

# Step 2. Onboarding management resources in Accelerate
<a name="acc-get-mgmt-resource-onboard"></a>

This is an overview of the process of onboarding management resources.

**You accept terms**

Your cloud services delivery manager (CSDM) guides you through the acceptance process. You need to accept the Terms and Conditions, select AWS Regions, add-ons, and a Service Level Agreement (SLA).

**You grant permissions to AMS roles**

You need to grant access to AMS processes and to your Cloud Architect. You do this by creating a CloudFormation stack for each role. See [The template to create AMS roles](acc-onb-roles.md) and then [Create `aws_managedservices_onboarding_role` with CloudFormation for Accelerate](acc-onb-create-roles-with-cf.md). For more details see [Access management in AMS Accelerate](acc-access.md).

**AMS reviews your configuration**

Your Cloud Architect (CA) also looks for possible configuration issues in your account, like Service Control Policies (SCPs), and security findings that might prevent AMS from deploying the tools and resources required by AMS. Your CA works with you to help you remediate findings and remove any blockers to the deployment of AMS tools and resources. 

**AMS reviews your AWS CloudTrail trail configurations**

Your Cloud Architect (CA) reviews your CloudTrail trail configurations and confirms whether you want AMS to deploy a global CloudTrail trail, or to integrate Accelerate with your existing CloudTrail account or Organization trail resources. If you choose to have Accelerate integrate with your CloudTrail trail, your CA guides you through the required updates to the configurations of your CloudTrail trail resources.

**AMS deploys management resources**

The AMS team deploys tools and AWS resources to provide the different services of AMS Accelerate. After the deployment completes, the AWS Managed Services account is built and AMS notifies you that your account is active.

This concludes the *Onboarding management resources* stage. You can proceed directly to the next step of the onboarding process: [Step 3. Onboarding AMS features with default policies](acc-get-feature-config.md).

**Note**  
Now that your account is active, you have the option to perform any of these tasks:
+ Create incidents and service requests for AWS infrastructure using the Support Center Console. See [Incident reports, service requests, and billing questions in AMS Accelerate](acc-supp-ex.md).
+ See the conformance status in your account of the AWS Config Rules deployed by AMS. See [Configuration compliance in Accelerate](acc-sec-compliance.md).
+ Locate and analyze GuardDuty and Macie (optional) findings. See [Monitor with GuardDuty](acc-sec-data-protect.md#acc-sec-data-protect-gd).
+ Access and audit CloudTrail logs.
+ Track changes in your AMS Accelerate account. See [Tracking changes in your AMS Accelerate accounts](acc-change-record.md).
+ Use Resource Tagger to create tags. See [Accelerate Resource Tagger](acc-resource-tagger.md).
+ Request Patch, Backup, and AWS Config reports. See [Reports and options](ams-reporting.md).

# Review and update your configurations to enable AMS Accelerate to use your CloudTrail trail
<a name="acc-onb-trail-choices"></a>

AMS Accelerate relies on AWS CloudTrail logging in order to manage audits and compliance for all resources in your account. During onboarding, you choose whether Accelerate deploys a CloudTrail trail in your primary AWS Region or uses events generated by your existing CloudTrail account or Organization trail. If your account does not have a trail configured, then Accelerate will deploy a managed CloudTrail trail during onboarding.

**Important**  
CloudTrail log management configuration is only required when you choose to integrate AMS Accelerate with your CloudTrail account or Organization trail.

## Review your CloudTrail trail configurations, Amazon S3 bucket policy, and AWS KMS key policy for your CloudTrail events delivery destination with your Cloud Architect (CA)
<a name="acc-onb-trail-configuration-process"></a>

Before Accelerate can use your CloudTrail trail, you must work with your Cloud Architect (CA) to review and update your configurations to meet Accelerate requirements. If you choose to integrate Accelerate with your CloudTrail Organization trail, then your CA works with you to update your CloudTrail events delivery destination Amazon S3 bucket and AWS KMS key policies to enable cross-account queries from your Accelerate account. Your Amazon S3 bucket can be in an account that's managed by Accelerate, or an account that you manage. During onboarding, Accelerate validates that queries can be made to your CloudTrail Organization trail events delivery destination, and pauses the onboarding if the queries fail. You work with your CA to correct these configurations so that onboarding can resume.

### Review and update your CloudTrail account or Organization trail configurations
<a name="acc-onb-trail-choices-trail-requirements"></a>

The following configurations are required to integrate Accelerate CloudTrail log management with your CloudTrail account or Organization trail resources:
+ Your CloudTrail trail is configured to log events from all AWS Regions.
+ Your CloudTrail trail has [global service events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events) enabled.
+ Your CloudTrail account or Organization trail logs all [management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#logging-management-events), including [read and write events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#read-write-events-mgmt), and AWS KMS and Amazon RDS Data API event logging is enabled.
+ Your CloudTrail trail has [log file integrity validation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html) enabled.
+ The Amazon S3 bucket your CloudTrail trail delivers events to encrypts objects using either [SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) or [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) encryption.
+ The Amazon S3 bucket your CloudTrail trail delivers events to has [server access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html) enabled.
+ The Amazon S3 bucket your CloudTrail trail delivers events to has a [lifecycle configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-to-set-lifecycle-configuration-intro.html) that retains your CloudTrail trail data for at least 18 months.
+ The Amazon S3 bucket your CloudTrail trail delivers events to has [Object Ownership](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) set to Bucket owner enforced.
+ The Amazon S3 bucket your CloudTrail trail delivers events to is accessible by Accelerate.
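The following script is an added example and is not AMS code: it evaluates the trail and bucket requirements above against CloudTrail and S3 API responses. It works on dicts shaped like the boto3 responses named in the header comment, uses constructed sample responses so it runs offline, and treats 18 months as 548 days (an assumption).

```python
# Added example, not AMS code: checks CloudTrail/S3 API responses (boto3
# describe_trails, get_event_selectors, get_bucket_encryption, get_bucket_logging,
# get_bucket_lifecycle_configuration, get_bucket_ownership_controls shapes)
# against the requirements above. Samples at the bottom are constructed.
MIN_RETENTION_DAYS = 548  # assumption: 18 months taken as 548 days
REQUIRED_SOURCES = {"kms.amazonaws.com", "rdsdata.amazonaws.com"}  # must not be excluded

def check_trail(trail, selectors):
    """Return requirement violations for one trail (empty list = compliant)."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail does not log events from all Regions")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events not enabled")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file integrity validation not enabled")
    # Need one selector logging all read+write management events without excluding KMS/RDS Data API
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               and not REQUIRED_SOURCES & set(s.get("ExcludeManagementEventSources", []))
               for s in selectors):
        findings.append("read and write management events incl. KMS/RDS Data API not logged")
    return findings

def check_bucket(encryption, logging, lifecycle, ownership):
    """Return requirement violations for the CloudTrail delivery bucket."""
    findings = []
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:  # SSE-S3 or SSE-KMS
        findings.append("default encryption is not SSE-S3 or SSE-KMS")
    if "LoggingEnabled" not in logging:
        findings.append("server access logging not enabled")
    enabled = [r for r in lifecycle.get("Rules", []) if r.get("Status") == "Enabled"]
    if not enabled:
        findings.append("no enabled lifecycle rule")
    for r in enabled:  # any expiration shorter than 18 months breaks retention
        days = r.get("Expiration", {}).get("Days")
        if days is not None and days < MIN_RETENTION_DAYS:
            findings.append(f"lifecycle rule {r.get('ID')} expires objects after {days} days")
    owner = ownership.get("OwnershipControls", {}).get("Rules", [{}])[0].get("ObjectOwnership")
    if owner != "BucketOwnerEnforced":
        findings.append("Object Ownership is not Bucket owner enforced")
    return findings

# Constructed samples: trail flags are compliant but KMS events are excluded,
# and the bucket has a 365-day expiration rule, so each check reports one finding.
SAMPLE_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True,
                "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True}
SAMPLE_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                     "ExcludeManagementEventSources": ["kms.amazonaws.com"]}]
SAMPLE_BUCKET = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs"}},
    "lifecycle": {"Rules": [{"ID": "expire", "Status": "Enabled", "Expiration": {"Days": 365}}]},
    "ownership": {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
}
if __name__ == "__main__":
    for finding in check_trail(SAMPLE_TRAIL, SAMPLE_SELECTORS) + check_bucket(**SAMPLE_BUCKET):
        print("FINDING:", finding)
```

To run it against a real account, replace the sample dicts with the corresponding boto3 responses for the trail and its delivery bucket.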

#### Review and update the Amazon S3 bucket policy for your CloudTrail events delivery destination
<a name="acc-onb-trail-choices-bucket-policy"></a>

During onboarding, you work with your Cloud Architect (CA) to add Amazon S3 bucket policy statements to your CloudTrail events delivery destination. To enable your users to query changes in your CloudTrail events delivery destination Amazon S3 bucket from your Accelerate account, you can deploy a uniformly named IAM role in each account in your Organization that Accelerate manages, and add it to the `aws:PrincipalArn` list in all Amazon S3 bucket policy statements. With this configuration, your users can query and analyze your account's CloudTrail Organization trail events in Accelerate using Athena. For more information about how to update an Amazon S3 bucket policy, see [ Adding a bucket policy by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html) in the *Amazon Simple Storage Service User Guide*.

**Important**  
Updating your Amazon S3 bucket policy is required only when Accelerate integrates with a CloudTrail trail that delivers events to a centralized S3 bucket. Accelerate doesn't support integrating with a CloudTrail trail that delivers to a centralized bucket but doesn't have the accounts under an AWS Organization.

**Note**  
Before updating your Amazon S3 bucket policy, replace the *red* fields with applicable values:
+ *amzn-s3-demo-bucket* with the name of the Amazon S3 bucket that contains the trail events from your accounts.
+ *your-organization-id* with the ID of the AWS Organization that your accounts are a member of.
+ *your-optional-s3-log-delivery-prefix* with your CloudTrail trail's Amazon S3 bucket delivery prefix, for example `my-bucket-prefix`, which you might have set when [you created your CloudTrail trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html). If you haven't configured an Amazon S3 bucket delivery prefix for your trail, then remove "*your-optional-s3-log-delivery-prefix*" and the forward slash (`/`) that follows it from the following Amazon S3 bucket policy statements.

The following three Amazon S3 bucket policy statements grant Accelerate access to retrieve the configurations of and run AWS Athena queries to [analyze the CloudTrail events](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-change-record.html) in your events delivery destination Amazon S3 bucket from your Accelerate account.

```
{
    "Sid": "DONOTDELETE-AMS-ALLOWBUCKETCONFIGAUDIT",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": [
        "s3:GetBucketLogging",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetEncryptionConfiguration"
    ],
    "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalOrgID": "your-organization-id"
        },
        "ArnLike": {
            "aws:PrincipalArn": [
                "arn:aws:iam::*:role/ams-access-*"
            ]
        }
    }
},
{
    "Sid": "DONOTDELETE-AMS-ALLOWLISTBUCKET",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:CalledVia": "athena.amazonaws.com"
        },
        "StringLike": {
            "s3:prefix": "your-optional-s3-log-delivery-prefix/AWSLogs/*"
        },
        "StringEquals": {
            "aws:PrincipalOrgID": "your-organization-id"
        },
        "ArnLike": {
            "aws:PrincipalArn": [
                "arn:aws:iam::*:role/ams-access-*"
            ]
        }
    }
},
{
    "Sid": "DONOTDELETE-AMS-ALLOWGETOBJECT",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/your-optional-s3-log-delivery-prefix/AWSLogs/*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:CalledVia": "athena.amazonaws.com"
        },
        "StringEquals": {
            "aws:PrincipalOrgID": "your-organization-id"
        },
        "ArnLike": {
            "aws:PrincipalArn": [
                "arn:aws:iam::*:role/ams-access-*"
            ]
        }
    }
}
```

#### Review and update the AWS KMS key policy for your CloudTrail events delivery destination
<a name="acc-onb-trail-choices-kms-key-policy"></a>

During onboarding, you work with your Cloud Architect (CA) to update the AWS KMS key policy used to encrypt the CloudTrail trail events delivered to your Amazon S3 bucket. Make sure that you append the reference AWS KMS key policy statement to your existing AWS KMS key policy. This configures Accelerate to integrate with your existing CloudTrail trail event delivery destination Amazon S3 bucket and decrypt events. To enable your users to query changes in your CloudTrail events delivery destination Amazon S3 bucket from your Accelerate account, you can deploy a uniformly named IAM role in each account in your Organization that Accelerate manages, and add it to the `aws:PrincipalArn` list. With this configuration, your users can query events.

There are different AWS KMS key policy update scenarios to consider. You might only have an AWS KMS key configured on your CloudTrail trail to encrypt all events, and not have an AWS KMS key that encrypts objects in your Amazon S3 bucket. Or, you might have one AWS KMS key that encrypts events delivered by CloudTrail, and another AWS KMS key that encrypts all objects stored in your Amazon S3 bucket. When you have two AWS KMS keys, you update the AWS KMS key policy for each key to grant Accelerate access to your CloudTrail events. Make sure that you append the reference AWS KMS key policy statement to your existing AWS KMS key policy before you update the policy. For more information about how to update an AWS KMS key policy, see [Changing a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the *AWS Key Management Service User Guide*.

**Important**  
You're required to update your AWS KMS key policy only when Accelerate integrates with a CloudTrail trail with log file SSE-KMS encryption enabled.

**Note**  
Before you apply this AWS KMS key policy statement to the AWS KMS key used to encrypt your AWS CloudTrail events delivered to your Amazon S3 bucket, replace the following *red* field with the applicable value:
+ *YOUR-ORGANIZATION-ID* with the ID of the AWS Organization that your accounts are a member of.

This AWS KMS key policy statement grants Accelerate access to decrypt and query trail events delivered to your Amazon S3 bucket from each account in your Organization, with access restricted to Athena, which Accelerate uses to [query and analyze CloudTrail events](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-change-record.html).

```
{
    "Sid": "DONOTDELETE-AMS-ALLOWTRAILOBJECTDECRYPTION",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:CalledVia": "athena.amazonaws.com"
        },
        "StringEquals": {
            "aws:PrincipalOrgID": "YOUR-ORGANIZATION-ID"
        },
        "ArnLike": {
            "aws:PrincipalArn": [
                "arn:aws:iam::*:role/ams-access-*"
            ]
        }
    }
}
```
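The reference bucket policy statements and the KMS key policy statement above are safe with a wildcard principal only because of their conditions. As an added example that is not part of this guide, the following script audits a bucket policy or key policy after the statements have been pasted in: it flags any Allow statement with a wildcard principal that lacks the `aws:PrincipalOrgID` or `aws:PrincipalArn` guard, grants data access without the `aws:CalledVia` Athena restriction, or still carries the organization ID placeholder. The sample policy, bucket name and organization ID in it are constructed.

```python
# Added example, not AMS code: audits a bucket or KMS key policy after the
# reference statements above are pasted in. Every Allow statement with a
# wildcard principal must be scoped by aws:PrincipalOrgID and aws:PrincipalArn,
# data-access statements must be limited to calls via Athena, and no org-ID
# placeholder may remain. The sample policy at the bottom is constructed.
import json

PLACEHOLDERS = ("your-organization-id", "YOUR-ORGANIZATION-ID")
DATA_ACTIONS = {"s3:ListBucket", "s3:GetObject", "kms:Decrypt"}

def is_wildcard(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def audit_statement(stmt):
    """Return the problems found in one Allow statement with a wildcard principal."""
    problems = []
    if stmt.get("Effect") != "Allow" or not is_wildcard(stmt.get("Principal")):
        return problems  # Deny statements and named principals are out of scope
    cond = stmt.get("Condition", {})
    if not cond.get("StringEquals", {}).get("aws:PrincipalOrgID"):
        problems.append("missing aws:PrincipalOrgID condition")
    if not cond.get("ArnLike", {}).get("aws:PrincipalArn"):
        problems.append("missing aws:PrincipalArn condition")
    actions = stmt.get("Action", [])
    actions = {actions} if isinstance(actions, str) else set(actions)
    via = cond.get("ForAnyValue:StringEquals", {}).get("aws:CalledVia")
    if actions & DATA_ACTIONS and via != "athena.amazonaws.com":
        problems.append("data access not limited to aws:CalledVia athena.amazonaws.com")
    for placeholder in PLACEHOLDERS:  # catches a statement applied before the red fields were replaced
        if placeholder in json.dumps(stmt):
            problems.append(f"placeholder {placeholder} not replaced")
    return problems

def audit_policy(policy):
    """Map each offending statement's Sid (or index) to its list of problems."""
    statements = policy["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    report = {}
    for i, stmt in enumerate(statements):
        problems = audit_statement(stmt)
        if problems:
            report[stmt.get("Sid", f"Statement[{i}]")] = problems
    return report

# Constructed sample: the reference GetObject statement correctly filled in, plus
# a second statement that lacks role scoping and still carries the placeholder.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DONOTDELETE-AMS-ALLOWGETOBJECT", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-trail-logs/AWSLogs/*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": "athena.amazonaws.com"},
                   "StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"},
                   "ArnLike": {"aws:PrincipalArn": ["arn:aws:iam::*:role/ams-access-*"]}}},
    {"Sid": "Unscoped", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:GetBucketLogging"],
     "Resource": "arn:aws:s3:::example-trail-logs/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "your-organization-id"}}}]}
if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```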

# The template to create AMS roles
<a name="acc-onb-roles"></a>

The following AMS role grants permissions to your AMS cloud architect (CA). The zip file linked in the table contains Terraform code and a CloudFormation template that simplify creating the IAM role, its permissions policy, and its trust policy. For more information, consult with your CA.


| Role Name | Required by | Sample Templates | 
| --- |--- |--- |
| `aws_managedservices_onboarding_role` | AMS personnel during onboarding only | [onboarding_role_minimal.zip](samples/onboarding_role_minimal.zip) | 

**Note**  
After you select and download a sample template (one per role), you will upload these as definitions of CloudFormation stacks in [Create `aws_managedservices_onboarding_role` with CloudFormation for Accelerate](acc-onb-create-roles-with-cf.md).

# Create `aws_managedservices_onboarding_role` with CloudFormation for Accelerate
<a name="acc-onb-create-roles-with-cf"></a>

You can create the AWS Identity and Access Management role, `aws_managedservices_onboarding_role`, with CloudFormation from the AWS Management Console. Or, you can use commands from AWS CloudShell to deploy the role. 

## Use the AWS Management Console
<a name="create-role-cf-console"></a>

**Note**  
Before starting, have a JSON or YAML file for each role ready to upload. For more information, see [The template to create AMS roles](acc-onb-roles.md).

To create the role from the AWS Management Console, complete the following steps:

1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

    ![\[CloudFormation Stacks interface showing no stacks and options to create or view guide.\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/images/image1.png)

1. Choose **Create Stack > With new resources (standard)**. You see the following page. 

   ![\[Create stack interface with options to specify template and upload template file.\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/images/image2.png)

1. Choose **Upload a template file**, upload the JSON or YAML file of the IAM role, and then choose **Next**. You see the following page.

   ![\[Form for specifying stack details, including stack name and parameters fields.\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/images/image3.png)

1. Enter the stack name **ams-onboarding-role** in the **Stack Name** field. Enter a **DateOfExpiry** using the format `YYYY-MM-DDT00:00:00Z` (30 days from the current date is recommended). Continue scrolling down and choosing **Next** until you reach this page: 

   ![\[Capabilities section with AWSIAM role requirement and checkbox for custom names.\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/images/image4.png)

1. Make sure the check box is selected, and then choose **Create Stack**.

1. Verify that the stack was created successfully.

## Use commands from AWS CloudShell
<a name="create-role-cf-cli"></a>

To deploy the `aws_managedservices_onboarding_role` IAM role, run the following command in [AWS CloudShell](https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html):

------
#### [ AWS CLI ]

```
curl -s "https://docs.aws.amazon.com/en_us/managedservices/latest/accelerate-guide/samples/onboarding_role_minimal.zip" -o "onboarding_role_minimal.zip"
unzip -q -o onboarding_role_minimal.zip
aws cloudformation create-stack \
    --stack-name "aws-managedservices-onboarding-role" \
    --capabilities CAPABILITY_NAMED_IAM \
    --template-body file://onboarding_role_minimal.json \
    --parameters ParameterKey=DateOfExpiry,ParameterValue="`date -d '+30 days' -u '+%Y-%m-%dT%H:%M:%SZ'`"
```

------
#### [ AWS Tools for PowerShell ]

```
Invoke-WebRequest -Uri 'https://docs.aws.amazon.com/en_us/managedservices/latest/accelerate-guide/samples/onboarding_role_minimal.zip' -OutFile 'onboarding_role_minimal.zip'
Expand-Archive -Path 'onboarding_role_minimal.zip' -DestinationPath . -Force
New-CFNStack `
    -StackName 'aws-managedservices-onboarding-role' `
    -Capability CAPABILITY_NAMED_IAM `
    -TemplateBody (Get-Content 'onboarding_role_minimal.json' -Raw) `
    -Parameter @{ParameterKey = "DateOfExpiry"; ParameterValue = (Get-Date).AddDays(30).ToString('yyyy-MM-ddTHH:mm:ssZ')}
```

------

After you create the role, work with your Cloud Architect (CA) to complete the [Step 2. Onboarding management resources in Accelerate](acc-get-mgmt-resource-onboard.md) process. After AMS informs you that your account is active, you're ready to onboard your instances.