

# Security and compliance
<a name="dcm-security-n-compliance"></a>

Security and compliance is a shared responsibility between AMS Advanced and you, as our customer. AMS Advanced Direct Change mode does not change this shared responsibility.

## Security in Direct Change mode
<a name="dcm-security"></a>

AMS Advanced offers additional value with a prescriptive landing zone, a change management system, and access management. Using Direct Change mode does not change this responsibility model, but it does introduce additional risks that you should be aware of.

The Direct Change mode "Update" role (see [Direct Change mode IAM roles and policies](dcm-get-started.md#dcm-gs-iam-roles-and-policies)) carries elevated permissions that allow any entity with access to it to change the infrastructure resources of AMS-supported services in your account. Because the permissions are elevated, the risk varies with the resource, the service, and the action, and is greatest when an incorrect change is made through oversight, mistake, or a failure to follow your internal process and control framework.

The AMS Technical Standards identify the following risks and make the following recommendations. Detailed information about the AMS Technical Standards is available through AWS Artifact. To access AWS Artifact, contact your CSDM for instructions or go to [Getting Started with AWS Artifact](http://aws.amazon.com/artifact/getting-started).

**AMS-STD-001: Tagging**

<a name="AMS-STD-001"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/dcm-security-n-compliance.html)

**AMS-STD-002: Identity and Access Management (IAM)**


| Standards | Does it break | Risks | Recommendations | 
| --- | --- | --- | --- | 
| 4.7 Actions that bypass the change management process (RFC), such as starting or stopping an instance or creating S3 buckets or RDS instances, must not be permitted. Developer mode accounts and Self-Service Provisioned mode services (SSPS) are exempt as long as the actions stay within the boundaries of the assigned role. | Yes. The purpose of self-service actions is to let you perform actions that bypass the AMS RFC system. | The secure access model is a core technical facet of AMS, and an IAM user with console or programmatic access circumvents this access control. The IAM user's access is not monitored by AMS change management; it is logged in CloudTrail only. | The IAM user's access should be time-bounded, and its permissions should be granted on a least-privilege, need-to-know basis. | 
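
Because actions taken through the Direct Change mode Update role are recorded in CloudTrail but not tracked by AMS change management, the practical control is to watch CloudTrail yourself. The following is an added example, not AMS code: it scans CloudTrail records for the actions that standard 4.7 lists as bypassing the RFC process, keeps only those made with credentials issued by the Update role, and marks any that fall outside an approved change window. The role name `ExampleDcmUpdateRole`, the change window, and the sample records are all constructed for the example; substitute the role name deployed in your account and the windows your RFC system approves.

```python
"""Flag Direct Change mode (DCM) activity that bypasses the AMS RFC process.

Added example, not AMS code. Assumptions (not from the AMS documentation):
  * the DCM "Update" role is identified by the placeholder DCM_UPDATE_ROLE_NAME;
  * approved change windows come from your own RFC/CMDB system and are
    represented here as (start, end) UTC datetimes.
The records at the bottom are constructed CloudTrail events, not real logs.
"""
import json
from datetime import datetime, timezone

DCM_UPDATE_ROLE_NAME = "ExampleDcmUpdateRole"  # placeholder, not a real AMS role name

# (eventSource, eventName) pairs that AMS-STD-002 4.7 lists as RFC-bypassing.
RFC_BYPASS_ACTIONS = {
    ("ec2.amazonaws.com", "StartInstances"),
    ("ec2.amazonaws.com", "StopInstances"),
    ("s3.amazonaws.com", "CreateBucket"),
    ("rds.amazonaws.com", "CreateDBInstance"),
}


def _event_time(record):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2024-05-01T10:15:00Z."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )


def used_dcm_update_role(record):
    """True if the call used temporary credentials issued by the DCM Update role.

    CloudTrail records the originating role under
    userIdentity.sessionContext.sessionIssuer, regardless of the session name.
    """
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("type") == "Role" and issuer.get("userName") == DCM_UPDATE_ROLE_NAME


def in_change_window(when, windows):
    """True if `when` falls inside any approved (start, end) window."""
    return any(start <= when <= end for start, end in windows)


def find_rfc_bypass(records, change_windows):
    """Return one finding per RFC-bypassing action made through the Update role."""
    findings = []
    for rec in records:
        if not used_dcm_update_role(rec):
            continue
        if (rec.get("eventSource"), rec.get("eventName")) not in RFC_BYPASS_ACTIONS:
            continue
        findings.append({
            "eventID": rec["eventID"],
            "eventName": rec["eventName"],
            "principal": rec["userIdentity"].get("arn"),
            "outside_window": not in_change_window(_event_time(rec), change_windows),
        })
    return findings


def _record(event_id, when, source, name, role, session):
    """Build a minimal constructed CloudTrail record for the example."""
    return {
        "eventID": event_id, "eventTime": when, "eventSource": source, "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/{session}",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role}},
        },
    }


# Constructed sample data: one approved window and four events.
CHANGE_WINDOWS = [
    (datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc), datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)),
]
SAMPLE_RECORDS = [
    # Stop inside the approved window via the Update role: flagged, but in window.
    _record("e1", "2024-05-01T10:15:00Z", "ec2.amazonaws.com", "StopInstances", DCM_UPDATE_ROLE_NAME, "alice"),
    # Bucket creation at night via the Update role: flagged and outside the window.
    _record("e2", "2024-05-01T23:05:00Z", "s3.amazonaws.com", "CreateBucket", DCM_UPDATE_ROLE_NAME, "bob"),
    # Read-only call via the Update role: not an RFC-bypassing action.
    _record("e3", "2024-05-01T10:20:00Z", "ec2.amazonaws.com", "DescribeInstances", DCM_UPDATE_ROLE_NAME, "alice"),
    # RDS creation through some other role: not the Update role, so out of scope here.
    _record("e4", "2024-05-01T10:30:00Z", "rds.amazonaws.com", "CreateDBInstance", "SomeOtherRole", "carol"),
]


if __name__ == "__main__":
    print(json.dumps(find_rfc_bypass(SAMPLE_RECORDS, CHANGE_WINDOWS), indent=2))
```

On the sample data the scan returns two findings: the `StopInstances` call inside the window and the `CreateBucket` call outside it. Feed real records from your CloudTrail trail or Lake query in the same shape, and extend `RFC_BYPASS_ACTIONS` with whatever additional actions your control framework treats as change-managed.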

**AMS-STD-003: Network Security**

<a name="AMS-STD-003"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/dcm-security-n-compliance.html)

**AMS-STD-007: Logging**

<a name="AMS-STD-007"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/dcm-security-n-compliance.html)

Work with your internal authorization and authentication team to control the permissions to the Direct Change mode roles accordingly.

## Compliance in Direct Change mode
<a name="dcm-compliance"></a>

Direct Change mode is compatible with both production and non-production workloads. It is your responsibility to ensure adherence to any regulatory or industry standards that apply to you (for example, HIPAA for workloads that handle PHI, or PCI DSS), and to ensure that your use of Direct Change mode complies with your internal control frameworks and standards.