# Service description
<a name="acc-sd"></a>

AMS Accelerate is an operation plan of the AWS Managed Services service for managing operations of your AWS infrastructure.

## AWS Managed Services (AMS) AMS Accelerate operation plan features
<a name="features"></a>

AMS Accelerate offers the following features:
+ **Incident management**:

  Incident management is the process the AMS service uses to respond to your reported incidents.

  AMS Accelerate proactively detects and responds to incidents and assists your team in resolving issues. You can reach out to AMS Accelerate operations engineers 24x7 using AWS Support Center, with response time SLAs depending on the level of response you selected for your account.
+ **Monitoring**:

  Monitoring is the process the AMS service uses to track your resources.

  Accounts enrolled in AMS Accelerate are configured with a baseline deployment of Amazon CloudWatch events and alarms that have been optimized to reduce noise and to identify a possible upcoming incident. After receiving the alerts, the AMS team uses automated remediations, people, and processes, to bring the resources back to a healthy state and engage with your teams when appropriate to provide insights into learnings on the behavior and how to prevent it. If remediation fails, AMS starts the incident management process. You can change the baselines by updating the default configuration file.
+ **Security**:

  Security management is the process the AMS service uses to protect your resources. AWS Managed Services protects your information assets and helps keep your AWS infrastructure secure by using multiple controls, including AWS Config Rules and Amazon GuardDuty.

  AMS Accelerate maintains a library of AWS Config Rules and remediation actions to ensure that all your accounts comply with industry standards for security and operational integrity. AWS Config Rules continuously tracks the configuration change among your recorded resources. If a change violates any rule conditions, AMS reports its findings, and allows you to remediate violations automatically or by request, according to the severity of the violation. AWS Config Rules facilitate compliance with standards set by: the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST) Cloud Security Framework (CSF), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry (PCI) Data Security Standard (DSS).

  In addition, AMS Accelerate leverages Amazon GuardDuty to identify potentially unauthorized or malicious activity in your AWS environment. GuardDuty findings are monitored 24x7 by AMS. AMS collaborates with you to understand the impact of the findings and remediations based on best practice recommendations. AMS also supports Amazon Macie to protect your sensitive data such as personal health information (PHI), personally identifiable information (PII), and financial data. Finally, AMS monitors and triages all Amazon Route 53 Resolver **ALERT** and **BLOCK** events generated in managed accounts to further inspect network traffic and augment its detective capabilities.
+ **Patch management**:

  Patch management is the process the AMS service uses to update your resources.

  For an AWS account with the patch add-on, AWS Managed Services applies and installs vendor updates to Amazon EC2 instances for supported operating systems during your chosen maintenance windows. AMS creates a snapshot of the instance prior to patching, monitors the patch installation, and notifies you of the outcome. If the patch fails, then AMS investigates the failure and recommends a course of action for you to remediate the issue. Or, AMS restores the instance to rollback, if requested. AMS provides reports of patch compliance coverage and advises you of the recommended course of action for your business.
+ **Backup management**:

  AMS uses backup management to take snapshots of your resources.

  AWS Managed Services creates, monitors, and stores snapshots for AWS services supported by AWS Backup. You define the backup schedules, frequency, and retention period by creating AWS Backup plans while onboarding accounts and applications. You associate the plans to resources. AMS tracks all backup jobs, and, when a backup job fails, alerts our team to run a remediation. AMS leverages your snapshots to perform restoration actions during incidents, if needed. AMS provides you with a backup coverage report and a backup status report. 
+ **Problem management**:

  AMS performs trend analysis to identify and investigate problems and to identify the root cause. Problems are remediated either with a workaround or a permanent solution that prevents recurrence of similar future service impact. A post incident report (PIR) may be requested for any "High" incident, upon resolution. The PIR captures the root cause and preventative actions taken, including implementation of preventative measures.
+ **Designated experts**:

  AMS Accelerate also designates a Cloud Service Delivery Manager (CSDM) and a Cloud Architect (CA) to partner with your organization and drive operational and security excellence. Your CSDM and CA provide you guidance during and after configuration and onboarding AMS Accelerate, deliver a monthly report of your operational metrics, and work with you to identify potential cost savings using tools such as AWS Cost Explorer, Cost and Usage Reports, and Trusted Advisor.
+ **Operations tools**:

