the request originates, rather than the US East (N. Virginia) Region. These changes will be gradually deployed to all Regions that are enabled by default by mid-2025, starting with the Europe (Stockholm) Region. These changes will not be deployed to opt-in Regions. For more information about which Regions these changes have been deployed to, see AWS STS global endpoint changes deployed Regions.
With these changes, AWS STS will process your request based on the originating Region and DNS resolver used. Requests to the AWS STS global endpoint will be served in the same Region as your AWS deployed workload if the DNS request for the AWS STS global endpoint is handled by the Amazon DNS server in Regions that are enabled by default. However, requests to the AWS STS global endpoint will continue to be served in US East (N. Virginia) Region if your request originated from opt-in Regions or if your request was resolved using a DNS resolver other than the Amazon DNS server. For more information about Amazon DNS, see Amazon DNS server in the Amazon Virtual Private Cloud User Guide.
The following table shows how requests to the AWS STS global endpoint will be routed based on your DNS provider.
DNS Resolver | Requests to the AWS STS global endpoint routed to the local AWS Region? |
---|---|
Amazon DNS resolver in an Amazon VPC in a Region enabled by default | Yes |
Amazon DNS resolver in an Amazon VPC in an opt-in Region | No, the request will be routed to the US East (N. Virginia) Region |
DNS resolver provided by your ISP, a public DNS provider, or any other DNS provider | No, the request will be routed to the US East (N. Virginia) Region |
To ensure minimal disruption to your existing processes, AWS has implemented the following measures:
- AWS CloudTrail logs for requests made to the AWS STS global endpoint will be sent to the US East (N. Virginia) Region. CloudTrail logs for requests served by AWS STS Regional endpoints will continue to be logged to their respective Region in CloudTrail.
- CloudTrail logs for operations performed by the AWS STS global endpoint and Regional endpoints will have additional fields endpointType and awsServingRegion to indicate which endpoint and Region served the request. For CloudTrail log examples, see Example AWS STS API event using the global endpoint in CloudTrail log file.
- Requests made to the AWS STS global endpoint will have a value of us-east-1 for the aws:RequestedRegion condition key, regardless of which Region served the request.
- Requests handled by the AWS STS global endpoint will not share a requests per second quota with Regional AWS STS endpoints.
If you have workloads in an opt-in Region and are still using the AWS STS global endpoint, we recommend migrating to AWS STS regional endpoints for improved resiliency and performance. For more information about configuring regional AWS STS endpoints, see AWS STS Regional endpoints in the AWS SDKs and Tools Reference Guide.
AWS STS global endpoint changes deployed Regions
The AWS STS global endpoint changes described in the prior section will gradually be rolled out only to Regions enabled by default by mid-2025. These changes have been deployed to the following Regions enabled by default:
- US East (Ohio) — us-east-2
- US West (Oregon) — us-west-2
- Asia Pacific (Mumbai) — ap-south-1
- Asia Pacific (Osaka) — ap-northeast-3
- Asia Pacific (Seoul) — ap-northeast-2
- Asia Pacific (Tokyo) — ap-northeast-1
- Europe (Frankfurt) — eu-central-1
- Europe (Ireland) — eu-west-1
- Europe (London) — eu-west-2
- Europe (Stockholm) — eu-north-1
AWS CloudTrail and Regional endpoints
Calls to regional and global endpoints are logged in the tlsDetails field in AWS CloudTrail. Calls to regional endpoints, such as us-east-2.amazonaws.com, are logged in CloudTrail to their appropriate region. Calls to the global endpoint, sts.amazonaws.com, are logged as calls to a global service. Events for global AWS STS endpoints are logged to us-east-1.
Note
tlsDetails can only be viewed for services that support this field. See Services that support TLS details in CloudTrail in the AWS CloudTrail User Guide.
For more information, see Logging IAM and AWS STS API calls with AWS CloudTrail.
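The following Python code is an added example, not part of the AWS documentation. It uses the endpointType, awsServingRegion and tlsDetails fields described above to inventory which principals still call the AWS STS global endpoint and which Region served them. The sample records, account ID and ARNs are constructed; where endpointType and awsServingRegion sit inside a record, and the values "global" and "regional", are assumptions, so the code searches the whole record and falls back to the host name in tlsDetails.

```python
from collections import Counter

GLOBAL_HOST = "sts.amazonaws.com"

def find_key(obj, key):
    """Depth-first search for `key` anywhere in a parsed JSON record."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            found = find_key(item, key)
            if found is not None:
                return found
    return None

def classify(record):
    """Return (principal, endpoint kind, serving Region) for an STS event, else None."""
    if record.get("eventSource") != "sts.amazonaws.com":
        return None
    kind = str(find_key(record, "endpointType") or "").lower()
    if kind not in ("global", "regional"):  # assumed values; fall back to tlsDetails
        host = ((record.get("tlsDetails") or {}).get("clientProvidedHostHeader") or "").lower()
        kind = "global" if host == GLOBAL_HOST else "regional" if host.startswith("sts.") else "unknown"
    principal = (record.get("userIdentity") or {}).get("arn", "unknown")
    return principal, kind, find_key(record, "awsServingRegion")

def global_callers(records):
    """Count global-endpoint calls per (principal, serving Region)."""
    hits = filter(None, map(classify, records))
    return Counter((who, region) for who, kind, region in hits if kind == "global")

# Constructed sample records, not real log data. The nesting of the two new
# fields is an assumption, which is why find_key() does not use a fixed path.
SAMPLE = [
    {"eventSource": "sts.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build"},
     "tlsDetails": {"clientProvidedHostHeader": "sts.amazonaws.com"},
     "additionalEventData": {"RequestDetails": {"endpointType": "global", "awsServingRegion": "eu-north-1"}}},
    {"eventSource": "sts.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "tlsDetails": {"clientProvidedHostHeader": "sts.eu-west-1.amazonaws.com"},
     "additionalEventData": {"RequestDetails": {"endpointType": "regional", "awsServingRegion": "eu-west-1"}}},
    {"eventSource": "sts.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/legacy"},
     "tlsDetails": {"clientProvidedHostHeader": "sts.amazonaws.com"}},  # record without the new fields
    {"eventSource": "sts.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/batch"}},
    {"eventSource": "s3.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
]
if __name__ == "__main__":
    print(global_callers(SAMPLE))
```

A principal that appears in the result with a serving Region other than the one its workload runs in, or with no serving Region at all, is a candidate for migration to a Regional endpoint.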