

# Why and when AMS accesses your account

AWS Managed Services (AMS) manages your AWS infrastructure and sometimes, for specific reasons, AMS operators and administrators access your account. These access events are documented in your AWS CloudTrail (CloudTrail) logs.

Why, when, and how AMS accesses your account is explained in the following topics.

## AMS customer account access triggers

AMS customer account access activity is driven by triggers. The triggers today are the AWS tickets created in our issues management system in response to Amazon CloudWatch (CloudWatch) alarms and events, and incident reports or service requests that you submit. Multiple service calls and host-level activities might be performed for each access. 

Access justification, the triggers, and the initiator of the trigger are listed in the following table.


**Access Triggers**  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/access-justification.html)

## AMS customer account access IAM roles

When triggered, AMS accesses customer accounts using AWS Identity and Access Management (IAM) roles. Like all activity in your account, the roles and their usage are logged in CloudTrail.

**Important**  
Do not modify or delete these roles.


**IAM roles for AMS access to customer accounts**  
<a name="iam-access-roles-table"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/access-justification.html)
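
The following added example (not AMS or AWS code) shows one way to review role usage in a CloudTrail log file: it groups `sts:AssumeRole` events for a set of watched role names, including denied attempts. The role names are placeholders for the names in the table above, the sample records are constructed, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Placeholder names (assumption): replace with the role names listed in the
# "IAM roles for AMS access to customer accounts" table for your account.
AMS_ROLE_NAMES = {"EXAMPLE_AMS_OPERATOR_ROLE", "EXAMPLE_AMS_ADMIN_ROLE"}

def _rec(time, source, name, role=None, session=None, error=None):
    """Build one constructed CloudTrail record for the sample below."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": "198.51.100.7",
           "userIdentity": {"arn": "arn:aws:sts::444455556666:assumed-role/caller/sess"}}
    if role:
        rec["requestParameters"] = {"roleArn": "arn:aws:iam::111122223333:role/" + role,
                                    "roleSessionName": session}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample in the CloudTrail log-file layout: {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-02T09:15:00Z", "sts.amazonaws.com", "AssumeRole", "EXAMPLE_AMS_OPERATOR_ROLE", "op-b"),
    _rec("2024-05-01T22:40:10Z", "sts.amazonaws.com", "AssumeRole", "EXAMPLE_AMS_OPERATOR_ROLE", "op-a"),
    _rec("2024-05-01T23:00:00Z", "sts.amazonaws.com", "AssumeRole", "app-deploy-role", "ci"),
    _rec("2024-05-02T10:00:00Z", "sts.amazonaws.com", "AssumeRole", "EXAMPLE_AMS_ADMIN_ROLE", "x", "AccessDenied"),
    _rec("2024-05-02T10:05:00Z", "ec2.amazonaws.com", "DescribeInstances"),
]})

def role_name_from_arn(arn):
    """Return the role name from arn:aws:iam::<acct>:role/<path/>name, else None."""
    if not isinstance(arn, str) or ":role/" not in arn:
        return None
    return arn.split(":role/", 1)[1].rsplit("/", 1)[-1]

def ams_role_sessions(log_text, role_names=AMS_ROLE_NAMES):
    """Group sts:AssumeRole events for the watched roles by role name, oldest first."""
    sessions = defaultdict(list)
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        params = rec.get("requestParameters") or {}
        name = role_name_from_arn(params.get("roleArn"))
        if name in role_names:
            sessions[name].append({
                "time": rec.get("eventTime"), "session": params.get("roleSessionName"),
                "caller": (rec.get("userIdentity") or {}).get("arn"),
                "source_ip": rec.get("sourceIPAddress"), "error": rec.get("errorCode")})
    for events in sessions.values():
        events.sort(key=lambda e: e["time"] or "")
    return dict(sessions)

if __name__ == "__main__":
    print(json.dumps(ams_role_sessions(SAMPLE_LOG), indent=2))
```

Each entry's `time` and `session` can be compared against the tickets, incident reports, and service requests that act as access triggers.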

## Requesting instance access


To access a resource, you must first submit a request for change (RFC) for that access. There are two types of access that you can request: admin (read/write permissions) and read-only (standard user access). Access lasts for eight hours, by default. This information is required:
+ Stack ID, or set of stack IDs, for the instance or instances you want to access.
+ The fully qualified domain name of your AMS-trusted domain.
+ The Active Directory username of the person who wants access.
+ The ID of the VPC that contains the stacks you want to access.

Once you've been granted access, you can update the request as needed.

For examples of how to request access, see [Stack Admin Access | Grant](https://docs.aws.amazon.com/managedservices/latest/ctref/management-access-stack-admin-access-grant.html) or [Stack Read-only Access | Grant](https://docs.aws.amazon.com/managedservices/latest/ctref/management-access-stack-read-only-access-grant.html).