  AMS Accelerate can provide ongoing operations for your workload's infrastructure in AWS. Our patch, backup, monitoring, and incident management services depend on having resources tagged, and the AWS Systems Manager (SSM) and CloudWatch agents installed and configured on your Amazon EC2 instances with an IAM instance profile that authorizes them to interact with the SSM and Amazon CloudWatch services. AMS Accelerate provides tools like Resource Tagger to help you tag your resources based on rules, and automated instance configuration to install the required agents in your Amazon EC2 instances. If you're following immutable infrastructure practices, you can complete the prerequisites directly in the console or infrastructure-as-code templates.
+ **Cost optimization**:

  AMS Resource Scheduler automates the starting and stopping of Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) instances and Amazon EC2 Auto Scaling groups. AMS Resource Scheduler helps you reduce operational costs by stopping the resources that are not in use and starting them back when their capacity is needed.
+ **Logging and Reporting**:

  AWS Managed Services aggregates and stores logs generated as a result of operations in CloudWatch, CloudTrail, and Amazon VPC Flow Logs. Logging from AMS helps in faster incident resolution and system audits. AMS Accelerate also provides you with a monthly service report that summarizes key performance metrics of AMS, including an executive summary and insights, operational metrics, managed resources, AMS service level agreement (SLA) adherence, and financial metrics around spending, savings, and cost optimization. Reports are delivered by the AMS cloud service delivery manager (CSDM) designated to you.
+ **Service request management**:

  To request information about your managed environment, AMS, or AWS service offerings, submit service requests using the AMS Accelerate console. You can submit a service request for "How to" questions about AWS services and features or to request additional AMS services.

All AMS Accelerate customers start with incident management, monitoring, security monitoring, log recording, prerequisite tools, backup management, and reporting capabilities. You can add the AMS Patch management add-on at an additional price.

**Note**  
 For a list of features not supported in AWS GovCloud (US), see [How AMS Accelerate differs for AWS GovCloud (US)](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ams-acc.html) 

## Supported configurations
<a name="supported-configs"></a>

AMS Accelerate supports the following configurations:
+ Language: English.
+ Regions: See the AWS Regions supported by AWS Managed Services in the [AWS Regional Services](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) webpage.
**Note**  
AWS Regions introduced before March 20, 2019 are considered "Original" Regions and are enabled by default. Regions introduced after this date are "Opt-in" Regions and are disabled by default. If your account uses multiple Regions and you onboard AMS Accelerate to an account with an enabled "Opt-in" Region as the default Region, the AMS Reporting feature is only available in that Region. If you do not set a default Region, the last Region you visited is your default Region.  
To enable a Region, see [Enabling a Region](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable). To set a default Region, see [Choosing a Region](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/select-region.html). For a list of the Opt-in status for each Region, see [Available Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) in the *Amazon Elastic Compute Cloud User Guide*.
+ Operating system architecture (x86-64 or ARM64): any supported by both [Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/prereqs-operating-systems.html) and [CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Install-CloudWatch-Agent.html).
+ Supported operating systems: 
  + AlmaLinux 8.3-8.9, 9.x (AlmaLinux is only supported with x86 architecture)
  + Amazon Linux 2023
  + Amazon Linux 2 (**expected AMS support end date June 30, 2026**)
  + Oracle Linux 9.x, 8.x
  + Red Hat Enterprise Linux (RHEL) 9.x, 8.x
  + SUSE Linux Enterprise Server 15 SP6
  + SUSE Linux Enterprise Server for SAP 15 SP3 and later
  + Microsoft Windows Server 2025, 2022, 2019, 2016
  + Ubuntu 20.04, 22.04, 24.04
+ Supported End of Support (EOS) operating systems:
**Note**  
End of Support (EOS) operating systems are outside of the general support period of the operating system manufacturer and have increased security risk. EOS operating systems are considered supported configurations only if AMS-required agents support the operating system and the following are true:  
you have extended support with the operating system vendor that allows you to receive updates, or 
any instances using an EOS OS follow the [ security controls](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/key-terms.html#CritRec) as specified by AMS in the Accelerate User Guide, or
you comply with any other compensating security controls required by AMS.
In the event AMS is no longer able to support an EOS OS, AMS issues a [Critical Recommendation](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/key-terms.html#CritRec) to upgrade the operating system.  
AMS-required agents may include but are not limited to: AWS Systems Manager, Amazon CloudWatch, Endpoint Security (EPS) agent, and Active Directory (AD) Bridge (Linux only).
  + Ubuntu Linux 18.04
  + SUSE Linux Enterprise Server 15 SP3, SP4, and SP5
  + SUSE Linux Enterprise Server for SAP 15 SP2
  + SUSE Linux Enterprise Server 12 SP5
  + SUSE Linux Enterprise Service for SAP 12 SP5
  + Microsoft Windows Server 2012/2012 R2
  + Red Hat Enterprise Linux (RHEL):7.x
  + Oracle Linux 7.5-7.9
+ If you use AWS Control Tower to manage your multi-account environment, then make sure that you're running the latest version of AWS Control Tower for compatibility with Accelerate. Environments that use AWS Control Tower versions earlier than 2.7 (released in April 2021), aren't supported. For information on how to update AWS Control Tower, see [Update Your Landing Zone](https://docs.aws.amazon.com/controltower/latest/userguide/update-controltower.html).

