

# Self-Service Provisioning mode in AMS


AWS Managed Services (AMS) Self-Service Provisioning (SSP) mode provides full access to native AWS service and API capabilities in AMS managed accounts. You access services through standardized, scoped-down AWS Identity and Access Management (IAM) roles. AMS provides service requests and incident management. Alerting, monitoring, logging, patching, backup, and change management are your responsibility. In many cases, Self-Service Provisioning services (SSPS) are self-managed or serverless and don't require certain operational tasks, such as patching. You use these services within the environment boundary defined by AMS guardrails, and any IAM change (including service-linked roles, service roles, cross-account roles, or policy updates) must be approved by AMS Operations to maintain the baseline security of the platform. You can use CloudFormation templates to automate deployment of these services, but this isn't supported for all SSP services.

**Important**  
Use SSP mode in your AWS Managed Services (AMS) accounts to access and employ AWS services, with restrictions as noted.

Some AWS services can be used in your AMS account without AMS management. This section describes those Self-Service Provisioning mode services (SSPS for short), how to add them to your AMS account, and FAQs for each.

Self-service provisioning services are offered as is, and you're responsible for managing them. AMS provides no alerts, monitoring, logging, or patching for the resources associated with those services. AMS provides IAM roles that enable you to use the service in your AMS account safely. AMS SLAs do not apply. 

For resources that you provision through self-service, AMS provides incident management, detective controls and guardrails, reporting, designated resources (Cloud Service Delivery Manager and Cloud Architect), security and access, and technical support through service requests. Additionally, where applicable, you assume responsibility for continuity management, patch management, infrastructure monitoring, and change management for resources provisioned or configured outside of the AMS change management system.

# Getting started with SSP mode in AMS


Self-service provisioning is one of the AMS modes for multi-account landing zone (MALZ) that you can employ. For more information, see [Modes overview](ams-modes-ug.md).

To provide self-service provisioning capabilities, AMS has created elevated IAM roles with permission boundaries to limit unintended changes from direct AWS service access. The roles don't prevent all changes and you must adhere to your internal controls and compliance policies, and validate that all AWS services being used meet the required certifications. This is the self-service provisioning mode. For details on AWS compliance requirements, see [AWS Compliance](https://aws.amazon.com/compliance/).

To add a self-service provisioning service to your multi-account landing zone Application account, use the **Management | AWS service | Self-provisioned service | Add** change type (CT), either the review-required CT or the automated CT, as instructed for the service.

**Note**  
To request that AMS provide an additional self-service provisioning service, file a service request.

# Use AMS SSP to provision Amazon API Gateway in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon API Gateway capabilities directly in your AMS managed account. [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html) is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. Using the AWS Management Console you can create REST and WebSocket APIs that act as a front door for applications to access data, business logic, or functionality from your back-end services, such as workloads running on Amazon Elastic Compute Cloud ([Amazon EC2](https://aws.amazon.com/ec2/)), code running on [AWS Lambda](https://aws.amazon.com/lambda/), any web application, or real-time communication applications.

API Gateway handles all the tasks involved in accepting and processing up-to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. API Gateway has no minimum fees or startup costs. You pay only for the API calls you receive and the amount of data transferred out and, with the API Gateway tiered pricing model, you can reduce your cost as your API usage scales. To learn more, see [Amazon API Gateway](https://aws.amazon.com/api-gateway/).

## FAQ: API Gateway in AMS


**Q: How do I request access to Amazon API Gateway in my AMS account?**

Request access to API Gateway by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles to your account: `customer_apigateway_author_role` and `customer_apigateway_cloudwatch_role`. After they're provisioned in your account, you must onboard the roles in your federation solution.

**Q: What are the restrictions to using Amazon API Gateway in my AMS account?**
+ API Gateway configuration is limited to resources without `AMS-` or `MC-` prefixes, to prevent modifications to AMS infrastructure.
+ `CREATE` privileges for VPC links (VPCLink) are disabled, to prevent unregulated creation of Elastic Load Balancers. If you need a VPC link, see [Application Load Balancer | Create](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-advanced-application-load-balancer-create.html).
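The restrictions above, together with the permission-boundary mechanism described under Getting started, are easiest to understand as policy evaluation. The following Python is an added example, not AMS's own policy documents or code. It models a hypothetical permission boundary and a hypothetical identity policy for `customer_apigateway_author_role`, using API Gateway's HTTP-verb IAM actions (`apigateway:POST` on the `/vpclinks` resource is the VPC link CREATE operation), and evaluates a few constructed requests with IAM's explicit-deny-wins, boundary-intersects-identity logic. Conditions, SCPs, session and resource policies are deliberately ignored; the ARNs, account ID and function names are made up.

```python
import fnmatch

# Hypothetical permission boundary attached to the customer_* SSP roles.
# Modelled on the restrictions listed on this page; not AMS's real document.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["apigateway:*", "lambda:*", "logs:*", "cloudwatch:*"],
         "Resource": "*"},
        # Hands off AMS infrastructure: anything with an AMS- or MC- prefix.
        {"Effect": "Deny", "Action": "*",
         "Resource": ["arn:aws:lambda:*:*:function:AMS-*",
                      "arn:aws:lambda:*:*:function:MC-*",
                      "arn:aws:logs:*:*:log-group:AMS-*",
                      "arn:aws:logs:*:*:log-group:MC-*"]},
        # VPC link creation is POST on /vpclinks; denying it stops load
        # balancers being created outside the AMS change types.
        {"Effect": "Deny", "Action": "apigateway:POST",
         "Resource": "arn:aws:apigateway:*::/vpclinks"},
    ],
}

# Hypothetical identity policy for customer_apigateway_author_role.
AUTHOR_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "apigateway:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["lambda:GetFunction", "lambda:AddPermission"],
         "Resource": "arn:aws:lambda:*:*:function:*"},
        # Deliberate over-grant: the boundary never allows iam:*, so this
        # statement grants nothing in practice.
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::*:role/customer_*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request.
    IAM wildcards (* and ?) map onto fnmatch; actions compare case-insensitively."""
    action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                     for p in _as_list(stmt.get("Action", [])))
    resource_hit = any(fnmatch.fnmatchcase(resource, p)
                       for p in _as_list(stmt.get("Resource", [])))
    return action_hit and resource_hit


def _decision(policy, action, resource):
    """'deny' if any matching statement denies, 'allow' if one allows, else None."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects else None


def is_allowed(identity_policy, boundary, action, resource):
    """Simplified IAM evaluation for one request: an explicit Deny in either
    document wins; otherwise BOTH the identity policy and the boundary must
    Allow. Conditions, SCPs, session and resource policies are ignored."""
    decisions = (_decision(identity_policy, action, resource),
                 _decision(boundary, action, resource))
    if "deny" in decisions:
        return False
    return decisions == ("allow", "allow")


# Constructed requests the author role might make (account ID is fake).
REQUESTS = {
    "list_apis": ("apigateway:GET", "arn:aws:apigateway:us-east-1::/restapis"),
    "create_api": ("apigateway:POST", "arn:aws:apigateway:us-east-1::/restapis"),
    "create_vpclink": ("apigateway:POST", "arn:aws:apigateway:us-east-1::/vpclinks"),
    "wire_customer_lambda": ("lambda:AddPermission",
                             "arn:aws:lambda:us-east-1:123456789012:function:orders-backend"),
    "wire_ams_lambda": ("lambda:AddPermission",
                        "arn:aws:lambda:us-east-1:123456789012:function:AMS-patch-hook"),
    "pass_role": ("iam:PassRole", "arn:aws:iam::123456789012:role/customer_lambda_exec"),
    "delete_lambda": ("lambda:DeleteFunction",
                      "arn:aws:lambda:us-east-1:123456789012:function:orders-backend"),
}


def evaluate_requests(identity_policy=AUTHOR_ROLE_POLICY, boundary=BOUNDARY):
    """Map each named request to True (allowed) or False (denied or not allowed)."""
    return {name: is_allowed(identity_policy, boundary, a, r)
            for name, (a, r) in REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_requests().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY'}")
```

Run it directly to print ALLOW or DENY per request. The `iam:PassRole` case is the one to study: the identity policy allows it but the boundary is silent, so the request is not allowed, which is exactly how a boundary caps a role that was granted too much.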

**Q: What are the prerequisites or dependencies to using Amazon API Gateway in my AMS account?**

This depends on the type of API you want to deploy. An API can be standalone, but it can also integrate with existing resources in the account (for instance, a Network Load Balancer), which must already be in place.

# Use AMS SSP to provision Alexa for Business in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Alexa for Business capabilities directly in your AMS managed account. Alexa for Business is a service that enables your organization and employees to use Alexa to get more work done. With Alexa for Business, you can use Alexa as your intelligent assistant to be more productive in meeting rooms, at your desk, and even with the Alexa devices you already use at home or on the go. IT and facilities managers can use Alexa for Business to measure and increase the utilization of the existing meeting rooms in their workplace.

To learn more, see [Alexa for Business](https://aws.amazon.com/alexaforbusiness/).

## Alexa for Business in AWS Managed Services FAQ


**Q: How do I request access to Alexa for Business in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_alexa_console_role`. A `customer_alexa_device_setup_user` is also created for the Device Setup Tool provided by Alexa for Business, which you then use to set up your devices. After they're provisioned in your account, you must onboard the role in your federation solution.

The Alexa for Business gateway enables you to connect Alexa for Business to your Cisco Webex and Poly Group Series endpoints to control meetings with your voice. The gateway software runs on your on-premises hardware and securely proxies conferencing directives from Alexa for Business to your Cisco endpoint. The gateway needs two pairs of AWS credentials to communicate with Alexa for Business. AMS provides two limited-access IAM users for your Alexa for Business gateways, `customer_alexa_gateway_installer_user` for installing the gateway and `customer_alexa_gateway_execution_user` for operating it. Request them by submitting an RFC with the Deployment | Advanced stack components | Identity and Access Management (IAM) | Create entity or policy (managed automation) change type (ct-3dpd8mdd9jn1r).

**Note**  
To generate usage reports and send them to Amazon S3, specify the Amazon S3 bucket name in the self-provisioned service RFC.

**Q: What are the restrictions to using Alexa for Business in my AMS account?**

There are no restrictions. Full functionality of Alexa for Business is available with the Alexa for Business self-provisioned service role.

**Q: What are the prerequisites or dependencies to using Alexa for Business in my AMS account?**
+ If you intend to use WPA2 Enterprise Wi-Fi to set up your shared devices, then specify this network security type in the Device Setup Tool, for which an AWS Private Certificate Authority is required.
+ AMS only creates secret keys whose names start with the "A4B" namespace, and access is restricted to that namespace.

**Q: What Alexa for Business functionality requires separate RFCs?**

To register an Alexa Voice Service (AVS) device with Alexa for Business, you must give access to the Alexa built-in device maker. To do this, an IAM role needs to be created in the Alexa for Business console, which can be deployed using the Management | Other | Other change type. This allows the AVS device maker to register and manage devices with Alexa for Business on your behalf.

# Use AMS SSP to provision Amazon WorkSpaces Applications in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon WorkSpaces Applications (WorkSpaces Applications) capabilities directly in your AMS managed account. WorkSpaces Applications lets you move your desktop applications to AWS, without rewriting them. You can install your applications on WorkSpaces Applications, set launch configurations, and make your applications available to users. WorkSpaces Applications offers a wide selection of virtual machine options so that you can select the instance type that best matches your application requirements, and set the auto-scale parameters so that you can easily meet the needs of your end users. WorkSpaces Applications enables you to launch applications in your own network, which means your applications can interact with your existing AWS resources.

Amazon WorkSpaces Applications enables you to quickly and easily install, test, and update your applications using the image builder. Any application that runs on Microsoft Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019 is supported, and you don’t need to make any modifications. When your testing is complete, you can set application launch configurations, default user settings, and publish your image for users to access.

To learn more, see [WorkSpaces Applications](https://aws.amazon.com/appstream2/).

## WorkSpaces Applications in AWS Managed Services FAQ


**Q: How do I request access to WorkSpaces Applications in my AMS account?**

Request access to WorkSpaces Applications by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_appstream_console_role`.

A `customer_appstream_stream_role` is also deployed to stream applications that require users to be authenticated using their Active Directory login credentials.

Once provisioned in your account, you must onboard the roles in your federation solution.

**Q: What are the restrictions to using WorkSpaces Applications in my AMS account?**
+ The following functionality must be configured by the AMS Support team and requires specific RFCs. Instructions for requesting this functionality are in the separate-RFCs question below.
  + Creating and streaming from interface VPC endpoints.
  + Support for Amazon S3 endpoints for home folders and application settings persistence on a private network.
  + Creating and choosing the IAM role that is available on all fleet streaming instances.
  + Joining WorkSpaces Applications fleets and image builders to Microsoft Active Directory domains.
  + Creating WorkSpaces Applications custom usage reports.
+ Custom branding is currently not supported.

**Q: What are the prerequisites or dependencies to using WorkSpaces Applications in my AMS account?**

While submitting the RFC to onboard WorkSpaces Applications, include the Amazon S3 bucket name to be used for the WorkSpaces Applications usage report. The bucket name is added to the `customer-appstream-usagereports-policy` that is created when WorkSpaces Applications is onboarded.

**Q: What WorkSpaces Applications functionality requires separate RFCs?**
+ To use an interface VPC endpoint for WorkSpaces Applications, submit a Management | Other | Other | Update change type RFC to create a VPC endpoint in your account. For steps to create custom endpoints for WorkSpaces Applications, see [Creating and Streaming from Interface VPC Endpoints](https://docs.aws.amazon.com/appstream2/latest/developerguide/creating-streaming-from-interface-vpc-endpoints.html) in the WorkSpaces Applications user guide.
+ Support for Amazon S3 endpoints for home folders and application settings persistence on a private network can be configured by requesting Amazon S3 VPC endpoints with a Management | Other | Other | Create change type RFC. The RFC must include the target Amazon S3 bucket hosting the home folder contents, or the application settings bucket, respectively. This RFC gives WorkSpaces Applications the permissions it needs to access the Amazon S3 VPC endpoints. For steps to create custom endpoints for streams, see [Using Amazon S3 VPC Endpoints for Home Folders and Application Settings Persistence](https://docs.aws.amazon.com/appstream2/latest/developerguide/managing-network-vpce-iam-policy.html) in the WorkSpaces Applications user guide.
+ To create and choose an IAM role that is available on all fleet streaming instances, submit a Deployment | Advanced stack components | Identity and Access Management (IAM) | Create entity or policy (managed automation) change type (ct-3dpd8mdd9jn1r) RFC requesting the IAM role with the required policy. The IAM role name must start with the prefix `customer_appstream`.
+ WorkSpaces Applications fleets and image builders can be joined to Microsoft Active Directory domains by submitting a Management | Other | Other | Update change type RFC for the creation of a service account in Active Directory (AD). The minimal permissions required to join Microsoft Active Directory are defined in the WorkSpaces Applications documentation at [Granting Permissions to Create and Manage Active Directory Computer Objects](https://docs.aws.amazon.com/appstream2/latest/developerguide/active-directory-admin.html#active-directory-permissions).
+ To create custom WorkSpaces Applications usage reports, submit a Management | Other | Other | Create change type RFC requesting the following:
  + Creation of the `AppStreamUsageReports` CloudFormation stack.
  + Provisioning of the `customer_appstream_usagereports_role` role in the account.
  + Also provide the following details:
    + The cron expression to schedule the AWS Glue crawler run. By default it runs at 23:00 UTC every day.
    + The Amazon S3 bucket ARN to be used for Athena query results. This bucket name must have the prefix `aws-athena-query-results`.
    + The Amazon S3 bucket ARN for the WorkSpaces Applications usage report logs.

  After the role is provisioned, onboard it into your federation solution, log in, and then use AWS Glue and Athena with the usage report role to generate custom reports. For details about using WorkSpaces Applications usage reports, see [Create Custom Reports and Analyze WorkSpaces Applications Usage Data](https://docs.aws.amazon.com/appstream2/latest/developerguide/configure-custom-reports-analyze-usage-data.html) in the WorkSpaces Applications documentation.

# Use AMS SSP to provision Amazon Athena in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Athena (Athena) capabilities directly in your AMS managed account. Athena is an interactive query service that helps you analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run. You point to your data in Amazon S3, define the schema, and start querying using standard SQL. Most results are delivered within seconds. With Athena, there's no need for complex extract-transform-load (ETL) jobs to prepare your data for analysis. This makes it straightforward for anyone with SQL skills to quickly analyze large-scale datasets. To learn more, see [Amazon Athena](https://aws.amazon.com/athena/).

## FAQ: Athena in AMS


**Q: How do I request access to Amazon Athena in my AMS account?**

Request access to Athena by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_athena_console_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon Athena in my AMS account?**

There are no restrictions. Full functionality of Amazon Athena is available in your AMS account.

**Q: What are the prerequisites or dependencies to using Amazon Athena in my AMS account?**

Athena has a major dependency on AWS Glue, because it uses the data catalog (metastore) created with AWS Glue. Therefore, AWS Glue permissions are included in the Athena RFC.

The role `customer_athena_console_role` has a prerequisite for an Amazon S3 bucket. To create a new bucket, use the automated CT `ct-1a68ck03fn98r` (Deployment | Advanced stack components | S3 storage | Create). When you use this automated CT to create an S3 bucket for Athena, the bucket name must begin with the prefix `athena-query-results-`.

# Use AMS SSP to provision Amazon Bedrock in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Bedrock capabilities directly in your AMS managed account. Amazon Bedrock is a fully managed service that makes high-performing foundation models (FMs) from leading AI startups and AWS available for your use through a unified API. You can choose from a wide range of foundation models to find the model that is best suited for your use case. Amazon Bedrock also offers a broad set of capabilities to build generative AI applications with security, privacy, and responsible AI. Using Amazon Bedrock, you can easily experiment with and evaluate top foundation models for your use cases, privately customize them with your data using techniques such as fine-tuning and Retrieval Augmented Generation (RAG), and build agents that execute tasks using your enterprise systems and data sources.

With Amazon Bedrock's serverless experience, you can get started quickly, privately customize foundation models with your own data, and easily and securely integrate and deploy them into your applications using AWS tools without having to manage any infrastructure. For more information, see [Amazon Bedrock](https://aws.amazon.com/bedrock/).

## FAQ: Amazon Bedrock in AMS


**Q: How do I request access to Amazon Bedrock in my AMS account?**

To request access to Amazon Bedrock, submit an RFC with the Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_bedrock_console_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon Bedrock in my AMS account?**
+ Amazon Bedrock knowledge bases aren't supported by default as part of the SSPS role, due to their dependency on Amazon OpenSearch Serverless, which isn't currently supported on AMS.
+ Bedrock Studio isn't supported due to its dependency on unsupported services such as Amazon DataZone.

**Q: What are the prerequisites or dependencies to using Amazon Bedrock in my AMS account?**
+ Third-party model subscriptions that require AWS Marketplace permissions must be done by the default role (`AWSManagedServicesAdminRole` on MALZ and `Customer_ReadOnly_Role` on SALZ). This is because the default role includes AWS Marketplace permissions.
+ If data encryption is used, then you must provide the AWS KMS key ARN when you request creation of the console role. Also, the Amazon S3 bucket in use must have “bedrock” in its name.

# Use AMS SSP to provision Amazon CloudSearch in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon CloudSearch capabilities directly in your AMS managed account. Amazon CloudSearch is a managed service in the AWS Cloud that makes it cost-effective to set up, manage, and scale a search solution for your website or application. Amazon CloudSearch supports 34 languages and popular search features such as highlighting, autocomplete, and geospatial search. To learn more, see [Amazon CloudSearch](https://aws.amazon.com/cloudsearch/).

**Note**  
AWS has closed new customer access to Amazon CloudSearch, effective July 25, 2024. Amazon CloudSearch existing customers can continue to use the service as normal. AWS continues to invest in security, availability, and performance improvements for Amazon CloudSearch, but we do not plan to introduce new features.  
To understand the differences between Amazon CloudSearch and Amazon OpenSearch Service, and how you can transition to OpenSearch Service, reach out to your cloud architect (CA) for guidance. For more information on transitioning to OpenSearch Service, see [Transition from Amazon CloudSearch to Amazon OpenSearch Service](https://aws.amazon.com/blogs/big-data/transition-from-amazon-cloudsearch-to-amazon-opensearch-service/).

## Amazon CloudSearch in AWS Managed Services FAQ


**Q: How do I request access to Amazon CloudSearch in my AMS account?**

Request access to Amazon CloudSearch by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles to your account: `customer_csearch_admin_role` and `customer_csearch_dev_role`. After they're provisioned in your account, you must onboard the roles in your federation solution.

**Q: What are the restrictions to using Amazon CloudSearch in my AMS account?**

Full functionality of Amazon CloudSearch is available in your AMS account. All AMS-supported database solutions can currently be indexed by Amazon CloudSearch, with the exception of DynamoDB, which is currently the only managed AWS database solution that can't be indexed.

**Q: What are the prerequisites or dependencies to using Amazon CloudSearch in my AMS account?**

Amazon CloudSearch depends on Amazon S3, working with identity providers, to automatically analyze input data and determine the index fields. Access to Amazon S3 is not provided with this RFC and must be requested separately in a service request.

# Use AMS SSP to provision Amazon CloudWatch Synthetics in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon CloudWatch Synthetics capabilities directly in your AMS managed account. You can use Amazon CloudWatch Synthetics to create 'canaries' to monitor your endpoints and APIs.

Canaries are configurable scripts, written in Node.js or Python, that run on a schedule. They create Lambda functions in your account that use Node.js or Python as a framework. Canaries work over both HTTP and HTTPS protocols. Canaries check the availability and latency of your endpoints and can store load time data and UI screenshots. They monitor your REST APIs, URLs, and website content, and they can check for unauthorized changes from phishing, code injection and cross-site scripting.

Canaries follow the same routes and perform the same actions as a customer, making it possible for you to continually verify your customer experience even when you don't have any customer traffic on your applications. By using canaries, you can discover issues before your customers do. To learn more, see [ Amazon CloudWatch: Using synthetic monitoring](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html).
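What a canary actually does on each run is small: fetch the endpoint, time it, check the status, and compare the body with a known-good baseline. The following Python is an added example, not code from CloudWatch Synthetics or from AMS. It implements that probe with the standard library so it runs offline against a throw-away local HTTP server serving constructed pages (a healthy page, the same page with an injected script tag, and a missing path). In a real canary the `check_endpoint` logic would run inside the Synthetics Python runtime on the canary's schedule; the local server, page contents and digests here are constructed for the example.

```python
import hashlib
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def check_endpoint(url, expected_sha256=None, latency_budget_s=2.0, timeout_s=5.0):
    """One canary-style probe: fetch the URL, record status and latency, hash
    the body, and compare the hash with a known-good digest. Network and HTTP
    errors are reported as failure reasons rather than raised, so a scheduled
    run always produces a result to alarm on."""
    reasons = []
    status, body = None, b""
    started = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout_s) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:            # server answered 4xx/5xx
        status, body = err.code, err.read()
    except (urllib.error.URLError, OSError) as err:  # DNS/TCP/TLS failure, timeout
        reasons.append(f"request failed: {err}")
    latency = time.monotonic() - started

    if status is not None and not 200 <= status < 300:
        reasons.append(f"unexpected http status {status}")
    if latency > latency_budget_s:
        reasons.append(f"latency {latency:.3f}s over budget {latency_budget_s}s")
    digest = hashlib.sha256(body).hexdigest()
    if expected_sha256 and digest != expected_sha256:
        # A changed digest is how a canary notices injected script tags,
        # defaced or phished pages, or a silently altered API response.
        reasons.append("content digest mismatch")
    return {"ok": not reasons, "status": status, "latency_s": round(latency, 3),
            "sha256": digest, "reasons": reasons}


def serve(pages):
    """Start a throw-away local HTTP server on a free port that answers GET
    requests from a {path: (status, body)} mapping. Returns (base_url, server).
    Exists only so the example runs offline; a real canary probes your endpoint."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = pages.get(self.path, (404, b"not found"))
            self.send_response(status)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *_):  # keep the demo output quiet
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


# Constructed pages: a known-good page and the same page with an injected
# script, which is what a content-integrity canary is meant to catch.
GOOD_PAGE = b"<html><body><h1>Orders</h1><p>All systems nominal.</p></body></html>"
TAMPERED_PAGE = GOOD_PAGE.replace(
    b"</body>", b'<script src="https://evil.example/steal.js"></script></body>')
GOOD_DIGEST = hashlib.sha256(GOOD_PAGE).hexdigest()


def run_demo():
    """Probe a healthy page, a tampered page and a missing page; return the results."""
    base, server = serve({"/": (200, GOOD_PAGE), "/tampered": (200, TAMPERED_PAGE)})
    try:
        return {
            "healthy": check_endpoint(base + "/", GOOD_DIGEST),
            "tampered": check_endpoint(base + "/tampered", GOOD_DIGEST),
            "missing": check_endpoint(base + "/gone", GOOD_DIGEST),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:9s} ok={result['ok']} status={result['status']} "
              f"latency={result['latency_s']}s reasons={result['reasons']}")
```

Pinning a whole-body digest is the simplest integrity check and is brittle for pages with dynamic content; for those, hash only the stable parts (for example the script and link tags) before comparing, and keep the baseline digest in configuration rather than in the canary code.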

## Amazon CloudWatch Synthetics in AWS Managed Services FAQ


**Q: How do I request access to Amazon CloudWatch Synthetics in my AMS account?**

Request access to Amazon CloudWatch Synthetics by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles to your account: `customer_cw_synthetics_console_role` and `customer_cw_synthetics_canary_lambda_role`. After they're provisioned in your account, you must onboard the `customer_cw_synthetics_console_role` role in your federation solution.

**Q: What are the restrictions to using Amazon CloudWatch Synthetics in my AMS account?**

There are no restrictions on the use of Amazon CloudWatch Synthetics in your AMS account, except that creating roles for canaries outside of the AMS-provided service role `customer_cw_synthetics_canary_lambda_role` is prohibited.

**Q: What are the prerequisites or dependencies to using Amazon CloudWatch Synthetics in my AMS account?**

Canaries create and use a default Amazon CloudWatch Synthetics S3 bucket named `cw-syn-results-<accountnumber>-<default-region>`.

# Use AMS SSP to provision Amazon Cognito user pools in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Cognito user pools capabilities directly in your AMS managed account. Amazon Cognito user pools provide a secure user directory that scales to hundreds of millions of users. As a fully managed service, Amazon Cognito user pools can be set up without standing up any server infrastructure. This service enables you to manage a pool of end users that you can integrate with your internal applications, as an alternative to a custom database or directory of end users for web or mobile applications. At the same time, Amazon Cognito user pools provide the full set of directory-service functionality: password policies, multi-factor authentication, password recovery, and self-sign-up. They also allow your application to federate sign-in through popular identity providers such as OpenID Connect providers, Facebook, Amazon, or Google.

Amazon Cognito has two main components: user pools and identity pools (federated identities). This section focuses on user pools. Identity pools, by contrast, provide temporary AWS credentials to access AWS services such as Amazon S3 or DynamoDB, authenticating through a user pool or a third-party identity provider, or by anonymous guest access. Because identity pools grant AWS credentials, they are handled manually on a case-by-case basis as an operations-manual service, to avoid introducing security weaknesses into the account. To learn more, see [Amazon Cognito User Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html).

## Amazon Cognito user pools in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon Cognito user pools in my AMS account?**

Implementation of Amazon Cognito user pools in AMS is a 2 step process:

1. Submit a Management | Other | Other | Create (ct-1e1xtak34nx76) change type and request the creation of the Amazon Cognito user pool in your AMS account. Include the following information:
   + AWS Region.
   + Name for the Cognito user pool.
   + If you want to use Amazon Simple Email Service (Amazon SES) to send messages and notifications instead of the default internal Cognito mail service, provide an email address that is already verified for Amazon SES in the account. This address is used for the "From" and "Reply-To" fields of the message. Also indicate the Region where Amazon SES was activated (us-east-1, eu-west-1, or us-west-2).
   + If you want to use SMS messages for one-time passwords and verification, say so.

1. Request user access by submitting a Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM roles to your account: `customer_cognito_admin_role` and `customer_cognito_importjob_role`. After they're provisioned in your account, you must onboard the roles in your federation solution. These roles allow you to manage the Amazon Cognito user pool, manage users and groups in the pool, create import jobs for users, modify the notification and subscription messages, associate applications with the user pool, add federation providers to the pool yourself, and delete pools that were already created.

**Q: What are the restrictions to using Amazon Cognito user pools in my AMS account?**

You can't create Amazon Cognito user pools yourself. That action requires the creation of IAM roles for the services used by Amazon Cognito, such as Amazon SES and Amazon Simple Notification Service (Amazon SNS).

**Q: What are the prerequisites or dependencies to using Amazon Cognito user pools in my AMS account?**

If you want to use Amazon SES to send email messages and notifications to your user pool, Amazon SES must already be activated in the account, and the email address used in the "From" and "Reply-To" fields of the sent emails must already be verified. For more information about verifying email addresses with Amazon SES, see [Verifying Email Addresses in Amazon SES](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html).

# Use AMS SSP to provision Amazon Comprehend in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Comprehend capabilities directly in your AMS managed account. Amazon Comprehend is a natural language processing (NLP) service that uses machine learning to find insights and relationships in text, no machine learning experience is required. Amazon Comprehend uses machine learning to help you uncover the insights and relationships in your unstructured data. The service identifies the language of the text; extracts key phrases, places, people, brands, or events; understands how positive or negative the text is; analyzes text using tokenization and parts of speech; and automatically organizes a collection of text files by topic. You can also use AutoML capabilities in Amazon Comprehend to build a custom set of entities or text classification models that are tailored uniquely to your organization’s needs. To learn more, see [Amazon Comprehend](https://aws.amazon.com/comprehend/).

## Amazon Comprehend in AWS Managed Services FAQ


**Q: How do I request access to Amazon Comprehend in my AMS account?**

Amazon Comprehend console access is requested through an AMS RFC:

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_comprehend_console_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon Comprehend in my AMS account?**

Create New IAM Role functionality through the Amazon Comprehend console is restricted. Otherwise, full functionality of Amazon Comprehend is available in your AMS account.

**Q: What are the prerequisites or dependencies to using Amazon Comprehend in my AMS account?**

Amazon S3 and AWS Key Management Service (AWS KMS) are required in order to use Amazon Comprehend, if Amazon S3 buckets are encrypted with AWS KMS keys.

# Use AMS SSP to provision Amazon Connect in your AMS account

**Note**  
After careful consideration, we decided to end support for Amazon Connect Voice ID, effective May 20, 2026. Amazon Connect Voice ID will no longer accept new customers beginning May 20, 2025. As an existing customer with an account signed up for the service before May 20, 2025, you can continue to use Amazon Connect Voice ID features. After May 20, 2026, you will no longer be able to use Amazon Connect Voice ID.

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Connect capabilities directly in your AMS managed account. Amazon Connect is an omnichannel cloud contact center that helps companies provide superior customer service at a lower cost. Amazon Connect provides a seamless experience across voice and chat for customers and agents. This includes one set of tools for skills-based routing, powerful real-time and historical analytics, and easy-to-use intuitive management tools – all with pay-as-you-go pricing.

You can create one or more virtual contact center instances in either AMS multi-account landing zone or single-account landing zone accounts. You can use existing SAML 2.0 identity providers for agent access or use Amazon Connect native support for user life cycle management.

Additionally, you can claim toll-free or direct-dial phone numbers for each Amazon Connect instance from the Amazon Connect console. You can create rich contact flows to achieve the desired customer experience and routing using an easy-to-use graphical user interface. The contact flows can leverage AWS Lambda functions to integrate with on-premises data stores and APIs. You can also enable data streaming using Kinesis Streams and Firehose.

The call recordings, chat transcripts, and reports are stored in an Amazon S3 bucket encrypted using an AWS KMS key. The contact flow logs can be saved to CloudWatch log groups.

To learn more, see [Amazon Connect](https://aws.amazon.com/connect/).

## Amazon Connect in AWS Managed Services FAQ


**Q: How do I request access to Amazon Connect in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM roles to your account: `customer_connect_console_role` and `customer_connect_user_role`. After they're provisioned in your account, you must onboard the roles in your federation solution.

**Q: What are the restrictions to using Amazon Connect in my AMS account?**

There are no restrictions. Full functionality of Amazon Connect is available in your AMS account.

**Q: What are the prerequisites or dependencies to using Amazon Connect in my AMS account?**
+ You must create an AWS KMS key and an Amazon S3 bucket using standard AMS RFCs; the Amazon S3 bucket is required for storing call recordings and chat transcripts.
+ If you want to integrate with Active Directory (AD), an AD Connector is required for integration between AMS-hosted Amazon Connect instances and your on-premises directory services. AD Connector can be configured in your account by requesting a Management | Other | Other RFC.
+ You can enable the following optional self-provisioned services based on your contact flow requirements:
  + **AWS Lambda**: You can use Lambda functions to extend the contact flows to leverage existing on-premises data stores or APIs. You can use the Lambda self-provisioned service to create the Lambda functions.
  + **Amazon Kinesis Data Streams**: You can create data streams to enable data streaming to external applications. You can stream contact trace records or agent events.
  + **Amazon Kinesis Data Firehose**: You can create a Data Firehose delivery stream to stream high-volume contact trace records to external applications.
  + **Amazon Lex**: You can leverage Amazon Lex chatbots to create smart contact flows leveraging Amazon Alexa services for a rich customer experience and automation.

**Q: How do I request to add a list of countries for outbound or inbound calls?**

To add a list of countries for outbound or inbound calls, submit a service request to AMS.

# Use AMS SSP to provision Amazon Data Firehose in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Data Firehose capabilities directly in your AMS managed account. Firehose is the easiest way to reliably load streaming data into data lakes, data stores, and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon OpenSearch Service, and [Splunk](https://aws.amazon.com/kinesis/data-firehose/splunk/), enabling near real-time analytics with existing business intelligence tools and dashboards you’re already using today. It is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration. It can also batch, compress, transform, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security. To learn more, see [What Is Amazon Data Firehose?](https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html)

## Firehose in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon Data Firehose in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_kinesis_firehose_user_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Firehose in my AMS account?**

There are no restrictions. Full functionality of Amazon Data Firehose is available in your AMS account.

**Q: What are the prerequisites or dependencies to using Firehose in my AMS account?**

A new service-linked IAM role must be requested for each delivery stream. Alternatively, you can reuse a single service-linked role for all streams by updating the role policy with the required resource permissions (including S3 buckets, KMS keys, Lambda functions, and Kinesis streams).

After you have submitted the RFC to add Firehose, an AMS Operations engineer will reach out to you through a Service Request for the ARNs of resources that you would like to connect with Data Firehose (for example, AWS KMS, S3, Lambda, and Kinesis Streams).

# Use AMS SSP to provision Amazon DevOps Guru in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon DevOps Guru capabilities directly in your AMS managed account. Amazon DevOps Guru is a fully managed operations service that makes it easy for developers and operators to improve the performance and availability of their applications. DevOps Guru lets you offload the administrative tasks associated with identifying operational issues so that you can quickly implement recommendations to improve your application. DevOps Guru creates reactive insights you can use to improve your application now. It also creates proactive insights to help you avoid operational issues that might affect your application in the future. DevOps Guru applies machine learning to analyze your operational data and application metrics and events to identify behaviors that deviate from normal operating patterns. You are notified when DevOps Guru detects an operational issue or risk. For each issue, DevOps Guru presents intelligent recommendations to address current and predicted future operational issues.

To learn more, see [What is Amazon DevOps Guru](https://docs.aws.amazon.com/devops-guru/latest/userguide/welcome.html).

## Amazon DevOps Guru in AWS Managed Services FAQ


**Q: How do I request access to Amazon DevOps Guru in my AMS account?**

To request access, submit a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_devopsguru_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon DevOps Guru in my AMS account?**

There are no restrictions. Full functionality of Amazon DevOps Guru is available in your AMS account.

**Q: What are the prerequisites or dependencies to using Amazon DevOps Guru in my AMS account?**

There are no prerequisites. DevOps Guru leverages the following AWS services: Amazon CloudWatch Logs, RDS Insights, AWS X-Ray, AWS Lambda, and AWS CloudTrail.

# Use AMS SSP to provision Amazon DocumentDB (with MongoDB compatibility) in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon DocumentDB (with MongoDB compatibility) capabilities directly in your AMS managed account. Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly available, and fully managed document database service that supports MongoDB workloads. Amazon DocumentDB gives you the performance, scalability, and availability you need when operating mission-critical MongoDB workloads at scale. Amazon DocumentDB implements the Apache 2.0 open source MongoDB 3.6 API by emulating the responses that a MongoDB client expects from a MongoDB server, allowing you to use your existing MongoDB drivers and tools with Amazon DocumentDB. In Amazon DocumentDB, the storage and compute are decoupled, allowing each to scale independently, and you can increase the read capacity to millions of requests per second by adding up to 15 low latency read replicas, regardless of the size of your data. Amazon DocumentDB is designed for 99.99% availability and replicates six copies of your data across three AWS Availability Zones (AZs). You can use AWS Database Migration Service (DMS) for free (for six months) to migrate your on-premises or Amazon Elastic Compute Cloud (Amazon EC2) MongoDB databases to Amazon DocumentDB with virtually no downtime. To learn more, see [Amazon DocumentDB (with MongoDB compatibility)](https://aws.amazon.com/documentdb/).

## Amazon DocumentDB in AWS Managed Services FAQ


**Q: How do I request access to Amazon DocumentDB in my AMS account?**

Amazon DocumentDB console and data access roles are requested through AMS RFCs:

Request access to Amazon DocumentDB by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_documentdb_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon DocumentDB in my AMS account?**

Amazon DocumentDB requires Amazon RDS-specific permissions. Because AMS fully manages Amazon RDS, the IAM role for Amazon DocumentDB includes some restrictions to actions on Amazon RDS. The following restrictions apply:
+ Access to the `DeleteDBInstance` and `DeleteDBCluster` APIs has been restricted. To use those deletion APIs, submit an RFC with the Management | Advanced stack components | Identity and Access Management (IAM) | Update entity or policy (managed automation) change type (ct-27tuth19k52b4).
+ You can't add or remove tags from Amazon RDS instances.
+ You can't make your Amazon DocumentDB instance public.

**Q: What are the prerequisites or dependencies to using Amazon DocumentDB in my AMS account?**

Amazon S3 and AWS KMS are required in order to use Amazon DocumentDB, if Amazon S3 buckets are encrypted with AWS KMS keys.

# Use AMS SSP to provision Amazon DynamoDB in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon DynamoDB (DynamoDB) capabilities directly in your AMS managed account. Amazon DynamoDB is a key value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multi-region, multi-active database with built-in security, backup and restore, and in-memory caching for internet scale applications. To learn more, see [Amazon DynamoDB](https://aws.amazon.com/dynamodb/).

Amazon DynamoDB Accelerator (DAX) is a write-through caching service that is designed to simplify the process of adding a cache to DynamoDB tables. DAX is intended for applications that require high-performance reads.

## DynamoDB in AWS Managed Services FAQ


**Q: How do I request access to DynamoDB and DAX in my AMS account?**

Request access to DynamoDB and DAX by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles and policies to your account:
+ DynamoDB role name: `customer_dynamodb_role`
+ DAX service role name: `customer_dax_service_role`
+ DynamoDB policy name: `customer_dynamodb_policy`
+ DAX service policy name: `customer_dax_service_policy`

Once provisioned in your account, you must onboard the `customer_dynamodb_role` in your federation solution.

**Q: What are the restrictions to using DynamoDB in my AMS account?**

All DynamoDB functionality is supported, including DynamoDB Accelerator (DAX).

When creating alarms for any given table, the alarm name must be prefixed with "customer-"; for example, `customer-employee-table-high-put-latency`.

When creating an Amazon SNS topic for DynamoDB, it must be named: `dynamodb`.

To delete the Amazon SNS topic created by DynamoDB, submit a Management | Other | Other | Update change type RFC.

**Q: What are the prerequisites or dependencies to using DynamoDB in my AMS account?**

There are no prerequisites or dependencies to use DynamoDB in your AMS account.

# Use AMS SSP to provision Amazon Elastic Container Registry in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Elastic Container Registry (Amazon ECR) capabilities directly in your AMS managed account. Amazon Elastic Container Registry is a fully managed [Docker](https://aws.amazon.com/docker/) container registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon ECR is integrated with [Amazon Elastic Container Service (Amazon ECS)](https://aws.amazon.com/ecs/), simplifying your development to production workflow. Amazon ECR eliminates the need to operate your own container repositories or worry about scaling the underlying infrastructure. Amazon ECR hosts your images in a highly available and scalable architecture, allowing you to reliably deploy containers for your applications. Integration with AWS Identity and Access Management (IAM) provides resource-level control of each repository. With Amazon ECR, there are no upfront fees or commitments. You pay only for the amount of data you store in your repositories and data transferred to the Internet.

To learn more, see [Amazon Elastic Container Registry](https://aws.amazon.com/ecr/).

## Amazon Elastic Container Registry in AWS Managed Services FAQ


**Q: How do I request access to Amazon ECR in my AMS account?**

Request access to Amazon ECR by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles to your account: `customer_ecr_console_role` and `customer_ecr_poweruser_instance_profile`, with the associated IAM policies `customer_ecr_console_policy` and `customer_ecr_poweruser_instance_profile_policy`, respectively. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon ECR in my AMS account?**

There are restrictions around AMS namespaces for the use of Amazon ECR in your AMS account. Container images may not be prefixed with "AMS-" or "Sentinel-".

**Q: What are the prerequisites or dependencies to using Amazon ECR in my AMS account?**

There are no prerequisites or dependencies to use Amazon ECR in your AMS account.

# Use AMS SSP to provision EC2 Image Builder in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access EC2 Image Builder capabilities directly in your AMS managed account. EC2 Image Builder is a fully managed AWS service that makes it easier to automate the creation, management, and deployment of customized, secure, and up-to-date "golden" server images that are pre-installed and pre-configured with software and settings to meet specific IT standards.

You can use the AWS Management Console, AWS CLI, or APIs to create custom images in your AWS account. When you use the AWS Management Console, the Amazon EC2 Image Builder wizard guides you through steps to:
+ Provide starting artifacts
+ Add and remove software
+ Customize settings and scripts
+ Run selected tests
+ Distribute images to AWS Regions

The images you build are created in your account and can be configured for operating system patches on an ongoing basis. To learn more, see [EC2 Image Builder](https://aws.amazon.com/image-builder/).

## EC2 Image Builder in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to EC2 Image Builder in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. Through this RFC, the following IAM role will be provisioned in your account: `customer_ec2_imagebuilder_role`. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions for EC2 Image Builder?**

AMS does not support the use of Service Defaults for infrastructure configuration. You can create a new infrastructure configuration or use an existing one.

AMS does not currently support the creation of container recipes.

**Q: What are the prerequisites or dependencies to enable EC2 Image Builder?**
+ EC2 Image Builder service-linked role: You don't need to manually create a service-linked role. When you create your first Image Builder resource in the AWS Management Console, the AWS CLI, or the AWS API, Image Builder creates the service-linked role for you.
+ Instances used to build images and run tests using Image Builder must have access to the Systems Manager service. The SSM Agent will be installed on the source image if it is not already present, and it will be removed before the image is created.
+ AWS IAM: The IAM role that you associate with your instance profile must have permissions to run the build and test components included in your image. The following IAM role policies must be attached to the IAM role that is associated with the instance profiles: `EC2InstanceProfileForImageBuilder` and `AmazonSSMManagedInstanceCore`. The IAM role name should contain the `*imagebuilder*` keyword. 
+ If you configure logging, the instance profile specified in your infrastructure configuration must have `s3:PutObject` permissions for the target bucket (`arn:aws:s3:::{bucket-name}/*`). For example:

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:PutObject"
              ],
              "Resource": "arn:aws:s3:::{bucket-name}/*"
          }
      ]
  }
  ```
+ Create an SNS topic named `imagebuilder` to receive alerts and notifications from EC2 Image Builder.

# Use AMS SSP to provision Amazon ECS on AWS Fargate in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon ECS on AWS Fargate capabilities directly in your AMS managed account. AWS Fargate is a technology that you can use with Amazon ECS to run containers (see [Containers on AWS](https://aws.amazon.com/what-are-containers)) without having to manage servers or clusters of Amazon EC2 instances. With AWS Fargate, you no longer have to provision, configure, or scale, clusters of virtual machines to run containers. This removes the need to choose server types, decide when to scale your clusters, or optimize cluster packing.

To learn more, see [Amazon ECS on AWS Fargate](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html).

## Amazon ECS on Fargate in AWS Managed Services FAQ


**Q: How do I request access to Amazon ECS on Fargate in my AMS account?**

Request access to Amazon ECS on Fargate by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles to your account: `customer_ecs_fargate_console_role` (if no existing IAM role is provided to associate the ECS policy to), `customer_ecs_fargate_events_service_role`, `customer_ecs_task_execution_service_role`, `customer_ecs_codedeploy_service_role`, and `AWSServiceRoleForApplicationAutoScaling_ECSService`. Once provisioned in your account, you must onboard the roles in your federation solution.

**Q: What are the restrictions to using Amazon ECS on Fargate in my AMS account?**
+ Amazon ECS task monitoring and logging are considered your responsibility since container-level activities occur above the hypervisor, and logging capabilities are limited by Amazon ECS on Fargate. As a user of Amazon ECS on Fargate, we recommend that you take the necessary steps to enable logging on your Amazon ECS tasks. For more information, see [Enabling the awslogs Log Driver for Your Containers](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html#enable_awslogs).
+ Security and malware protection at the container level are also considered to be your responsibility. Amazon ECS on Fargate doesn't include Trend Micro or preconfigured network security components.
+ This service is available for both multi-account landing zone and single-account landing zone AMS accounts.
+ Amazon ECS [Service Discovery](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html) is restricted by default in the self-provisioned role since elevated permissions are required to create Route 53 private hosted zones. To enable Service Discovery on a service, submit a Management | Other | Other | Update change type. To provide the information required to enable Service Discovery for your Amazon ECS service, see the [Service Discovery manual](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html).
+ AMS does not currently manage or restrict images used to deploy containers onto Amazon ECS on Fargate. You can deploy images from Amazon ECR, Docker Hub, or any other private image repository. Therefore, we advise that public or otherwise unsecured images not be deployed, since they may result in malicious activity in the account.
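The two restrictions above (logging is your responsibility, and AMS does not restrict where images come from) are things you can check before a task definition is registered. The following is an added example, not AMS or Amazon ECS code: it audits a task definition in the JSON shape that `RegisterTaskDefinition` accepts, flagging containers that do not use the `awslogs` driver and images that are not pulled from a registry you trust. The task definition, the account ID and the registry list are constructed sample values.

```python
"""Pre-registration audit of an Amazon ECS task definition (added example).

Checks two things the AMS FAQ leaves to the customer:
  1. every container ships logs through the awslogs driver, and
  2. every image comes from an explicitly trusted registry
     (an unqualified name such as "nginx:latest" resolves to Docker Hub).
"""
from typing import Dict, List

# Constructed sample: one well-configured container and one that is not.
# 123456789012 is a placeholder account ID, not a real account.
TRUSTED_REGISTRIES = ["123456789012.dkr.ecr.us-east-1.amazonaws.com"]

SAMPLE_TASKDEF: Dict = {
    "family": "example-app",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/example/api:1.2.0",
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "/ecs/example-app",
                    "awslogs-region": "us-east-1",
                    "awslogs-stream-prefix": "api",
                },
            },
        },
        {
            # No logConfiguration and an unqualified public image.
            "name": "sidecar",
            "image": "nginx:latest",
        },
    ],
}


def image_registry(image: str) -> str:
    """Return the registry host of an image reference.

    Docker resolution rule: the first path component is a registry only if
    it contains a '.' or ':' or is 'localhost'; otherwise the image lives
    on Docker Hub (docker.io).
    """
    first = image.split("/", 1)[0]
    if "/" not in image:
        return "docker.io"
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def audit_task_definition(taskdef: Dict, trusted_registries: List[str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: List[str] = []
    for container in taskdef.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")

        # 1. Logging: require the awslogs driver with its mandatory options.
        logcfg = container.get("logConfiguration") or {}
        if logcfg.get("logDriver") != "awslogs":
            findings.append(f"{name}: no awslogs log driver configured")
        else:
            options = logcfg.get("options", {})
            for key in ("awslogs-group", "awslogs-region"):
                if key not in options:
                    findings.append(f"{name}: awslogs option '{key}' missing")

        # 2. Image provenance: only registries on the allow list.
        image = container.get("image", "")
        registry = image_registry(image)
        if registry not in trusted_registries:
            findings.append(f"{name}: image '{image}' is pulled from untrusted registry {registry}")
    return findings


if __name__ == "__main__":
    for finding in audit_task_definition(SAMPLE_TASKDEF, TRUSTED_REGISTRIES):
        print(finding)
```

Run against the constructed sample, the `api` container passes and the `sidecar` container produces two findings (missing log driver, image from `docker.io`). To use it on a real definition, feed it the output of `aws ecs describe-task-definition` (the `taskDefinition` object) and your account's ECR hostname.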

**Q: What are the prerequisites or dependencies to using Amazon ECS on Fargate in my AMS account?**
+ The following are dependencies of Amazon ECS on Fargate; however, no additional action is required to enable these services with your self-provisioned role:
  + CloudWatch logs
  + CloudWatch events
  + CloudWatch alarms
  + CodeDeploy
  + App Mesh
  + Cloud Map
  + Route 53
+ Depending on your use case, the following are resources that Amazon ECS relies on, and may require prior to using Amazon ECS on Fargate in your account:
  + Security group to be used with the Amazon ECS service. You can use the Deployment | Advanced stack components | Security Group | Create (auto) (ct-3pc215bnwb6p7) change type, or, if your security group requires special rules, use Deployment | Advanced stack components | Security Group | Create (managed automation) (ct-1oxx2g2d7hc90). Note: The security group you select for Amazon ECS has to be created specifically for Amazon ECS, in the VPC where the Amazon ECS service or cluster resides. You can learn more in the **Security Group** section at [Setting Up with Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html) and [Security in Amazon Elastic Container Service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security.html).
  + Application load balancer (ALB), network load balancer (NLB), classic load balancer (ELB) for load balancing between tasks.
  + Target Groups for ALBs.
  + App mesh resources (for instance, Virtual Routers, Virtual Services, Virtual Nodes) to integrate with your Amazon ECS Cluster.
+ Currently, there is no way for AMS to automatically mitigate risk associated with supporting security groups' permissions when created outside of the standard AMS change types. We recommend that you request a specific security group for use with your Fargate cluster to limit the possibility of using a security group not designated for the use with Amazon ECS.

# Use AMS SSP to provision Amazon EKS on AWS Fargate in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon EKS on AWS Fargate capabilities directly in your AMS managed account. AWS Fargate is a technology that provides on-demand, right-sized compute capacity for containers (to understand containers, see [What are Containers?](https://aws.amazon.com/what-are-containers)). With AWS Fargate, you no longer have to provision, configure, or scale groups of virtual machines to run containers. This removes the need to choose server types, decide when to scale your node groups, or optimize cluster packing.

Amazon Elastic Kubernetes Service (Amazon EKS) integrates Kubernetes with AWS Fargate by using controllers that are built by AWS using the upstream, extensible model provided by Kubernetes. These controllers run as part of the Amazon EKS-managed Kubernetes control plane and are responsible for scheduling native Kubernetes pods onto Fargate. The Fargate controllers include a new scheduler that runs alongside the default Kubernetes scheduler in addition to several mutating and validating admission controllers. When you start a pod that meets the criteria for running on Fargate, the Fargate controllers running in the cluster recognize, update, and schedule the pod onto Fargate.

To learn more, see [Amazon EKS on AWS Fargate Now Generally Available](https://aws.amazon.com/blogs/aws/amazon-eks-on-aws-fargate-now-generally-available/) and [Amazon EKS Best Practices Guide for Security](https://aws.github.io/aws-eks-best-practices/security/docs/) (includes "Recommendations" such as "Review and revoke unnecessary anonymous access" and more).

**Tip**  
AMS has a change type, Deployment | Advanced stack components | Identity and Access Management (IAM) | Create OpenID Connect provider (ct-30ecvfi3tq4k3), that you can use with Amazon EKS. For an example, see [Identity and Access Management (IAM) | Create OpenID Connect Provider](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-advanced-identity-and-access-management-iam-create-openid-connect-provider.html).

## Amazon EKS on AWS Fargate in AWS Managed Services FAQ


**Q: How do I request access to Amazon EKS on Fargate in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM roles to your account:
+ `customer_eks_fargate_console_role`: after it's provisioned in your account, you must onboard this role in your federation solution.
+ The following service roles give Amazon EKS on Fargate permission to call other AWS services on your behalf:
  + `customer_eks_pod_execution_role`
  + `customer_eks_cluster_service_role`

**Q: What are the restrictions to using Amazon EKS on Fargate in my AMS account?**
+ Creating [managed](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) or [self-managed](https://docs.aws.amazon.com/eks/latest/userguide/worker.html) EC2 node groups is not supported in AMS. If you have a requirement for using EC2 worker nodes, reach out to your AMS Cloud Service Delivery Manager (CSDM) or Cloud Architect (CA).
+ AMS does not include Trend Micro or preconfigured network security components for container images. You are expected to manage your own image scanning services to detect malicious container images prior to deployment.
+ EKSCTL is not supported due to CloudFormation interdependencies.
+ During cluster creation, you have permissions to disable cluster control plane logging. For more information, see [Amazon EKS control plane logging](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). We advise that you enable all important API, Authentication, and Audit logging on cluster creation.
+ During cluster creation, cluster endpoint access for Amazon EKS clusters defaults to public; for more information, see [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html). We recommend that Amazon EKS endpoints be set to private. If public access to the endpoint is required, then it's a best practice to allow it only from specific CIDR ranges.
+ AMS doesn't have a method to force and restrict images used to deploy to containers on Amazon EKS Fargate. You can deploy images from Amazon ECR, Docker Hub, or any other private image repository. Therefore, there is a risk of deploying a public image that might perform malicious activity on the account.
+ Deploying EKS clusters through the cloud development kit (CDK) or CloudFormation Ingest isn't supported in AMS.
+ You must create the required security group using [ct-3pc215bnwb6p7 Deployment | Advanced stack components | Security group | Create](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-advanced-security-group-create.html) and reference it in the manifest file for ingress creation. This is because the role `customer-eks-alb-ingress-controller-role` isn't authorized to create security groups.

**Q: What are the prerequisites or dependencies to using Amazon EKS on Fargate in my AMS account?**

In order to use the service, the following dependencies must be configured:
+ For authenticating against the service, both kubectl and aws-iam-authenticator must be installed; for more information, see [Managing cluster authentication](https://docs.aws.amazon.com/eks/latest/userguide/managing-auth.html).
+ Kubernetes relies on a concept called "service accounts." In order to use the service account functionality inside a Kubernetes cluster on EKS, a Management | Other | Other | Update RFC is required with the following inputs:
  + [Required] Amazon EKS Cluster name
  + [Required] Amazon EKS Cluster namespace where service account (SA) will be deployed.
  + [Required] Amazon EKS Cluster SA name.
  + [Required] IAM Policy name and permissions/document to be associated.
  + [Required] IAM Role name being requested.
  + [Optional] OpenID Connect provider URL. For more information, see
    + [Enabling IAM roles for service accounts on your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)
    + [Introducing fine-grained IAM roles for service accounts](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/)
+ We recommend that Config rules be configured and monitored for
  + Public cluster endpoints
  + Disabled API logging

  It is your responsibility to monitor and remediate these Config rules.

If you want to deploy an [ALB Ingress controller](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html), submit a Management | Other | Other | Update RFC to provision the necessary IAM role to be used with the ALB Ingress Controller pod. The following inputs are required for creating IAM resources to be associated with the ALB Ingress Controller (include these with your RFC):
+ [Required] Amazon EKS Cluster name
+ [Optional] OpenID Connect provider URL
+ [Optional] Amazon EKS Cluster namespace where the application load balancer (ALB) ingress controller service will be deployed. [default: kube-system]
+ [Optional] Amazon EKS Cluster service account (SA) name. [default: aws-load-balancer-controller]
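As an added illustration that is not part of the AMS documentation, a role requested through either RFC above is normally bound to a single Kubernetes service account by an IAM roles for service accounts (IRSA) trust policy of this shape. The account ID, Region and OIDC provider ID are placeholders; the namespace and SA name are the ALB Ingress Controller defaults listed above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustClusterOidcProviderForOneServiceAccountOnly",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com",
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"
        }
      }
    }
  ]
}
```

Without the `:sub` condition, any pod in the cluster whose service account can obtain a token from this OIDC provider could assume the role, so check that the value matches the namespace and SA name in your RFC exactly.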

If you want to enable envelope encryption of secrets in your cluster (which we recommend), provide the KMS key IDs you intend to use in the description field of the RFC to add the service (Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct)). To learn more about envelope encryption, see [Amazon EKS adds envelope encryption for secrets with AWS KMS](https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/).

# Use AMS SSP to provision Amazon EMR in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon EMR capabilities directly in your AMS managed account. Amazon EMR is the industry-leading cloud big data platform for processing vast amounts of data using open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto. With Amazon EMR you can run petabyte-scale analysis at less than half of the cost of traditional on-premises solutions and over 3x faster than standard Apache Spark. For short-running jobs, you can spin up and spin down clusters and pay per second for the instances used. For long-running workloads, you can create highly available clusters that automatically scale to meet demand.

You can create one or more Amazon EMR clusters in either AMS multi-account landing zone or single-account landing zone accounts to support both transient and persistent Amazon EMR clusters. You can also enable Kerberos authentication to authenticate users from an on-premises Active Directory domain.

You can leverage multiple data stores with the Amazon EMR clusters to support use-case specific Hadoop tools and libraries. Amazon EMR clusters can be created using On-Demand or Spot Instances, and you can configure autoscaling to manage capacity and reduce cost.

The cluster log files can be archived to an Amazon S3 bucket for logging and debugging. You can also access the web interfaces hosted in the Amazon EMR cluster to support Hadoop administration requirements or notebook experiences.

To learn more, see [Amazon EMR](https://aws.amazon.com/emr/).

## Amazon EMR in AWS Managed Services FAQ


**Q: How do I request access to Amazon EMR in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM roles to your account:
+ `customer_emr_cluster_instance_profile`
+ `customer_emr_cluster_autoscaling_role`
+ `customer_emr_console_role`
+ `customer_emr_cluster_service_role`

After it's provisioned in your account, you must onboard the `customer_emr_console_role` in your federation solution.

**Q: What are the restrictions to using Amazon EMR in my AMS account?**

When creating an Amazon EMR on EC2 cluster from the AWS console, we advise you to use the **Create Cluster – Advanced** option. Amazon EMR clusters must be created with the tag key **"for-use-with-amazon-emr-managed-policies"** and value **"true"**. Select the following configurations in the **Security** options:
+ Select custom roles for your cluster:
  + EMR Role: `customer_emr_cluster_service_role`
  + EC2 Instance Profile: `customer_emr_cluster_instance_profile`
  + Auto Scaling Role: `customer_emr_cluster_autoscaling_role`
+ EC2 Security groups:
  + Master: `ams-emr-master-security-group`
  + Core & Task: `ams-emr-worker-security-group`
  + Service Access: `ams-emr-serviceaccess-security-group`

**Q: What are the prerequisites or dependencies to using Amazon EMR in my AMS account?**

AMS creates default security groups for the Amazon EMR master, worker, and services nodes.

The launch templates and security groups to be used with Amazon EMR clusters must have the tag key **"for-use-with-amazon-emr-managed-policies"** with value **"true"**.

The default Amazon EMR cluster instance profile grants access to resources such as Amazon S3 buckets and DynamoDB tables whose names contain "emr". You can request additional IAM policies for any other resources to be used with Amazon EMR. The following resource ARNs can be used by Amazon EMR jobs through the **customer_emr_cluster_instance_profile**:
+ `arn:aws:dynamodb:*:*:table/*emr*`
+ `arn:aws:kinesis:*:*:stream/*emr*`
+ `arn:aws:sns:*:*:*emr*`
+ `arn:aws:sqs:*:*:*emr*`
+ `arn:aws:sqs:*:*:AWS-ElasticMapReduce-*`
+ `arn:aws:sdb:*:*:domain:*emr*`
+ `arn:aws:s3:::*emr*`

If Kerberos authentication is required for the Amazon EMR cluster:
+ Provide the realm name to be used for each Kerberized Amazon EMR cluster and the on-premises Active Directory IP addresses.
+ Infrastructure requirements:

  **Multi-Account Landing Zone (MALZ)**: Submit an RFC to create a new Managed application account or a new VPC in an existing application account.

  **Single-Account Landing Zone (SALZ)**: Submit an RFC to create a new subnet in your VPC.
+ Configure the incoming trust for the cluster’s realm on the on-premises Active Directory.
+ Submit an RFC to configure DNS zones for the realm in the Managed AD.
+ Realm configuration:

  **MALZ**: Submit a Management | Other | Other | Update (ct-0xdawir96cy7k) RFC to update the VPC DHCP option set to use the realm name as the domain name suffix.

  **SALZ**: Submit a Management | Other | Other | Update (ct-0xdawir96cy7k) RFC to generate a new Amazon EMR AMI that uses the specific realm as the domain name suffix.

To deploy Amazon EMR Studio, the role `customer_emr_cluster_service_role` requires an Amazon Simple Storage Service bucket. To create the bucket, use the automated CT `ct-1a68ck03fn98r` (Deployment | Advanced stack components | S3 storage | Create). When you use this automated CT to create an Amazon S3 bucket for Amazon EMR, the bucket name must begin with the prefix `customer-emr-*`, and you must create the bucket in the same AWS Region as the Amazon EMR cluster.

# Use AMS SSP to provision Amazon EventBridge in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon EventBridge capabilities directly in your AMS managed account. Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, Software-as-a-Service (SaaS) applications, and AWS services, and routes that data to targets such as AWS Lambda. You can set up routing rules to determine where to send your data to build application architectures that react in real time to all of your data sources. EventBridge allows you to build event-driven architectures, which are loosely coupled and distributed.

To learn more, see [Amazon EventBridge](https://aws.amazon.com/eventbridge/).

## EventBridge in AWS Managed Services FAQ


**Q: How do I request access to EventBridge in my AMS account?**

Request access to EventBridge by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles to your account: `customer_eventbridge_role` and `customer_eventbridge_scheduler_execution_role`. After they're provisioned in your account, you must onboard the roles in your federation solution.

The execution role, `customer_eventbridge_scheduler_execution_role`, is an IAM role that EventBridge Scheduler assumes to interact with other AWS services on your behalf. The permission policies attached to this role grant EventBridge Scheduler access to invoke targets.

**Note**  
By default, EventBridge Scheduler uses AWS owned keys for EventBridge to encrypt the data. To use a customer managed key for EventBridge to encrypt the data, submit the RFC using the Management | AWS service | Self-provisioned service | [Add (managed automation)](https://docs.aws.amazon.com/managedservices/latest/ctref/management-aws-self-provisioned-service-add-review-required.html) change type (ct-3qe6io8t6jtny) for service provisioning.

**Q: What are the restrictions to using EventBridge in my AMS account?**

You must submit AMS RFCs to create the following resources: service roles to trigger AWS Batch jobs, SQS queues, CodeBuild, CodePipeline, and SSM commands.

**Q: What are the prerequisites or dependencies to using EventBridge in my AMS account?**

You must request an EventBridge service role with an RFC using the Deployment | Advanced stack components | Identity and Access Management (IAM) | Create entity or policy (managed automation) change type (ct-3dpd8mdd9jn1r) prior to using EventBridge to trigger other AWS resources, such as AWS Batch, Lambda, Amazon SNS, Amazon SQS, or Amazon CloudWatch Logs resources. Specify the services to invoke when requesting your service role. To learn about permissions required to invoke targets, see [Using Resource-Based Policies for EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/resource-based-policies-eventbridge.html).

EventBridge is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in EventBridge. CloudTrail must be enabled and allowed to store the log files to S3 buckets. Note: All AMS accounts have CloudTrail enabled, so no action is needed.

**Q: The role `customer_eventbridge_scheduler_execution_role` has a prerequisite for an AWS Key Management Service key (optional, if used for encryption). How do I adopt AWS KMS CMKs for data encryption at rest and in transit?**

By default, EventBridge Scheduler encrypts event metadata and message data that it stores under an AWS owned key (encryption at rest). EventBridge Scheduler also encrypts data that passes between EventBridge Scheduler and other services using Transport Layer Security (TLS) (encryption in transit).

If your specific use case requires that you control and audit the encryption keys that protect your data on EventBridge Scheduler, you can use a customer managed key.

You must submit an RFC using the Management | AWS service | Self-provisioned service | Add (managed automation) change type to onboard the AWS KMS permission prior to using Amazon EventBridge.

# Use AMS SSP to provision Amazon Forecast in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Forecast (Forecast) capabilities directly in your AMS managed account. Amazon Forecast is a fully managed service that uses machine learning to deliver highly accurate forecasts.

**Note**  
AWS has closed new customer access to Amazon Forecast, effective July 29, 2024. Amazon Forecast existing customers can continue to use the service as normal. AWS continues to invest in security, availability, and performance improvements for Amazon Forecast, but AWS does not plan to introduce new features.  
If you want to use Amazon Forecast, reach out to your CSDM so that they can guide you further regarding how to [Transition your Amazon Forecast usage to Amazon SageMaker Canvas](https://aws.amazon.com/blogs/machine-learning/transition-your-amazon-forecast-usage-to-amazon-sagemaker-canvas/).

Based on the same technology used at Amazon.com, Forecast uses machine learning to combine time series data with additional variables to build forecasts. Forecast requires no machine learning experience to get started. You only need to provide historical data, plus any additional data that you believe may impact your forecasts. For example, the demand for a particular color of a shirt may change with the seasons and store location. This complex relationship is hard to determine on its own, but machine learning is ideally suited to recognize it. Once you provide your data, Forecast will automatically examine it, identify what is meaningful, and produce a forecasting model capable of making predictions that are up to 50% more accurate than looking at time series data alone.

To learn more, see [Amazon Forecast](https://aws.amazon.com/forecast/).

## Amazon Forecast in AWS Managed Services FAQ


**Q: How do I request access to Forecast in my AMS account?**

Request access to Amazon Forecast by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_forecast_admin_role`. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Forecast in my AMS account?**

The default S3 bucket access only allows you to access buckets with the naming pattern `customer-forecast-*`. If you have your own naming convention for data buckets, discuss bucket naming and related access setup with your Cloud Architect (CA). For example:
+ You could define your own Amazon Forecast service role with a name like `AmazonForecast-ExecutionRole-*` and the appropriate S3 bucket access. See the service role `AmazonForecast-ExecutionRole-Admin` and the IAM policy `customer_forecast_default_s3_access_policy` in the IAM console.
+ You may need to grant related S3 bucket access to the IAM federation role. See the IAM policy `customer_forecast_default_s3_access_policy` in the IAM console.

**Q: What are the prerequisites or dependencies to using Forecast in my AMS account?**
+ The Amazon S3 bucket(s) must be created before using Forecast. By default, S3 bucket access is limited to buckets with the naming pattern `customer-forecast-*`.
+ If you want to use S3 bucket naming patterns other than `customer-forecast-*`, you must create a new service role with S3 access permissions on those buckets:

  1. Create a new service role named `AmazonForecast-ExecutionRole-<suffix>`.

  2. Create a new IAM policy similar to `customer_forecast_default_s3_access_policy` and associate it with the new service role and the related federation admin role (for example, `customer_forecast_admin_role`).

**Q: How can I enhance data security while using Amazon Forecast?**
+ For data encryption at rest, you can use AWS KMS to provision a customer managed CMK to protect data stored in Amazon S3:
  + Enable default encryption on the bucket with the provisioned key, and set up a bucket policy that requires AWS KMS encryption when putting data.
  + Add the Amazon Forecast service role `AmazonForecast-ExecutionRole-*` and the federation admin role (for example, `customer_forecast_admin_role`) as key users of the AWS KMS key.
+ For data encryption in transit, require the HTTPS protocol for object transfers in the Amazon S3 bucket policy.
+ For further access control, use a bucket policy that grants access only to the Amazon Forecast service role `AmazonForecast-ExecutionRole-*` and the admin role (for example, `customer_forecast_admin_role`).

**Q: What are the best practices while using Amazon Forecast?**
+ You should have a good understanding of your data classification practices and map out the related data security needs when using S3 buckets with Amazon Forecast.
+ For Amazon S3 bucket configuration, we strongly advise you to enforce HTTPS in your S3 bucket policy.
+ Be aware that the admin role `customer_forecast_admin_role` has permissive access (Get/Delete/Put S3 objects) on Amazon S3 buckets named `customer-forecast-*`. NOTE: If you require fine-grained access control for multiple teams, follow these practices:
  + Define your team-based IAM identities (roles/users) with least-privilege access to the related Amazon S3 buckets.
  + Create team- or project-based AWS KMS CMKs and grant access to the corresponding IAM identities (user access and `AmazonForecast-ExecutionRole-<team/project>`).
  + Set up S3 bucket default encryption with the created AWS KMS CMKs.
  + Enforce HTTPS for S3 API traffic in the S3 bucket policy.
  + Configure the S3 bucket policy to allow only the related IAM identities (user access and `AmazonForecast-ExecutionRole-<team/project>`) access to the buckets.
+ If you want to use `customer_forecast_admin_role` for general purposes, consider the points listed previously to protect your S3 buckets.
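As an added example that is not from the AMS documentation, the following bucket policy applies the controls from the two answers above to one team's bucket: TLS only, AWS KMS encryption with the team's key, and access limited to the team's Forecast execution role and the admin role. The account ID, bucket name, role suffix, Region and KMS key ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPlaintextTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::customer-forecast-team-a",
        "arn:aws:s3:::customer-forecast-team-a/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUploadsNotUsingKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::customer-forecast-team-a/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyUploadsUsingAnotherKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::customer-forecast-team-a/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    },
    {
      "Sid": "DenyAllButTeamForecastRoleAndAdminRole",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::customer-forecast-team-a",
        "arn:aws:s3:::customer-forecast-team-a/*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/AmazonForecast-ExecutionRole-team-a",
            "arn:aws:iam::111122223333:role/customer_forecast_admin_role"
          ]
        }
      }
    }
  ]
}
```

Clients must send both encryption headers on every PutObject, since bucket default encryption alone does not satisfy the two `StringNotEquals` conditions, and the last statement also blocks any AMS operational role, so agree the principal list with your Cloud Architect before applying it.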

**Q: Where is compliance information about Amazon Forecast?**

See the [AWS services Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).

# Use AMS SSP to provision Amazon FSx in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon FSx capabilities directly in your AMS managed account. Amazon FSx provides fully managed third-party file systems. Amazon FSx provides you with the native compatibility of third-party file systems with feature sets for workloads such as Windows-based storage, high-performance computing (HPC), machine learning, and electronic design automation (EDA). Amazon FSx automates the time-consuming administration tasks such as hardware provisioning, software configuration, patching, and backups. Amazon FSx integrates the file systems with cloud-native AWS services, making them even more useful for a broader set of workloads.

Amazon FSx provides you with two file systems to choose from: Amazon FSx for Windows File Server for Windows-based applications and Amazon FSx for Lustre for compute-intensive workloads. To learn more, see [Amazon FSx](https://aws.amazon.com/fsx/).

## Amazon FSx in AWS Managed Services FAQ


**Q: How do I request access to Amazon FSx in my AMS account?**

Request access to Amazon FSx by submitting an RFC with the Management \$1 AWS service \$1 Self-provisioned service \$1 Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_fsx_admin_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon FSx in my AMS account?**

There are no restrictions. Full functionality of the service is available.

**Q: What are the prerequisites or dependencies to using Amazon FSx in my AMS account?**

There are no prerequisites. However, for advanced configurations like Multi-AZ, you must install and manage the DFS Replication and DFS Namespaces services. For more information, see [Deploying Multi-AZ File Systems](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/multi-az-deployments.html).

**Q: How do I integrate my Amazon FSx file system with my multi-account landing zone Managed AD?**

When creating an Amazon FSx file system, you can specify your MALZ Managed AD as the 'AWS Managed Microsoft Active Directory' for Windows Authentication. For more information, see [Using Amazon FSx with AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/fsx-aws-managed-ad.html).

You must also share the Managed AD to the application account first. Do this by submitting an RFC with the Management | Directory Service | Directory | Share directory change type (ct-369odosk0pd9w).

**Q: Which users belong in the **AWS Delegated FSx Administrators** group?**

Only IT file server administrators. This group has **Full Access** privileges across all file shares.

**Q: Should I use the default file share, **share**, which is created when the FSx system is provisioned?**

No, we don't recommend using the default file share, **share**, as provisioned. It grants **Full Access** to **Everyone**, which violates the principle of least privilege. Instead, create smaller, custom file shares that match your business needs.

**Q: How can I create custom file shares for specific organizations in my business?**

See [File Shares](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/managing-file-shares.html) for instructions on creating custom file shares. Restrict access on each file share using the principle of least privilege.

# Use AMS SSP to provision Amazon FSx for OpenZFS in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon FSx for OpenZFS capabilities directly in your AMS managed account. FSx for OpenZFS is a fully managed file storage service that makes it easy to move data residing in on-premises ZFS or other Linux-based file servers to AWS without changing your application code or how you manage data. It offers highly reliable, scalable, performant, and feature-rich file storage built on the open-source OpenZFS file system, providing the familiar features and capabilities of OpenZFS file systems with the agility, scalability, and simplicity of a fully managed AWS service. For developers building cloud-native applications, it offers simple, high-performance storage with rich capabilities for working with data.

FSx for OpenZFS file systems are broadly accessible from Linux, Windows, and macOS compute instances and containers using the industry-standard NFS protocol (v3, v4.0, v4.1, v4.2). Powered by AWS Graviton processors and the latest AWS disk and networking technologies (including AWS Scalable Reliable Datagram networking and the AWS Nitro system), FSx for OpenZFS delivers up to 1 million IOPS with latencies of hundreds of microseconds. With complete support for OpenZFS features like instant point-in-time snapshots and data cloning, FSx for OpenZFS makes it easy for you to replace your on-premises file servers with AWS storage that provides familiar file system capabilities and eliminates the need to perform lengthy qualifications and change or re-architect existing applications or tools. And, by combining the power of OpenZFS data management capabilities with the high performance and cost efficiency of the latest AWS technologies, FSx for OpenZFS enables you to build and run high-performance, data-intensive applications.

As a fully managed service, FSx for OpenZFS makes it easy to launch, run, and scale fully managed file systems on AWS that replace the file servers you run on premises while helping to provide better agility and lower costs. With FSx for OpenZFS, you no longer have to worry about setting up and provisioning file servers and storage volumes, replicating data, installing and patching file server software, detecting and addressing hardware failures, and manually performing backups. It also provides rich integration with other AWS services, such as AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), Amazon CloudWatch, and AWS CloudTrail.

Amazon FSx provides you with two file systems to choose from: Amazon FSx for Windows File Server for Windows-based applications and Amazon FSx for Lustre for compute-intensive workloads. To learn more, see [Amazon FSx](https://aws.amazon.com/fsx/).

## Amazon FSx for OpenZFS in AWS Managed Services FAQ


**Q: How do I request access to use FSx for OpenZFS in my AMS account?**

Request access to Amazon FSx for OpenZFS by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_fsx_ontap_admin_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using FSx for OpenZFS in my AMS account?**

Replacing the security group on the Amazon FSx elastic network interfaces (ENIs) requires you to submit Management | Other | Other | Update RFCs, since security groups are a critical perimeter for the AMS environment. That is the only restriction.

**Q: What are the prerequisites or dependencies to using FSx for OpenZFS in my AMS account?**

There are no prerequisites. However, you must have [Use AMS SSP to provision Amazon FSx in your AMS account](amz-fsx.md) installed.

# Use AMS SSP to provision Amazon FSx for NetApp ONTAP in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon FSx for NetApp ONTAP capabilities directly in your AMS managed account. Amazon FSx for NetApp ONTAP is a fully managed service that provides highly reliable, scalable, performant, and feature-rich file storage built on NetApp's popular ONTAP file system. It provides the familiar features, performance, capabilities, and APIs of NetApp file systems with the agility, scalability, and simplicity of a fully managed AWS service.

Amazon FSx for NetApp ONTAP provides feature-rich, fast, and flexible shared file storage that’s broadly accessible from Linux, Windows, and macOS compute instances running in AWS or on premises. FSx for ONTAP offers high-performance SSD storage with sub-millisecond latencies, and makes it quick and easy to manage your data by enabling you to snapshot, clone, and replicate your files with the click of a button. It also automatically tiers your data to lower-cost, elastic storage, eliminating the need to provision or manage capacity and allowing you to achieve SSD levels of performance for your workload while only paying for SSD storage for a small fraction of your data. It provides highly available and durable storage with fully managed backups and support for cross-region disaster recovery, and supports popular data security and anti-virus applications that make it even easier to protect and secure your data. For customers who use NetApp ONTAP on-premises, FSx for ONTAP is an ideal solution to migrate, back up, or burst your file-based applications from on-premises to AWS without the need to change your application code or how you manage your data.

As a fully managed service, Amazon FSx for NetApp ONTAP makes it simple to launch and scale reliable, performant, and secure shared file storage in the cloud. With Amazon FSx for NetApp ONTAP, you no longer have to worry about setting up and provisioning file servers and storage volumes, replicating data, installing and patching file server software, detecting and addressing hardware failures, managing failover and failback, and manually performing backups. It also provides rich integration with other AWS services, such as AWS Identity and Access Management, Amazon WorkSpaces, AWS Key Management Service, and AWS CloudTrail.

Amazon FSx provides you with two file systems to choose from: Amazon FSx for Windows File Server for Windows-based applications and Amazon FSx for Lustre for compute-intensive workloads. To learn more, see [Amazon FSx](https://aws.amazon.com/fsx/).

## Amazon FSx for NetApp ONTAP in AWS Managed Services FAQ


**Q: How do I request access to Amazon FSx for NetApp ONTAP in my AMS account?**

Request access to Amazon FSx for NetApp ONTAP by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_fsx_ontap_admin_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon FSx for NetApp ONTAP in my AMS account?**

Replacing the security group on the Amazon FSx for NetApp ONTAP elastic network interfaces (ENIs) requires you to submit Management | Other | Other | Update RFCs, since security groups are a critical perimeter for the AMS environment. That is the only restriction.

**Q: What are the prerequisites or dependencies to using Amazon FSx for NetApp ONTAP in my AMS account?**

There are no prerequisites. However, you must have [Use AMS SSP to provision Amazon FSx in your AMS account](amz-fsx.md) installed.

# Use AMS SSP to provision Amazon Inspector Classic in your AMS account

**Note**  
End of support notice: On May 20, 2026, AWS will end support for Amazon Inspector Classic. After May 20, 2026, you will no longer be able to access the Amazon Inspector Classic console or Amazon Inspector Classic resources. Amazon Inspector Classic will no longer be available to new accounts, and accounts that have not completed an assessment in the last six months. For all other accounts, access will remain valid until May 20, 2026, after which you will no longer be able to access the Amazon Inspector Classic console or Amazon Inspector Classic resources. For more information, see [Amazon Inspector Classic end of support](https://docs.aws.amazon.com/inspector/v1/userguide/inspector-migration.html).

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Inspector Classic capabilities directly in your AMS managed account. Amazon Inspector Classic is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector Classic automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector Classic produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports, which are available via the Amazon Inspector Classic console or API. To learn more, see [Amazon Inspector Classic](https://docs.aws.amazon.com/inspector/v1/userguide/inspector_introduction.html).

## Amazon Inspector in AWS Managed Services FAQ


**Q: How do I request access to Amazon Inspector Classic in my AMS account?**

Request access to Amazon Inspector Classic by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the `customer_inspector_admin_role` IAM role to your account. The role includes the AWS managed `AmazonInspectorFullAccess` policy. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon Inspector Classic in my AMS account?**

There are no restrictions. Full functionality of Amazon Inspector Classic is available in your AMS account.

**Q: What are the prerequisites or dependencies to using Amazon Inspector Classic in my AMS account?**

There are no prerequisites or dependencies to use Amazon Inspector Classic in your AMS account.

## Use the new Amazon Inspector in AMS


You can now use the new Amazon Inspector in your AMS account.

For Amazon Inspector Classic, the `customer-inspector-admin-role-ssm-inspector-agent-policy` and `AmazonInspectorFullAccess` policies were required. The SSPS role `customer-inspector-admin-role` has since been updated to include an additional policy, `AmazonInspector2FullAccess`, which grants API permissions for the new version of Amazon Inspector.

# Use AMS SSP to provision Amazon Kendra in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Kendra capabilities directly in your AMS managed account. Amazon Kendra is an intelligent search service that uses natural language processing and advanced machine learning algorithms to return specific answers to search questions from your data. Unlike traditional keyword-based search, Amazon Kendra uses its semantic and contextual understanding capabilities to determine if a document is relevant to a search query. Amazon Kendra returns specific answers to questions, so your experience is close to interacting with a human expert. Amazon Kendra is highly scalable, capable of meeting performance demands, is tightly integrated with other AWS services such as Amazon S3 and Amazon Lex, and offers enterprise-grade security. To learn more, see [Amazon Kendra](https://docs.aws.amazon.com/kendra/latest/dg/what-is-kendra.html).

## Amazon Kendra in AWS Managed Services FAQ


**Q: How do I request access to Amazon Kendra in my AMS account?**

To request access to Amazon Kendra, submit an RFC with the Management > AWS service > Self-provisioned service > Add (ct-3qe6io8t6jtny) change type. This RFC provisions the `customer_kendra_console_role` IAM role to your account. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon Kendra in my AMS account?**

There are no restrictions. Full functionality of Amazon Kendra is available in your AMS account.

**Q: What are the prerequisites or dependencies to using Amazon Kendra in my AMS account?**

There are no prerequisites or dependencies to get started with Amazon Kendra. However, depending on your specific use case, you might require access to other AWS services.

# Use AMS SSP to provision Amazon Kinesis Data Streams in your AMS account
Amazon Kinesis Data Streams

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Kinesis Data Streams (KDS) capabilities directly in your AMS managed account. Amazon Kinesis Data Streams is a highly scalable, and durable, real-time data streaming service. KDS can continuously capture gigabytes of data per second from hundreds of thousands of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events. The data collected is available in milliseconds to enable real-time analytics use cases such as real-time dashboards, real-time anomaly detection, dynamic pricing, and more. To learn more, see [Amazon Kinesis Data Streams](https://aws.amazon.com/kinesis/data-streams/).

## Kinesis Data Streams in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon Kinesis Data Streams in my AMS account?**

Request access to Amazon Kinesis Data Streams by submitting an RFC with the Management > AWS service > Self-provisioned service > Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_kinesis_data_streaming_user_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon Kinesis Data Streams in my AMS account?**

There are no restrictions. Full functionality of Amazon Kinesis Data Streams is available in your AMS account.

**Q: What are the prerequisites or dependencies to using Amazon Kinesis Data Streams in my AMS account?**

There are no prerequisites or dependencies to use Amazon Kinesis Data Streams in your AMS account.

# Use AMS SSP to provision Amazon Kinesis Video Streams in your AMS account
Amazon Kinesis Video Streams

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Kinesis Video Streams (KVS) capabilities directly in your AMS managed account. Amazon Kinesis Video Streams helps you to securely stream video from connected devices to AWS for analytics, machine learning (ML), playback, and other processing. Kinesis Video Streams automatically provisions, and elastically scales, all the infrastructure needed to ingest streaming video data from millions of devices. It also durably stores, encrypts, and indexes video data in your streams, and allows you to access your data through easy-to-use APIs. Kinesis Video Streams enables you to playback video for live and on-demand viewing, and quickly build applications that take advantage of computer vision and video analytics through integration with Amazon Rekognition Video, and libraries for ML frameworks such as Apache MxNet, TensorFlow, and OpenCV. To learn more, see [Amazon Kinesis Video Streams](https://aws.amazon.com/kinesis/video-streams/).

## Amazon Kinesis Video Streams in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon Kinesis Video Streams in my AMS account?**

Request access to Amazon Kinesis Video Streams by submitting an RFC with the Management > AWS service > Self-provisioned service > Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_kinesis_video_streaming_user_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon Kinesis Video Streams in my AMS account?**

There are no restrictions. Full functionality of Amazon Kinesis Video Streams is available in your AMS account.

**Q: What are the prerequisites or dependencies to using Amazon Kinesis Video Streams in my AMS account?**

There are no prerequisites or dependencies to use Amazon Kinesis Video Streams in your AMS account.

# Use AMS SSP to provision Amazon Lex in your AMS account
Amazon Lex

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Lex capabilities directly in your AMS managed account. Amazon Lex is a service for building conversational interfaces into any application using voice and text. Amazon Lex provides the advanced deep learning functionalities of automatic speech recognition (ASR) for converting speech to text, and natural language understanding (NLU) to recognize the intent of the text, to enable you to build applications with highly engaging user experiences and lifelike conversational interactions. With Amazon Lex, the same deep learning technologies that power Amazon Alexa are now available to any developer, enabling you to quickly and easily build sophisticated, natural language, conversational bots or chatbots. To learn more, see [Amazon Lex](https://aws.amazon.com/lex/).

## Amazon Lex in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon Lex in my AMS account?**

Request access by submitting an RFC with the Management > AWS service > Self-provisioned service > Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_lex_author_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon Lex in my AMS account?**

Amazon Lex integration with Lambda is limited to Lambda functions without an "AMS-" prefix, in order to prevent any modifications to AMS infrastructure.

**Q: What are the prerequisites or dependencies to using Amazon Lex in my AMS account?**

There are no prerequisites or dependencies to use Amazon Lex in your AMS account.

# Use AMS SSP to provision Amazon MQ in your AMS account
Amazon MQ

Use AMS Self-Service Provisioning (SSP) mode to access Amazon MQ capabilities directly in your AMS managed account. Amazon MQ is a managed message broker service for Apache ActiveMQ that helps you to set up and operate message brokers in the cloud. Message brokers allow different software systems, often using different programming languages and on different platforms, to communicate and exchange information. Amazon MQ reduces your operational load by managing the provisioning, setup, and maintenance of ActiveMQ, a popular open-source message broker. Connecting your current applications to Amazon MQ uses industry standard APIs and protocols for messaging, including JMS, NMS, AMQP, STOMP, MQTT, and WebSocket. Using standards means that, in most cases, there’s no need to rewrite any messaging code when you migrate to AWS. To learn more, see [What Is Amazon MQ?](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/welcome.html)

## Amazon MQ in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon MQ in my AMS account?**

Utilization of Amazon MQ in your AMS account is a two-step process:

1. Provision the Amazon MQ Broker. To do this, submit a CFN template that includes the Amazon MQ Broker through an RFC with the Deployment > Ingestion > Stack from CloudFormation Template > Create change type (ct-36cn2avfrrj9v), or submit an RFC with the Management > Other > Other > Create change type (ct-1e1xtak34nx76) requesting that an Amazon MQ Broker be provisioned in your account.

1. Access the Amazon MQ console. After the Amazon MQ Broker is provisioned, obtain access to the Amazon MQ console by submitting an RFC with the Management > AWS service > Self-provisioned service > Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_mq_console_role`.

After the role is provisioned in your account, you must onboard it in your federation solution. 

**Q: What are the restrictions to using Amazon MQ in my AMS account?**

Full functionality of Amazon MQ is available in your AMS account; however, provisioning an Amazon MQ Broker is not available through the policy because of the elevated permissions required. See the previous question for details on how to provision an Amazon MQ Broker in your account.

**Q: What are the prerequisites or dependencies to using Amazon MQ in my AMS account?**

There are no prerequisites or dependencies to use Amazon MQ in your AMS account.

# Use AMS SSP to provision Amazon Managed Service for Apache Flink in your AMS account
Amazon Managed Service for Apache Flink

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Managed Service for Apache Flink capabilities directly in your AMS managed account. Managed Service for Apache Flink is the easiest way to analyze streaming data, gain actionable insights, and respond to your business and customer needs in real time. Amazon Managed Service for Apache Flink reduces the complexity of building, managing, and integrating streaming applications with other AWS services. SQL users can easily query streaming data or build entire streaming applications using templates and an interactive SQL editor. Java developers can quickly build sophisticated streaming applications using open source Java libraries and AWS integrations to transform and analyze data in real time. Amazon Managed Service for Apache Flink takes care of everything required to run your real-time applications continuously and scales automatically to match the volume and throughput of your incoming data. With Amazon Managed Service for Apache Flink, you only pay for the resources your streaming applications consume. There is no minimum fee or setup cost. To learn more, see [Amazon Managed Service for Apache Flink](https://aws.amazon.com/kinesis/data-analytics/).

## Managed Service for Apache Flink in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon Managed Service for Apache Flink in my AMS account?**

Request access by submitting an RFC with the Management > AWS service > Self-provisioned service > Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_kinesis_analytics_application_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon Managed Service for Apache Flink in my AMS account?**
+ Configurations are limited to resources without 'AMS-' or 'MC-' prefixes, to prevent any modifications to AMS infrastructure.
+ Permission to create or delete Kinesis Data Streams or Firehose resources has been removed from this policy; those actions are granted by a separate policy.

**Q: What are the prerequisites or dependencies to using Amazon Managed Service for Apache Flink in my AMS account?**

There are a few dependencies:
+ Amazon Managed Service for Apache Flink requires that Kinesis Data Streams or Firehose must be created prior to configuring an application with Managed Service for Apache Flink.
+ The resource-based policy permissions should indicate a particular input data source.

# Use AMS SSP to provision Amazon Managed Streaming for Apache Kafka in your AMS account
Amazon Managed Streaming for Apache Kafka

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Managed Streaming for Apache Kafka (Amazon MSK) capabilities directly in your AMS managed account. Amazon Managed Streaming for Apache Kafka is a fully managed AWS streaming data service that makes it easy for you to build and run applications that use Apache Kafka to process streaming data, without needing to become an expert in operating Apache Kafka clusters. Amazon MSK manages the provisioning, configuration, and maintenance of Apache Kafka clusters and Apache ZooKeeper nodes for you. Amazon MSK also shows key Apache Kafka performance metrics in the AWS Console.

Amazon MSK provides multiple levels of security for your Apache Kafka clusters, including VPC network isolation, AWS IAM for control-plane API authorization, encryption at rest, TLS encryption in transit, TLS-based certificate authentication, and SASL/SCRAM authentication secured by AWS Secrets Manager. To learn more, see [Amazon MSK](https://aws.amazon.com/msk/).

## Amazon MSK in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon MSK in my AMS account?**

Request access by submitting an RFC with the Management > AWS service > Self-provisioned service > Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM policies and role to your account:
+ `customer-msk-admin-policy.json`
+ `AmazonMSKFullAccess`
+ `customer-msk-admin-role.json`

After they're provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon MSK?**

For Amazon MSK to deliver broker logs to the destinations that you configure, the `AmazonMSKFullAccess` policy must be attached to your IAM role. Because that policy is provisioned with the role, the required full access permissions are already in place.

**Q: What are the prerequisites or dependencies to using Amazon MSK?**

Before creating your MSK cluster, you must have a VPC and subnets within that VPC. By default, AMS has this covered as part of default [AMS VPC creation](https://docs.aws.amazon.com/msk/latest/developerguide/msk-create-cluster.html).

To learn about the limitation of Amazon MSK, refer to [Amazon MSK Limits](https://docs.aws.amazon.com/msk/latest/developerguide/limits.html).

# Use AMS SSP to provision Amazon Managed Service for Prometheus in your AMS account
Amazon Managed Service for Prometheus

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Managed Service for Prometheus (AMP) capabilities directly in your AMS managed account. Amazon Managed Service for Prometheus is a serverless, Prometheus-compatible monitoring service for container metrics that makes it easier to securely monitor container environments at scale. With Amazon Managed Service for Prometheus, you can use the same open-source Prometheus data model and query language that you use today to monitor the performance of your containerized workloads, and also enjoy improved scalability, availability, and security without having to manage the underlying infrastructure.

Amazon Managed Service for Prometheus automatically scales the ingestion, storage, and querying of operational metrics as workloads scale up and down. It integrates with AWS security services to enable fast and secure access to data. For more information, see [What is Amazon Managed Service for Prometheus?](https://docs.aws.amazon.com/prometheus/latest/userguide/what-is-Amazon-Managed-Service-Prometheus.html)

## Amazon Managed Service for Prometheus in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon Managed Service for Prometheus in my AMS account?**

Request access by submitting an RFC with the Management > AWS service > Self-provisioned service > Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer-prometheus-console-role`. After it's provisioned in your account, you must onboard the `customer-prometheus-console-role` role in your federation solution.

**Q: What are the restrictions to using Amazon Managed Service for Prometheus in my AMS account?**

All features are supported.

**Q: What are the prerequisites or dependencies to using Amazon Managed Service for Prometheus in my AMS account?**

There are no prerequisites or dependencies to get started with Amazon Managed Service for Prometheus. However, depending on your specific use case, you might require access to other AWS services.

# Use AMS SSP to provision Amazon Personalize in your AMS account
Amazon Personalize

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Personalize capabilities directly in your AMS managed account. Amazon Personalize is a machine learning service that makes it easy for developers to create individualized recommendations for customers using their applications.

Machine learning is being increasingly used to improve customer engagement by powering personalized product and content recommendations, tailored search results, and targeted marketing promotions. However, developing the machine-learning capabilities necessary to produce these sophisticated recommendation systems has been beyond the reach of most organizations today due to the complexity. Amazon Personalize allows developers with no prior machine learning experience to easily build sophisticated personalization capabilities into their applications, using machine learning technology perfected from years of use on Amazon.com.

With Amazon Personalize, you provide an activity stream from your application – clicks, page views, signups, purchases, and so forth – as well as an inventory of the items you want to recommend, such as articles, products, videos, or music. You can also choose to provide Amazon Personalize with additional demographic information from your users such as age, or geographic location. Amazon Personalize will process and examine the data, identify what is meaningful, select the right algorithms, and train and optimize a personalization model that is customized for your data. All data analyzed by Amazon Personalize is kept private and secure, and only used for your customized recommendations. You can start serving personalized recommendations via a simple API call. You pay only for what you use, and there are no minimum fees and no upfront commitments.

To learn more, see [Amazon Personalize](https://aws.amazon.com/personalize/).

## Amazon Personalize in AWS Managed Services FAQ


**Q: How do I request access to Amazon Personalize in my AMS account?**

Request access by submitting an RFC with the Management > AWS service > Self-provisioned service > Add (managed automation) (ct-3qe6io8t6jtny) change type; in the RFC, specify which S3 bucket contains the data that Amazon Personalize will use to generate the recommendations. This RFC provisions the following IAM roles to your account: `customer_personalize_console_role` and `customer_personalize_service_role`.
+ After the `customer_personalize_console_role` is provisioned in your account, you must onboard the role in your federation solution. You can also attach the `customer_personalize_console_policy` to another existing role other than `Customer_ReadOnly_Role`.
+ After the `customer_personalize_service_role` is provisioned in your account, you can refer to its ARN when creating a new dataset group.

At this time, AMS Operations will also deploy this service role in your account: `aws_code_pipeline_service_role_policy`.

**Q: What are the restrictions to using Amazon Personalize in my AMS account?**

Amazon Personalize configuration is limited to resources without 'ams-' or 'mc-' prefixes, to prevent any modifications to AMS infrastructure.

**Q: What are the prerequisites or dependencies to using Amazon Personalize in my AMS account?**
+ If the S3 bucket where the data is stored is encrypted, the KMS key ID must be provided so that AMS can allow the role used by Amazon Personalize to decrypt the bucket.

  Amazon Personalize does not support the default KMS S3 key. If you must use KMS, create a custom key and add the following policy to it by opening an RFC with the KMS Key > Create (Managed automation) change type:

  ```json
  {
      "Version": "2012-10-17",
      "Id": "key-consolepolicy-3",
      "Statement": [
          {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                  "Service": "personalize.amazonaws.com"
              },
              "Action": "kms:*",
              "Resource": "*"
          }
      ]
  }
  ```

+ An S3 bucket must be created with the following bucket policy. Do this by submitting an RFC with the S3 Storage > Create Policy change type. This policy allows Amazon Personalize to read the data in that bucket, which is the bucket that will contain the data to be used by Amazon Personalize.

  ```json
  {
      "Version": "2012-10-17",
      "Id": "PersonalizeS3BucketAccessPolicy",
      "Statement": [
          {
              "Sid": "PersonalizeS3BucketAccessPolicy",
              "Effect": "Allow",
              "Principal": {
                  "Service": "personalize.amazonaws.com"
              },
              "Action": [
                  "s3:GetObject",
                  "s3:ListBucket"
              ],
              "Resource": [
                  "arn:aws:s3:::bucket-name",
                  "arn:aws:s3:::bucket-name/*"
              ]
          }
      ]
  }
  ```
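The two policy documents above, as an added example (not AMS or AWS code) that fills in the bucket name and checks a bucket policy before it goes into the RFC. The bucket name is a constructed placeholder; the policy shapes are the ones shown on this page.

```python
"""Build and sanity-check the two policies the Amazon Personalize
prerequisites above require: the S3 bucket policy and the KMS key policy.

Added example, not AMS or AWS code. The bucket name is a constructed
placeholder; the policy shapes mirror the documents shown above.
"""
import json

PERSONALIZE_PRINCIPAL = "personalize.amazonaws.com"
# The only S3 actions the bucket policy above grants to the service.
PERSONALIZE_S3_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def personalize_bucket_policy(bucket_name: str) -> dict:
    """The bucket policy from the page with the bucket name filled in."""
    return {
        "Version": "2012-10-17",
        "Id": "PersonalizeS3BucketAccessPolicy",
        "Statement": [{
            "Sid": "PersonalizeS3BucketAccessPolicy",
            "Effect": "Allow",
            "Principal": {"Service": PERSONALIZE_PRINCIPAL},
            "Action": list(PERSONALIZE_S3_ACTIONS),
            "Resource": [f"arn:aws:s3:::{bucket_name}",
                         f"arn:aws:s3:::{bucket_name}/*"],
        }],
    }


def personalize_key_policy() -> dict:
    """The KMS key policy from the page (service principal granted kms:*)."""
    return {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy-3",
        "Statement": [{
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"Service": PERSONALIZE_PRINCIPAL},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }


def _as_list(value):
    """IAM accepts either a string or a list in Principal/Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def personalize_statements(policy: dict):
    """Yield the Allow statements that name the Personalize service principal."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and PERSONALIZE_PRINCIPAL in services:
            yield stmt


def check_bucket_policy(policy: dict, bucket_name: str) -> list:
    """Return findings; an empty list means the policy has the shape shown above.

    Flags actions beyond GetObject/ListBucket, resources that are not this
    bucket (including the literal "bucket-name" placeholder left unfilled),
    and a grant that is missing one of the two required actions.
    """
    expected = {f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"}
    findings, granted = [], set()
    for stmt in personalize_statements(policy):
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action in PERSONALIZE_S3_ACTIONS:
                granted.add(action)
            else:
                findings.append(f"{sid}: grants {action} beyond GetObject/ListBucket")
        for resource in _as_list(stmt.get("Resource")):
            if resource not in expected:
                findings.append(f"{sid}: resource {resource} is not bucket {bucket_name}")
    for action in PERSONALIZE_S3_ACTIONS:
        if action not in granted:
            findings.append(f"service principal is not granted {action}")
    return findings


def kms_actions_for_personalize(policy: dict) -> set:
    """KMS actions the key policy grants to the Personalize service principal."""
    actions = set()
    for stmt in personalize_statements(policy):
        actions.update(_as_list(stmt.get("Action")))
    return actions


if __name__ == "__main__":
    bucket = "example-personalize-data"  # constructed placeholder name
    policy = personalize_bucket_policy(bucket)
    print(json.dumps(policy, indent=2))
    print("bucket policy findings:", check_bucket_policy(policy, bucket))
    print("kms actions granted:", kms_actions_for_personalize(personalize_key_policy()))
```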

# Use AMS SSP to provision Amazon Quick in your AMS account
Amazon Quick

Use AMS Self-Service Provisioning (SSP) mode to access Quick capabilities directly in your AMS managed account. Quick is a fast, cloud-powered business intelligence service that delivers insights to everyone in your organization. As a fully managed service, Quick lets you easily create and publish interactive dashboards that include machine learning (ML) insights. To learn more, see [Amazon Quick](https://aws.amazon.com/quicksight/).

## Quick in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Quick in my AMS account?**

Request access by submitting an RFC with the Management > AWS service > Self-provisioned service > Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_quicksight_console_admin_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Quick in my AMS account?**
+ AWS resource settings in Quick won't be accessible to you because of the IAM policy dependency. However, the AMS team enables each resource for you in response to your request to enable the service.
+ Resource access for individual users and groups is not supported in this model, because this feature lets users alter IAM permissions that could compromise AMS infrastructure.
+ The ability to invite IAM identities from within QuickSight is not supported due to the risk involved in altering IAM objects.
+ The Quick service offers two editions: Enterprise and Standard. Both provide a single sign-on (SSO) option that is supported on AMS. However, the Enterprise Edition has an option to integrate Quick with Active Directory (AD). Quick on AMS does not support integration with AD due to incompatibilities between the AMS account structure and the Quick trust requirements.

**Q: What are the prerequisites or dependencies to using Quick in my AMS account?**
+ When AMS receives this RFC to add Quick, you are sent a service request for additional information; provide the following:
  + Quick account name (for example, `CustomerName-quicksight`)
  + Quick Edition (Standard versus Enterprise)
  + The AWS Region in which to enable the Quick service (defaults to your AMS AWS Region).
  + A notification email address for the Quick account.
  + (Optional) The S3 bucket where the data files to be analyzed are located.
  + The VPC and subnet IDs to connect to Quick. Quick supports adding a VPC connection, which enables private connectivity between Quick and resources inside the account.

An AMS operator performs the sign-up process on your behalf and configures two QuickSight functionalities:
+  [Auto discovery](https://docs.aws.amazon.com/quicksight/latest/user/autodiscover-aws-data-sources.html) to data sources.
+  [VPC connections](https://docs.aws.amazon.com/quicksight/latest/user/working-with-aws-vpc.html).

**Note**  
These actions need to be performed by an AMS operator because elevated IAM and VPC permissions are required during the sign-in process.

# Use AMS SSP to provision Amazon Rekognition in your AMS account
Amazon Rekognition

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Rekognition capabilities directly in your AMS managed account. Amazon Rekognition makes it easy to add image and video analysis to your applications using proven, highly scalable, deep learning technology that requires no machine learning expertise to use. With Amazon Rekognition, you can identify objects, people, text, scenes, and activities in images and videos, as well as detect any inappropriate content. Amazon Rekognition also provides highly accurate facial analysis and facial search capabilities that you can use to detect, analyze, and compare faces for a wide variety of user verification, people counting, and public safety use cases.

With Amazon Rekognition Custom Labels, you can identify objects and scenes in images that are specific to your business needs. For example, you can build a model to classify specific machine parts on your assembly line or to detect unhealthy plants. Amazon Rekognition Custom Labels takes care of the model development heavy lifting for you, so no machine learning experience is required. You simply need to supply images of objects or scenes you want to identify, and the service handles the rest.

To learn more, see [Amazon Rekognition](https://aws.amazon.com/rekognition/).

## Amazon Rekognition in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon Rekognition in my AMS account?**

Request access by submitting an RFC with the Management > AWS service > Self-provisioned service > Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM roles to your account: `customer_rekognition_console_role` and `customer_rekognition_service_role`. After they're provisioned in your account, you must onboard the console role in your federation solution.

**Q: What are the restrictions to using Amazon Rekognition in my AMS account?**

Full functionality of Amazon Rekognition is available with the Amazon Rekognition self-provisioned service role.

**Q: What are the prerequisites or dependencies to using Amazon Rekognition in my AMS account?**

If you use a Kinesis video stream to provide the source video for an Amazon Rekognition Video stream processor, or a Kinesis data stream as the destination that the stream processor writes its results to, provide AMS with the `kinesisStreamName` when creating the RFC.

# Use AMS SSP to provision Amazon SageMaker AI in your AMS account
Amazon SageMaker AI

Use AMS Self-Service Provisioning (SSP) mode to access Amazon SageMaker AI capabilities directly in your AMS managed account. SageMaker AI provides every developer and data scientist with the ability to build, train, and deploy machine learning models quickly. Amazon SageMaker AI is a fully-managed service that covers the entire machine learning workflow to label and prepare your data, choose an algorithm, train the model, tune and optimize it for deployment, make predictions, and take action. Your models get to production faster with much less effort and lower cost. To learn more, see [Amazon SageMaker AI](https://aws.amazon.com/sagemaker/).

## SageMaker AI in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to SageMaker AI in my AMS account?**

Request access by submitting an RFC with the Management > AWS service > Self-provisioned service > Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles to your account: `customer_sagemaker_admin_role` and the service role `AmazonSageMaker-ExecutionRole-Admin`. After SageMaker AI is provisioned in your account, you must onboard the `customer_sagemaker_admin_role` role in your federation solution. You cannot assume the service role directly; the SageMaker AI service uses it while performing various actions, as described in [Passing Roles](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-pass-role).

**Q: What are the restrictions to using SageMaker AI in my AMS account?**
+ The following use cases are not supported by the AMS Amazon SageMaker AI IAM role:
  + SageMaker AI Studio is not supported at this time.
  + SageMaker AI Ground Truth to manage private workforces is not supported since this feature requires overly permissive access to Amazon Cognito resources. If managing a private workforce is required, you can request a custom IAM role with combined SageMaker AI and Amazon Cognito permissions. Otherwise, we recommend using public workforce (backed by Amazon Mechanical Turk), or AWS Marketplace service providers, for data labeling.
+ Creating VPC endpoints to support API calls to SageMaker AI services (`aws.sagemaker.<region>.notebook`, `com.amazonaws.<region>.sagemaker.api`, and `com.amazonaws.<region>.sagemaker.runtime`) is not supported, because the permissions can't be scoped down to SageMaker AI related services only. To support this use case, submit a Management > Other > Other RFC to create the related VPC endpoints.
+ SageMaker AI endpoint auto scaling is not supported, because SageMaker AI requires `DeleteAlarm` permissions on any (`*`) resource. To support endpoint auto scaling, submit a Management > Other > Other RFC to set up auto scaling for a SageMaker AI endpoint.

**Q: What are the prerequisites or dependencies to using SageMaker AI in my AMS account?**
+ The following use cases require special configuration prior to use:
  + If an S3 bucket will be used to store model artifacts and data, then you must request an S3 bucket named with one of the required keywords ("SageMaker", "Sagemaker", "sagemaker", or "aws-glue") with a Deployment > Advanced stack components > S3 storage > Create RFC.
  + If Elastic File Store (EFS) will be used, then EFS storage must be configured in the same subnet and allowed by the security groups.
  + If other resources require direct access to SageMaker AI services (notebooks, API, runtime, and so on), then the configuration must be requested by:
    + Submitting an RFC to create a security group for the endpoint (Deployment > Advanced stack components > Security group > Create (auto)).
    + Submitting a Management > Other > Other > Create RFC to set up the related VPC endpoints.

**Q: What are the supported naming conventions for resources that the `customer_sagemaker_admin_role` can access directly?** (The following apply to update and delete permissions; if you require additional naming conventions for your resources, contact an AMS Cloud Architect for consultation.)
+ Resource: Passing the `AmazonSageMaker-ExecutionRole-*` role
  + Permissions: The SageMaker AI self-provisioned service role supports your use of the SageMaker AI service role (`AmazonSageMaker-ExecutionRole-*`) with AWS Glue, AWS RoboMaker, and AWS Step Functions.
+ Resource: Secrets in AWS Secrets Manager
  + Permissions: Describe, Create, Get, Update secrets with an `AmazonSageMaker-*` prefix.
  + Permissions: Describe, Get secrets when the `SageMaker` resource tag is set to `true`.
+ Resource: Repositories in AWS CodeCommit
  + Permissions: Create/delete repositories with an `AmazonSageMaker-*` prefix.
  + Permissions: Git pull/push on repositories with the following prefixes: `*sagemaker*`, `*SageMaker*`, and `*Sagemaker*`.
+ Resource: Amazon ECR (Amazon Elastic Container Registry) repositories
  + Permissions: Set/delete repository policies and upload container images when the following resource naming convention is used: `*sagemaker*`.
+ Resource: Amazon S3 buckets
  + Permissions: Get, Put, Delete object and abort multipart upload on S3 objects when resources have the following prefixes: `*SageMaker*`, `*Sagemaker*`, `*sagemaker*`, and `aws-glue`.
  + Permissions: Get S3 objects when the `SageMaker` tag is set to `true`.
+ Resource: Amazon CloudWatch log group
  + Permissions: Create log group or stream, Put log event, and List, Update, Create, Delete log delivery with the following prefix: `/aws/sagemaker/*`.
+ Resource: Amazon CloudWatch metric
  + Permissions: Put metric data when the following prefixes are used: `AWS/SageMaker`, `AWS/SageMaker/`, `aws/SageMaker`, `aws/SageMaker/`, `aws/sagemaker`, `aws/sagemaker/`, and `/aws/sagemaker/`.
+ Resource: Amazon CloudWatch dashboard
  + Permissions: Create/delete dashboards when the following prefix is used: `customer_*`.
+ Resource: Amazon SNS (Simple Notification Service) topic
  + Permissions: Subscribe/create topic when the following prefixes are used: `*sagemaker*`, `*SageMaker*`, and `*Sagemaker*`.
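
The conventions above decide whether a call succeeds or returns AccessDenied, so it is worth checking planned names before you provision anything. The following is an added pre-flight check, not AMS code and not the role's actual IAM policy: it transcribes the list above into glob rules and reports which entries of a deployment plan fall outside them. The `kind` and `action` labels are this example's own vocabulary, `aws-glue` is read as a name prefix, and the CloudWatch metric entries are matched as the exact values listed.

```python
"""Pre-flight check of resource names against the customer_sagemaker_admin_role
naming conventions listed in the AMS FAQ.

Added example, not AMS code and not the role's real IAM policy. The rules are
transcribed from the FAQ as glob patterns; `kind`/`action` are this example's
own labels. `aws-glue` is treated as a name prefix; the CloudWatch metric
entries are matched exactly as listed.
"""
from fnmatch import fnmatchcase

# (resource kind, actions granted, glob patterns on the resource name)
NAME_RULES = [
    ("secretsmanager", {"describe", "create", "get", "update"}, ["AmazonSageMaker-*"]),
    ("codecommit", {"create", "delete"}, ["AmazonSageMaker-*"]),
    ("codecommit", {"gitpull", "gitpush"}, ["*sagemaker*", "*SageMaker*", "*Sagemaker*"]),
    ("ecr", {"setpolicy", "deletepolicy", "push"}, ["*sagemaker*"]),
    ("s3", {"get", "put", "delete", "abortmultipart"},
     ["*SageMaker*", "*Sagemaker*", "*sagemaker*", "aws-glue*"]),
    ("logs", {"createloggroup", "createlogstream", "putlogevents", "logdelivery"},
     ["/aws/sagemaker/*"]),
    ("cloudwatch-metric", {"putmetricdata"},
     ["AWS/SageMaker", "AWS/SageMaker/", "aws/SageMaker", "aws/SageMaker/",
      "aws/sagemaker", "aws/sagemaker/", "/aws/sagemaker/"]),
    ("cloudwatch-dashboard", {"create", "delete"}, ["customer_*"]),
    ("sns", {"create", "subscribe"}, ["*sagemaker*", "*SageMaker*", "*Sagemaker*"]),
]

# (resource kind, actions granted, required tag key/value): read-only grants by tag
TAG_RULES = [
    ("secretsmanager", {"describe", "get"}, ("SageMaker", "true")),
    ("s3", {"get"}, ("SageMaker", "true")),
]


def access_reason(kind, action, name, tags=None):
    """Return the FAQ rule that lets the role perform `action` on the named
    resource, or None when neither a name pattern nor a tag grant covers it.
    Matching is case-sensitive, exactly as the three spellings in the FAQ imply."""
    tags = tags or {}
    for rule_kind, actions, patterns in NAME_RULES:
        if rule_kind == kind and action in actions:
            for pattern in patterns:
                if fnmatchcase(name, pattern):
                    return f"name matches {pattern!r}"
    for rule_kind, actions, (key, value) in TAG_RULES:
        if rule_kind == kind and action in actions and tags.get(key) == value:
            return f"tag {key}={value}"
    return None


def check_plan(plan):
    """Return the (kind, action, name) entries of a plan that the role cannot act
    on directly; each of them needs an AMS Cloud Architect consultation or an RFC."""
    return [(kind, action, name)
            for kind, action, name, tags in plan
            if access_reason(kind, action, name, tags) is None]


if __name__ == "__main__":
    # Constructed sample plan for illustration only.
    plan = [
        ("s3", "put", "acme-sagemaker-training-data", {}),
        ("s3", "get", "acme-raw-feeds", {"SageMaker": "true"}),
        ("s3", "put", "acme-raw-feeds", {"SageMaker": "true"}),    # the tag grants Get only
        ("codecommit", "gitpush", "acme-sagemaker-notebooks", {}),
        ("codecommit", "create", "acme-sagemaker-notebooks", {}),  # Create needs the AmazonSageMaker- prefix
    ]
    for item in check_plan(plan):
        print("blocked:", item)
```

Two of the sample entries are blocked on purpose: the `SageMaker=true` tag lets the role read a bucket but not write to it, and a repository whose name merely contains `sagemaker` can be pushed to but not created, because creation requires the `AmazonSageMaker-` prefix.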

**Q: What’s the difference between `AmazonSageMakerFullAccess` and `customer_sagemaker_admin_role`?**

The `customer_sagemaker_admin_role` with the `customer_sagemaker_admin_policy` provides almost the same permissions as `AmazonSageMakerFullAccess`, except for:
+ Permission to connect to AWS RoboMaker, Amazon Cognito, and AWS Glue resources.
+ SageMaker AI endpoint autoscaling. Because autoscaling requires broad access to the CloudWatch service, you must submit an RFC with the Management | Advanced stack components | Identity and Access Management (IAM) | Update entity or policy (managed automation) change type (ct-27tuth19k52b4) to elevate the autoscaling permissions, temporarily or permanently.

**Q: How do I use an AWS KMS customer managed key for data encryption at rest?**

You must ensure that the key policy on the customer managed key grants the related IAM users or roles permission to use the key; the default key policy only delegates to IAM, so a role that is not named in the key policy or allowed by an IAM policy cannot use the key. For more information, see the [AWS KMS Key Policy document](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-users).
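
The practical trap here is that the SageMaker execution roles are a wildcard family (`AmazonSageMaker-ExecutionRole-*`), while a KMS key policy accepts no wildcard in a `Principal` other than a bare `*`, and naming the account root grants the roles nothing by itself. The following added example, not from the AMS documentation, builds a key policy that names each role explicitly, lints it for wildcard principals that KMS would reject, and models the evaluation so you can confirm which callers the key policy alone admits. The account ID, the `service-role/` path on the execution role, and the `kms:CreateGrant` statement (included because SageMaker attaches encrypted EBS volumes, which are authorised through KMS grants) are assumptions for illustration; the role names are the FAQ's.

```python
"""Key policy for a customer managed key used by the SageMaker roles in this
FAQ, with a lint for wildcard principals and a minimal evaluation model.

Added example, not from the AMS documentation. Assumptions: the placeholder
account ID, the `service-role/` path on the execution role, and the CreateGrant
statement for EBS-backed volumes. Conditions are not modelled by the evaluator.
"""
import json
from fnmatch import fnmatchcase

USE_KEY_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]


def sagemaker_cmk_key_policy(account_id, role_arns):
    """Account root keeps administration (this only delegates to IAM policies),
    and every SageMaker role is named explicitly: a key policy Principal may not
    contain a wildcard, so `AmazonSageMaker-ExecutionRole-*` cannot be used here."""
    root = f"arn:aws:iam::{account_id}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableAccountAdministration", "Effect": "Allow",
             "Principal": {"AWS": root}, "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowSageMakerRolesToUseTheKey", "Effect": "Allow",
             "Principal": {"AWS": list(role_arns)}, "Action": USE_KEY_ACTIONS,
             "Resource": "*"},
            {"Sid": "AllowGrantsForAwsResourcesOnly", "Effect": "Allow",
             "Principal": {"AWS": list(role_arns)},
             "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
             "Resource": "*",
             # Grants may only be created on behalf of an AWS service (EBS, here).
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def wildcard_principals(policy):
    """Principals KMS rejects with MalformedPolicyDocumentException: any ARN that
    contains a wildcard other than the bare "*"."""
    bad = set()
    for st in policy["Statement"]:
        aws = st.get("Principal", {}).get("AWS", [])
        for arn in (aws if isinstance(aws, list) else [aws]):
            if arn != "*" and ("*" in arn or "?" in arn):
                bad.add(arn)
    return sorted(bad)


def key_policy_allows(policy, caller_arn, action):
    """Minimal model of key-policy evaluation for a principal in the key's own
    account: an Allow statement applies only when it names the caller (or "*").
    Naming the account root merely delegates to the caller's IAM policy, so a
    role covered only by the root statement is reported as not allowed."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        aws = st["Principal"]["AWS"]
        if aws == "*" or caller_arn in (aws if isinstance(aws, list) else [aws]):
            return True
    return False


if __name__ == "__main__":
    acct = "111122223333"  # placeholder account ID
    roles = [f"arn:aws:iam::{acct}:role/customer_sagemaker_admin_role",
             f"arn:aws:iam::{acct}:role/service-role/AmazonSageMaker-ExecutionRole-20240101T000000"]
    policy = sagemaker_cmk_key_policy(acct, roles)
    assert not wildcard_principals(policy)
    print(json.dumps(policy, indent=2))
```

KMS also validates that every principal in the key policy exists, so create the execution role before applying the policy, and add each new `AmazonSageMaker-ExecutionRole-*` role to it as it is created. Because IAM changes in AMS need approval, the key policy itself is what you attach to the RFC.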

# Use AMS SSP to provision Amazon Simple Email Service in your AMS account
Amazon Simple Email Service

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Simple Email Service (Amazon SES) capabilities directly in your AMS managed account. Amazon Simple Email Service is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification, and transactional emails.

You can use the SMTP interface or one of the AWS SDKs to integrate Amazon SES directly into your existing applications. You can also integrate the email sending capabilities of Amazon SES into the software you already use, such as ticketing systems and email clients.

To learn more, see [Amazon Simple Email Service](https://aws.amazon.com/ses/).

## Amazon SES in AWS Managed Services FAQ


**Q: How do I request access to Amazon SES in my AMS account?**

Request access to Amazon SES by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_ses_admin_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the prerequisites or dependencies to using Amazon SES in my AMS account?**
+ You must configure an S3 bucket policy that allows Amazon SES to publish events to the bucket.
+ You must use the default AWS managed key for Amazon SES, or configure a customer managed key (CMK), so that Amazon SES can encrypt emails and push events to other resources in the account, such as Amazon S3, Amazon SNS, Lambda, and Firehose.
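
A bucket policy that simply allows `ses.amazonaws.com` to write is the classic confused-deputy mistake: any SES rule set in any account can then deliver into your bucket. The following added example, not from the AMS documentation, produces the bucket policy in the shape SES's receipt-rule S3 action requires, with `aws:SourceAccount` and `aws:SourceArn` conditions, and includes a lint that flags service-principal grants lacking those conditions. The bucket name, account ID, Region and rule set name are placeholders.

```python
"""Bucket policy for the S3 bucket Amazon SES writes to, scoped with
confused-deputy conditions, plus a lint for unscoped service-principal grants.

Added example, not from the AMS documentation. The bucket name, account ID,
Region and receipt rule set are placeholders; SES's receipt-rule S3 action is
the delivery path assumed here.
"""
import json


def ses_bucket_policy(bucket, account_id, region, rule_set):
    """Allow the SES service principal to put objects, but only when SES is acting
    for this account and for this receipt rule set."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {"Service": "ses.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                # Both conditions are needed: SourceAccount stops other accounts,
                # SourceArn pins the grant to one rule set within this account.
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn":
                            f"arn:aws:ses:{region}:{account_id}:receipt-rule-set/{rule_set}:receipt-rule/*"},
            },
        }],
    }


def unscoped_service_grants(policy):
    """Sids of Allow statements that grant an AWS service principal access without
    an aws:SourceAccount or aws:SourceArn condition (a confused-deputy risk)."""
    unscoped = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Service" not in st.get("Principal", {}):
            continue
        keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        if not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            unscoped.append(st.get("Sid", "<no Sid>"))
    return unscoped


# Constructed weak policy for comparison: same grant, no scoping conditions.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSESPuts", "Effect": "Allow",
        "Principal": {"Service": "ses.amazonaws.com"},
        "Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-ses-inbound/*",
    }],
}


if __name__ == "__main__":
    good = ses_bucket_policy("acme-ses-inbound", "111122223333", "us-east-1", "default-rule-set")
    print("weak policy unscoped grants:", unscoped_service_grants(WEAK_POLICY))
    print("scoped policy unscoped grants:", unscoped_service_grants(good))
    print(json.dumps(good, indent=2))
```

Because S3 buckets in AMS are created through change types, submit the scoped policy with the bucket RFC rather than adding it afterwards; the lint is also a reasonable gate to run over any bucket policy that names a service principal.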

**Q: What are the restrictions to using Amazon SES in my AMS account?**

You must raise RFCs to create the following resources:
+ An SMTP user, and an IAM service role with PutEvents permission to a Kinesis Data Firehose stream.
+ New AWS resources such as an S3 bucket, Firehose stream, or SNS topic. Create them by using AMS change types so that the destinations of your Amazon SES rules and configuration sets work with those resources.
+ SMTP credentials. To request new SMTP credentials, use the Management | Other | Other | Create change type. AMS creates the credentials and adds them to Secrets Manager for you.

# Use AMS SSP to provision Amazon Simple Workflow Service in your AMS account
Amazon Simple Workflow Service

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Simple Workflow Service (Amazon SWF) capabilities directly in your AMS managed account. Amazon Simple Workflow Service helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud. If your application's steps take more than 500 milliseconds to complete, you need to track the state of processing, or you need to recover or retry if a task fails, Amazon SWF can help you. To learn more, see [Amazon Simple Workflow Service](https://aws.amazon.com/swf/).

## Amazon SWF in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Amazon SWF in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_swf_role`. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon SWF in my AMS account?**

The role includes the Lambda `InvokeFunction` permission; however, the AMS `customer_deny_policy` that is attached to all AMS customer roles explicitly denies access to AMS Lambda functions and other AMS-owned resources. To tag or untag resources within Amazon SWF, submit a Management | Other | Other change type RFC.

**Q: What are the prerequisites or dependencies to using Amazon SWF in my AMS account?**

Amazon SWF is dependent on the AWS Lambda service, therefore, permissions to invoke Lambda have been provided as a part of this role and no additional permissions are required to invoke Lambda from Amazon SWF. Otherwise, there are no prerequisites to using Amazon SWF.

# Use AMS SSP to provision Amazon Textract in your AMS account
Amazon Textract

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Textract capabilities directly in your AMS managed account. Amazon Textract is a fully managed machine learning service that automatically extracts printed text, handwriting, and other data from scanned documents, going beyond simple optical character recognition (OCR) to identify, understand, and extract data from forms and tables. To learn more, see [Amazon Textract](https://aws.amazon.com/textract/).

## Amazon Textract in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request Amazon Textract to be set up in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM roles to your account: `customer_textract_console_role`, `customer_textract_human_review_execution_role`, and `customer_ec2_textract_instance_profile`. Once provisioned in your account, you must onboard the role `customer_textract_console_role` in your federation solution.

**Q: What are the restrictions to using Amazon Textract in my AMS account?**

There are no restrictions for the use of Amazon Textract in your AMS account.

**Q: What are the prerequisites or dependencies to using Amazon Textract in my AMS account?**

You must request the creation of an S3 bucket by submitting a Deployment | Advanced stack components | S3 storage | Create (ct-1a68ck03fn98r) RFC.

# Use AMS SSP to provision Amazon Transcribe in your AMS account
Amazon Transcribe

Use AMS Self-Service Provisioning (SSP) mode to access Amazon Transcribe capabilities directly in your AMS managed account. Amazon Transcribe is a fully managed and continuously trained automatic speech recognition service that automatically generates time-stamped text transcripts from audio files. Amazon Transcribe makes it easy for developers to add speech-to-text capabilities to their applications. Audio data is virtually impossible for computers to search and analyze. Therefore, recorded speech needs to be converted to text before it can be used in applications. Historically, customers had to work with transcription providers that required them to sign expensive contracts and were hard to integrate into their technology stacks to accomplish this task. Many of these providers use outdated technology that does not adapt well to different scenarios, like low-fidelity phone audio common in contact centers, which results in poor accuracy.

Amazon Transcribe uses a deep learning process called automatic speech recognition (ASR) to convert speech into text, quickly and accurately. Amazon Transcribe can be used to transcribe customer service calls, automate closed captioning and subtitling, and generate metadata for media assets to create a fully searchable archive. You can use Amazon Transcribe Medical to add medical speech-to-text capabilities to clinical documentation applications. To learn more, see [Amazon Transcribe](https://aws.amazon.com/transcribe/).

## Amazon Transcribe in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request Amazon Transcribe to be set up in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_transcribe_role`. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Amazon Transcribe in my AMS account?**

You must use `customer-transcribe*` as the prefix for your buckets when working with Amazon Transcribe, unless a Risk Acceptance (RA) specifies otherwise.

You are not able to create an IAM role from within Amazon Transcribe.

You cannot use a service-managed S3 bucket for output data in the default SSPS (if you need this, reach out to your account Cloud Architect).

You must submit a Risk Acceptance if you want to use customer managed KMS keys that do not fall under the AMS namespace.

**Q: What are the prerequisites or dependencies to using Amazon Transcribe in my AMS account?**

The role must have access to the S3 buckets named `customer-transcribe*`. AWS KMS permissions are required in order to use Amazon Transcribe if your S3 buckets are encrypted with KMS keys; if a bucket doesn't need to be encrypted, "KMStranscribeAllow" can be removed.

# Use AMS SSP to provision Amazon WorkSpaces in your AMS account
Amazon WorkSpaces

Use AMS Self-Service Provisioning (SSP) mode to access WorkSpaces capabilities directly in your AMS managed account. WorkSpaces enables you to provision virtual, cloud-based Microsoft Windows or Amazon Linux desktops for your users, known as WorkSpaces. WorkSpaces eliminates the need to procure and deploy hardware or install complex software. You can quickly add or remove users as your needs change. Users access their WorkSpaces by using a client application from a supported device or, for Windows WorkSpaces, a web browser, and they log in by using their existing on-premises Active Directory (AD) credentials.

To learn more, see [Amazon WorkSpaces](https://aws.amazon.com/workspaces/).

## WorkSpaces in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to WorkSpaces in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_workspaces_console_role`. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using WorkSpaces in my AMS account?**

Full functionality of WorkSpaces is available with the Amazon WorkSpaces self-provisioned service role.

**Q: What are the prerequisites or dependencies to using WorkSpaces in my AMS account?**
+ WorkSpaces are limited by AWS Region; therefore, the AD Connector must be configured in the same AWS Region where the WorkSpaces instances are hosted.

  Customers can connect WorkSpaces to customer AD using one of the following two methods:

  1. Using AD connector to proxy authentication to on-premises Active Directory service (preferred):

     Configure Active Directory (AD) Connector in your AMS account prior to integrating your WorkSpaces instance with your on-premises directory service. The AD Connector acts as a proxy for your existing AD users (from your domain) to connect to WorkSpaces using existing on-premises AD credentials. This is preferred because WorkSpaces are directly joined to the customer's on-prem domain, which acts as both Resource and User forest, leading to more control on the customer side.

     For more information, see [ Best Practices for Deploying Amazon WorkSpaces (Scenario 1)](https://docs.aws.amazon.com/whitepapers/latest/best-practices-deploying-amazon-workspaces/scenario-1-using-ad-connector-to-proxy-authentication-to-on-premises-active-directory-service.html).

  1. Using AD Connector with AWS Microsoft AD, Shared Services VPC, and a one-way trust to on-premises:

     You can also authenticate users with your on-premises directory by first establishing a one-way outgoing trust from AMS-managed AD to your on-premises AD. WorkSpaces will join AMS-managed AD using an AD Connector. WorkSpaces access permissions will then be delegated to the WorkSpaces instances through the AMS-managed AD, without the need to establish a two-way trust with your on-premises environment. In this scenario, the User forest will be in the customer AD and the Resource forest will be in the AMS-managed AD (changes to AMS-managed AD can be requested via RFC). Note that the connectivity between WorkSpaces VPC and the MALZ Shared Services VPC running AMS-managed AD is established via Transit Gateway.

     For more information, see [ Best Practices for Deploying Amazon WorkSpaces (Scenario 6)](https://docs.aws.amazon.com/whitepapers/latest/best-practices-deploying-amazon-workspaces/scenario-6-aws-microsoft-ad-shared-services-vpc-and-a-one-way-trust-to-on-premises.html).
**Note**  
The AD Connector can be configured by submitting a Management | Other | Other | Create change type RFC with the prerequisite AD configuration details; for more information, see [Create an AD Connector](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_ad_connector.html). If method 2 is used to create a resource forest in the AMS-managed AD, submit another Management | Other | Other | Create change type RFC in the AMS shared services account, which runs the AMS-managed AD.

# Use AMS SSP to provision AMS Code services in your AMS account
AMS Code services

Use AMS Self-Service Provisioning (SSP) mode to access AMS Code services capabilities directly in your AMS managed account. AMS Code services is a proprietary bundling of AWS code management services as detailed next. You can choose to deploy all of the services in AMS with AMS Code services, or you can deploy them in AMS individually.

AMS Code services includes the following services:
+ AWS CodeCommit: A fully managed [source control](https://aws.amazon.com/devops/source-control) service that hosts secure Git-based repositories. It makes it so teams can collaborate on code in a secure and highly scalable ecosystem. CodeCommit eliminates the need to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools. To learn more, see [AWS CodeCommit](https://aws.amazon.com/codecommit/)

  To deploy this in your AMS account independently of AMS Code services, see [Use AMS SSP to provision AWS CodeCommit in your AMS account](codecommit.md).
+ AWS CodeBuild: A fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. With CodeBuild, you don’t need to provision, manage, and scale your own build servers. CodeBuild scales continuously and processes multiple builds concurrently, so your builds are not left waiting in a queue. You can get started quickly by using prepackaged build environments, or you can create custom build environments that use your own build tools. With CodeBuild, you are charged by the minute for the compute resources you use. To learn more, see [AWS CodeBuild](https://aws.amazon.com/codebuild/)

  To deploy this in your AMS account independently of AMS Code services, see [Use AMS SSP to provision AWS CodeBuild in your AMS account](code-build.md).
+ AWS CodeDeploy: A fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2 and your on-premises servers. AWS CodeDeploy helps you to rapidly release new features, helps you avoid downtime during application deployment, and handles the complexity of updating your applications. You can use AWS CodeDeploy to automate software deployments, eliminating the need for error-prone manual operations. The service scales to match your deployment needs. To learn more, see [AWS CodeDeploy](https://aws.amazon.com/codedeploy/)

  To deploy this in your AMS account independently of AMS Code services, see [Use AMS SSP to provision AWS CodeDeploy in your AMS account](code-deploy.md).
+ AWS CodePipeline: A fully managed [continuous delivery](https://aws.amazon.com/devops/continuous-delivery/) service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process every time there is a code change, based on the release model you define. This enables you to rapidly and reliably deliver features and updates. You can easily integrate AWS CodePipeline with third-party services such as GitHub or with your own custom plugin. With AWS CodePipeline, you only pay for what you use. There are no upfront fees or long-term commitments. To learn more, see [AWS CodePipeline](https://aws.amazon.com/codepipeline/)

  To deploy this in your AMS account independently of AMS Code services, see [Use AMS SSP to provision AWS CodePipeline in your AMS account](code-pipeline.md).

## AMS Code services in AWS Managed Services FAQ


**Q: How do I request access to AMS Code services in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_code_suite_console_role`. After it's provisioned in your account, you must onboard the role in your federation solution. At this time, AMS Operations also deploys the `customer_codebuild_service_role`, `customer_codedeploy_service_role`, and `aws_code_pipeline_service_role` service roles in your account for the CodeBuild, CodeDeploy, and CodePipeline services. If additional IAM permissions are required for the `customer_codebuild_service_role`, submit an AMS service request.

**Note**  
You can also add these services separately; for information, see [Use AMS SSP to provision AWS CodeBuild in your AMS account](code-build.md), [Use AMS SSP to provision AWS CodeDeploy in your AMS account](code-deploy.md), and [Use AMS SSP to provision AWS CodePipeline in your AMS account](code-pipeline.md), respectively.

**Q: What are the restrictions to using AMS Code services in my AMS account?**
+ AWS CodeCommit: The triggers feature of CodeCommit is disabled because it requires rights to create SNS topics. Authenticating directly against CodeCommit is restricted; users should authenticate with the credential helper. Some KMS actions are also restricted: kms:Encrypt, kms:Decrypt, kms:ReEncrypt, kms:GenerateDataKey, kms:GenerateDataKeyWithoutPlaintext, and kms:DescribeKey.
+ CodeBuild: For AWS CodeBuild console admin access, permissions are limited at the resource level; for example, CloudWatch actions are limited to specific resources and the `iam:PassRole` permission is controlled.
+ CodeDeploy: Currently, CodeDeploy supports deployments to Amazon EC2/on-premises only. Deployments to ECS and Lambda through CodeDeploy are not supported.
+ CodePipeline: CodePipeline features, stages, and providers are limited to the following:
  + Deploy Stage: Amazon S3 and AWS CodeDeploy
  + Source Stage: Amazon S3, AWS CodeCommit, Bit Bucket, and GitHub
  + Build Stage: AWS CodeBuild and Jenkins
  + Approval Stage: Amazon SNS
  + Test Stage: AWS CodeBuild, Jenkins, BlazeMeter, Ghost Inspector UI Testing, Micro Focus StormRunner Load, Runscope API Monitoring
  + Invoke Stage: Step Functions and Lambda
**Note**  
AMS Operations deploys the `customer_code_pipeline_lambda_policy` in your account; it must be attached to the Lambda execution role used by the Lambda invoke stage. Provide the name of the Lambda service/execution role that you want this policy attached to. If there is no custom Lambda service/execution role, then AMS creates a new role named `customer_code_pipeline_lambda_execution_role`, which is a copy of `customer_lambda_basic_execution_role` with `customer_code_pipeline_lambda_policy` attached.

**Q: What are the prerequisites or dependencies to using AMS Code services in my AMS account?**
+ CodeCommit: If S3 buckets are encrypted with AWS KMS keys, S3 and AWS KMS are required to use AWS CodeCommit.
+ CodeBuild: If additional IAM permissions are required for the defined AWS CodeBuild service role, request them through an AMS service request.
+ CodeDeploy: None.
+ CodePipeline: None. AWS supported services—AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy—must be launched prior to, or along with, the launch of CodePipeline. However this is done by an AMS engineer.

# Use AMS SSP to provision AWS Amplify in your AMS account
AWS Amplify

Use AMS Self-Service Provisioning (SSP) mode to access AWS Amplify capabilities directly in your AMS managed account. AWS Amplify is a complete solution that lets frontend web and mobile developers build, connect, and host fullstack applications. Amplify provides the flexibility to use the breadth of AWS services as your use cases evolve, and provides products to build fullstack iOS, Android, Flutter, Web, and React Native apps. To learn more, see [AWS Amplify](https://docs.amplify.aws/console).

## AWS Amplify in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request AWS Amplify to be set up in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_amplify_console_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

Additionally, you must provide a Risk Acceptance because AWS Amplify has infrastructure-mutating permissions. To do this, work with your Cloud Service Delivery Manager (CSDM).

**Q: What are the restrictions to using AWS Amplify in my AMS account?**

You must use `amplify*` as the prefix for your buckets when working with Amplify, unless a Risk Acceptance (RA) specifies otherwise.

**Q: What are the prerequisites or dependencies to using AWS Amplify in my AMS account?**

There are no prerequisites for the use of AWS Amplify in your AMS account.

**MALZ environments only**: The default onboarded role for Amplify is `customer_amplify_console_role`. To use a custom role, first deploy the IAM entities. Then, create an additional RFC to add your custom role to the allow list of the Service Control Policy for application accounts.

# Use AMS SSP to provision AWS AppSync
AWS AppSync

Use AMS Self-Service Provisioning (SSP) mode to access AWS AppSync capabilities directly in your AMS managed account. AWS AppSync simplifies application development by letting you create a flexible API to securely access, manipulate, and combine data from one or more data sources. AWS AppSync is a managed service that uses GraphQL to make it easy for applications to get exactly the data they need.

With AWS AppSync, you can build scalable applications, including those requiring real-time updates, on a range of data sources such as NoSQL data stores, relational databases, HTTP APIs, and your custom data sources with AWS Lambda. For mobile and web apps, AWS AppSync additionally provides local data access when devices go offline, and data synchronization with customizable conflict resolution, when they are back online. To learn more, see [AWS AppSync](https://aws.amazon.com/appsync/).

## AWS AppSync in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS AppSync in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM roles to your account: `customer_appsync_service_role` and `customer_appsync_author_role`. Once provisioned in your account, you must onboard the `customer_appsync_author_role` in your federation solution.

**Q: What are the restrictions to using the AWS AppSync?**
+ When creating a data source in AppSync, you must specify the previously created service role (`customer_appsync_service_role`). Creating a new role is not allowed and returns an access denied error.
+ The AppSync roles are configured to restrict permissions on resources whose names carry the `AMS-` or `MC-` prefix, to prevent any modification of AMS infrastructure.

**Q: What are the prerequisites or dependencies to using AWS AppSync?**

AWS AppSync allows multiple other services to be used as a data source. The basic permissions to use them as such are included in the service role (`customer_appsync_service_role`), but you must manually select that service role when you use the service.

# Use AMS SSP to provision AWS App Mesh in your AMS account
AWS App Mesh

Use AMS Self-Service Provisioning (SSP) mode to access AWS App Mesh capabilities directly in your AMS managed account. AWS App Mesh provides application level networking to make it easy for your services to communicate with each other across multiple types of compute infrastructure. App Mesh standardizes how your services communicate, giving you end-to-end visibility and ensuring high-availability for your applications.

AWS App Mesh makes it easy to run services by providing consistent visibility and network traffic controls for services built across multiple types of compute infrastructure. App Mesh removes the need to update application code to change how monitoring data is collected or traffic is routed between services. App Mesh configures each service to export monitoring data and implements consistent communications control logic across your application. This makes it easy to quickly pinpoint the exact location of errors and automatically re-route network traffic when there are failures or when code changes need to be deployed. To learn more, see [AWS App Mesh](https://aws.amazon.com/app-mesh/).

## AWS App Mesh in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS App Mesh in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_app_mesh_console_role`. After it is provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using the AWS App Mesh?**

Full functionality of AWS App Mesh is available in your AMS account.

**Q: What are the prerequisites or dependencies to using AWS App Mesh?**

There are no prerequisites or dependencies to use AWS App Mesh in your AMS account.

# Use AMS SSP to provision AWS Audit Manager in your AMS account
AWS Audit Manager

Use AMS Self-Service Provisioning (SSP) mode to access Audit Manager capabilities directly in your AMS managed account. Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. Audit Manager automates evidence collection to make it easier to assess if your policies, procedures, and activities are operating effectively. When it is time for an audit, Audit Manager helps you manage stakeholder reviews of your controls and helps you build audit-ready reports with significantly less manual effort. To learn more, see [Audit Manager](https://aws.amazon.com/audit-manager/).

## AWS Audit Manager in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS Audit Manager in my AMS account?**

You can request access by submitting the Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) RFC. This RFC provisions the following IAM role in your account: `customer-audit-manager-admin-Role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using AWS Audit Manager?**

There are no restrictions for the use of AWS Audit Manager in your AMS account. Full functionality for AWS Audit Manager is provided.

**Q: What are the prerequisites or dependencies to using AWS Audit Manager?**

1. You need to provide AMS with the S3 bucket where you want reports and assessments to reside.

1. If you want to use encryption with the service, you need to provide AMS with the ARN of the KMS customer managed key (CMK) to use.

1. If you want to send SNS notifications to a topic, you must provide the name or ARN of the topic.

1. **(Optional)** There is an additional prerequisite if you want to enable Organizations as part of your multi-account landing zone in Audit Manager and you want a delegated administrator account: in the description field of the RFC (Management | AWS service | Compatible service | Add), mention that you want to use the delegated administrator account as part of the Audit Manager setup and provide the following details:
   + KMS CMK ARN (used to set up Audit Manager initially)
   + Delegated administrator account ID for Audit Manager to use as part of this multi-account landing zone (can be a MALZ application account)

# Use AMS SSP to provision AWS Batch in your AMS account
AWS Batch

Use AMS Self-Service Provisioning (SSP) mode to access AWS Batch capabilities directly in your AMS managed account. AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources (such as CPU or memory optimized instances) based on the volume and specific resource requirements of the batch jobs submitted. With AWS Batch, there is no need to install and manage batch computing software or server clusters that you use to run your jobs, allowing you to focus on analyzing results and solving problems. To learn more, see [AWS Batch](https://aws.amazon.com/batch/).

## AWS Batch in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS Batch in my AMS account?**

1. To request access to AWS Batch, submit the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) RFC. This RFC provisions the following IAM roles and policies in your account:

IAM roles:
+ `customer_batch_console_role`
+ `customer_batch_ecs_instance_role`
+ `customer_batch_events_service_role`
+ `customer_batch_service_role`
+ `customer_batch_ecs_task_role`

Policies:
+ `customer_batch_console_role_policy`
+ `customer_batch_service_role_policy`
+ `customer_batch_events_service_role_policy`

2. After it's provisioned in your account, you must onboard the role `customer_batch_console_role` in your federation solution.

**Q: What are the restrictions to using AWS Batch?**

When creating the compute environment, you must tag the EC2 instances as `customer_batch` or `customer-batch`. If the instances are not tagged, AWS Batch will not be able to terminate them when the job completes.

**Q: What are the prerequisites or dependencies to using AWS Batch?**

There are no prerequisites or dependencies to use AWS Batch in your AMS account.

# Use AMS SSP to provision AWS Certificate Manager in your AMS account
AWS Certificate Manager

Use AMS Self-Service Provisioning (SSP) mode to access AWS Certificate Manager (ACM) capabilities directly in your AMS managed account. AWS Certificate Manager is a service that lets you provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

With AWS Certificate Manager, you can request a certificate, deploy it on ACM-integrated AWS resources, such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway, and let AWS Certificate Manager handle certificate renewals. It also enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally. Public and private certificates provisioned through AWS Certificate Manager for use with ACM-integrated services are free. You pay only for the AWS resources you create to run your application. With [AWS Private Certificate Authority](https://aws.amazon.com/certificate-manager/private-certificate-authority/), you pay monthly for the operation of the AWS Private CA and for the private certificates you issue. To learn more, see [AWS Certificate Manager - AWS Documentation](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html).

## ACM in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS Certificate Manager in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_acm_create_role`. You can use this role to create and manage ACM certificates. After it's provisioned in your account, you must onboard the role in your federation solution.

ACM certificates can be created using the following change types, even if you haven't added the `customer_acm_create_role` IAM role:
+ [ACM | Create Public Certificate](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-advanced-acm-create-public-certificate.html)
+ [ACM | Create Private Certificate](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-advanced-acm-create-private-certificate.html)
+ [ACM Certificate with additional SANs | Create](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-advanced-acm-certificate-with-additional-sans-create.html)

**Q: What are the restrictions to using the AWS Certificate Manager?**

You must submit a Request for Change (RFC) to AMS to delete or modify existing certificates, because those actions require full admin access (use the Management | Advanced stack components | ACM | Delete certificate change type, ct-1q8q56cmwqj9m). The IAM policy can't exclude rights based on tag names (such as those prefixed `mc` or `ams`), which is why the delete and modify rights are not granted to the self-service role. Certificates do not incur a cost, so deleting unused certificates is not time sensitive.

**Q: What are the prerequisites or dependencies to using Certificate Manager?**

You need an existing public DNS name and the ability to create DNS CNAME records for validation; the DNS zone does not need to be hosted in the managed account.

# Use AMS SSP to provision AWS Private Certificate Authority in your AMS account
AWS Private Certificate Authority

Use AMS Self-Service Provisioning (SSP) mode to access AWS Private Certificate Authority capabilities directly in your AMS managed account. Private certificates are used for identifying and securing communication between connected resources on private networks, such as servers, mobile and IoT devices, and applications. AWS Private CA is a managed private CA service that helps you easily and securely manage the lifecycle of your private certificates. AWS Private CA provides you a highly available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. AWS Private CA extends ACM's certificate management capabilities to private certificates, enabling you to create and manage public and private certificates centrally. You can easily create and deploy private certificates for your AWS resources using the AWS Management Console or the ACM API. For EC2 instances, containers, IoT devices, and on-premises resources, you can easily create and track private certificates and use your own client-side automation code to deploy them. You also have the flexibility to create private certificates and manage them yourself for applications that require custom certificate lifetimes, key algorithms, or resource names. To learn more, see [AWS Private CA](https://aws.amazon.com/certificate-manager/private-certificate-authority/).

## AWS Private CA in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS Private CA in my AMS account?**

Request access by submitting the AWS Services RFC (Management | AWS service | Compatible Service). Through this RFC the following IAM role is provisioned in your account: `customer_acm_pca_role`. Once it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using the AWS Private CA?**

Currently, AWS Resource Access Manager (AWS RAM) cannot be used to share your AWS Private CA cross-account.

**Q: What are the prerequisites or dependencies to using AWS Private CA?**

1. If you plan to create a CRL, you need an S3 bucket to store it in. AWS Private CA automatically deposits the CRL in the Amazon S3 bucket you designate and updates it periodically. The S3 bucket must have the following bucket policy before you can set up a CRL. To request the policy, create an RFC with ct-0fpjlxa808sh2 (Management | Advanced stack components | S3 storage | Update policy) as follows:
+ Provide the S3 bucket name or ARN.
+ Copy the policy below into the RFC and replace `bucket-name` with your desired S3 bucket name.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"acm-pca.amazonaws.com"
         },
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
         ],
         "Resource":[
            "arn:aws:s3:::bucket-name/*",
            "arn:aws:s3:::bucket-name"
         ]
      }
   ]
}
```

2. If the above S3 bucket is encrypted with a KMS key, then the service principal `acm-pca.amazonaws.com` requires permission to use that key. To request the key policy update, create an RFC with ct-3ovo7px2vsa6n (Management | Advanced stack components | KMS key | Update) as follows:
+ Provide the ARN of the KMS key whose policy must be updated.
+ Copy the policy statement below into the RFC and replace `bucket_name` with the name of the S3 bucket from step 1.

```
{
   "Sid":"Allow ACM-PCA use of the key",
   "Effect":"Allow",
   "Principal":{
      "Service":"acm-pca.amazonaws.com"
   },
   "Action":[
      "kms:GenerateDataKey",
      "kms:Decrypt"
   ],
   "Resource":"*",
   "Condition":{
      "StringLike":{
         "kms:EncryptionContext:aws:s3:arn":[
            "arn:aws:s3:::bucket_name/acm-pca-permission-test-key",
            "arn:aws:s3:::bucket_name/acm-pca-permission-test-key-private",
            "arn:aws:s3:::bucket_name/audit-report/*",
            "arn:aws:s3:::bucket_name/crl/*"
         ]
      }
   }
}
```

3. AWS Private CA CRLs don't support the S3 setting "Block public access to buckets and objects granted through new access control lists (ACLs)". You must disable this setting at the S3 account and bucket level to allow AWS Private CA to write CRLs, as described in [How to securely create and store your CRL for ACM Private CA](https://aws.amazon.com/blogs/security/how-to-securely-create-and-store-your-crl-for-acm-private-ca/). To disable it, create a new RFC with ct-0xdawir96cy7k (Management | Other | Other | Update) and attach a Risk Acceptance. If you have any questions on risk acceptance, reach out to your Cloud Architect.
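The two policy documents in steps 1 and 2 have to agree on the bucket name, grant only the `acm-pca.amazonaws.com` service principal, and grant no more than the documented actions; the KMS statement in particular has `Resource: "*"`, so its encryption-context condition is the only thing scoping the key grant to the CRL bucket. The following pre-flight check is an added example, not AMS or AWS code: it parses both documents as you would paste them into the RFCs and reports deviations, including the common mistake of leaving the placeholder in one of them. The bucket name `example-crl-bucket` is a constructed sample.

```python
"""Pre-flight check for the AWS Private CA CRL bucket policy (RFC step 1) and the
KMS key policy statement (RFC step 2).  Added example, not AMS or AWS code."""
import re

PCA_PRINCIPAL = "acm-pca.amazonaws.com"
# Exactly the actions the documented policies grant; anything beyond is a finding.
EXPECTED_S3_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetBucketAcl", "s3:GetBucketLocation"}
EXPECTED_KMS_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
PLACEHOLDERS = {"bucket-name", "bucket_name"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _bucket_from_arn(arn):
    m = re.match(r"^arn:aws:s3:::([^/]+)(?:/.*)?$", arn)
    return m.group(1) if m else None


def check_crl_bucket_policy(policy):
    """Return (bucket_name, findings) for the step-1 bucket policy."""
    findings, buckets = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or principal.get("Service") != PCA_PRINCIPAL:
            findings.append(f"bucket policy principal is not {PCA_PRINCIPAL}")
        extra = set(_as_list(stmt.get("Action", []))) - EXPECTED_S3_ACTIONS
        if extra:
            findings.append(f"unexpected S3 actions: {sorted(extra)}")
        buckets |= {_bucket_from_arn(r) for r in _as_list(stmt.get("Resource", []))}
    if None in buckets or len(buckets) != 1:
        findings.append("bucket policy must reference exactly one S3 bucket (bucket and bucket/*)")
        return None, findings
    bucket = buckets.pop()
    if bucket in PLACEHOLDERS:
        findings.append("bucket-name placeholder was not replaced in the bucket policy")
    return bucket, findings


def check_kms_statement(stmt, bucket):
    """Return findings for the step-2 KMS key policy statement, given the CRL bucket."""
    findings = []
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict) or principal.get("Service") != PCA_PRINCIPAL:
        findings.append(f"KMS statement principal is not {PCA_PRINCIPAL}")
    extra = set(_as_list(stmt.get("Action", []))) - EXPECTED_KMS_ACTIONS
    if extra:
        findings.append(f"unexpected KMS actions: {sorted(extra)}")
    # Resource is "*" in the documented statement, so the encryption-context
    # condition is the only thing scoping the grant to the CRL bucket.
    arns = _as_list(stmt.get("Condition", {}).get("StringLike", {})
                    .get("kms:EncryptionContext:aws:s3:arn", []))
    if not arns:
        findings.append("KMS statement has no kms:EncryptionContext:aws:s3:arn condition")
    for arn in arns:
        if _bucket_from_arn(arn) != bucket:
            findings.append(f"KMS condition ARN {arn} does not match CRL bucket {bucket}")
    return findings


def run_checks(bucket_policy, kms_statement):
    """Check both documents together; an empty list means they match the documented grants."""
    bucket, findings = check_crl_bucket_policy(bucket_policy)
    if bucket is not None:
        findings += check_kms_statement(kms_statement, bucket)
    return findings


# Constructed samples: the documented policies with the placeholder replaced.
BUCKET = "example-crl-bucket"
GOOD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": PCA_PRINCIPAL},
        "Action": sorted(EXPECTED_S3_ACTIONS),
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
    }],
}


def kms_statement_for(bucket):
    """The documented step-2 statement with the given bucket name substituted."""
    return {
        "Sid": "Allow ACM-PCA use of the key",
        "Effect": "Allow",
        "Principal": {"Service": PCA_PRINCIPAL},
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
        "Resource": "*",
        "Condition": {"StringLike": {"kms:EncryptionContext:aws:s3:arn": [
            f"arn:aws:s3:::{bucket}/acm-pca-permission-test-key",
            f"arn:aws:s3:::{bucket}/acm-pca-permission-test-key-private",
            f"arn:aws:s3:::{bucket}/audit-report/*",
            f"arn:aws:s3:::{bucket}/crl/*",
        ]}},
    }


GOOD_KMS_STATEMENT = kms_statement_for(BUCKET)
STALE_KMS_STATEMENT = kms_statement_for("bucket_name")  # placeholder left in by mistake

if __name__ == "__main__":
    print(run_checks(GOOD_BUCKET_POLICY, GOOD_KMS_STATEMENT))   # []
    print(run_checks(GOOD_BUCKET_POLICY, STALE_KMS_STATEMENT))  # four bucket-mismatch findings
```

Run it against the JSON you are about to submit (`json.load` the two files and pass them to `run_checks`); the stale-placeholder case reports one finding per condition ARN, which is the failure mode that otherwise surfaces only when AWS Private CA cannot write the CRL after the RFC has already been executed.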

# Use AMS SSP to provision AWS CloudEndure in your AMS account
AWS CloudEndure

**Note**  
Following the successful launch of AWS Application Migration Service, the CloudEndure Migration service is now end of life in all AWS Regions. We recommend customers use AWS Application Migration Service for lift and shift migrations to GovCloud Regions and to the Commercial Regions. For information, see [What Is AWS Application Migration Service?](https://docs.aws.amazon.com/mgn/latest/ug/what-is-application-migration-service.html).  
If you want to use the AWS Application Migration Service, reach out to your cloud architect (CA) for guidance.

Use AMS Self-Service Provisioning (SSP) mode to access AWS CloudEndure capabilities directly in your AMS managed account. AWS CloudEndure migration simplifies, expedites, and automates large-scale migrations from physical, virtual, and cloud-based infrastructure to AWS. CloudEndure Disaster Recovery (DR) protects against downtime and data loss from any threat, including ransomware and server corruption.

## AWS CloudEndure in AWS Managed Services FAQ


**Q: How do I request access to CloudEndure in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM user to your account: `customer_cloud_endure_user`. After it's provisioned in your account, the access key and secret key for the user are shared in AWS Secrets Manager.

These policies are provisioned to the account as well: `customer_cloud_endure_policy` and `customer_cloud_endure_deny_policy`.

Additionally, you must provide a Risk Acceptance as the CloudEndure DR solution for application integration has infrastructure-mutating permissions. To do this, work with your cloud service delivery manager (CSDM).

**Q: What are the restrictions to using CloudEndure in my AMS account?**

The CloudEndure replication and conversion instances can be launched only in the subnet you specify.

**Q: What are the prerequisites or dependencies to using CloudEndure in my AMS account?**

Share the following via RFC bidirectional correspondence:
+ VPC subnet details for the replication and conversion instances to be launched.
+ The KMS key Amazon Resource Name (ARN) if the EBS volumes are encrypted.

# Use AMS SSP to provision AWS CloudHSM in your AMS account
AWS CloudHSM

Use AMS Self-Service Provisioning (SSP) mode to access AWS CloudHSM capabilities directly in your AMS managed account. AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS, and AWS Marketplace partners, offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. AWS CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. AWS CloudHSM allows you to securely generate, store, and manage cryptographic keys used for data encryption in a way that keys are accessible only by you. To learn more, see [AWS CloudHSM](https://aws.amazon.com/cloudhsm/).

## AWS CloudHSM in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS CloudHSM in my AMS account?**

Utilization of AWS CloudHSM in your AMS account is a two-step process:

1. Request an AWS CloudHSM cluster. Do this by submitting an RFC with the Management | Other | Other | Create (ct-1e1xtak34nx76) change type. Include the following details:
   + AWS Region.
   + VPC ID/ARN. Provide a VPC ID/VPC ARN that is in the same account as the RFC that you submit.
   + Specify at least two Availability Zones for the cluster.
   + Amazon EC2 instance ID that will connect to the HSM cluster.

1. Access the AWS CloudHSM console. Do this by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_cloudhsm_console_role`.

After the role is provisioned in your account, you must onboard it in your federation solution.

**Q: What are the restrictions to using AWS CloudHSM in my AMS account?**

Access to the AWS CloudHSM console doesn't provide you with the ability to create, terminate, or restore your cluster. To do those things, submit a Management | Other | Other | Create (ct-1e1xtak34nx76) change type.

**Q: What are the prerequisites or dependencies to using AWS CloudHSM in my AMS account?**

You must allow TCP traffic on port 2225 from a client Amazon EC2 instance within a VPC, or use Direct Connect or VPN for on-premises servers that need access to the HSM cluster. AWS CloudHSM depends on Amazon EC2 for security groups and network interfaces. For log monitoring or auditing, CloudHSM relies on CloudTrail (AWS API operations) and CloudWatch Logs for all local HSM device activity.

**Q: Who will apply updates to the AWS CloudHSM client and related software libraries?**

You are responsible for applying the library and client updates. You'll want to monitor the [CloudHSM version history](https://docs.aws.amazon.com/cloudhsm/latest/userguide/client-history.html) page for releases, and then apply updates using the [CloudHSM client upgrade](https://docs.aws.amazon.com/cloudhsm/latest/userguide/client-upgrade.html).

**Note**  
Software patches for the HSM appliance are always automatically applied by the AWS CloudHSM service.

# Use AMS SSP to provision AWS CodeBuild in your AMS account
AWS CodeBuild

Use AMS Self-Service Provisioning (SSP) mode to access AWS CodeBuild capabilities directly in your AMS managed account. AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. With CodeBuild, you don’t need to provision, manage, and scale your own build servers. CodeBuild scales continuously and processes multiple builds concurrently, so your builds are not left waiting in a queue. You can get started quickly by using prepackaged build environments, or you can create custom build environments that use your own build tools. With CodeBuild, you are charged by the minute for the compute resources you use. To learn more, see [AWS CodeBuild](https://aws.amazon.com/codebuild/).

**Note**  
To onboard CodeCommit, CodeBuild, CodeDeploy, and CodePipeline with a single RFC, submit the Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type and request the three services: CodeBuild, CodeDeploy and CodePipeline. Then, all three roles, `customer_codebuild_service_role`, `customer_codedeploy_service_role`, and `aws_code_pipeline_service_role` are provisioned in your account. After provisioning in your account, you must onboard the roles in your federation solution.

## CodeBuild in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS CodeBuild in my AMS account?**

Utilization of AWS CodeBuild in your AMS account is a two-step process:

1. Provision the `CodeBuild Service Role` so that the build process can interact with Amazon S3 buckets, Amazon CloudWatch, and CloudWatch Logs log groups.

1. Request access to the CodeBuild console

You can request that both be set up in your AMS account by submitting an RFC with the Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using AWS CodeBuild in my AMS account?**

For AWS CodeBuild console administrator access, permissions are limited at resource level; for example, CloudWatch actions are limited on specific resources and the `iam:PassRole` permission is controlled.

**Q: What are the prerequisites or dependencies to using CodeBuild in my AMS account?**

If additional IAM permissions are required for the defined AWS CodeBuild service role, request them through an AMS service request.

# Use AMS SSP to provision AWS CodeCommit in your AMS account
AWS CodeCommit

**Note**  
AWS has closed new customer access to AWS CodeCommit, effective July 25, 2024. AWS CodeCommit existing customers can continue to use the service as normal. AWS continues to invest in security, availability, and performance improvements for AWS CodeCommit, but we do not plan to introduce new features.  
To migrate AWS CodeCommit Git repositories to other Git providers, reach out to your cloud architect (CA) for guidance. For more information on migrating your Git repositories, see [How to migrate your AWS CodeCommit repository to another Git provider](https://aws.amazon.com/blogs/devops/how-to-migrate-your-aws-codecommit-repository-to-another-git-provider/).

Use AMS Self-Service Provisioning (SSP) mode to access AWS CodeCommit capabilities directly in your AMS managed account. AWS CodeCommit is a fully managed [source control](https://aws.amazon.com/devops/source-control/) service that hosts secure Git-based repositories. It helps teams to collaborate on code in a secure and highly scalable ecosystem. CodeCommit eliminates the need to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools. To learn more, see [AWS CodeCommit](https://aws.amazon.com/codecommit/).

**Note**  
To onboard CodeCommit, CodeBuild, CodeDeploy, and CodePipeline with a single RFC, submit the Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type and request the three services: CodeBuild, CodeDeploy and CodePipeline. Then, all three roles, `customer_codebuild_service_role`, `customer_codedeploy_service_role`, and `aws_code_pipeline_service_role` are provisioned in your account. After provisioning in your account, you must onboard the roles in your federation solution.

## CodeCommit in AWS Managed Services FAQ


**Q: How do I request access to CodeCommit in my AMS account?**

AWS CodeCommit console access and data access are requested through two separate AWS service RFCs:
+ Request console access to AWS CodeCommit by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_codecommit_console_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

  Data access (such as Training and Entity Lists) requires a separate change type for each data source, specifying the S3 data source (mandatory), output bucket (mandatory), and KMS key (optional). There are no limitations to AWS CodeCommit job creation as long as all data sources have been granted access roles. To request data access, submit an RFC with the Management | Other | Other | Create (ct-1e1xtak34nx76) change type.

**Q: What are the restrictions to using AWS CodeCommit in my AMS account?**

The CodeCommit triggers feature is disabled because it carries the right to create SNS topics. Direct authentication against CodeCommit (Git credentials or SSH keys on an IAM user) is restricted; users should authenticate with the AWS CLI credential helper through their federated role. Some KMS actions are also restricted: `kms:Encrypt`, `kms:Decrypt`, `kms:ReEncrypt`, `kms:GenerateDataKey`, `kms:GenerateDataKeyWithoutPlaintext`, and `kms:DescribeKey`.

**Q: What are the prerequisites or dependencies to using AWS CodeCommit in my AMS account?**

If the S3 buckets involved are encrypted with KMS keys, access to both S3 and KMS is required to use AWS CodeCommit.

# Use AMS SSP to provision AWS CodeDeploy in your AMS account
AWS CodeDeploy

Use AMS Self-Service Provisioning (SSP) mode to access AWS CodeDeploy capabilities directly in your AMS managed account. AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers. AWS CodeDeploy helps you to rapidly release new features, helps you avoid downtime during application deployment, and handles the complexity of updating your applications. You can use AWS CodeDeploy to automate software deployments, eliminating the need for error-prone manual operations. The service scales to match your deployment needs. To learn more, see [AWS CodeDeploy](https://aws.amazon.com/codedeploy/).

**Note**  
To onboard CodeCommit, CodeBuild, CodeDeploy, and CodePipeline with a single RFC, submit the Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type and request the three services: CodeBuild, CodeDeploy and CodePipeline. Then, all three roles, `customer_codebuild_service_role`, `customer_codedeploy_service_role`, and `aws_code_pipeline_service_role` are provisioned in your account. After provisioning in your account, you must onboard the roles in your federation solution.

## CodeDeploy in AWS Managed Services FAQ


**Q: How do I request access to CodeDeploy in my AMS account?**

Request access to CodeDeploy by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles to your account: `customer_codedeploy_console_role` and `customer_codedeploy_service_role`. After they're provisioned in your account, you must onboard the `customer_codedeploy_console_role` role in your federation solution.

**Q: What are the restrictions to using CodeDeploy in my AMS account?**

Currently, only the Amazon EC2/On-premises compute platform is supported. Blue/green deployments are not supported.

**Q: What are the prerequisites or dependencies to using CodeDeploy in my AMS account?**

There are no prerequisites or dependencies to use CodeDeploy in your AMS account.

# Use AMS SSP to provision AWS CodePipeline in your AMS account
AWS CodePipeline

Use AMS Self-Service Provisioning (SSP) mode to access AWS CodePipeline capabilities directly in your AMS managed account. AWS CodePipeline is a fully managed [continuous delivery](https://aws.amazon.com/devops/continuous-delivery/) service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process every time there is a code change, based on the release model you define. This enables you to rapidly and reliably deliver features and updates. You can easily integrate AWS CodePipeline with third-party services such as GitHub or with your own custom plugin. With AWS CodePipeline, you only pay for what you use. There are no upfront fees or long-term commitments. To learn more, see [AWS CodePipeline](https://aws.amazon.com/codepipeline/).

**Note**  
To onboard CodeCommit, CodeBuild, CodeDeploy, and CodePipeline with a single RFC, submit the Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type and request the three services: CodeBuild, CodeDeploy and CodePipeline. Then, all three roles, `customer_codebuild_service_role`, `customer_codedeploy_service_role`, and `aws_code_pipeline_service_role` are provisioned in your account. After provisioning in your account, you must onboard the roles in your federation solution.  
CodePipeline in AMS does not support "Amazon CloudWatch Events" for the Source stage because it needs elevated permissions to create the service role and policy, which bypasses the least-privilege model and the AMS change management process.

## CodePipeline in AWS Managed Services FAQ


**Q: How do I request access to CodePipeline in my AMS account?**

Request access to CodePipeline by submitting a service request for the `customer_code_pipeline_console_role` in the relevant account. After it's provisioned in your account, you must onboard the role in your federation solution.

At this time, AMS Operations will also deploy this service role in your account: `aws_code_pipeline_service_role_policy`.

**Q: What are the restrictions to using CodePipeline in my AMS account?**

CodePipeline features, stages, and providers are limited to the following:

1. Deploy Stage: Limited to Amazon S3, and AWS CodeDeploy

1. Source Stage: Limited to Amazon S3, AWS CodeCommit, BitBucket, and GitHub

1. Build Stage: Limited to AWS CodeBuild, and Jenkins

1. Approval Stage: Limited to Amazon SNS

1. Test Stage: Limited to AWS CodeBuild, Jenkins, BlazeMeter, Ghost Inspector UI Testing, Micro Focus StormRunner Load, and Runscope API Monitoring

1. Invoke Stage: Limited to Step Functions, and Lambda
**Note**  
AMS Operations will deploy `customer_code_pipeline_lambda_policy` in your account; it must be attached with the Lambda execution role for Lambda invoke stage. Please provide the Lambda service/execution role name that you want this policy added with. If there is no custom Lambda service/execution role, AMS will create a new role named `customer_code_pipeline_lambda_execution_role`, which will be a copy of `customer_lambda_basic_execution_role` along with `customer_code_pipeline_lambda_policy`.
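Because a pipeline that uses an unsupported provider or CloudWatch Events change detection is rejected at RFC time, it helps to validate the pipeline definition before submitting it. The following validator is an added example, not AMS or AWS code: it walks the `pipeline` structure returned by `aws codepipeline get-pipeline`, checks every action's `actionTypeId` category and provider against the list above, and flags a CodeCommit or S3 source action that has `PollForSourceChanges` set to `false` (the console's way of enabling CloudWatch Events detection; treating an omitted value as polling is my assumption). Provider identifiers for the AWS-owned providers and `Manual` approval are the ones CodePipeline uses; the third-party names are transcribed from the FAQ and may need adjusting to the exact provider ID your integration uses. The pipeline and the account ID `111122223333` are constructed samples.

```python
"""Validate a CodePipeline definition against the AMS stage/provider limits.
Added example, not AMS or AWS code."""
import copy

# Category -> permitted providers, transcribed from the FAQ list above.  AWS-owned
# provider IDs and "Manual" are CodePipeline's own; third-party names are as the
# FAQ spells them (assumption: adjust to your integration's provider ID).
ALLOWED_PROVIDERS = {
    "Deploy": {"S3", "CodeDeploy"},
    "Source": {"S3", "CodeCommit", "Bitbucket", "GitHub"},
    "Build": {"CodeBuild", "Jenkins"},
    "Approval": {"Manual"},  # manual approval notifying an SNS topic
    "Test": {"CodeBuild", "Jenkins", "BlazeMeter", "GhostInspector",
             "StormRunnerLoad", "Runscope"},
    "Invoke": {"StepFunctions", "Lambda"},
}
# Sources that can be switched between polling and CloudWatch Events detection.
EVENT_CAPABLE_SOURCES = {"CodeCommit", "S3"}


def validate_pipeline(pipeline):
    """Return a list of findings; empty means every action is within the AMS limits."""
    findings = []
    for stage in pipeline.get("stages", []):
        for action in stage.get("actions", []):
            type_id = action.get("actionTypeId", {})
            category, provider = type_id.get("category"), type_id.get("provider")
            where = f"{stage.get('name')}/{action.get('name')}"
            allowed = ALLOWED_PROVIDERS.get(category)
            if allowed is None:
                findings.append(f"{where}: category {category} is not available in AMS")
            elif provider not in allowed:
                findings.append(f"{where}: provider {provider} is not permitted in a {category} stage")
            if category == "Source" and provider in EVENT_CAPABLE_SOURCES:
                # Assumption: an omitted PollForSourceChanges means polling (the CLI default).
                poll = str(action.get("configuration", {}).get("PollForSourceChanges", "true")).lower()
                if poll == "false":
                    findings.append(f"{where}: CloudWatch Events change detection is not supported; "
                                    f"set PollForSourceChanges to true")
    return findings


def _action(name, category, provider, **configuration):
    """Build the actionTypeId/configuration shape used in get-pipeline output."""
    return {"name": name,
            "actionTypeId": {"category": category, "owner": "AWS", "provider": provider, "version": "1"},
            "configuration": configuration}


# Constructed sample: two violations (event-based source detection, ECS deploy provider).
SAMPLE_PIPELINE = {
    "name": "example-app-pipeline",
    "stages": [
        {"name": "Source", "actions": [_action("Checkout", "Source", "CodeCommit",
                                               RepositoryName="example-repo", BranchName="main",
                                               PollForSourceChanges="false")]},
        {"name": "Build", "actions": [_action("Compile", "Build", "CodeBuild",
                                              ProjectName="example-build")]},
        {"name": "Approve", "actions": [_action("Gate", "Approval", "Manual",
                                                NotificationArn="arn:aws:sns:us-east-1:111122223333:example-topic")]},
        {"name": "Deploy", "actions": [_action("Rollout", "Deploy", "ECS",
                                               ClusterName="example-cluster")]},
    ],
}


def remediated(pipeline):
    """Copy of the sample with both findings fixed: polling on, CodeDeploy instead of ECS."""
    fixed = copy.deepcopy(pipeline)
    fixed["stages"][0]["actions"][0]["configuration"]["PollForSourceChanges"] = "true"
    deploy = fixed["stages"][3]["actions"][0]
    deploy["actionTypeId"]["provider"] = "CodeDeploy"
    deploy["configuration"] = {"ApplicationName": "example-app", "DeploymentGroupName": "example-dg"}
    return fixed


if __name__ == "__main__":
    for finding in validate_pipeline(SAMPLE_PIPELINE):
        print(finding)                                  # two findings
    print(validate_pipeline(remediated(SAMPLE_PIPELINE)))  # []
```

To use it on a real definition, run `aws codepipeline get-pipeline --name <name>`, `json.load` the output, and pass its `"pipeline"` element to `validate_pipeline`; a clean result does not replace the RFC review, but it removes the round trip for the two mistakes the FAQ calls out.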

**Q: What are the prerequisites or dependencies to using CodePipeline in my AMS account?**

The supporting AWS services (AWS CodeCommit, AWS CodeBuild, and AWS CodeDeploy) must be provisioned before, or together with, CodePipeline.

# Use AMS SSP to provision AWS Compute Optimizer in your AMS account
AWS Compute Optimizer

Use AMS Self-Service Provisioning (SSP) mode to access AWS Compute Optimizer capabilities directly in your AMS managed account. AWS Compute Optimizer recommends optimal AWS Compute resources for your workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics. Over-provisioning compute (Amazon EC2 and ASGs) can lead to unnecessary infrastructure cost and under-provisioning compute can lead to poor application performance. Compute Optimizer helps you choose the optimal Amazon EC2 instance types, including those that are part of an Amazon EC2 Auto Scaling group, based on your utilization data. To learn more, see [AWS Compute Optimizer](https://aws.amazon.com/compute-optimizer/).

## Compute Optimizer in AWS Managed Services FAQ


**Q: How do I request access to Compute Optimizer in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_compute_optimizer_readonly_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Compute Optimizer in my AMS account?**

There are no restrictions. Full functionality of AWS Compute Optimizer is available in your AMS account.

**Q: What are the prerequisites or dependencies to using Compute Optimizer in my AMS account?**
+ You must submit an RFC (Management | Other | Other | Update) authorizing AMS Ops to enable the service in the account. During deployment, a service-linked role (SLR) is created to allow metrics gathering and report generation. The SLR is named "AWSServiceRoleForComputeOptimizer". For more information, see [Using Service-Linked Roles for AWS Compute Optimizer](https://docs.aws.amazon.com/compute-optimizer/latest/ug/using-service-linked-roles.html).
+ CloudWatch metrics must be enabled for the following metrics:
  + **CPU utilization**: The percentage of allocated Amazon EC2 compute units that are in use on the instance. This metric identifies the processing power required to run an application on a selected instance.
  + **Memory utilization**: The amount of memory that has been used in some way during the sample period. This metric identifies the memory required to run an application on a selected instance. Memory utilization is analyzed only for resources that have the unified CloudWatch agent installed on them. For more information, see Enabling Memory Utilization with the CloudWatch Agent in the AWS Compute Optimizer User Guide.
  + **Network in**: The number of bytes received on all network interfaces by the instance. This metric identifies the volume of incoming network traffic to a single instance.
  + **Network out**: The number of bytes sent out on all network interfaces by the instance. This metric identifies the volume of outgoing network traffic from a single instance.
  + **Local disk input/output (I/O)**: The number of input/output operations for the local disk. This metric identifies the performance of the root volume of an instance.

# Use AMS SSP to provision AWS DataSync in your AMS account
AWS DataSync

Use AMS Self-Service Provisioning (SSP) mode to access AWS DataSync capabilities directly in your AMS managed account. AWS DataSync moves large amounts of data online between on-premises storage and Amazon S3, Amazon Elastic File System (Amazon EFS), or Amazon FSx. Manual tasks related to data transfers can slow down migrations and burden IT operations. DataSync eliminates or automatically handles many of these tasks, including scripting copy jobs, scheduling and monitoring transfers, validating data, and optimizing network utilization. The DataSync software agent connects to your Network File System (NFS) and Server Message Block (SMB) storage, so you don't have to modify your applications. DataSync can transfer hundreds of terabytes and millions of files at speeds up to 10 times faster than open-source tools, over the internet or AWS Direct Connect links. You can use DataSync to migrate active data sets or archives to AWS, transfer data to the cloud for timely analysis and processing, or replicate data to AWS for business continuity.

To learn more, see [AWS DataSync](https://aws.amazon.com/datasync/).

## DataSync in AWS Managed Services FAQ


**Q: How do I request access to DataSync in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_datasync_console_role`.

After it's provisioned in your account, you must onboard the role in your federation solution.

The CloudWatch log group to use in order to stream task logs is "/aws/datasync".

**Q: What are the restrictions to using DataSync in my AMS account?**

Full functionality of AWS DataSync is available in your AMS account.

**Q: What are the prerequisites or dependencies to using DataSync in my AMS account?**
+ Amazon S3 ARNs (Amazon Resource Names) are required for all S3 buckets associated with DataSync tasks that will be performed using the DataSync service role `customer_datasync_service_role`.
+ VPC endpoints and security groups for DataSync agents must be requested with an RFC that uses the Management | Other | Other | Create (ct-1e1xtak34nx76) change type before you use VPC endpoints.
+ AWS DataSync agents run in AMS as an appliance. The AWS DataSync agent is patched and updated by the service; for details, see [AWS DataSync FAQ](https://aws.amazon.com/datasync/faqs/).
+ To launch an AWS DataSync agent, submit an RFC with the Management | Other | Other | Create (ct-1e1xtak34nx76) change type, requesting that the agent be deployed. Provide the AWS DataSync Amazon EC2 AMI ID, instance type, subnet, and security group, and either reference an existing Amazon EC2 key pair or request the creation of a new key pair.
**Note**  
AMS provisions the AWS DataSync agent manually on behalf of the customer, and doesn't require the WIGS ingestion process on the AWS DataSync Amazon EC2 AMI.

# Use AMS SSP to provision AWS Device Farm in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Device Farm capabilities directly in your AMS managed account. AWS Device Farm is an application testing service that lets you improve the quality of your web and mobile apps by testing them across an extensive range of desktop browsers and real mobile devices, without having to provision and manage any testing infrastructure. The service enables you to run your tests concurrently on multiple desktop browsers or real devices to speed up the execution of your test suite, and generates videos and logs to help you quickly identify issues with your app.

To learn more, see [AWS Device Farm](https://aws.amazon.com/device-farm/).

## AWS Device Farm in AWS Managed Services FAQ


**Q: How do I request access to AWS Device Farm in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_devicefarm_role`.

Once provisioned in your account, you must onboard the roles in your federation solution.

**Q: What are the restrictions to using AWS Device Farm in my AMS account?**

Full access to the AWS Device Farm service is provided, except that you can't use the AMS namespace in the 'Name' tag.

**Q: What are the prerequisites or dependencies to using AWS Device Farm in my AMS account?**

None.

# Use AMS SSP to provision AWS Elastic Disaster Recovery in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Elastic Disaster Recovery capabilities directly in your AMS managed account. AWS Elastic Disaster Recovery minimizes downtime and data loss with fast, reliable recovery of on-premises and cloud-based applications using affordable storage, minimal compute, and point-in-time recovery. You can increase IT resilience when you use AWS Elastic Disaster Recovery to replicate on-premises or cloud-based applications running on supported operating systems. Use the AWS Management Console to configure replication and launch settings, monitor data replication, and launch instances for drills or recovery.

To learn more, see [AWS Elastic Disaster Recovery](https://aws.amazon.com/disaster-recovery/).

## AWS Elastic Disaster Recovery in AWS Managed Services FAQ


**Q: How do I request access to AWS Elastic Disaster Recovery in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_drs_console_role`.

After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using AWS Elastic Disaster Recovery in my AMS account?**

There are no restrictions on using AWS Elastic Disaster Recovery in your AMS account.

**Q: What are the prerequisites or dependencies to using AWS Elastic Disaster Recovery in my AMS account?**
+ After you have access to the console role, you must initialize the Elastic Disaster Recovery service to create the needed IAM roles within the account.
  + You must submit an RFC with the Management | Applications | IAM instance profile | Create (managed automation) (ct-0ixp4ch2tiu04) change type to create a clone of the `customer-mc-ec2-instance-profile` instance profile and attach the `AWSElasticDisasterRecoveryEc2InstancePolicy` policy. You must specify which machines to attach the new policy to.
  + If the instance isn't using the default instance profile, then AMS can attach `AWSElasticDisasterRecoveryEc2InstancePolicy` through automation.
+ You must use a customer-owned KMS key for cross-account recovery. The source account's KMS key policy must be updated to allow target account access. For more information, see [Share the EBS encryption key with the target account](https://docs.aws.amazon.com/drs/latest/userguide/multi-account.html#multi-account-ebs).
+ The KMS key policy must be updated to allow `customer_drs_console_role` to view the policy if you don't want to switch roles to view it.
+ For cross-account, cross-Region disaster recovery, AMS must set up the source and target account as Trusted Accounts and deploy the [Failback and in-AWS right-sizing roles](https://docs.aws.amazon.com/drs/latest/userguide/trusted-accounts-failback-role.html) through CloudFormation.
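A source-account KMS key policy that covers both KMS prerequisites above, as an added example that is not part of the AMS documentation: one pair of statements lets the target account use the customer-owned key for replicated EBS volumes and snapshots, and the last statement lets `customer_drs_console_role` read the policy without a role switch. The account IDs `111111111111` (source) and `222222222222` (target) are placeholders, the `Sid` strings serve as comments because JSON has none, and the exact set of actions the target account needs is an assumption taken from the usual cross-account EBS key pattern, so check it against the DRS guide linked above before applying.

```json
{
  "Version": "2012-10-17",
  "Id": "drs-cross-account-key-policy",
  "Statement": [
    {
      "Sid": "Keep full key administration in the source account (placeholder ID 111111111111)",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Let the DRS target account (placeholder ID 222222222222) use the key for replicated volumes",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Let the target account create grants, but only on behalf of AWS services such as EBS",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "kms:GrantIsForAWSResource": "true" }
      }
    },
    {
      "Sid": "Let the AMS console role read the key policy without switching roles",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:role/customer_drs_console_role" },
      "Action": [
        "kms:GetKeyPolicy",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

Naming the target account's root as the principal delegates the choice of which principals may use the key to that account's IAM policies; once the DRS roles in the target account are known, narrow the principal to those role ARNs. Because the policy is an IAM change in an AMS account, it still goes through the AMS change management process described at the top of this page.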

# Use AMS SSP to provision AWS Elemental MediaConvert in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Elemental MediaConvert capabilities directly in your AMS managed account. AWS Elemental MediaConvert is a file-based video transcoding service with broadcast-grade features. It enables you to create video-on-demand (VOD) content for broadcast and multiscreen delivery at scale. The service combines advanced video and audio capabilities with a simple web services interface and pay-as-you-go pricing. With AWS Elemental MediaConvert, you can focus on delivering compelling media experiences without having to worry about the complexity of building and operating your own video processing infrastructure.

To learn more, see [AWS Elemental MediaConvert](https://aws.amazon.com/mediaconvert/).

## MediaConvert in AWS Managed Services FAQ


**Q: How do I request access to MediaConvert in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_mediaconvert_author_role`. Once provisioned in your account, you must onboard the role in your federation solution.

A second role, `customer_MediaConvert_Default_Role`, is also provided. MediaConvert uses it to read from the source S3 bucket, write the output to the destination S3 bucket, and invoke the API gateway if you need digital rights management (DRM).

**Q: What are the restrictions to using MediaConvert in my AMS account?**

There are no restrictions for the use of MediaConvert in AMS.

**Q: What are the prerequisites or dependencies to using MediaConvert in my AMS account?**

There are no prerequisites or dependencies to use MediaConvert in your AMS account.

# Use AMS SSP to provision AWS Elemental MediaLive in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Elemental MediaLive capabilities directly in your AMS managed account. AWS Elemental MediaLive is a broadcast-grade live video processing service. It enables you to create high-quality video streams for delivery to broadcast televisions and internet-connected multiscreen devices, like connected TVs, tablets, smartphones, and set-top boxes. The service works by encoding your live video streams in real-time, taking a larger-sized live video source and compressing it into smaller versions for distribution to your viewers. With AWS Elemental MediaLive, you can easily set up streams for both live events and 24x7 channels with advanced broadcasting features, high availability, and pay-as-you-go pricing. AWS Elemental MediaLive lets you focus on creating compelling live video experiences for your viewers without the complexity of building and operating broadcast-grade video processing infrastructure.

To learn more, see [AWS Elemental MediaLive](https://aws.amazon.com/medialive/).

## MediaLive in AWS Managed Services FAQ


**Q: How do I request access to MediaLive in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_medialive_author_role`.

As part of this RFC, a second role, `customer_medialive_service_role`, is deployed into your account. You can assign this role to your MediaLive channels and inputs so that they can interact with other services such as Amazon S3, MediaStore, and CloudWatch Logs.

After the roles are provisioned in your account, you must onboard the roles in your federation solution.

**Q: What are the restrictions to using MediaLive in my AMS account?**

There are no restrictions for the use of MediaLive in AMS.

**Q: What are the prerequisites or dependencies to using MediaLive in my AMS account?**

There are no prerequisites or dependencies to use MediaLive in your AMS account.

# Use AMS SSP to provision AWS Elemental MediaPackage in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Elemental MediaPackage capabilities directly in your AMS managed account. AWS Elemental MediaPackage reliably prepares and protects your video for delivery over the internet. From a single video input, AWS Elemental MediaPackage creates video streams formatted to play on connected TVs, mobile phones, computers, tablets, and game consoles. It makes it easy to implement popular video features for viewers (start-over, pause, rewind, and so on), like those commonly found on DVRs. AWS Elemental MediaPackage can also protect your content using Digital Rights Management (DRM). AWS Elemental MediaPackage scales automatically in response to load, so your viewers will always get a great experience without you having to accurately predict in advance the capacity you’ll need.

To learn more, see [AWS Elemental MediaPackage](https://aws.amazon.com/mediapackage/).

## MediaPackage in AWS Managed Services FAQ


**Q: How do I request access to AWS Elemental MediaPackage in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_mediapackage_author_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

A second role, `customer_mediapackage_service_role`, is also provided; it can be assigned to your MediaLive channels and inputs to interact with other services such as S3 and Secrets Manager.

**Q: What are the restrictions to using MediaPackage in my AMS account?**

There are no restrictions for the use of MediaPackage in AMS.

**Q: What are the prerequisites or dependencies to using MediaPackage in my AMS account?**

There are no prerequisites or dependencies to use MediaPackage in your AMS account.

# Use AMS SSP to provision AWS Elemental MediaStore in your AMS account

**Note**  
After careful consideration, AWS has made the decision to discontinue MediaStore, effective November 13, 2025. If you are an active customer of MediaStore, you can use MediaStore as normal until November 13, 2025, when support for the service will end. After this date, you will no longer be able to use MediaStore or any of the capabilities provided by this service.

Use AMS Self-Service Provisioning (SSP) mode to access AWS Elemental MediaStore capabilities directly in your AMS managed account. AWS Elemental MediaStore is an AWS storage service optimized for media. It gives you the performance, consistency, and low latency required to deliver live streaming video content. AWS Elemental MediaStore acts as the origin store in your video workflow. Its high performance capabilities meet the needs of the most demanding media delivery workloads, combined with long-term, cost-effective storage. To learn more, see [AWS Elemental MediaStore](https://aws.amazon.com/mediastore/).

## MediaStore in AWS Managed Services FAQ


**Q: How do I request access to MediaStore in my AMS account?**

Request access to MediaStore by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_mediastore_author_role`. As part of this RFC, a second role, `MediaStoreAccessLogs`, is deployed into your account; the MediaStore service uses it to log activity in CloudWatch if you choose to enable that feature. After they're provisioned in your account, you must onboard the roles in your federation solution.

At this time, AMS Operations will also deploy this service role in your account: `aws_code_pipeline_service_role_policy`.

**Q: What are the restrictions to using MediaStore in my AMS account?**

There are no restrictions for the use of MediaStore in AMS.

**Q: What are the prerequisites or dependencies to using MediaStore in my AMS account?**

There are no prerequisites or dependencies to use MediaStore in your AMS account.

# Use AMS SSP to provision AWS Elemental MediaTailor in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Elemental MediaTailor capabilities directly in your AMS managed account. AWS Elemental MediaTailor lets video providers insert individually targeted advertising into their video streams without sacrificing broadcast-level quality-of-service. With AWS Elemental MediaTailor, viewers of your live or on-demand video each receive a stream that combines your content with ads personalized to them. But unlike other personalized ad solutions, with AWS Elemental MediaTailor your entire stream – video and ads – is delivered with broadcast-grade video quality to improve the experience for your viewers. AWS Elemental MediaTailor delivers automated reporting based on both client and server-side ad delivery metrics, to accurately measure advertising impressions and viewer behavior. You can easily monetize unexpected high-demand viewing events with no up-front costs using AWS Elemental MediaTailor. It also improves ad delivery rates, helping you make more money from every video, and it works with a wider variety of content delivery networks, ad decision servers, and client devices.

To learn more, see [AWS Elemental MediaTailor](https://aws.amazon.com/mediatailor/).

## MediaTailor in AWS Managed Services FAQ


**Q: How do I request access to MediaTailor in my AMS account?**

Request access to MediaTailor by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer-mediatailor-role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using MediaTailor in my AMS account?**

There are no restrictions for the use of MediaTailor in AMS.

**Q: What are the prerequisites or dependencies to using MediaTailor in my AMS account?**

There are no prerequisites or dependencies to use MediaTailor in your AMS account.

# Use AMS SSP to provision AWS Global Accelerator in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Global Accelerator capabilities directly in your AMS managed account. Global Accelerator is a network layer service in which you create accelerators to improve availability and performance for internet applications used by a global audience. To learn more, see [Global Accelerator](https://aws.amazon.com/global-accelerator/).

## Global Accelerator in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request Global Accelerator to be set up in my AMS account?**

Request access through the submission of the AWS Services RFC (Management | AWS service | Self-provisioned Service). Through this RFC, the following IAM role is provisioned in your account: `customer_global_accelerator_console_role`. Once it's provisioned in your account, you must onboard the console role in your federation solution.

**Q: What are the restrictions to using Global Accelerator in my AMS account?**

Global Accelerator is a global service that supports endpoints in multiple AWS Regions, which are listed in the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

**Q: What are the prerequisites or dependencies to using Global Accelerator in my AMS account?**

When you set up your accelerator with Global Accelerator, you associate the static IP addresses to regional endpoints in one or more AWS Regions. For standard accelerators, the endpoints are Network Load Balancers, Application Load Balancers, Amazon EC2 instances, or Elastic IP addresses. For custom routing accelerators, endpoints are virtual private cloud (VPC) subnets with one or more EC2 instances.

# Use AMS SSP to provision AWS Glue in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Glue capabilities directly in your AMS managed account. AWS Glue is a fully managed extract, transform, and load (ETL) service that helps you to prepare and load your data for analytics. You can create and run an ETL job with a few clicks in the AWS Management Console. You point AWS Glue to your data stored on AWS, and AWS Glue discovers your data and stores the associated metadata (e.g. table definition and schema) in the AWS Glue Data Catalog. Once cataloged, your data is immediately searchable, queryable, and available for ETL actions. To learn more, see [AWS Glue](https://aws.amazon.com/glue/).

## AWS Glue in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request AWS Glue to be set up in my AMS account?**

Request access to AWS Glue by submitting an RFC with the Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM roles to your account:
+ `customer_glue_console_role`
+ `customer_glue_service_role`

The preceding roles include the following attached policies:
+ `customer_glue_secrets_manager_policy`
+ `customer_glue_deny_policy`

After the roles are provisioned in your account, you must onboard them in your federation solution.

For access to Crawlers, Jobs, and Development endpoints (roles needed for specific use cases), submit an RFC with the Deployment | Advanced stack components | Identity and Access Management (IAM) | Create entity or policy (ct-3dpd8mdd9jn1r) change type.

**Q: What are the restrictions to using AWS Glue in my AMS account?**

There are no restrictions. Full functionality of AWS Glue is available in your AMS account. For an interactive environment where you can author and test ETL scripts, use Notebooks in AWS Glue Studio. AWS Glue Interactive Sessions and Job Notebooks are serverless features of AWS Glue that use the AWS Glue service role.

**AWS Glue prior to 2.0:** AWS Glue Notebooks are a non-managed resource that launches Amazon EC2 instances in an account. It's a best practice to launch your own Amazon EC2 instances and install the software necessary to support a notebook environment and development. For more information, see [Tutorial: Set Up a Local Apache Zeppelin Notebook to Test and Debug ETL Scripts](https://docs.aws.amazon.com/glue/latest/dg/dev-endpoint-tutorial-local-notebook.html) and [Using Development Endpoints for Developing Scripts](https://docs.aws.amazon.com/glue/latest/dg/dev-endpoint.html).

**Q: What are the prerequisites or dependencies to using AWS Glue in my AMS account?**

AWS Glue has a dependency on Amazon S3, CloudWatch, and CloudWatch Logs. Transitive dependencies vary based on the data sources and other AWS services that AWS Glue features interact with (for example, Amazon Redshift, Amazon RDS, and Athena).

# Use AMS SSP to provision AWS Lake Formation in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Lake Formation capabilities directly in your AMS managed account. AWS Lake Formation is a service that makes it easy to set up a secure data lake in days. A data lake is a centralized, curated, and secured repository that stores all your data, both in its original form and prepared for analysis. A data lake enables you to break down data silos and combine different types of analytics to gain insights and guide better business decisions.

Creating a data lake with Lake Formation is as simple as defining data sources and what data access and security policies you want to apply. Lake Formation then helps you collect and catalog data from databases and object storage, move the data into your new Amazon S3 data lake, clean and classify your data using machine learning algorithms, and secure access to your sensitive data. Your users can access a centralized data catalog (for details, see [AWS Glue FAQ](https://aws.amazon.com/glue/faqs/#AWS_Glue_Data_Catalog/)) that describes available data sets and their appropriate usage. Your users then leverage these data sets with their choice of analytics and machine learning services, like [Amazon Redshift](https://aws.amazon.com/redshift/), [Amazon Athena](https://aws.amazon.com/athena/), and (in beta) [Amazon EMR](https://aws.amazon.com/emr/) for Apache Spark. Lake Formation builds on the capabilities available in [AWS Glue](https://aws.amazon.com/glue/).

To learn more, see [AWS Lake Formation](https://aws.amazon.com/lake-formation/).

## Lake Formation in AWS Managed Services FAQ


**Q: How do I request access to AWS Lake Formation in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer_lakeformation_data_analyst_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

Additionally, the following two roles are optional:
+ `customer_lakeformation_admin_role`
+ `customer_lakeformation_workflow_role`

For admin permissions, you can choose to onboard the role `customer_lakeformation_admin_role` as part of the same SSPS change type (ct-3qe6io8t6jtny).

If you want to create Blueprints in the AWS Lake Formation console, submit a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type and explicitly request deployment of the `customer_lakeformation_workflow_role`. In the RFC, you must provide the S3 bucket name if the bucket is a source when Blueprints are created. The S3 bucket applies if the Blueprint type is AWS CloudTrail, Classic Load Balancer Logs, or Application Load Balancer Logs.

**Q: What are the restrictions to using AWS Lake Formation in my AMS account?**

Full functionality of Lake Formation is available in AMS.

**Q: What are the prerequisites or dependencies to using AWS Lake Formation in my AMS account?**

Lake Formation integrates with the AWS Glue service, so AWS Glue users can access only the databases and tables on which they have Lake Formation permissions. Additionally, Amazon Athena and Amazon Redshift users can query only the AWS Glue databases and tables on which they have Lake Formation permissions.

# Use AMS SSP to provision AWS Lambda in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Lambda capabilities directly in your AMS managed account. AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume; there is no charge when your code is not running. With Lambda, you can run code for virtually any type of application or back-end service, all with zero administration. Upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services, or call it directly from any web or mobile app. To learn more, see [AWS Lambda](https://aws.amazon.com/lambda/).

## Lambda in AWS Managed Services FAQ


**Q: How do I request access to AWS Lambda in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM roles to your account: `customer_lambda_admin_role` and `customer_lambda_basic_execution_role`. After they're provisioned in your account, you must onboard the roles in your federation solution.

**Q: What are the restrictions to using AWS Lambda in my AMS account?**
+ A Lambda function is designed to be invoked by event sources. For a list of services that can be used as a Lambda event source, see [Using AWS Lambda with Other Services](https://docs.aws.amazon.com/lambda/latest/dg/lambda-services.html). Not all of these services are currently available in AMS accounts. If you require a service that isn't available, then work with your AMS CSDM to file an exception.
+ By default, AMS provides you with a basic Lambda initiation role containing the `AWSLambdaBasicExecutionRole` and `AWSXrayWriteOnlyAccess` permissions; for information, see [AWS Lambda Initiation Role](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html). If you require additional permissions, such as the ability to provision Lambda functions within your AMS VPC, submit an RFC with the Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type.

**Q: What are the prerequisites or dependencies to using AWS Lambda in my AMS account?**

There are no prerequisites or dependencies to get started with AWS Lambda; however, depending on your specific use case, you might require access to other AWS services to create event sources, or additional permissions for your function to perform various actions. If additional permissions are needed, submit an RFC with the Management | AWS service | Self-provisioned service | Add (managed automation) change type (ct-3qe6io8t6jtny).

**Q: What do I need to do to run a Lambda function in any of my accounts?**

To deploy a Lambda function in a core account, use the following guidelines:
+ Make sure that SSPS for AWS Lambda is onboarded.
+ There are no specific restrictions prohibiting this deployment under the AMS responsibilities, as long as your AMS resources are protected and compliant.
+ If you want AMS to create the Lambda function, then you must first use the SSPS role provided for AWS Lambda. Then, if you still want AMS assistance to deploy or support the function, contact your CA and start the out of scope (OOS) process.

# Use AMS SSP to provision AWS License Manager in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS License Manager capabilities directly in your AMS managed account. AWS License Manager integrates with AWS services to simplify the management of licenses across multiple AWS accounts, IT catalogs, and on-premises, through a single AWS account. AWS License Manager lets administrators create customized licensing rules that emulate the terms of their licensing agreements, and then enforces these rules when an instance of Amazon EC2 gets launched. The rules in AWS License Manager enable you to limit a licensing breach by physically stopping the instance from launching or by notifying administrators about the infringement. To learn more, see [AWS License Manager](https://aws.amazon.com/license-manager/).

## License Manager in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request AWS License Manager to be set up in my AMS account?**

Request access to AWS License Manager by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_license_manager_role`. Once the License Manager IAM role is provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using AWS License Manager in my AMS account?**

You're able to associate AWS License Manager rules to the AMIs you own (filtered under "Owned by me"). If you choose to enforce a limit association to an AMI (example: can only support 100 vCPU of this AMI) and exhaust the limit, future launches with that AMI are blocked and return an error stating "No licenses available." This is the intended behavior of this service (not allowing license exhaustion). In the event you exhaust the limit but need to launch the AMI again, you must modify the rule configured in AWS License Manager.

**Q: What are the prerequisites or dependencies to using AWS License Manager in my AMS account?**

There are no prerequisites or dependencies to use AWS License Manager in your AMS account.

# Use AMS SSP to provision AWS Migration Hub in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Migration Hub capabilities directly in your AMS managed account. AWS Migration Hub provides a single location where you can track the progress of application migrations across multiple AWS and partner solutions. Using Migration Hub allows you to choose the AWS and partner migration tools that best fit your needs, while providing visibility into the status of migrations across your application portfolio. Migration Hub also provides key metrics and progress for individual applications, regardless of which tools are being used to migrate them. This allows you to quickly get progress updates across all of your migrations, easily identify and troubleshoot any issues, and reduce the overall time and effort spent on your migration projects. To learn more, see [AWS Migration Hub](https://aws.amazon.com/migration-hub/).

## Migration Hub in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Migration Hub in my AMS account?**

Request access to Migration Hub by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_migrationhub_author_role`. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions for Migration Hub?**

None.

**Q: What are the prerequisites to enable Migration Hub?**

There are no prerequisites to start using Migration Hub in your AMS account. However, permissions outside Migration Hub might be required during the management of the service, such as writing permissions to Amazon S3 to upload server information.

# Use AMS SSP to provision AWS Outposts in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Outposts capabilities directly in your AMS managed account. AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a consistent hybrid experience. AWS Outposts is good for workloads that require low latency access to on-premises systems, local data processing, or local data storage. To learn more, see [AWS Outposts](https://aws.amazon.com/outposts/).

## AWS Outposts in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request AWS Outposts to be set up in my AMS account?**

Request access to AWS Outposts by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_outposts_role`. Once the role is provisioned in your account, you must onboard it in your federation solution.

**Q: What are the restrictions to using AWS Outposts in my AMS account?**

There are no restrictions for the use of AWS Outposts in your AMS account.

**Q: What are the prerequisites or dependencies to using AWS Outposts in my AMS account?**

There are no prerequisites or dependencies to use AWS Outposts in your AMS account.

# Use AMS SSP to provision AWS Resilience Hub in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Resilience Hub capabilities directly in your AMS managed account. AWS Resilience Hub helps you proactively prepare and protect your AWS applications from disruptions. The Resilience Hub offers resiliency assessment and validation that integrate into your software development lifecycle to uncover resiliency weaknesses. Resilience Hub helps you estimate whether or not your applications can meet the recovery time objective (RTO) and recovery point objective (RPO) targets, and helps resolve issues before they are released into production. After you deploy an AWS application into production, you can use Resilience Hub to continue tracking the resiliency posture of your application. If an outage occurs, Resilience Hub sends a notification to the operator to launch the associated recovery process.

## AWS Resilience Hub in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS Resilience Hub in my AMS account?**

Request access to Resilience Hub by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles and policies to your account:

**IAM roles**
+ `customer_resiliencehub_console_role`
+ `customer_resiliencehub_service_role`

**Policies**
+ `customer_resiliencehub_console_policy`
+ `customer_resiliencehub_service_policy`

After the role is provisioned in your account, you must onboard the role `customer_resiliencehub_console_role` in your federation solution.

**Q: What are the restrictions to using AWS Resilience Hub in my AMS account?**

There are no restrictions. Full functionality of Resilience Hub is available in your AMS account.

**Q: What are the prerequisites or dependencies to using AWS Resilience Hub in my AMS account?**

There are no prerequisites or dependencies to use Resilience Hub in your AMS account.

# Use AMS SSP to provision AWS Secrets Manager in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Secrets Manager capabilities directly in your AMS managed account. AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to the Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. Also, the service is extensible to other types of secrets, including API keys and OAuth tokens. To learn more, see [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/).

**Note**  
By default, AMS operators can access secrets in AWS Secrets Manager that are encrypted using the account's default AWS KMS key (CMK). If you want your secrets to be inaccessible to AMS Operations, use a custom CMK, with an AWS Key Management Service (AWS KMS) key policy that defines permissions appropriate to the data stored in the secret.

## Secrets Manager in AWS Managed Services FAQ


**Q: How do I request access to AWS Secrets Manager in my AMS account?**

Request access to Secrets Manager by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM roles to your account: `customer_secrets_manager_console_role` and `customer-rotate-secrets-lambda-role`. The `customer_secrets_manager_console_role` is used as an Admin role to provision and manage the secrets, and `customer-rotate-secrets-lambda-role` is used as the Lambda execution role for the Lambda functions that rotate the secrets. After it's provisioned in your account, you must onboard the `customer_secrets_manager_console_role` role in your federation solution.

**Q: What are the restrictions to using AWS Secrets Manager in my AMS account?**

Full functionality of AWS Secrets Manager is available in your AMS account, along with automatic rotation functionality of secrets. However, note that setting up your rotation using 'Create a new Lambda function to perform rotation' is not supported because it requires elevated permissions to create the CloudFormation stack (IAM Role and Lambda function creation), which bypasses the Change Management process. AMS Advanced only supports 'Use an existing Lambda function to perform rotation' where you manage your Lambda functions to rotate secrets using the AWS Lambda SSPS Admin role. AMS Advanced doesn't create or manage Lambda to rotate the secrets.

**Q: What are the prerequisites or dependencies to using AWS Secrets Manager in my AMS account?**

The following namespaces are reserved for use by AMS and are unavailable as part of direct access to AWS Secrets Manager:
+ `arn:aws:secretsmanager:*:*:secret:ams-shared/*`
+ `arn:aws:secretsmanager:*:*:secret:customer-shared/*`
+ `arn:aws:secretsmanager:*:*:secret:ams/*`

## Sharing keys using Secrets Manager (AMS SSPS)

Sharing secrets with AMS in the plain text of an RFC, service request, or incident report results in an information disclosure incident: AMS redacts that information from the case and requests that you regenerate the keys.

Instead, share secrets through [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) (Secrets Manager) under the `customer-shared` namespace.

![Secrets Manager workflow.](http://docs.aws.amazon.com/managedservices/latest/userguide/images/secretsManager.png)


### Sharing Keys using Secrets Manager FAQ


**Q: What type of secrets must be shared using Secrets Manager?**

A few examples are pre-shared keys for VPN creation, confidential keys such as authentication keys (IAM, SSH), license keys, and passwords.

**Q: How can I share the keys with AMS using Secrets Manager?**

1. Log in to the AWS Management Console using your federated access and the appropriate role:

   for SALZ, the `Customer_ReadOnly_Role`

   for MALZ, `AWSManagedServicesChangeManagementRole`.

1. Navigate to the [AWS Secrets Manager console](https://console.aws.amazon.com/secretsmanager/home) and click **Store a new secret**.

1. Select **Other type of secrets**.

1. Enter the secret value as plain text and use the default KMS encryption. Click **Next**.

1. Enter the secret name and description; the name must always start with **customer-shared/**, for example **customer-shared/mykey2022**. Click **Next**.

1. Leave automatic rotation disabled, and click **Next**.

1. Review and click **Store** to save the secret.

1. Reply to us with the secret name through the Service request, RFC, or incident report, so we can identify and retrieve the secret.

**Q: What permissions are required for sharing the keys using Secrets Manager?**

**SALZ**: Look for the `customer_secrets_manager_shared_policy` managed IAM policy and verify that its policy document is the same as the example below. Confirm that the policy is attached to the `Customer_ReadOnly_Role` IAM role.

**MALZ**: Validate that the `AMSSecretsManagerSharedPolicy` is attached to the `AWSManagedServicesChangeManagementRole` role; that policy allows you the `GetSecretValue` action in the `ams-shared` namespace.

Example:

```
{
  "Action": "secretsmanager:*",
  "Resource": [
    "arn:aws:secretsmanager:*:*:secret:ams-shared/*",
    "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
  ],
  "Effect": "Allow",
  "Sid": "AllowAccessToSharedNameSpaces"
}
```

**Note**  
The requisite permissions are granted when you add AWS Secrets Manager as a self-service provisioned service.
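The reserved namespaces listed under the Secrets Manager prerequisites above and the shared-namespace statement shown here can be checked offline with the following added example, which is not AMS code: it implements IAM-style wildcard matching for the statement's `Resource` patterns and classifies a proposed secret name against the namespace rules (reserved for AMS versus usable for sharing with AMS). The region, account ID and secret names are constructed placeholders.

```python
"""Check which Secrets Manager secrets the AMS shared-namespace statement covers.

Added example, not AMS code. The statement is the one quoted in the FAQ above;
the region, account ID and secret names are constructed placeholders.
"""
import re

# Statement quoted in the FAQ: full Secrets Manager access to the two shared namespaces.
SHARED_NAMESPACE_STATEMENT = {
    "Action": "secretsmanager:*",
    "Resource": [
        "arn:aws:secretsmanager:*:*:secret:ams-shared/*",
        "arn:aws:secretsmanager:*:*:secret:customer-shared/*",
    ],
    "Effect": "Allow",
    "Sid": "AllowAccessToSharedNameSpaces",
}

# Namespaces reserved for AMS; the SSPS console role cannot use them directly.
RESERVED_NAMESPACES = ("ams-shared/", "customer-shared/", "ams/")
# The one namespace used to hand a secret to AMS Operations.
SHARED_WITH_AMS_PREFIX = "customer-shared/"


def iam_wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style match: '*' spans any characters (including ':' and '/'), '?' matches one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(item) -> list:
    return item if isinstance(item, list) else [item]


def statement_allows(statement: dict, action: str, resource_arn: str) -> bool:
    """True when an Allow statement matches both the action and the resource ARN.

    Only Effect/Action/Resource are modelled; Deny statements and Condition keys are not.
    Action names are case-insensitive in IAM, so both sides are lower-cased.
    """
    if statement.get("Effect") != "Allow":
        return False
    actions = [p.lower() for p in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return any(iam_wildcard_match(p, action.lower()) for p in actions) and any(
        iam_wildcard_match(p, resource_arn) for p in resources
    )


def secret_arn(region: str, account_id: str, name: str, suffix: str = "AbCdEf") -> str:
    """Build a secret ARN; Secrets Manager appends a random six-character suffix to the name."""
    return f"arn:aws:secretsmanager:{region}:{account_id}:secret:{name}-{suffix}"


def is_reserved_secret_name(name: str) -> bool:
    """True if the name lands in a namespace reserved for AMS."""
    return name.startswith(RESERVED_NAMESPACES)


def is_valid_shared_secret_name(name: str) -> bool:
    """A secret shared with AMS must sit under customer-shared/ and have a non-empty name."""
    return name.startswith(SHARED_WITH_AMS_PREFIX) and len(name) > len(SHARED_WITH_AMS_PREFIX)


def check_secret(name: str, region: str = "us-east-1", account_id: str = "123456789012") -> dict:
    """Summarise how a proposed secret name behaves under the AMS namespace rules."""
    arn = secret_arn(region, account_id, name)
    return {
        "arn": arn,
        "reserved_for_ams": is_reserved_secret_name(name),
        "shareable_with_ams": is_valid_shared_secret_name(name),
        "covered_by_shared_statement": statement_allows(
            SHARED_NAMESPACE_STATEMENT, "secretsmanager:GetSecretValue", arn
        ),
    }


if __name__ == "__main__":
    for candidate in ("customer-shared/mykey2022", "ams/internal-config", "prod/db-password"):
        print(candidate, check_secret(candidate))
```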

# Use AMS SSP to provision AWS Security Hub CSPM in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Security Hub CSPM capabilities directly in your AMS managed account. AWS Security Hub CSPM provides you with a comprehensive view of your security state within AWS and your compliance with security industry standards and best practices. Security Hub CSPM centralizes and prioritizes security and compliance findings from across AWS accounts, services, and supported third-party partners to help you analyze your security trends and identify the highest priority security issues. To learn more, see [AWS Security Hub CSPM](https://aws.amazon.com/security-hub/).

## Security Hub CSPM in AWS Managed Services FAQ


**Q: How do I request access to AWS Security Hub CSPM in my AMS account?**

Request access to Security Hub CSPM by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_securityhub_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using Security Hub CSPM in my AMS account?**

Archiving functionality has been noted as a potential security and operational risk and is restricted as part of the self-provisioned service Security Hub role.

**Q: What are the prerequisites or dependencies to using AWS Security Hub CSPM in my AMS account?**

There are no prerequisites or dependencies to use AWS Security Hub CSPM in your AMS account.

# Use AMS SSP to provision AWS Service Catalog AppRegistry in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AppRegistry capabilities directly in your AMS managed account. AppRegistry enables application search, reporting, and management actions from a central location. Builders seldom create applications in a single AWS account. They typically separate application resources by lifecycle phases, such as development, test, and production. AppRegistry allows you to group and view all your resource collections across the AWS accounts that you define.

With AppRegistry, you can store your AWS applications, the collection of resources that are associated with your applications, and application attribute groups. To learn more, see [What is AppRegistry](https://docs.aws.amazon.com/servicecatalog/latest/arguide/intro-app-registry.html).

## FAQ: AWS Service Catalog AppRegistry in AMS


**Q: How do I request access to AWS Service Catalog AppRegistry in my AMS account?**

Request access to AppRegistry by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (managed automation) (ct-3qe6io8t6jtny) change type. This RFC provisions the following IAM role to your account: `customer-appregistry-console-role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using AWS Service Catalog AppRegistry in my AMS account?**

Full access to the AppRegistry service is provided with the exception of using the AMS namespace in the `'Name'` tag.

**Q: What are the prerequisites or dependencies to using AWS Service Catalog AppRegistry in my AMS account?**

There are no prerequisites or dependencies to use AppRegistry in your AMS account.

# Use AMS SSP to provision AWS Shield Advanced in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Shield Advanced capabilities directly in your AMS managed account. AWS Shield Advanced is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield Advanced provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced; AMS offers Shield Advanced. To learn more, see [Shield Advanced](https://aws.amazon.com/shield/).

All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring, network and transport layer DDoS attacks that target your website or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.

For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced.

In addition to the network and transport layer protections that come with AWS Shield Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS Shield Response Team (SRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 charges.

## Shield Advanced in AWS Managed Services FAQ


**Q: How do I request access to Shield Advanced in my AMS account?**

Request access to Shield Advanced by submitting an RFC with the Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM roles to your account: `customer_shield_role` and `aws_drt_shield_role`. Once provisioned in your account, you must onboard the roles in your federation solution.

After the roles are deployed into your account, you can use the `customer_shield_role` to confirm your subscription to AWS Shield Advanced in your account.

**Note**  
There is a monthly fee and a one-year commitment associated with the use of AWS Shield Advanced. Additionally, using AWS Shield Advanced in AMS authorizes AMS to escalate to the AWS Shield Response Team (SRT), who may make changes to your web application firewall (AWS WAF) rules during escalated distributed denial of service (DDoS) incidents. These changes are made in coordination with AMS.

**Q: What are the restrictions to using Shield Advanced in my AMS account?**

Although not a restriction, you should understand that using Shield Advanced deploys the `aws_drt_shield_role`, which allows AWS Shield teams (SRT) to make emergency changes to AWS WAF rules inside of AMS accounts during escalated DDoS incidents. This is recommended by AMS for the fastest remediation of DDoS attacks, and would occur after an AMS escalation to the SRT.

**Q: What are the prerequisites or dependencies to using Shield Advanced in my AMS account?**

There are no prerequisites or dependencies to use Shield Advanced in your AMS account.

# Use AMS SSP to provision AWS Snowball Edge in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access Snowball Edge capabilities directly in your AMS managed account. Snowball Edge is a petabyte-scale data transport solution that uses devices designed to be secure to transfer large amounts of data into and out of the AWS Cloud. Snowball Edge addresses common challenges with large-scale data transfers, including high network costs, long transfer times, and security concerns. You can use Snowball Edge to migrate analytics data, genomics data, video libraries, image repositories, and backups, and as part of data center shutdowns, tape replacement, or application migration projects. Transferring data with Snowball Edge is simple, fast, more secure, and can be as little as one-fifth the cost of transferring data by way of high-speed Internet.

With Snowball Edge, you don’t need to write any code or purchase any hardware to transfer your data. Start by using the AWS Management Console to [Create an Import Job](https://docs.aws.amazon.com/snowball/latest/ug/create-import-job.html) for Snowball, and a Snowball device will be automatically shipped to you. Once it arrives, attach the device to your local network, download and run the Snowball Client ("Client") to establish a connection, and then use the Client to select the file directories that you want to transfer to the device. The Client then encrypts and transfers the files to the device at high speed. Once the transfer is complete and the device is ready to be returned, the E Ink shipping label automatically updates and you can track the job status with Amazon Simple Notification Service (Amazon SNS), text messages, or directly in the Console. To learn more, see [AWS Snowball Edge](https://aws.amazon.com/snowball/).

## Snowball Edge in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS Snowball Edge in my AMS account?**

Implementation of Snowball Edge in AMS is a two-step process:

1. Submit a Management | Other | Other | Create (ct-1e1xtak34nx76) change type and request a service role for Snowball Edge for your AMS Account.

1. Request user access by submitting a Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM roles to your account: `customer_snowball_console_role`, `customer_snowball_export_role`, and `customer_snowball_import_role`. After they're provisioned in your account, you must onboard the roles in your federation solution.

**Q: What are the restrictions to using AWS Snowball Edge in my AMS account?**

Full functionality of AWS Snowball Edge is available in your AMS account.

**Q: What are the prerequisites or dependencies to using AWS Snowball Edge in my AMS account?**

You must have the service role account as noted above.

# Use AMS SSP to provision AWS Step Functions in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Step Functions capabilities directly in your AMS managed account. AWS Step Functions is a Web service that enables you to coordinate the components of distributed applications and microservices by using visual workflows. You build applications from individual components that each perform a discrete function, or task, allowing you to scale and change applications quickly. Step Functions provides a reliable way to coordinate components and step through the functions of your application. Step Functions offers a graphical console to visualize the components of your application as a series of steps. It automatically triggers and tracks each step, and retries when there are errors, so your application runs in order and as expected, every time. Step Functions logs the state of each step, so when things do go wrong, you can diagnose and debug problems quickly. To learn more, see [AWS Step Functions](https://aws.amazon.com/step-functions/).

## Step Functions in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS Step Functions in my AMS account?**

Request access to AWS Step Functions by submitting an RFC with the Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_step_functions_role`. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using AWS Step Functions in my AMS account?**

Full functionality of AWS Step Functions is available in your AMS account.

**Q: What are the prerequisites or dependencies to using AWS Step Functions in my AMS account?**

At runtime, the role used by Step Functions must have access to the services used by the step function. For example, a step function could depend on Lambda functions. Someone authoring a step function is likely to be creating Lambda functions at the same time and would have to request access to that service as well.

# Use AMS SSP to provision AWS Systems Manager Parameter Store in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Systems Manager Parameter Store capabilities directly in your AMS managed account. AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name that you specified when you created the parameter. Highly scalable, available, and durable, Parameter Store is backed by the AWS Cloud. To learn more, see [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html).

**Note**  
If you want a dedicated secrets store with lifecycle management, use [Use AMS SSP to provision AWS Secrets Manager in your AMS account](secrets-manager.md) instead of Parameter Store. Secrets Manager helps you meet your security and compliance requirements by enabling you to rotate secrets automatically. Secrets Manager offers built-in integration for MySQL, PostgreSQL, and Amazon Aurora on Amazon RDS, that's extensible to other types of secrets by customizing Lambda functions.

## AWS Systems Manager Parameter Store in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Systems Manager Parameter Store in my AMS account?**

Request access to AWS Systems Manager Parameter Store by submitting an RFC with the Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_systemsmanager_parameterstore_console_role`. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using AWS Systems Manager Parameter Store in my AMS account?**

You are required to use AWS managed keys; the role is restricted from creating custom KMS keys. However, if a custom key is required, submit an RFC to create a customer managed key (CMK) using the Deployment | Advanced Stack Components | KMS Key | Create change type (ct-1d84keiri1jhg), specifying the `customer_systemsmanager_parameterstore_console_role` IAM role as the value for the `IAMPrincipalsRequiringDecryptPermissions` and `IAMPrincipalsRequiringEncryptPermissionsPrincipal` parameters. After the KMS key is created, you can create a SecureString parameter that uses it.

**Q: What are the prerequisites or dependencies to using AWS Systems Manager Parameter Store in my AMS account?**

There are no prerequisites; however, Parameter Store depends on KMS to create SecureString parameters, so that the values stored in Parameter Store can be encrypted and decrypted.

# Use AMS SSP to provision AWS Systems Manager Automation in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Systems Manager Automation capabilities directly in your AMS managed account. AWS Systems Manager Automation simplifies common maintenance and deployment tasks for Amazon Elastic Compute Cloud instances and other AWS resources using runbooks, actions, and service quotas. It enables you to build, run, and monitor automations at scale. A Systems Manager Automation runbook is a type of Systems Manager document that defines the actions that Systems Manager performs on your managed instances. You use a runbook to perform common maintenance and deployment tasks, such as running commands or automation scripts within your managed instances. Systems Manager includes features that help you target large groups of instances by using Amazon Elastic Compute Cloud tags, and velocity controls that help you roll out changes according to the limits you define. Runbooks are written in JavaScript Object Notation (JSON) or YAML. Using the Document Builder in the Systems Manager Automation console, however, you can create a runbook without authoring native JSON or YAML. Alternatively, you can use Systems Manager-provided runbooks with predefined steps that suit your needs. To learn more, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html) in the AWS Systems Manager documentation.

**Note**  
Although Systems Manager Automation supports 20 action types that can be used in a runbook, only a limited number of them are available when you author runbooks for use in your AMS Advanced account. Similarly, only a limited number of Systems Manager-provided runbooks can be used, either directly or from within your own runbook. For details, see the restrictions in the following FAQ.

## AWS Systems Manager Automation in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to Systems Manager Automation in my AMS account?**

Request access to AWS Systems Manager Automation by submitting an RFC with the Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_systemsmanager_automation_console_role`. Once provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the limitations to using AWS Systems Manager Automation in my AMS account?**

You are required to author your runbooks with a limited set of Systems Manager supported automation actions, only to run commands and/or scripts within your managed instances. The actions available to you, along with any restrictions, are outlined below.


**AWS Systems Manager Automation Limitations**  

| Action | Description | Limitation |
| --- | --- | --- |
| aws:assertAwsResourceProperty | Assert an AWS resource state or event state | Only EC2 instances |
| aws:branch | Run conditional automation steps | No limitation |
| aws:createTags | Create tags for AWS resources | Only on SSM automation runbooks that you author |
| aws:executeAutomation | Run another automation | Only automation runbooks that you author |
| aws:executeScript | Run a script | Only scripts that do not make API calls to any service |
| aws:pause | Pause an automation | No limitation |
| aws:runCommand | Run a command on a managed instance | Only with the Systems Manager provided documents AWS-RunShellScript and AWS-RunPowerShellScript |
| aws:sleep | Delay an automation | No limitation |
| aws:waitForAwsResourceProperty | Wait on an AWS resource property | Only EC2 instances |

You can also choose to run a command or script directly with the Systems Manager provided runbooks AWS-RunShellScript and AWS-RunPowerShellScript, using the Run Command feature from within the Systems Manager console. You can also nest these runbooks within your own runbook to add pre- and/or post-validation or more complex automation logic.

The role adheres to the least privilege principle and only provides the permissions required to author, run, and retrieve execution details of runbooks aimed at running commands and/or scripts within your managed instances. It does not provide permissions for any other capabilities of the AWS Systems Manager service. While the feature allows you to author automation runbooks, execution of the runbooks cannot be targeted at AMS-owned resources.
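As an added example (not AWS or AMS code), the following linter checks a runbook, parsed from its JSON, against the limitations table above before you submit it for use under the SSPS role. The sample runbook is constructed, and the checks for API calls inside `aws:executeScript` and for Systems Manager-provided documents in `aws:executeAutomation` are heuristics, not an exact evaluation of the AMS policy.

```python
"""Lint a Systems Manager Automation runbook against the AMS SSPS action limits.

Added example, not AMS or AWS code. The allowed actions and their limits come from
the FAQ table above; the sample runbook is constructed, and the executeScript and
executeAutomation checks are heuristics rather than the exact AMS policy evaluation.
"""
import json

# Actions the AMS SSPS role permits (from the limitations table).
ALLOWED_ACTIONS = {
    "aws:assertAwsResourceProperty", "aws:branch", "aws:createTags",
    "aws:executeAutomation", "aws:executeScript", "aws:pause",
    "aws:runCommand", "aws:sleep", "aws:waitForAwsResourceProperty",
}
# aws:runCommand is limited to these Systems Manager provided command documents.
ALLOWED_RUN_COMMAND_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}
# Resource-property steps are limited to EC2 instances.
EC2_ONLY_ACTIONS = {"aws:assertAwsResourceProperty", "aws:waitForAwsResourceProperty"}
# Heuristic markers of AWS API calls inside an aws:executeScript body (constructed list).
API_CALL_MARKERS = ("boto3", "AWS.", "aws-sdk", ".client(", ".resource(")
# Document-name prefixes reserved for AWS-provided documents (heuristic for "runbooks you author").
AWS_DOCUMENT_PREFIXES = ("aws", "amazon", "amzn")


def lint_runbook(runbook: dict) -> list:
    """Return one finding per violation; an empty list means the runbook stays within the limits."""
    findings = []
    for step in runbook.get("mainSteps", []):
        name = step.get("name", "<unnamed>")
        action = step.get("action", "")
        inputs = step.get("inputs", {})
        if action not in ALLOWED_ACTIONS:
            findings.append(f"{name}: action {action!r} is not available to the AMS SSPS role")
        elif action == "aws:runCommand":
            doc = inputs.get("DocumentName", "")
            if doc not in ALLOWED_RUN_COMMAND_DOCUMENTS:
                findings.append(f"{name}: aws:runCommand is limited to AWS-RunShellScript and "
                                f"AWS-RunPowerShellScript, got {doc!r}")
        elif action in EC2_ONLY_ACTIONS:
            if str(inputs.get("Service", "")).lower() != "ec2":
                findings.append(f"{name}: {action} is limited to EC2 instances, "
                                f"got Service={inputs.get('Service')!r}")
        elif action == "aws:executeAutomation":
            doc = str(inputs.get("DocumentName", ""))
            if doc.lower().startswith(AWS_DOCUMENT_PREFIXES):
                findings.append(f"{name}: aws:executeAutomation is limited to runbooks you author, got {doc!r}")
        elif action == "aws:executeScript":
            script = str(inputs.get("Script", ""))
            if any(marker in script for marker in API_CALL_MARKERS):
                findings.append(f"{name}: aws:executeScript may not call AWS APIs (heuristic match in Script)")
    return findings


# Constructed sample runbook: two steps within the limits, two that violate them.
SAMPLE_RUNBOOK = json.loads("""
{
  "schemaVersion": "0.3",
  "description": "Check that an instance is running, then collect OS details",
  "parameters": {"InstanceId": {"type": "String"}},
  "mainSteps": [
    {
      "name": "assertInstanceRunning",
      "action": "aws:assertAwsResourceProperty",
      "inputs": {
        "Service": "ec2",
        "Api": "DescribeInstanceStatus",
        "InstanceIds": ["{{ InstanceId }}"],
        "PropertySelector": "$.InstanceStatuses[0].InstanceState.Name",
        "DesiredValues": ["running"]
      }
    },
    {
      "name": "collectOsDetails",
      "action": "aws:runCommand",
      "inputs": {
        "DocumentName": "AWS-RunShellScript",
        "InstanceIds": ["{{ InstanceId }}"],
        "Parameters": {"commands": ["uname -r", "cat /etc/os-release"]}
      }
    },
    {
      "name": "installPackage",
      "action": "aws:runCommand",
      "inputs": {"DocumentName": "AWS-ConfigureAWSPackage", "InstanceIds": ["{{ InstanceId }}"]}
    },
    {
      "name": "notify",
      "action": "aws:invokeLambdaFunction",
      "inputs": {"FunctionName": "notify-ops"}
    }
  ]
}
""")


if __name__ == "__main__":
    for finding in lint_runbook(SAMPLE_RUNBOOK):
        print(finding)
```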

**Q: What are the prerequisites or dependencies to using AWS Systems Manager Automation in my AMS account?**

There are no prerequisites; however, you must ensure that your internal processes and/or compliance controls are adhered to while authoring runbooks. We also recommend that you thoroughly test runbooks before running them against production resources.

**Q: Can the Systems Manager policy `customer_systemsmanager_automation_policy` be attached to other IAM roles?**

No, unlike other self-provision enabled services, this policy can only be assigned to the provisioned default role `customer_systemsmanager_automation_console_role`.

Unlike the policies of other SSPS roles, this SSM SSPS policy cannot be shared with other custom IAM roles, because this AMS service is only for running commands or automation scripts within your managed instances. If these permissions were allowed to be attached to other custom IAM roles, potentially with permissions on other services, the scope of allowed actions could extend to managed services, and potentially lower the security posture of your account.

To evaluate any requests for change (RFCs) against our AMS technical standards, work with your respective Cloud Architect or Service Delivery Manager, see [RFC security reviews](https://docs.aws.amazon.com/managedservices/latest/ctref/rfc-security.html).

**Note**  
AWS Systems Manager allows you to use runbooks that are shared with your account. We recommend you exercise caution and perform a due-diligence check when using shared runbooks and make sure to review the content to understand the command/scripts they run before executing the runbooks. For details refer to [Best practices for shared SSM documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-before-you-share.html).

# Use AMS SSP to provision AWS Transfer Family in your AMS account

Use AMS Self-Service Provisioning (SSP) mode to access AWS Transfer Family (Transfer Family) capabilities directly in your AMS managed account. AWS Transfer Family is a fully managed AWS service that enables you to transfer files over Secure File Transfer Protocol (SFTP), into and out of Amazon Simple Storage Service (Amazon S3) storage. SFTP is also known as Secure Shell (SSH) File Transfer Protocol. SFTP is used in data exchange workflows across different industries such as financial services, healthcare, advertising, and retail, among others.

With AWS SFTP, you get access to an SFTP server in AWS without the need to run any server infrastructure. You can use this service to migrate your SFTP-based workflows to AWS while maintaining your end users' clients and configurations as is. You first associate your hostname with the SFTP server endpoint, then add your users and provision them with the right level of access. After you do, your users' transfer requests are serviced directly out of your AWS SFTP server endpoint. To learn more, see [AWS Transfer for SFTP](https://aws.amazon.com/aws-transfer-family), also [Create an SFTP-enabled server](https://docs.aws.amazon.com/transfer/latest/userguide/create-server-sftp.html).

## AWS Transfer for SFTP in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS Transfer for SFTP in my AMS account?**

Request access to AWS Transfer for SFTP by submitting an RFC with the Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). Through this RFC the following IAM roles, and a policy, are provisioned in your account:
+ `customer_transfer_author_role`. This role is designed for you to manage the SFTP service through the console.
+ `customer_transfer_sftp_server_logging_role`. This role is designed to be attached on the SFTP Server. It allows the SFTP server to pull logs into CloudWatch.
+ `customer_transfer_sftp_user_role`. This role is designed to be attached on the SFTP users. It allows the SFTP users to interact with the S3 bucket.
+ `policy customer_transfer_scope_down_policy`. This policy is a scope-down policy that can be applied to the SFTP User to limit their access on the S3 bucket to their home folders.
+ `customer_transfer_sftp_efs_user_role`. This role is designed to be attached on the SFTP users. It allows the SFTP users to interact with the EFS file system.

After it's provisioned in your account, you must onboard the roles in your federation solution.

**Q: What are the restrictions to using AWS Transfer for SFTP in my AMS account?**

AWS Transfer for SFTP configuration is limited to resources without "AMS-" or "MC-" prefixes to prevent any modifications to AMS infrastructure.

**Q: What are the prerequisites or dependencies to using AWS Transfer for SFTP in my AMS account?**
+ You must have an Amazon S3 bucket with a name that contains the keyword "transfer" before creating the AWS Transfer for SFTP server and users.
+ To use a custom identity provider, you must deploy the API Gateway, the Lambda function, and your user repository (AD, Secrets Manager, and so on) yourself. For more information, see [Enable password authentication for AWS Transfer for SFTP using AWS Secrets Manager](https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-for-sftp-using-aws-secrets-manager/) and [Working with Identity Providers](https://docs.aws.amazon.com/transfer/latest/userguide/authenticating-users.html).
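The scope-down policy listed above is the control that keeps one SFTP user out of another user's folder, so it is worth understanding how it is written and testing what it actually permits. The following is an added example, not the content of AMS's `customer_transfer_scope_down_policy` and not AWS or AMS code: the policy body follows the pattern AWS documents for Transfer Family session policies (the `${transfer:HomeBucket}`, `${transfer:HomeFolder}` and `${transfer:HomeDirectory}` variables are resolved by the service at login), and the bucket name `acme-transfer-inbound`, the users `alice` and `bob`, and the object names are constructed for the demonstration. The evaluator models only the subset of IAM semantics this policy uses, and the bucket-name check encodes the two AMS rules from this section (the name must contain "transfer" and must not use the reserved `AMS-`/`MC-` prefixes).

```python
"""Illustrative Transfer Family session ("scope-down") policy plus an offline
check that it confines each SFTP user to their own home folder.

Added example; not AMS's customer_transfer_scope_down_policy and not AWS code.
Bucket, user and object names are constructed for the demonstration.
"""
import fnmatch
import json

# Transfer Family resolves these variables at session time from the user's
# configured HomeDirectory ("/bucket/folder"), so one policy serves every user.
SCOPE_DOWN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]
                }
            },
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                       "s3:GetObjectVersion"],
            "Resource": ["arn:aws:s3:::${transfer:HomeDirectory}/*"],
        },
    ],
}


def validate_ams_transfer_bucket_name(name):
    """AMS prerequisites from this section: the bucket name must contain
    "transfer" and must not carry the reserved AMS-/MC- prefixes."""
    return "transfer" in name and not name.upper().startswith(("AMS-", "MC-"))


def render_for_user(policy, home_directory):
    """Resolve the ${transfer:*} variables for one user, as the service does
    at login. home_directory is the user's HomeDirectory setting, e.g.
    "/acme-transfer-inbound/alice" (assumed layout for this demo)."""
    bucket, _, folder = home_directory.strip("/").partition("/")
    subst = {
        "${transfer:HomeBucket}": bucket,
        "${transfer:HomeFolder}": folder,
        "${transfer:HomeDirectory}": "/".join(p for p in (bucket, folder) if p),
    }
    text = json.dumps(policy)
    for var, value in subst.items():
        text = text.replace(var, value)
    return json.loads(text)


def _matches(patterns, value):
    """IAM-style wildcard match: '*' spans any characters including '/',
    which is what makes 'folder/*' cover nested sub-folders too."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(rendered_policy, action, resource, s3_prefix=None):
    """Minimal evaluator for the IAM subset this policy uses: implicit deny
    unless an Allow statement matches action, resource and, when present, the
    s3:prefix StringLike condition. A request with no s3:prefix key (listing
    the bucket root) cannot satisfy that condition and is denied."""
    for stmt in rendered_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if "s3:prefix" in cond:
            if s3_prefix is None or not _matches(cond["s3:prefix"], s3_prefix):
                continue
        return True
    return False


def check_home_folder_isolation(bucket="acme-transfer-inbound", users=("alice", "bob")):
    """For each user, confirm access to their own folder and no access to
    other users' folders, the bucket root listing, or bucket-level actions."""
    assert validate_ams_transfer_bucket_name(bucket), "bucket name fails AMS prerequisite"
    results = {}
    for user in users:
        policy = render_for_user(SCOPE_DOWN_POLICY, f"/{bucket}/{user}")
        bucket_arn = f"arn:aws:s3:::{bucket}"
        results[user] = {
            "own_object": is_allowed(policy, "s3:GetObject", f"{bucket_arn}/{user}/report.csv"),
            "other_objects": [is_allowed(policy, "s3:GetObject", f"{bucket_arn}/{u}/report.csv")
                              for u in users if u != user],
            "list_own": is_allowed(policy, "s3:ListBucket", bucket_arn, s3_prefix=f"{user}/"),
            "list_root": is_allowed(policy, "s3:ListBucket", bucket_arn, s3_prefix=""),
            "delete_bucket": is_allowed(policy, "s3:DeleteBucket", bucket_arn),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(check_home_folder_isolation(), indent=2))
```

The point of rendering the policy per user rather than reading it once is that the isolation lives entirely in the variable substitution: if a user's HomeDirectory is set to the bucket root, `${transfer:HomeFolder}` resolves to an empty string and the ListBucket condition collapses to `*`, so review the HomeDirectory of every user you create, not only the policy text.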

# Use AMS SSP to provision AWS Transit Gateway in your AMS account
AWS Transit Gateway

Use AMS Self-Service Provisioning (SSP) mode to access AWS Transit Gateway capabilities directly in your AMS managed account. AWS Transit Gateway is a service that enables you to connect your Amazon Virtual Private Clouds (Amazon VPCs) and your on-premises networks to a single gateway. As the number of workloads you run on AWS grows, you need to scale your networks across multiple accounts and Amazon VPCs to keep up. Today, you can connect pairs of Amazon VPCs using peering. However, managing point-to-point connectivity across many Amazon VPCs, without the ability to centrally manage the connectivity policies, can be operationally costly and cumbersome. For on-premises connectivity, you need to attach your AWS VPN to each individual Amazon VPC. This solution can be time consuming to build and hard to manage when the number of VPCs grows into the hundreds. To learn more, see [AWS Transit Gateway](https://aws.amazon.com/transit-gateway/).

## AWS Transit Gateway in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS Transit Gateway in my AMS account?**

Request access to AWS Transit Gateway by submitting an RFC with the Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_tgw_console_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using AWS Transit Gateway in my AMS account?**

Full functionality of AWS Transit Gateway is available in your AMS single-account landing zone account, with the exception of route table modifications for Transit Gateway routing. Request route table changes by submitting a Management | Other | Other | Create change type (ct-1e1xtak34nx76).

**Note**  
This service is only supported for single-account landing zone (SALZ), not multi-account landing zone (MALZ).

**Q: What are the prerequisites or dependencies to using AWS Transit Gateway in my AMS account?**

There are no prerequisites or dependencies to use AWS Transit Gateway in your AMS account.

# Use AMS SSP to provision AWS WAF - Web Application Firewall in your AMS account
AWS WAF

Use AMS Self-Service Provisioning (SSP) mode to access AWS WAF capabilities directly in your AMS managed account. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.

To learn more, see [AWS WAF - Web Application Firewall](https://aws.amazon.com/waf/).

AMS doesn't support monitoring (CloudWatch alarms, events, or MMS alerts) for AWS WAF. Because you create the rules for your own applications, AMS has no application context from which to quantify normal behavior and create meaningful alarms on your behalf; monitoring and alerting on WAF activity is your responsibility.
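Because AMS will not alarm on WAF for you, you need your own view of what the web ACL is blocking. The following is an added example, not AMS or AWS code, of the aggregation a practitioner would run over WAF logs to build that view, and to port later into a CloudWatch Logs Insights query or a Lambda subscriber. The log lines are constructed for the example; they use the field names of the AWS WAF log format (`action`, `terminatingRuleId`, `terminatingRuleType`, `httpRequest.clientIp`, `httpRequest.uri`), with the example account ID and documentation IP ranges. The rule names `SqliBlock` and `XssBlock`, the web ACL name and the threshold values are assumptions for the demonstration.

```python
"""Offline triage of AWS WAF logs: blocks per rule, blocks per client, and a
sliding-window flag for clients whose blocks cluster in time.

Added example, not AMS or AWS code. SAMPLE_WAF_LOG is constructed for the
demonstration (one JSON object per line, as WAF logs are delivered); the
rule names, web ACL name and thresholds are assumptions.
"""
import json
from collections import Counter, defaultdict

ACL = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/app-acl/0000"

# Constructed sample: one client probing /login and /search repeatedly, a
# second client blocked twice ten minutes apart, normal traffic, and one
# truncated line of the kind a log pipeline must tolerate.
SAMPLE_WAF_LOG = f"""\
{{"timestamp":1700000000000,"webaclId":"{ACL}","action":"BLOCK","terminatingRuleId":"SqliBlock","terminatingRuleType":"REGULAR","httpRequest":{{"clientIp":"198.51.100.7","country":"US","uri":"/login","httpMethod":"POST"}}}}
{{"timestamp":1700000005000,"webaclId":"{ACL}","action":"BLOCK","terminatingRuleId":"SqliBlock","terminatingRuleType":"REGULAR","httpRequest":{{"clientIp":"198.51.100.7","country":"US","uri":"/login","httpMethod":"POST"}}}}
{{"timestamp":1700000012000,"webaclId":"{ACL}","action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","httpRequest":{{"clientIp":"203.0.113.9","country":"DE","uri":"/","httpMethod":"GET"}}}}
{{"timestamp":1700000020000,"webaclId":"{ACL}","action":"BLOCK","terminatingRuleId":"XssBlock","terminatingRuleType":"REGULAR","httpRequest":{{"clientIp":"198.51.100.7","country":"US","uri":"/search","httpMethod":"GET"}}}}
{{"timestamp":1700000031000,"webaclId":"{ACL}","action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","httpRequest":{{"clientIp":"192.0.2.44","country":"BR","uri":"/admin","httpMethod":"GET"}}}}
{{"timestamp":1700000045000,"webaclId":"{ACL}","action":"BLOCK","terminatingRuleId":"SqliBlock","terminatingRuleType":"REGULAR","httpRequest":{{"clientIp":"198.51.100.7","country":"US","uri":"/login","httpMethod":"POST"}}}}
{{"timestamp":1700000050000,"webaclId":"{ACL}","action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","httpRequest":{{"clientIp":"203.0.113.9","country":"DE","uri":"/health","httpMethod":"GET"}}}}
truncated delivery batch {{"timestamp":17000006
{{"timestamp":1700000631000,"webaclId":"{ACL}","action":"BLOCK","terminatingRuleId":"XssBlock","terminatingRuleType":"REGULAR","httpRequest":{{"clientIp":"192.0.2.44","country":"BR","uri":"/search","httpMethod":"GET"}}}}
"""


def parse_waf_log(text):
    """Parse newline-delimited JSON into (events, malformed_count). Malformed
    or incomplete records are counted, not raised on, so one bad batch does
    not silence the whole detection."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            event["action"], event["timestamp"], event["httpRequest"]["clientIp"]
        except (ValueError, KeyError, TypeError):
            malformed += 1
            continue
        events.append(event)
    return events, malformed


def summarize_blocks(events):
    """BLOCK decisions per terminating rule and per client IP: the first two
    views to chart, and the natural metrics to alarm on."""
    by_rule, by_client = Counter(), Counter()
    for e in events:
        if e["action"] != "BLOCK":
            continue
        by_rule[e.get("terminatingRuleId", "?")] += 1
        by_client[e["httpRequest"]["clientIp"]] += 1
    return {"by_rule": by_rule, "by_client": by_client}


def flag_clients(events, threshold=3, window_ms=60_000):
    """Return {clientIp: peak_count} for clients whose BLOCKs reach
    `threshold` within any sliding window of `window_ms`. Two blocks ten
    minutes apart are background noise; four in 45 seconds look like a scan."""
    stamps_by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "BLOCK":
            stamps_by_ip[e["httpRequest"]["clientIp"]].append(int(e["timestamp"]))
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window_ms:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def triage(text=SAMPLE_WAF_LOG, threshold=3, window_ms=60_000):
    """One-call summary suitable for a scheduled job or a notebook."""
    events, malformed = parse_waf_log(text)
    summary = summarize_blocks(events)
    summary["flagged_clients"] = flag_clients(events, threshold, window_ms)
    summary["malformed_lines"] = malformed
    return summary


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2, default=dict))
```

Watching `by_rule` over time is also how you catch a rule that suddenly starts blocking legitimate traffic after a deployment, which is the false-positive failure mode AMS cannot detect for you either.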

## AWS WAF in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request AWS WAF to be set up in my AMS account?**

Request access to AWS WAF by submitting an RFC with the Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_waf_role`. After the AWS WAF IAM role is provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using AWS WAF?**

After permissions are provisioned, you have the full functionality of AWS WAF.

**Q: What are the prerequisites or dependencies to using AWS WAF?**

There are no prerequisites or dependencies to use AWS WAF in your AMS account.

# Use AMS SSP to provision AWS Well-Architected Tool in your AMS account
AWS Well-Architected Tool

Use AMS Self-Service Provisioning (SSP) mode to access AWS Well-Architected Tool capabilities directly in your AMS managed account. The AWS Well-Architected Tool helps you review the state of your workloads and compares them to the latest AWS architectural best practices. The tool is based on the [AWS Well-Architected Framework](https://aws.amazon.com/architecture/well-architected/), developed to help cloud architects build secure, high-performing, resilient, and efficient application infrastructure. This framework provides a consistent approach for you to evaluate architectures, has been used in tens of thousands of workload reviews conducted by the AWS solutions architecture team, and provides guidance to help implement designs that scale with application needs over time. To learn more, see [AWS Well-Architected Tool](https://aws.amazon.com/well-architected-tool/).

## AWS WA Tool in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS Well-Architected Tool in my AMS account?**

Request access to AWS Well-Architected Tool by submitting an RFC with the Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM role to your account: `customer_well_architected_tool_console_admin_role`. After it's provisioned in your account, you must onboard the role in your federation solution.

**Q: What are the restrictions to using AWS Well-Architected Tool in my AMS account?**

Full functionality of the AWS Well-Architected Tool is available in your AMS account.

**Q: What are the prerequisites or dependencies to using AWS Well-Architected Tool in my AMS account?**

There are no prerequisites or dependencies to use AWS Well-Architected Tool in your AMS account.

# Use AMS SSP to provision AWS X-Ray in your AMS account
AWS X-Ray

Use AMS Self-Service Provisioning (SSP) mode to access AWS X-Ray (X-Ray) capabilities directly in your AMS managed account. AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture. With X-Ray, you can understand how your application and its underlying services are performing, to identify and troubleshoot the root cause of performance issues and errors. X-Ray provides an end-to-end view of requests as they travel through your application, and shows a map of your application’s underlying components. You can use X-Ray to analyze both applications in development and in production, from simple three-tier applications, to complex microservices applications consisting of thousands of services. To learn more, see [AWS X-Ray](https://aws.amazon.com/xray/).

## X-Ray in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to AWS X-Ray in my AMS account?**

Request access by submitting a Management | AWS service | Self-provisioned service | Add (ct-1w8z66n899dct) change type. This RFC provisions the following IAM role to your account: `customer_xray_console_role`. After it's provisioned in your account, you must onboard the role in your federation solution. Additionally, you must have the `customer_xray_daemon_write_instance_profile` to push data from your Amazon EC2 instances to X-Ray. This instance profile is created when you receive the `customer_xray_console_role`.

You can submit a service request to AMS Operations to assign the `customer_xray_daemon_write_policy` to the existing instance profile, or you can use the instance profile that is created when AMS Operations enables X-Ray for you.

**Q: What are the restrictions to using AWS X-Ray in my AMS account?**

Full functionality of AWS X-Ray is available in your AMS account, except that encryption with a customer managed AWS KMS key requires an RFC. By default, X-Ray encrypts traces and related data at rest. If you need to encrypt data at rest with a KMS key, you can choose either the AWS managed key (aws/xray) or a customer managed key. To use a customer managed key for X-Ray encryption, submit a Management | Other | Other | Create change type (ct-1e1xtak34nx76).

**Q: What are the prerequisites or dependencies to using AWS X-Ray in my AMS account?**

AWS X-Ray depends on Amazon S3, CloudWatch, and CloudWatch Logs, which are already implemented in AMS accounts. Transitive dependencies vary with the data sources and other AWS services that X-Ray features may interact with (for example, Amazon Redshift, Amazon RDS, or Athena).

# Use AMS SSP to provision VM Import/Export in your AMS account
VM Import/Export

Use AMS Self-Service Provisioning (SSP) mode to access VM Import/Export capabilities directly in your AMS managed account. VM Import/Export enables you to import virtual machine images from your existing environment as Amazon EC2 instances and export them back to your on-premises environment. This offering allows you to leverage your existing investment in virtual machines that you have built to meet your IT security, configuration management, and compliance requirements, by bringing those virtual machines into Amazon EC2 as ready-to-use instances. You can also export imported instances back to your on-premises virtualization infrastructure, allowing you to deploy workloads across your IT infrastructure. Note the AMS restrictions on export described in the FAQ below. To learn more, see [VM Import/Export](https://aws.amazon.com/ec2/vm-import/).

## VM Import/Export in AWS Managed Services FAQ


Common questions and answers:

**Q: How do I request access to VM Import/Export in my AMS account?**

Request access to VM Import/Export by submitting an RFC with the Management | AWS service | Self-provisioned service | Add change type (ct-1w8z66n899dct). This RFC provisions the following IAM policy to your account: `customer_vmimport_policy`. After it's provisioned in your account, you must onboard the role that carries this policy in your federation solution.

An additional role, the **VM Import/Export Service** role, is required for the service to perform actions in your account.

**Q: What are the restrictions to using VM Import/Export in my AMS account?**
+ Importing both custom machine images and data volumes is available in AMS VM Import/Export. However, S3 permissions are scoped down to buckets whose names match `customer-vmimport-*`, to limit what the import process can read within the account.
+ Image and snapshot import is supported in AMS VM Import/Export. Instance import isn't available due to security measures.
+ Export functionality, including instance export, is disabled to mitigate the risk of exporting restricted and sensitive data.

**Q: What are the prerequisites or dependencies to using VM Import/Export in my AMS account?**
+ You must provide a supported disk image to import into the AWS environment. For information, see [VM Import/Export Requirements](https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html).
+ VM Import/Export isn't accessible through the AWS console. You must access this service through the AWS CLI, AWS Tools for PowerShell, or the AWS SDKs. Alternatively, you can request an instance profile by submitting change type ct-117rmp64d5mvb: Deployment | Advanced stack components | Identity and Access Management (IAM) | Create EC2 instance profile. This instance profile allows those tools to run the import commands from an instance.