IAM is a global service so where does AWS store these details? Which region? What about concerns like GDPR or if customers have specific concerns on where their data is stored?
All of the IAM data is stored globally, presumably in every region so that API calls to each region can authenticated and authorized.
I’m not terribly familiar with the details of GPDR, but while I know that IAM is compliant with the CISPE Code of Conduct, I honestly can’t imagine what kind of "data" could – or more importantly, would – be stored in IAM that would be of concern under GPDR.