

# Automated instance configuration changes
<a name="inst-auto-config-changes-made"></a>

The AMS Accelerate instance configuration automation makes the following changes in your account:

1. IAM permissions

   Adds the IAM managed policies required to grant the instance permission to use the agents installed by AMS Accelerate.

1. Agents

   1. The Amazon CloudWatch Agent is responsible for emitting OS logs and metrics. The instance configuration automation ensures that the CloudWatch agent is installed and running the AMS Accelerate minimum version.

   1. The AWS Systems Manager SSM Agent is responsible for running remote commands on the instance. The instance configuration automation ensures that the SSM Agent is running the AMS Accelerate minimum version.

1. CloudWatch Configuration

   1. To ensure that the required metrics and logs are emitted, AMS Accelerate customizes the CloudWatch configuration. For more information, see the following section, [CloudWatch configuration change details](inst-auto-config-details-cw.md).

Automated instance configuration makes changes or additions to your IAM instance profiles and CloudWatch configuration.

# IAM permissions change details
<a name="inst-auto-config-details-iam"></a>

Each managed instance must have an AWS Identity and Access Management role that includes the following managed policies:
+ arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
+ arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
+ arn:aws:iam::aws:policy/AMSInstanceProfileBasePolicy

 The first two are AWS-managed policies. The AMS-managed policy is:

**AMSInstanceProfileBasePolicy**


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:UpdateSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:/ams/byoa/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```


 If your instance already has an attached IAM role, but is missing any of these policies, then AMS adds the missing policies to your IAM role. If your instance doesn't have an IAM role, then AMS attaches the **AMSOSConfigurationCustomerInstanceProfile** IAM role. The **AMSOSConfigurationCustomerInstanceProfile** IAM role has all policies that are required by AMS Accelerate.

**Note**  
If the default instance profile limit of 10 is reached, then AMS increases the limit to 20, so that the required instance profiles can be attached.

# CloudWatch configuration change details
<a name="inst-auto-config-details-cw"></a>

Additional details on the CloudWatch configuration:
+ CloudWatch configuration file location on the instance:
  + Windows: %ProgramData%\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json
  + Linux: /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/ams-accelerate-config.json
+ CloudWatch configuration file location in Amazon S3:
  + Windows: https://ams-configuration-artifacts-*REGION_NAME*.s3.*REGION_NAME*.amazonaws.com/configurations/cloudwatch/latest/windows-cloudwatch-config.json
  + Linux: https://ams-configuration-artifacts-*REGION_NAME*.s3.*REGION_NAME*.amazonaws.com/configurations/cloudwatch/latest/linux-cloudwatch-config.json
+ Metrics collected:
  + Windows:
    + AWS Systems Manager SSM Agent (CPU_Usage)
    + CloudWatch Agent (CPU_Usage)
    + Disk space utilization for all disks (% free space)
    + Memory (% committed bytes in use)
  + Linux:
    + AWS Systems Manager SSM Agent (CPU_Usage)
    + CloudWatch Agent (CPU_Usage)
    + CPU (cpu_usage_idle, cpu_usage_iowait, cpu_usage_user, cpu_usage_system)
    + Disk (used_percent, inodes_used, inodes_total)
    + Diskio (io_time, write_bytes, read_bytes, writes, reads)
    + Mem (mem_used_percent)
    + Swap (swap_used_percent)
+ Logs collected:
  + Windows:
    + AmazonSSMAgentLog
    + AmazonCloudWatchAgentLog
    + AmazonSSMErrorLog
    + AmazonCloudFormationLog
    + ApplicationEventLog
    + EC2ConfigServiceEventLog
    + MicrosoftWindowsAppLockerEXEAndDLLEventLog
    + MicrosoftWindowsAppLockerMSIAndScriptEventLog
    + MicrosoftWindowsGroupPolicyOperationalEventLog
    + SecurityEventLog
    + SystemEventLog
  + Linux:
    + /var/log/amazon/ssm/amazon-ssm-agent.log
    + /var/log/amazon/ssm/errors.log
    + /var/log/audit/audit.log
    + /var/log/cloud-init-output.log
    + /var/log/cloud-init.log
    + /var/log/cron
    + /var/log/dpkg.log
    + /var/log/maillog
    + /var/log/messages
    + /var/log/secure
    + /var/log/spooler
    + /var/log/syslog
    + /var/log/yum.log
    + /var/log/zypper.log
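
The following check is an added example, not part of the AMS documentation or AMS tooling: it compares the CloudWatch agent configuration files found on a Linux instance against the log paths and metrics listed above and reports what is no longer collected. It assumes the standard CloudWatch agent JSON layout (`logs.logs_collected.files.collect_list` and `metrics.metrics_collected`); the function names and the sample configuration are constructed for illustration.

```python
import json

# Linux log files and metrics that this page lists as collected.
EXPECTED_LOGS = {
    "/var/log/amazon/ssm/amazon-ssm-agent.log", "/var/log/amazon/ssm/errors.log",
    "/var/log/audit/audit.log", "/var/log/cloud-init-output.log",
    "/var/log/cloud-init.log", "/var/log/cron", "/var/log/dpkg.log",
    "/var/log/maillog", "/var/log/messages", "/var/log/secure",
    "/var/log/spooler", "/var/log/syslog", "/var/log/yum.log", "/var/log/zypper.log",
}
EXPECTED_METRICS = {
    "cpu": {"cpu_usage_idle", "cpu_usage_iowait", "cpu_usage_user", "cpu_usage_system"},
    "disk": {"used_percent", "inodes_used", "inodes_total"},
    "diskio": {"io_time", "write_bytes", "read_bytes", "writes", "reads"},
    "mem": {"mem_used_percent"},
    "swap": {"swap_used_percent"},
}

def _bare(plugin, name):
    # Assumption: a measurement may be written with or without its plugin prefix.
    return name[len(plugin) + 1:] if name.startswith(plugin + "_") else name

def coverage_gaps(config_texts):
    """Return (missing_logs, missing_metrics) over all config files, merged."""
    logs, metrics = set(), {}
    for text in config_texts:
        cfg = json.loads(text)
        files = cfg.get("logs", {}).get("logs_collected", {}).get("files", {})
        logs |= {e["file_path"] for e in files.get("collect_list", []) if "file_path" in e}
        for plugin, body in cfg.get("metrics", {}).get("metrics_collected", {}).items():
            if not isinstance(body, dict):
                continue  # e.g. procstat is a list of per-process entries
            for m in body.get("measurement", []):
                # Entries are plain strings or objects carrying a "name" key.
                name = m["name"] if isinstance(m, dict) else m
                metrics.setdefault(plugin, set()).add(_bare(plugin, name))
    missing = {p: sorted(n for n in want if _bare(p, n) not in metrics.get(p, set()))
               for p, want in EXPECTED_METRICS.items()}
    return sorted(EXPECTED_LOGS - logs), {p: m for p, m in missing.items() if m}

# Constructed sample (not the real AMS file): audit.log and the swap metric are absent.
_m = {p: {"measurement": sorted(n)} for p, n in EXPECTED_METRICS.items() if p != "swap"}
_m["cpu"]["measurement"][0] = {"name": "usage_idle"}  # object form, no prefix
_m["procstat"] = [{"exe": "amazon-ssm-agent", "measurement": ["cpu_usage"]}]
SAMPLE = json.dumps({
    "logs": {"logs_collected": {"files": {"collect_list": [
        {"file_path": p} for p in sorted(EXPECTED_LOGS - {"/var/log/audit/audit.log"})]}}},
    "metrics": {"metrics_collected": _m},
})
```

Pass the contents of every JSON file in the `amazon-cloudwatch-agent.d` directory as one list, because a path or metric missing from one file may be supplied by another.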