

# Federate your Active Directory with the AMS AWS Identity and Access Management roles
<a name="federate-dir-with-sent-iam-roles"></a>

The purpose of federating your directory with the AMS IAM roles is to enable corporate users to use their corporate credentials to interact with the AWS Management Console and the AWS APIs, and therefore the AMS console and APIs.

# Federation process example
<a name="fed-process-ex"></a>

This example uses Active Directory Federation Services (AD FS); however, any technology that supports AWS Identity and Access Management Federation is supported. For more information on AWS supported IAM federation, see [IAM Partners](https://aws.amazon.com/iam/partners/) and [Identity Providers and Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html). Your CSDM will help you through this process, which involves a joint effort with your AD team and AMS.

For detailed information on integrating SAML for API access, refer to this AWS blog, [How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS](https://blogs.aws.amazon.com/security/post/Tx1LDN0UBGJJ26Q/How-to-Implement-Federated-API-and-CLI-Access-Using-SAML-2-0-and-AD-FS).

**Note**  
For an example that installs the AMS CLI and SAML, see [Appendix: ActiveDirectory Federation Services (ADFS) claim rule and SAML settings](apx-adfs-claim-rule-saml.md).

# Configuring federation to the AMS console (SALZ)
<a name="fed-with-console"></a>

The IAM roles and SAML identity provider (Trusted Entity) detailed in the following table have been provisioned as part of your account onboarding. These roles allow you to submit and monitor RFCs, service requests, and incident reports, as well as get information on your VPCs and stacks.


| Role | Identity Provider | Permissions | 
| --- | --- | --- | 
| Customer_ReadOnly_Role | SAML | For standard AMS accounts. Allows you to submit RFCs to make changes to AMS-managed infrastructure, as well as create service requests and incidents.  | 
| customer_managed_ad_user_role | SAML | For AMS Managed Active Directory accounts. Allows you to log in to the AMS console to create service requests and incidents (no RFCs). | 

For the full list of the roles available under different accounts see [IAM user role in AMS](defaults-user-role.md).

A member of the onboarding team uploads the metadata file from your federation solution to the pre-configured identity provider. You use a SAML identity provider when you want to establish trust between AWS and a SAML-compatible IdP (identity provider), such as Shibboleth or Active Directory Federation Services, so that users in your organization can access AWS resources. SAML identity providers in IAM are used as principals in the IAM trust policy of the roles listed above.

While other federation solutions provide integration instructions for AWS, AMS has separate instructions. Using the following blog post, [Enabling Federation to AWS Using Windows Active Directory, AD FS, and SAML 2.0](https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/), along with the amendments given below, will enable your corporate users to access multiple AWS accounts from a single browser.

After creating the relying party trust as per the blog post, configure the claims rules in the following way:
+ **NameId**: Follow the blog post.
+ **RoleSessionName**: Use the following values:
  + **Claim rule name**: RoleSessionName
  + **Attribute store**: Active Directory
  + **LDAP Attribute**: SAM-Account-Name
  + **Outgoing Claim Type**: https://aws.amazon.com/SAML/Attributes/RoleSessionName
+ Get AD Groups: Follow the blog post.
+ Role claim: Follow the blog post, but for the Custom rule, use this:

  ```
  c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-([\d]{12})-"]
   => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-([\d]{12})-",
   "arn:aws:iam::$1:saml-provider/customer-readonly-saml,arn:aws:iam::$1:role/"));
  ```

  The match requires the group name to start with `AWS-`, followed by the 12-digit account number and a hyphen; the remainder of the group name is used as the role name in the issued ARN.

When using AD FS, you must create Active Directory security groups for each role in the format shown in the following table (customer_managed_ad_user_role is for AMS Managed AD accounts only):


| Group | Role | 
| --- | --- | 
| AWS-[AccountNo]-Customer_ReadOnly_Role | Customer_ReadOnly_Role | 
| AWS-[AccountNo]-customer_managed_ad_user_role | customer_managed_ad_user_role | 
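The following script is an added example, not part of this guide or of any AWS tooling. It mirrors what the custom claim rule above does to a user's AD group names (match `AWS-<12 digits>-`, turn the rest into the role ARN), so you can check a planned group naming scheme offline before touching AD FS, and it flags groups that start with `AWS-` but would silently produce no role claim. It also splits the issued value into the provider and role ARN pair the way a SAML credential helper does before calling `sts:AssumeRoleWithSAML`. The account number and group list are constructed sample values; the provider name `customer-readonly-saml` and the two role names come from the tables on this page.

```python
import re

# Provider name used in the page's claim rule; the account number is a
# constructed 12-digit placeholder, not a real account.
SAML_PROVIDER = "customer-readonly-saml"
SAMPLE_ACCOUNT = "123456789012"

# Same pattern the AD FS custom rule matches: "AWS-", 12 digits, "-",
# case-insensitive. Whatever follows becomes the role name.
GROUP_PREFIX = re.compile(r"^AWS-(\d{12})-", re.IGNORECASE)


def role_claim_from_group(group):
    """Return the Role attribute value the claim rule issues for one AD group,
    or None when the name does not fit the AWS-<AccountNo>-<Role> format."""
    if not GROUP_PREFIX.match(group):
        return None
    # Same substitution the rule performs with RegExReplace.
    return GROUP_PREFIX.sub(
        rf"arn:aws:iam::\1:saml-provider/{SAML_PROVIDER},arn:aws:iam::\1:role/",
        group,
    )


def role_claims(groups):
    """All Role values for a user's group list, one per matching group,
    in the order the groups were supplied."""
    return [claim for claim in map(role_claim_from_group, groups) if claim]


def misnamed_aws_groups(groups):
    """Groups that look intended for AWS (start with 'AWS-') but do not match
    the rule. These yield no role at all, so they are worth flagging."""
    return [
        g for g in groups
        if g.upper().startswith("AWS-") and not GROUP_PREFIX.match(g)
    ]


def parse_role_claim(value):
    """Split a Role value into (provider_arn, role_arn). AWS accepts the two
    ARNs in either order, so identify each part by content, not position."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'arn,arn', got {value!r}")
    providers = [p for p in parts if ":saml-provider/" in p]
    roles = [p for p in parts if ":role/" in p]
    if len(providers) != 1 or len(roles) != 1:
        raise ValueError(f"need one saml-provider ARN and one role ARN: {value!r}")
    return providers[0], roles[0]


if __name__ == "__main__":
    # Constructed group membership for one user.
    groups = [
        "Domain Users",
        f"AWS-{SAMPLE_ACCOUNT}-Customer_ReadOnly_Role",
        f"AWS-{SAMPLE_ACCOUNT}-customer_managed_ad_user_role",
        "AWS-12345678-Customer_ReadOnly_Role",  # account number too short
    ]
    for claim in role_claims(groups):
        print(claim, "->", parse_role_claim(claim))
    print("misnamed:", misnamed_aws_groups(groups))
```

Running the script shows two Role values for the sample user and one flagged group; a user whose only AWS group is misnamed gets an assertion with no Role attribute, which the AWS sign-in page rejects, so this check is a quick way to explain "no role" errors seen in a SAML tracer.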

For further information, see [Configuring SAML Assertions for the Authentication Response](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html).

**Tip**  
To help with troubleshooting, download the SAML tracer plugin for your browser.

# Submitting the federation request to AMS
<a name="fed-with-console-submit"></a>

If this is your first account, work with your CSDM(s) and/or Cloud Architect(s) to provide the metadata XML file for your identity provider.

If you are onboarding an additional account or Identity Provider and have access to either the management account or the desired application account, follow these steps.

1. Create a service request from the AMS console, provide the details necessary to add the identity provider:
   + AccountId of the account where the new identity provider will be created.
   + Desired identity provider name. If none is provided, the default is **customer-saml**; typically, this name must match the settings configured in your federation provider.
   + For existing accounts, include whether the new identity provider should be propagated to all existing console roles or provide a list of roles that should trust the new identity provider.
   + Attach the metadata XML file exported from your federation agent to the service request as a file attachment.

1. From the same account where you created the service request, create a new RFC using CT-ID ct-1e1xtak34nx76 (Management | Other | Other | Create) with the following information.
   + Title: "Onboard SAML IDP <Name> for Account <AccountId>".
   + AccountId of the account where the identity provider will be created.
   + Identity provider name.
   + For Existing Accounts: Whether the identity provider should be propagated to all existing console roles, or the list of roles which should trust the new identity provider.
   + Case ID of service request created in Step 1, where the metadata XML file is attached.

# Verify console access
<a name="verify-console-access"></a>

Once you are set up with Active Directory Federation Services (ADFS) and have the AMS URL to use for authentication, follow these steps.

1. Open a browser window and go to the sign in page provided to you for your account. The ADFS **IdpInitiatedSignOn** page for your account opens. 

1. Select the radio button next to **Sign in to one of the following sites**. The **Sign in** site picklist becomes active. 

1. Choose the **signin.aws.amazon.com** site and click **Sign in**. Options for entering your credentials open.

1. Enter your CORP credentials and click **Sign in**. The AWS Management Console opens.

1. Paste into the location bar the URL of the AMS console and press **Enter**. The AMS console opens.

# Verify API access
<a name="verify-api-access"></a>

AMS uses the AWS API, with some AMS-specific operations that you can read about in the [AMS API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/index.html).

AWS provides several SDKs that you can access at [Tools for Amazon Web Services](https://aws.amazon.com/tools/). If you don't want to use an SDK, you can make direct API calls. For information on authentication, see [Signing AWS API Requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html). If you are not using an SDK or making direct HTTP API requests, you can use the AMS CLIs for Change Management (CM) and SKMS.

# Install the AMS CLIs
<a name="install-cli"></a>

For an example of installing the AWS Managed Services (AMS) CLI to use with SAML, see [Appendix: ActiveDirectory Federation Services (ADFS) claim rule and SAML settings](apx-adfs-claim-rule-saml.md).

If you need temporary access, in order to get and install the AWS Managed Services (AMS) SDKs, see [Temporary AMS console access](https://docs.aws.amazon.com/managedservices/latest/userguide/access-console-temp.html).

**Note**  
You must have administrator credentials for this procedure.

The AWS CLI is a prerequisite for using the AWS Managed Services (AMS) CLIs (Change Management and SKMS).

1. To install the AWS CLI, see [Installing the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/installing.html), and follow the appropriate instructions. Note that at the bottom of that page there are instructions for using different installers, [Linux](https://docs.aws.amazon.com/cli/latest/userguide/awscli-install-linux.html), [MS Windows](https://docs.aws.amazon.com/cli/latest/userguide/awscli-install-windows.html), [macOS](https://docs.aws.amazon.com/cli/latest/userguide/cli-install-macos.html), [Virtual Environment](https://docs.aws.amazon.com/cli/latest/userguide/awscli-install-virtualenv.html), [Bundled Installer (Linux, macOS, or Unix)](https://docs.aws.amazon.com/cli/latest/userguide/awscli-install-bundle.html).

   After the installation, run `aws help` to verify the installation.

1. Once the AWS CLI is installed, to install or upgrade the AMS CLI, download either the AMS **AMS CLI** or **AMS SDK** distributables zip file and unzip. You can access the AMS CLI distributables through the [https://console.aws.amazon.com/managedservices/developerResources](https://console.aws.amazon.com/managedservices/developerResources) link in the left nav of the AMS console.

1. The README file provides instructions for any install.

   Open either:
   + CLI zip: Provides the AMS CLI only.
   + SDK zip: Provides all of the AMS APIs and the AMS CLI.

   For **Windows**, run the appropriate installer (32-bit or 64-bit systems only):
   + 32-bit: **ManagedCloudAPI_x86.msi**
   + 64-bit: **ManagedCloudAPI_x64.msi**

   For **Mac/Linux**, run the file named **AWSManagedServices_InstallCLI.sh** with this command: `sh AWSManagedServices_InstallCLI.sh`. Note that the **amscm** and **amsskms** directories and their contents must be in the same directory as the **AWSManagedServices_InstallCLI.sh** file.

1. If your corporate credentials are used through federation with AWS (the AMS default configuration), you must install a credential management tool that can access your federation service. For example, you can use this AWS Security Blog post, [How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS](https://blogs.aws.amazon.com/security/post/Tx1LDN0UBGJJ26Q/How-to-Implement-Federated-API-and-CLI-Access-Using-SAML-2-0-and-AD-FS), for help configuring your credential management tooling.

1. After the installation, run `aws amscm help` and `aws amsskms help` to see commands and options.

   **Note**  
   The AMS CLI must be installed for these commands to work. To install the AMS API or CLI, go to the AMS console **Developers Resources** page. For reference material on the AMS CM API or AMS SKMS API, see the AMS Information Resources section in the User Guide. You may need to add a `--profile` option for authentication; for example, `aws amsskms ams-cli-command --profile SAML`. You may also need to add the `--region` option, because all AMS commands run out of us-east-1; for example, `aws amscm ams-cli-command --region=us-east-1`.

# Scheduling AMS backups at the VPC level
<a name="schedule-backups"></a>

The AWS Managed Services (AMS) backup schedule for a VPC, where the target instances are allocated, is created during account onboarding as a default tag in the VPC creation schema. The backup system schedules the execution of snapshots based on that VPC tag. You can modify the schedule by creating a service request. For more information, see [VPC Tag and Defaults](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/vpc-tag-and-defaults.html).

For backup defaults, see [Understanding AMS Defaults](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/backup-defaults.html).