EDI Cloud Operations customer account access IAM roles - EDI Cloud Operations Support Guide

EDI Cloud Operations customer account access IAM roles

The ECO operators require the following roles to service your account.

Important

Don't modify or delete these roles.

IAM roles for AMS and ECO access to customer accounts
Role name

Description

ams-access-admin

This role has full administrative access to your account without restrictions. AMS services use this role with restrictive session policies that limit access to deploy AMS infrastructure and operate your account.

ams-access-admin-operations

This role grants AMS operators administrative permissions to operate your account. This role doesn't grant read, write, or delete permissions to customer content in AWS services that are commonly used as data stores, such as Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, Amazon Redshift, and Amazon ElastiCache. Only qualified AMS operators who have a strong understanding of access management can assume this role. These operators serve as an escalation point for access management issues and access your accounts to troubleshoot AMS operator access issues.

ams-access-management

AMS operators manually deploy this role during onboarding. The AMS Access system requires this role to manage the ams-access-roles and ams-access-managed-policies stacks.

ams-access-operations

This role has permissions to perform administrative tasks in your accounts. This role doesn't have read, write, or delete permissions to customer content in AWS services that are commonly used as data stores, such as Amazon S3, Amazon RDS, Amazon DynamoDB, Amazon Redshift, and ElastiCache. Permissions to perform AWS Identity and Access Management (IAM) write operations are also excluded from this role. AMS operators and cloud architects (CAs) can assume this role.

ams-access-read-only

This role has read-only access to your account. AMS operators and CAs can assume this role. Read permissions to customer content in AWS services that are commonly used as data stores, such as Amazon S3, Amazon RDS, DynamoDB, Amazon Redshift, and ElastiCache, are not granted to this role.

ams-access-security-analyst

This AMS security role has permissions in your AMS account to perform dedicated security alert monitoring and security incident handling. Only a few AMS Security individuals can assume this role.

ams-access-security-analyst-read-only

This AMS security role is limited to read-only permissions in your AMS account to perform dedicated security alert monitoring and security incident handling.

eks-osdu-{{$region}}-cluster-management-role

This role has permissions to perform administrative tasks on the Amazon EKS cluster. AMS operators assume this role to access the cluster and perform any change activity.

ams_ssm_automation_role

Assumed by AWS Systems Manager to execute SSM Automation documents within your account.

ams-container-connector-lambda-role-{{$region}}

AMS operators assume this role to access the cluster for any read-only operations. This role is used to access the Amazon EKS cluster through the AWSManagedServices-RunKubernetesScript document.

EDIDeploymentFulfillmentRole, EDIDeploymentFulfillmentIQRole

AMS operators use these roles to deploy the EDI solution and IQ ingestion on the respective accounts.

osdu-*, *edi*, *ediiq*

Don't modify or delete roles or policies whose names start with or contain the terms “osdu”, “edi”, or “ediiq”. EDI services use these names to connect the AWS resources. These terms can be case sensitive.
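Because the guide says these roles and policies must not be modified or deleted, an account owner will want to notice when someone does. As an added example (not code from the AMS or EDI guide), the script below scans CloudTrail records for IAM write calls that target the role names and name patterns listed on this page; the role names come from the table above, the event names are standard IAM CloudTrail eventName values, and the sample records are constructed for the demonstration.

```python
"""Flag CloudTrail IAM writes against the roles this guide says not to modify (added example, not AMS/EDI code)."""
import re

# Exact role names from the guide's table; the {{$region}}-suffixed names are matched by regex below.
PROTECTED_ROLES = {
    "ams-access-admin", "ams-access-admin-operations", "ams-access-management", "ams-access-operations",
    "ams-access-read-only", "ams-access-security-analyst", "ams-access-security-analyst-read-only",
    "ams_ssm_automation_role", "EDIDeploymentFulfillmentRole", "EDIDeploymentFulfillmentIQRole",
}
# Name patterns from the guide (osdu-*, *edi*, *ediiq*) plus the region-suffixed roles. Matched
# case-insensitively: the guide warns the terms can be case sensitive, so "EDI" and "edi" are both caught.
PROTECTED_PATTERNS = [
    re.compile(r"^osdu-", re.I), re.compile(r"edi", re.I),  # "edi" also covers "ediiq"
    re.compile(r"^eks-osdu-.+-cluster-management-role$", re.I),
    re.compile(r"^ams-container-connector-lambda-role-", re.I),
]
# CloudTrail eventName values for IAM calls that change a role or a managed policy.
MUTATING_EVENTS = {
    "DeleteRole", "UpdateRole", "UpdateAssumeRolePolicy", "AttachRolePolicy", "DetachRolePolicy",
    "PutRolePolicy", "DeleteRolePolicy", "PutRolePermissionsBoundary", "DeleteRolePermissionsBoundary",
    "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion", "SetDefaultPolicyVersion",
}

def is_protected(name: str) -> bool:
    return name in PROTECTED_ROLES or any(p.search(name) for p in PROTECTED_PATTERNS)

def find_violations(events: list) -> list:
    """Return (eventName, principal ARN, target name) for every mutating IAM call on a protected name."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") not in MUTATING_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        names = [params[k] for k in ("roleName", "policyName") if k in params]
        if "policyArn" in params:  # arn:aws:iam::<account>:policy/<name>
            names.append(params["policyArn"].rsplit("/", 1)[-1])
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        hits.extend((ev["eventName"], who, n) for n in names if is_protected(n))
    return hits

# Constructed sample CloudTrail records, not real log data.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteRole", "requestParameters": {"roleName": "ams-access-read-only"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy", "requestParameters": {"roleName": "EDI-ingest-worker"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetRole", "requestParameters": {"roleName": "ams-access-admin"}},
]

if __name__ == "__main__":
    for event_name, who, target in find_violations(SAMPLE_EVENTS):
        print(f"ALERT {event_name} on protected {target!r} by {who}")
```

Read-only calls such as GetRole are ignored on purpose; the operators listed in the table assume these roles routinely, and only changes to the roles themselves are of interest here.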