

# Customer Managed application accounts


You can create accounts that AMS doesn't manage in the standard way. Those accounts are called Customer Managed accounts and they give you full control to self-operate the infrastructure within the accounts while enjoying the benefits of the centralized architecture managed by AMS. 

Customer Managed accounts do not have access to the AMS console or any of the services we provide (patch, backup, and so on).

Customer Managed accounts can only be provisioned from your AMS multi-account landing zone management account.

Different AMS modes work with Application accounts differently; to learn more about the modes, see [AWS Managed Services modes](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/ams-modes.html).

To create your Customer Managed application account, see [Management account | Create Customer-Managed Application Account](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-managed-management-account-create-customer-managed-application-account.html).

To delete a Customer Managed application account, use [Management account | Offboard Application Account](https://docs.aws.amazon.com/managedservices/latest/ctref/management-managed-management-account-offboard-application-account.html). (The [Confirm Offboarding](https://docs.aws.amazon.com/managedservices/latest/ctref/management-managed-application-account-confirm-offboarding.html) CT does not apply to Customer Managed application accounts.)

# Accessing your Customer Managed account


After you provision a Customer Managed account (CMA) in multi-account landing zone (MALZ), an Admin role, `CustomerDefaultAdminRole`, is present in the account for you to assume, through SAML federation, to configure the account.

To access the CMA:

1. Log in to the IAM console for the management account with the **CustomerDefaultAssumeRole** role.

1. In the IAM console, on the navigation bar, choose your username.

1. Choose **Switch Role**. If this is the first time choosing this option, a page appears with more information. After reading it, choose **Switch Role**. If you clear your browser cookies, this page can appear again.

1. On the **Switch Role** page, type the Customer Managed account ID and the name of the role to assume: **CustomerDefaultAdminRole**.

Now that you have access, you can create new IAM roles to continue to access your environment. If you want to use SAML federation for your CMA, see [Enabling SAML 2.0 federated users to access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html).
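The CLI equivalent of the **Switch Role** steps above, as an added example that is not part of the AMS documentation: from a management-account session, assume `CustomerDefaultAdminRole` in the CMA with `aws sts assume-role` and confirm the resulting principal before making changes. It assumes AWS CLI v2 and a management-account CLI profile named `mgmt` (a hypothetical name) that already holds the `CustomerDefaultAssumeRole` session; the session name is a constructed label that appears in CloudTrail.

```shell
# Added example, not AMS or AWS documentation code.
# Assumes AWS CLI v2 and a hypothetical "mgmt" profile for the management account.

# Build the role ARN for the CMA, refusing anything that is not a 12-digit account ID.
cma_role_arn() {
    account_id="$1"
    role_name="${2:-CustomerDefaultAdminRole}"   # role provisioned by AMS in every CMA
    case "$account_id" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "invalid account id: $account_id" >&2; return 1 ;;
    esac
    printf 'arn:aws:iam::%s:role/%s\n' "$account_id" "$role_name"
}

# Assume the CMA admin role and export short-lived credentials into this shell.
# Usage (source this file first): assume_cma_admin <cma-account-id> [session-name] [source-profile]
assume_cma_admin() {
    role_arn="$(cma_role_arn "$1")" || return 1
    session_name="${2:-cma-admin-$(date +%Y%m%dT%H%M%S)}"   # constructed label, visible in CloudTrail
    source_profile="${3:-mgmt}"                             # hypothetical management-account profile
    creds="$(aws sts assume-role \
        --profile "$source_profile" \
        --role-arn "$role_arn" \
        --role-session-name "$session_name" \
        --duration-seconds 3600 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)" || return 1
    # The three values come back tab-separated on one line.
    AWS_ACCESS_KEY_ID="$(printf '%s' "$creds" | cut -f1)"
    AWS_SECRET_ACCESS_KEY="$(printf '%s' "$creds" | cut -f2)"
    AWS_SESSION_TOKEN="$(printf '%s' "$creds" | cut -f3)"
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    unset AWS_PROFILE
    # Confirm which principal the shell now acts as before touching the account.
    aws sts get-caller-identity --output table
}
```

Because `assume_cma_admin` exports variables into the calling shell, source the file rather than executing it. The temporary credentials expire after the requested hour, which keeps the admin session short-lived in the same way the console switch does.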

# Connecting your CMA with Transit Gateway


AMS does not manage the network setup of Customer Managed accounts (CMAs). You have the option of managing your own network using AWS APIs (see [Networking Solutions](https://aws.amazon.com/solutionspace/networking/)) or connecting to the multi-account landing zone network managed by AMS, using the existing Transit Gateway (TGW) deployed in AMS MALZ.

**Note**  
You can only have a VPC attached to the TGW if the CMA is in the same AWS Region. For more information, see [Transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html).

To add your CMA to Transit Gateway, request a new route with the [Networking account | Add static route (ct-3r2ckznmt0a59)](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-managed-networking-account-add-static-route.html) change type and include this information:
+ **Blackhole**: Set to `true` to indicate that the route's target isn't available; the transit gateway then drops traffic that matches the static route. Set to `false` to route the traffic to the specified TGW attachment ID. The default value is `false`.
+ **DestinationCidrBlock**: The IPv4 CIDR range used for destination matches. Routing decisions are based on the most specific match. Example: `10.0.2.0/24`.
+ **TransitGatewayAttachmentId**: The TGW attachment ID that serves as the route table target. This parameter is required if **Blackhole** is `false`; otherwise, leave it blank. Example: `tgw-attach-04eb40d1e14ec7272`.
+ **TransitGatewayRouteTableId**: The ID of the TGW route table. Example: `tgw-rtb-06ddc751c0c0c881c`.
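An added example, not part of the AMS documentation or the change type itself, that checks the cross-parameter rules above before an Add static route RFC is submitted (a blackhole route carries no attachment, a forwarding route requires one, the CIDR must be a well-formed IPv4 prefix) and then shows which existing route in the TGW route table is currently the most specific match for the destination, so you can tell whether the new route would override or be shadowed by it. It assumes AWS CLI v2 and a Networking-account profile named `networking` (a hypothetical name); the IDs used in the comments are the page's own examples.

```shell
# Added example, not AMS code. Assumes AWS CLI v2 and a hypothetical "networking" profile.

# Return 0 when the argument is a well-formed dotted-quad IPv4 CIDR such as 10.0.2.0/24.
valid_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix="${1%%/*}"; bits="${1#*/}"
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    case "$prefix" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs="$IFS"; IFS=.; set -- $prefix; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Check the CT's parameter rules. Usage:
#   check_static_route_params <Blackhole> <DestinationCidrBlock> <TransitGatewayAttachmentId> <TransitGatewayRouteTableId>
# e.g. check_static_route_params false 10.0.2.0/24 tgw-attach-04eb40d1e14ec7272 tgw-rtb-06ddc751c0c0c881c
check_static_route_params() {
    blackhole="$1"; cidr="$2"; attachment="$3"; route_table="$4"
    valid_ipv4_cidr "$cidr" || { echo "bad DestinationCidrBlock: $cidr" >&2; return 1; }
    case "$route_table" in
        tgw-rtb-[0-9a-f]*) ;;
        *) echo "bad TransitGatewayRouteTableId: $route_table" >&2; return 1 ;;
    esac
    case "$blackhole" in
        true|True)
            # A blackhole route has no target, so an attachment ID here is a contradiction.
            [ -z "$attachment" ] || { echo "Blackhole=true must leave TransitGatewayAttachmentId blank" >&2; return 1; } ;;
        false|False|'')
            # Forwarding routes need a target attachment (the default Blackhole value is false).
            case "$attachment" in
                tgw-attach-[0-9a-f]*) ;;
                *) echo "Blackhole=false requires a TransitGatewayAttachmentId" >&2; return 1 ;;
            esac ;;
        *) echo "Blackhole must be true or false" >&2; return 1 ;;
    esac
}

# Show the route that currently wins for the destination (longest-prefix match) in the
# Networking account's TGW route table. Usage: current_tgw_route <TransitGatewayRouteTableId> <DestinationCidrBlock>
current_tgw_route() {
    aws ec2 search-transit-gateway-routes \
        --profile networking \
        --transit-gateway-route-table-id "$1" \
        --filters "Name=route-search.longest-prefix-match,Values=$2" \
        --query 'Routes[].[DestinationCidrBlock,Type,State,TransitGatewayAttachments[0].TransitGatewayAttachmentId]' \
        --output table
}
```

Run `check_static_route_params` with the four values you intend to put in the RFC, then `current_tgw_route` with the route table ID and CIDR; a `blackhole` state or a more specific existing prefix in the output explains why traffic might not flow even after the RFC is completed.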

**Connecting a new customer-managed VPC to the AMS Multi-Account Landing Zone network (creating a TGW VPC attachment)**:

1. In your multi-account landing zone Networking account, open the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Transit Gateways**. Record the TGW ID of the transit gateway you see.

1. In your Customer Managed account, open the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Transit Gateway Attachments** > **Create Transit Gateway Attachment**. Make these choices:

   1. For the **Transit Gateway ID**, choose the transit gateway ID you recorded in Step 2.

   1. For **Attachment type**, choose **VPC**.

   1. Under **VPC Attachment**, optionally type a name for **Attachment name tag**.

   1. Choose whether to enable **DNS Support** and **IPv6 Support**.

   1. For **VPC ID**, choose the VPC to attach to the transit gateway. This VPC must have at least one subnet associated with it.

   1. For **Subnet IDs**, select one subnet for each Availability Zone to be used by the transit gateway to route traffic. You must select at least one subnet. You can select only one subnet per Availability Zone.

1. Choose **Create attachment**. Record the ID of the newly created TGW Attachment.

 

**Associating the TGW attachment to a route table**:

Decide which TGW route table you want to associate the VPC with. We recommend creating a new application route table for Customer Managed VPCs by submitting a Deployment | Managed landing zone | Networking account | Create transit gateway route table (ct-3dscwaeyi6cup) RFC. To associate the VPC or TGW attachment to the route table you select, submit a Deployment | Managed landing zone | Networking account | Associate TGW attachment (ct-3nmhh0qr338q6) RFC on the Networking account.

 

**Create routes in the TGW route tables to connect to this VPC**:

1. By default, this VPC can't communicate with any of the other VPCs in your Multi-Account Landing Zone network.

1. Decide with your solutions architect which VPCs you want this customer-managed VPC to communicate with. Submit a Deployment | Managed landing zone | Networking account | Add static route (ct-3r2ckznmt0a59) RFC against the Networking account to create the TGW routes you need.

**Note**  
This CT (ct-3r2ckznmt0a59) does not allow adding static routes to the core route table EgressRouteDomain; if your CMA needs to allow egress traffic, submit a Management | Other | Other (MOO) RFC with ct-0xdawir96cy7k.

 

**Configuring your VPC Route tables to point at the AMS Multi-Account Landing Zone transit gateway**:

Decide with your solutions architect what traffic you want to send to the AMS Multi-Account Landing Zone transit gateway. Update your VPC route tables to send that traffic to the TGW attachment created earlier.
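The parts of the procedure above that are performed in your own accounts, as an added CLI example that is not AMS or AWS documentation code: reading the TGW ID from the Networking account, creating the VPC attachment from the CMA while enforcing the one-subnet-per-Availability-Zone rule, and pointing the VPC route table at the transit gateway. Route-table association and TGW static routes still go through the RFCs described above. It assumes AWS CLI v2 and two hypothetical profiles, `networking` (the MALZ Networking account) and `cma` (the Customer Managed account, for example a `CustomerDefaultAdminRole` session); the subnet, VPC and route-table IDs in the comments are constructed.

```shell
# Added example, not AMS or AWS documentation code.
# Assumes AWS CLI v2 and hypothetical profiles "networking" and "cma".

# Enforce "one subnet per Availability Zone" before creating the attachment.
# Takes "subnet-id:az" pairs (constructed example: subnet-0a1b:us-east-1a subnet-0c2d:us-east-1b)
# and prints the bare subnet IDs, space-separated, on success.
one_subnet_per_az() {
    [ $# -ge 1 ] || { echo "at least one subnet is required" >&2; return 1; }
    seen=""; ids=""
    for pair; do
        case "$pair" in *:*) ;; *) echo "expected subnet-id:az, got $pair" >&2; return 1 ;; esac
        subnet="${pair%%:*}"; az="${pair#*:}"
        case " $seen " in *" $az "*) echo "duplicate Availability Zone: $az" >&2; return 1 ;; esac
        seen="$seen $az"
        ids="$ids${ids:+ }$subnet"
    done
    echo "$ids"
}

# Steps 1-2: read the ID of the available TGW from the Networking account.
malz_tgw_id() {
    aws ec2 describe-transit-gateways --profile networking \
        --query 'TransitGateways[?State==`available`].TransitGatewayId' --output text
}

# Steps 3-5: create the VPC attachment from the CMA and wait until it leaves "pending".
# Usage: create_cma_attachment <tgw-id> <vpc-id> <subnet-id:az>...
create_cma_attachment() {
    tgw_id="$1"; vpc_id="$2"; shift 2
    subnets="$(one_subnet_per_az "$@")" || return 1
    attachment_id="$(aws ec2 create-transit-gateway-vpc-attachment --profile cma \
        --transit-gateway-id "$tgw_id" --vpc-id "$vpc_id" \
        --subnet-ids $subnets \
        --options DnsSupport=enable,Ipv6Support=disable \
        --tag-specifications 'ResourceType=transit-gateway-attachment,Tags=[{Key=Name,Value=cma-to-malz}]' \
        --query 'TransitGatewayVpcAttachment.TransitGatewayAttachmentId' --output text)" || return 1
    while :; do
        state="$(aws ec2 describe-transit-gateway-vpc-attachments --profile cma \
            --transit-gateway-attachment-ids "$attachment_id" \
            --query 'TransitGatewayVpcAttachments[0].State' --output text)"
        [ "$state" = pending ] || break
        sleep 10
    done
    # Record this ID: it is the TransitGatewayAttachmentId for the association and route RFCs.
    # A state of pendingAcceptance means the TGW owner (the Networking account) must accept
    # the cross-account attachment (aws ec2 accept-transit-gateway-vpc-attachment) first.
    echo "$attachment_id $state"
}

# Final step: send the agreed destination CIDRs from a VPC route table to the TGW.
# Usage: route_vpc_to_tgw <route-table-id> <tgw-id> <cidr>...
route_vpc_to_tgw() {
    rtb_id="$1"; tgw_id="$2"; shift 2
    for cidr; do
        aws ec2 create-route --profile cma --route-table-id "$rtb_id" \
            --destination-cidr-block "$cidr" --transit-gateway-id "$tgw_id"
    done
}
```

A typical run is `tgw=$(malz_tgw_id)`, then `create_cma_attachment "$tgw" vpc-EXAMPLE subnet-0a1b:us-east-1a subnet-0c2d:us-east-1b`, and, once the association and static-route RFCs are complete, `route_vpc_to_tgw rtb-EXAMPLE "$tgw" 10.0.0.0/8`. Keep the VPC routes as narrow as the traffic you agreed on with your solutions architect; a broad default route toward the TGW sends everything to the MALZ network.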

# Getting operational help with your Customer Managed accounts


AMS can help you operate the workloads you deployed in your Customer Managed accounts by onboarding the account into AMS Accelerate. With AMS Accelerate you can benefit from operational services such as monitoring and alerting, incident management, security management, and backup management, without going through a new migration, experiencing downtime, or changing how you use AWS. AMS Accelerate also offers an optional patch add-on for EC2-based workloads that require regular patching. With AMS Accelerate you continue using, configuring, and deploying all AWS services natively or with your preferred tools, as you do with AMS Advanced Customer Managed accounts. You use your preferred access and change mechanisms while AMS applies proven practices that help scale your team, optimize costs, increase security and efficiency, and improve resiliency. To learn more, see the [Accelerate service description](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sd.html).

To onboard your Customer Managed account into Accelerate, contact your CSDM and follow the steps from [Getting Started with AMS Accelerate](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/getting-started-acc.html).

**Note**  
AMS Accelerate accounts in AMS Advanced do not have AMS change management (requests for change or RFCs) or the AMS Advanced console. Instead, they have the AMS Accelerate console and functionality.