## Supported services
<a name="acc-supported-services"></a>

AWS Managed Services provides operational management support services for the following AWS services. Each AWS service is distinct and as a result, AMS's level of operational management support varies depending on the nature and characteristics of the underlying AWS service. If you request that AWS Managed Services provide services for any software or service that is not expressly identified as supported in the following list, any AWS Managed Services provided for such customer-requested configurations will be treated as a "Beta Service" under the Service Terms. 
+ Incidents: All AWS services
+ Service request: All AWS services
+ Patching: Amazon EC2
+ Backups and Restoration: All AWS services supported by AWS Backup. For a list of services supported by AWS Backup, see [AWS Backup supported resources](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html#supported-resources).
+ Resource Scheduler: Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) and Amazon EC2 Auto Scaling groups
+ Services monitored for operational events: [Supported checks](tr-supported-checks.md) and Trusted Advisor, Application Load Balancer, Aurora, Amazon EC2, Elastic Load Balancing, Amazon FSx for NetApp ONTAP, Amazon FSx for Windows File Server, NAT gateway (a Network Address Translation (NAT) service), OpenSearch, Health Dashboard, Amazon Redshift, Amazon Relational Database Service (Amazon RDS), Site-to-Site VPN. To learn more about what AMS Accelerate is monitoring as part of a service, see [Alerts from baseline monitoring in AMS ](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/monitoring-default-metrics.html).
+ Services monitored by security Config Rules: AWS Account, GuardDuty, Macie, Amazon API Gateway, AWS Certificate Manager, AWS Config, CloudTrail, CloudWatch, AWS CodeBuild, AWS Database Migration Service, Amazon DynamoDB, Amazon EC2, Amazon ElastiCache, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File System (Amazon EFS), Amazon Elastic Kubernetes Service (Amazon EKS), Elastic Load Balancing, Amazon OpenSearch Service, Amazon EMR, AWS Identity and Access Management (IAM), AWS Key Management Service, AWS Lambda, Amazon Redshift, Amazon Relational Database Service, Amazon S3, Amazon SageMaker AI, AWS Secrets Manager , Amazon Simple Notification Service, AWS Systems Manager, Amazon VPC (Security group, volume, Elastic IP address, VPN connection, Internet gateways), Amazon VPC Flow Logs. For more details, see [Configuration compliance in Accelerate](acc-sec-compliance.md) and [Data protection in Accelerate](acc-sec-data-protect.md). You can find additional AMS security information in our private Security Guide that can be accessed through AWS Artifact, on the **Reports** tab, for AWS Managed Services. 

**Note**  
AMS Accelerate for the Asia Pacific (Malaysia) Region doesn't support monitoring with Amazon Macie, monitoring and incident management for Amazon EKS, or monitoring of Amazon EFS FileSystem, Amazon EC2 NatGateway, and Amazon EKS Cluster resources. It also doesn't support SSM Agent automatic installation.

**Note**  
AMS Accelerate for the Middle East (UAE) Region supports a set of in-scope features as described in the following table. Access to the AMS account console and instances in this Region is driven exclusively by inbound service request triggers. For more information about the availability of Accelerate in the Middle East (UAE) Region, consult your account manager or AWS Cloud Service Delivery Manager (CSDM).


| AMS Accelerate in-scope features for Middle East (UAE) Region | Feature description | 
| --- | --- | 
| Incident Management | AMS provides incident response and assistance to help your team resolve issues. For AMS to assist you with incident management, you need to submit a service request. AMS doesn't proactively detect or respond to incidents in this Region. | 
| Monitoring | After recieving a service request from you, AMS can assist with resource remediation. AMS uses automated remediation, people, and process to bring your resources back to a healthy state. AMS doesn't configure baseline CloudWatch events and alarms in this Region. If you have existing monitoring tools, proactive tracking of your resources might be available based on Cloud Architect (CA) and CSDM assessment. | 
| Security | After recieving a service request from you, AMS can assist with security issue remediation. AMS doesn't deploy security controls such as AWS Config Rules and GuardDuty or monitor security findings in this Region. If you have existing security tools, proactive security monitoring might be available based on CA and CSDM assessment. | 
| Patch Management | AMS can apply vendor updates to Amazon EC2 instances for supported operating systems during chosen maintenance windows, and create pre-patching snapshots. For AMS to assist you with patch management, you need to submit a service request. AMS patch notifications and reports aren't available in this Region. | 
| Backup Management | AMS can create and store snapshots for AWS services supported by AWS Backup, and assist with backup remediation. For AMS to assist you with backup management, you need to submit a service request. AMS doesn't track backup jobs in this Region. | 
| Designated Experts | AMS designates a Cloud Architect (CA) and a Cloud Service Delivery Manager (CSDM) to partner with customer organizations and drive operational and security excellence. | 
| Service Request Management | To request information about your managed environment, AMS, or AWS service offerings, submit service requests through the AMS Accelerate console. You can submit a service request for "How to" questions about AWS services and features, or to request AMS services that are available in this Region, as described in this table. | 

## Roles and responsibilities
<a name="acc-sd-responsibilities"></a>

The AMS Accelerate responsible, accountable, consulted, and informed, or RACI, matrix assigns primary responsibility either to the customer or AMS for a variety of activities. The table describes your (the "Customer") responsibilities versus our ("AMS Accelerate") responsibilities.

The [Scope of changes performed by AMS Accelerate](#acc-scope-changes) section lists the specific circumstances when AMS is authorized to make changes to your account; and some types of changes that AMS never makes.

### AMS Accelerate RACI Matrix
<a name="acc-raci"></a>

AMS Accelerate manages your AWS infrastructure. The following table provides an overview of the roles and responsibilities for you and AMS Accelerate for activities in the lifecycle of an application running within the managed environment.
+ **R** stands for Responsible party that does the work to achieve the task.
+ **C** stands for Consulted; a party whose opinions are sought, typically as subject matter experts; and with whom there is bilateral communication.
+ **I** stands for Informed; a party who is informed on progress, often only on completion of the task.

**Note**  
Some sections contain 'R' for both AMS and Customers. This is because, in the AWS Shared Responsibility model, both AMS and the customers take joint ownership to respond to infrastructure and application issues.

[See the AWS documentation website for more details](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sd.html)

## Scope of changes performed by AMS Accelerate
<a name="acc-scope-changes"></a>

AMS Accelerate only makes changes for the specific purposes and situations described next. AMS makes changes only at the infrastructure level, using the console or APIs. AMS never changes your application, control, or domain layers. You can see any changes made by AMS (or other users) using our set of pre-built queries; to do this, see [Tracking changes in your AMS Accelerate accounts](acc-change-record.md).

**AWS resources**

AMS Accelerate deploys or updates AWS resources only in the following situations:
+ To deploy and update tools and resources required by AMS.
+ As part of AMS monitoring, in response to events and alarms.
+ To remediate security issues as part of [Responses to violations in Accelerate](acc-sec-compliance.md#acc-sec-compliance-responses) (making noncompliant resources conform to security best practices).
+ During remediation and restoration as part of an incident response.
+ When responding to customer requests to configure AMS features, such as the following:
  + Alarm manager
  + Resource tagger
  + Patch baselines and maintenance windows
  + Resource scheduler
  + Backup plans

 AMS Accelerate does not deploy or update resources outside of these situations. If you need help from AMS to make changes in other situations, consider using [Operations on Demand](https://aws.amazon.com/managed-services/features/operations-on-demand/). 

**Operating system software**

AMS Accelerate can make changes to your operating system software during unavailability situations via incident resolution as defined in our [Service Level Agreement](samples/acc_sla.zip). AMS can also make changes to your operating systems as part of [Automated instance configuration in AMS Accelerate](acc-inst-auto-config.md). 

**Application code and configuration**

AMS Accelerate never modifies your code (for example, AWS CloudFormation templates, other infrastructure-as-code templates, or Lambda functions), but can guide your teams on which changes are required to follow best operational and security practices. AMS Accelerate provides troubleshooting assistance for infrastructure issues that impact applications, but AMS Accelerate doesn't access or validate your application configurations.