

# Self-service reports


AWS Managed Services (AMS) self-service reports (SSR) is a feature that collects data from various native AWS services and provides access to reports on major AMS offerings. SSR provides information that you can use to support operations, configuration management, asset management, security management, and compliance.

Use SSR to access the reports from the AMS console and report datasets through Amazon S3 buckets (one bucket per account). You can plug the data into your favorite business intelligence (BI) tool to customize the reports based on your unique needs. AMS creates this S3 bucket (S3 bucket name: `ams-reporting-data-a<Account_ID>`) in your primary AWS Region, and the data is shared from the AMS control plane hosted in the us-east-1 Region.

**Important**  
To access this feature, you must have one of the following roles:
+ Multi-Account Landing Zone: **AWSManagedServicesReadOnlyRole**
+ Single-Account Landing Zone: **Customer_ReadOnly_Role**

**Important**  
**Using custom keys with AWS Glue**  
To encrypt your AWS Glue metadata with a customer-managed KMS key, you must perform the following additional steps to allow AMS to aggregate data from the account:

1. Open the AWS Key Management Service console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms), and then choose **Customer Managed Keys**.

1. Select the key ID that you plan to use to encrypt the AWS Glue metadata.

1. Choose the **Aliases** tab, and then choose **Create alias**.

1. In the text box, enter **AmsReportingFlywheelCustomKey**, and then choose **Create alias**.

**Topics**
+ [Internal API operations](internal-apis.md)
+ [Patch report (daily)](daily-patch-report.md)
+ [Backup report (daily)](daily-backup-report.md)
+ [Incident report (weekly)](weekly-incident-report.md)
+ [Billing report (monthly)](monthly-billing.md)
+ [Aggregated reports](aggregated-reports.md)
+ [AMS self-service reports dashboards](ssr-dashboards.md)
+ [Data retention policy](data-retention-policy.md)
+ [Offboard from SSR](offboarding-ssr.md)

# Internal API operations


If you monitor API operations, you might see calls to the following internal-only operations:
+ `GetDashboardUrl`
+ `ListReportsV2`

## Internal API operation: GetDashboardUrl


This operation appears in system logs when invoked by the AMS console. It has no other use case. It is not available for your direct use.

Returns the embedded dashboard URL for the corresponding report. This operation accepts a `dashboardName` returned by `ListReports`.

**Request syntax**

```
HTTP/1.1 200
Content-type: application/json
{
    "dashboardName": "string"
}
```

**Request elements**

**`dashboardName`**: The name of the Quick dashboard that the URL is being requested for. The dashboard name is returned in ListReportsV2.

Type: String

**Response syntax**

```
HTTP/1.1 200
Content-type: application/json
{
  "url": "string"
}
```

**Response elements**

If the action is successful, the service sends back an HTTP 200 response. The following data is returned in JSON format by the service.

**`url`**: Returns the Quick URL for the requested `dashboardName`.

Type: String

**Errors**

For information about the errors that are common to all actions, see [Common errors](https://docs.aws.amazon.com/apigateway/latest/api/CommonErrors.html).

**`BadRequestException`**:

The submitted request is not valid. For example, if the input is incomplete or incorrect. See the accompanying error message for details.

HTTP Status Code: 400

**`NotFoundException`**:

The requested resource is not found. Make sure that the request URI is correct.

HTTP Status Code: 404

**`TooManyRequestsException`**:

The request has reached its throttling limit. Retry after the specified time period.

HTTP Status Code: 429

**`UnauthorizedException`**:

The request is denied because the caller has insufficient permissions.

HTTP Status Code: 401

## Internal API operation: ListReportsV2


This API appears in system logs when invoked by the AMS console. It has no other use case. It is not available for your direct use.

Returns a list of operational reports that are available for a specified account.

**Request syntax**

The request doesn't have a request body.

**Response syntax**

```
HTTP/1.1 200
Content-type: application/json
{
  "reportsList": [
    {
      "dashboard": "string",
      "lastUpdatedTime": "string"
    }
  ],
  "reportsType": "string"
}
```

**Response elements**

If the action is successful, the service sends back an HTTP 200 response. The following data is returned in JSON format by the service.

**`reportsList`**: The list of available operational reports.

Type: Array of Dashboard objects

**`reportsType`**: Indicates whether a report is aggregated across multiple accounts or not.

Type: String

**Errors**

For information about the errors that are common to all actions, see [Common errors](https://docs.aws.amazon.com/apigateway/latest/api/CommonErrors.html).

**`BadRequestException`**:

The submitted request is not valid. For example, the input is incomplete or incorrect. See the accompanying error message for details.

HTTP Status Code: 400

**`NotFoundException`**:

The requested resource is not found. Make sure that the request URI is correct.

HTTP Status Code: 404

**`TooManyRequestsException`**:

The request has reached its throttling limit. Retry after the specified time period.

HTTP Status Code: 429

**`UnauthorizedException`**:

The request is denied because the caller has insufficient permissions.

HTTP Status Code: 401

# Patch report (daily)


**Topics**
+ [](#instance-details-summary-po)
+ [Patch details](#patch-details)
+ [Instances that missed patches](#instances-that-missed-patches)

This is an informational report that helps identify all the instances onboarded to Patch Orchestrator (PO), account status, instance details, maintenance window coverage, maintenance window execution time, stack details, and platform type.

**This dataset provides:**
+ Data on the Production and Non-Production instances of an account. Production and Non-Production stage is derived from the account name and not from the instance tags.
+ Data on the distribution of instances by platform type. The 'N/A' platform type occurs when AWS Systems Manager (SSM) can't get the platform information.
+ Data on the distribution of instance states: the number of instances running, stopped, or terminating.


| **Console Field Name** | **Dataset Field Name** | **Definition** | 
| --- | --- | --- | 
| Access Restrictions | access_restrictions | Regions to which access is restricted |
| Account Id | aws_account_id | AWS Account ID to which the instance ID belongs |
| Admin Account Id | aws_admin_account_id | Trusted AWS Organizations account enabled by you. |
| Account Name | account_name | AWS account name |
| Account Status | account_status | AMS account status |
|  | account_sla | AMS account service commitment |
| Account Type | malz_role | MALZ role |
| Auto Scaling Group Name | instance_asg_name | Name of Auto Scaling Group (ASG) that contains the instance |
| Instance Id | instance_id | ID of EC2 instance |
| Instance Name | instance_name | Name of EC2 instance |
| Instance Patch Group | instance_patch_group | Patch group name used to group instances together and apply the same maintenance window |
| Instance Patch Group Type | instance_patch_group_type | Patch group type |
| Instance Platform Type | instance_platform_type | Operating System (OS) type |
| Instance Platform Name | instance_platform_name | Operating System (OS) name |
| Instance State | instance_state | State within the EC2 instance lifecycle |
| Instance Tags | ec2_tags | The tags associated with the Amazon EC2 instance ID |
| Landing Zone | malz_flag | Flag for MALZ-related account |
| Maintenance Window Coverage | mw_covered_flag | If an instance has at least one enabled maintenance window with a future execution date, then it’s considered covered, otherwise not covered |
| Maintenance Window Execution Datetime | earliest_window_execution_time | Next time the maintenance window is expected to execute |
| Production Account | prod_account | Identifier of AMS prod or non-prod accounts, depending on whether the account name includes the value 'PROD' or 'NONPROD'. |
| Report Datetime | dataset_datetime | The date and time the report was generated. |
| Stack Name | instance_stack_name | Name of stack that contains instance |
| Stack Type | instance_stack_type | AMS stack (AMS infrastructure within customer account) or Customer stack (AMS managed infrastructure that supports customer applications) |

## Patch details


This report provides patch details and maintenance window coverage of various instances.

**This report provides:**
+ Data on patch groups and their types.
+ Data on maintenance windows: duration, cutoff, future dates of maintenance window executions (schedule), and the instances impacted in each window.
+ Data on all the operating systems under the account and the number of instances that each operating system is installed on.


| **Field Name** | **Dataset Field Name** | **Definition** | 
| --- | --- | --- | 
| Report Datetime | dataset_datetime | The date and time the report was generated. |
| Account Id | aws_account_id | AWS Account ID to which the instance ID belongs |
| Account Name | account_name | AWS account name |
| Account Status | account_status | AMS account status |
| Compliant - Critical | compliant_critical | Count of compliant patches with "critical" severity |
| Compliant - High | compliant_high | Count of compliant patches with "high" severity |
| Compliant - Medium | compliant_medium | Count of compliant patches with "medium" severity |
| Compliant - Low | compliant_low | Count of compliant patches with "low" severity |
| Compliant - Informational | compliant_informational | Count of compliant patches with "informational" severity |
| Compliant - Unspecified | compliant_unspecified | Count of compliant patches with "unspecified" severity |
| Compliant - Total | compliant_total | Count of compliant patches (all severities) |
| Instance Id | instance_id | ID of EC2 instance |
| Instance Name | instance_name | Name of EC2 instance |
|  | account_sla | AMS account service tier |
| Instance Platform Type | instance_platform_type | Operating System (OS) type |
| Instance Platform Name | instance_platform_name | Operating System (OS) name |
| Instance Patch Group Type | instance_patch_group_type | DEFAULT: default patch group with default maintenance window, determined by the AMSDefaultPatchGroup:True tag on the instance; CUSTOMER: customer-created patch group; NOT_ASSIGNED: no patch group assigned |
| Instance Patch Group | instance_patch_group | Patch group name used to group instances together and apply the same maintenance window |
| Instance State | instance_state | State within the EC2 instance life cycle |
| Instance Tags | ec2_tags | The tags associated with the Amazon EC2 instance ID |
| Last Execution Maintenance Window | last_execution_window | The latest time the maintenance window was executed |
| Maintenance Window Id | window_id | Maintenance window ID |
| Maintenance Window State | window_state | Maintenance window state |
| Maintenance Window Type | window_type | Maintenance window type |
| Maintenance Window Next Execution Datetime | window_next_execution_time | Next time the maintenance window is expected to execute |
| Maintenance Window Duration (hrs) | window_duration | The duration of the maintenance window in hours |
| Maintenance Window Coverage | mw_covered_flag | If an instance has at least one enabled maintenance window with a future execution date, then it’s considered covered, otherwise not covered |
| Noncompliant - Critical | noncompliant_critical | Count of noncompliant patches with "critical" severity |
| Noncompliant - High | noncompliant_high | Count of noncompliant patches with "high" severity |
| Noncompliant - Medium | noncompliant_medium | Count of noncompliant patches with "medium" severity |
| Noncompliant - Low | noncompliant_low | Count of noncompliant patches with "low" severity |
| Noncompliant - Informational | noncompliant_informational | Count of noncompliant patches with "informational" severity |
| Noncompliant - Unspecified | noncompliant_unspecified | Count of noncompliant patches with "unspecified" severity |
| Noncompliant - Total | noncompliant_total | Count of noncompliant patches (all severities) |
| Patch Baseline Id | patch_baseline_id | Patch baseline currently attached to instance |
| Patch Status | patch_status | Overall patch compliance status. If there is at least one missing patch, the instance is considered noncompliant, otherwise compliant. |
| Production Account | prod_account | Identifier of AMS prod or non-prod accounts, depending on whether the account name includes the value 'PROD' or 'NONPROD'. |
| Stack Type | instance_stack_type | AMS stack (AMS infrastructure within customer account) or Customer stack (AMS managed infrastructure that supports customer applications) |
|  | window_next_exec_yyyy | Year part of window_next_execution_time |
|  | window_next_exec_mm | Month part of window_next_execution_time |
|  | window_next_exec_D | Day part of window_next_execution_time |
|  | window_next_exec_HHMI | Hour:Minute part of window_next_execution_time |
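
The coverage and compliance definitions in the table above can be re-applied to the dataset to find instances that are missing patches and have no upcoming maintenance window. The following Python is an added example, not AMS code. The sample rows are constructed, and the one-row-per-instance/window layout, the ISO-8601 timestamps, the `ENABLED` value for `window_state`, and measuring "future" against `dataset_datetime` are assumptions.

```python
from collections import defaultdict
from datetime import datetime


def _row(instance_id, group_type, window_state, next_run, critical, total):
    """Build one constructed dataset row; values are kept as strings."""
    return {
        "dataset_datetime": "2024-05-01T06:00:00",
        "instance_id": instance_id,
        "instance_patch_group_type": group_type,
        "window_state": window_state,
        "window_next_execution_time": next_run,
        "noncompliant_critical": critical,
        "noncompliant_total": total,
    }


# Constructed sample rows (not real report data). Keys are dataset field names
# from the Patch details table; the row layout and values are assumptions.
ROWS = [
    _row("i-0aaa", "CUSTOMER", "ENABLED", "2024-05-04T02:00:00", "2", "5"),
    _row("i-0bbb", "DEFAULT", "DISABLED", "2024-05-06T02:00:00", "1", "3"),
    _row("i-0ccc", "NOT_ASSIGNED", "", "", "0", "0"),
    # Two windows for one instance: one already past, one still ahead.
    _row("i-0ddd", "CUSTOMER", "ENABLED", "2024-04-28T02:00:00", "0", "2"),
    _row("i-0ddd", "CUSTOMER", "ENABLED", "2024-05-05T02:00:00", "0", "2"),
    _row("i-0eee", "DEFAULT", "ENABLED", "2024-04-27T02:00:00", "0", "4"),
]


def _ts(value):
    """Parse an ISO-8601 timestamp; empty fields become None."""
    return datetime.fromisoformat(value) if value else None


def is_covered(windows):
    """Coverage rule from the table: at least one enabled maintenance window
    with a future execution date. "Future" is measured against the row's
    dataset_datetime, which is an assumption of this example."""
    for row in windows:
        next_run = _ts(row["window_next_execution_time"])
        if (row["window_state"] == "ENABLED" and next_run is not None
                and next_run > _ts(row["dataset_datetime"])):
            return True
    return False


def triage(rows):
    """Return instances that need attention, most critical patches first."""
    by_instance = defaultdict(list)
    for row in rows:
        by_instance[row["instance_id"]].append(row)

    findings = []
    for instance_id, windows in by_instance.items():
        first = windows[0]  # per-instance counts repeat on every window row
        missing = int(first["noncompliant_total"])
        critical = int(first["noncompliant_critical"])
        covered = is_covered(windows)
        reasons = []
        # At least one missing patch means noncompliant (patch_status rule).
        if missing > 0 and not covered:
            reasons.append("missing patches and no future maintenance window")
        if first["instance_patch_group_type"] == "NOT_ASSIGNED":
            reasons.append("no patch group assigned")
        if reasons:
            findings.append({
                "instance_id": instance_id,
                "covered": covered,
                "noncompliant_critical": critical,
                "noncompliant_total": missing,
                "reasons": reasons,
            })
    findings.sort(key=lambda f: (-f["noncompliant_critical"], f["instance_id"]))
    return findings


if __name__ == "__main__":
    for finding in triage(ROWS):
        print(finding["instance_id"], finding["noncompliant_critical"],
              "; ".join(finding["reasons"]))
```

Instances that are noncompliant but covered by an upcoming window are left out on purpose, because the next window is expected to patch them.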

## Instances that missed patches


This report provides details on instances that missed patches during the last maintenance window execution.

**This report provides:**
+ Data on missing patches at the patch ID level.
+ Data on all the instances that have at least one missing patch and attributes such as patch severity, unpatched days, range, and release date of the patch.


| **Field Name** | **Dataset Field Name** | **Definition** | 
| --- | --- | --- | 
| Report Datetime | dataset_datetime | The date and time the report was generated |
| Account Id | aws_account_id | AWS Account ID that the instance ID belongs to |
| Account Name | account_name | AWS account name |
| Customer Name Parent | customer_name_parent |  |
| Customer Name | customer_name |  |
| Production Account | prod_account | Identifier of AMS prod or non-prod accounts, depending on whether the account name includes the value 'PROD' or 'NONPROD'. |
| Account Status | account_status | AMS account status |
| Account Type | account_type |  |
|  | account_sla | AMS account service tier |
| Instance Id | instance_id | ID of your EC2 instance |
| Instance Name | instance_name | Name of your EC2 instance |
| Instance Platform Type | instance_platform_type | Operating System (OS) type |
| Instance State | instance_state | State within the EC2 instance life cycle |
| Instance Tags | ec2_tags | The tags associated with the Amazon EC2 instance ID |
| Patch Id | patch_id | ID of released patch |
| Patch Severity | patch_sev | Severity of patch per publisher |
| Patch Classification | patch_class | Classification of patch per the patch publisher |
| Patch Release Datetime (UTC) | release_dt_utc | Release date of patch per publisher |
| Patch Install State | install_state | Install state of patch on instance per SSM |
| Days Unpatched | days_unpatched | Number of days instance unpatched since last SSM scanning |
| Days Unpatched Range | days_unpatched_bucket | Bucketing of days unpatched |

# Backup report (daily)


The backup report covers primary and secondary (when applicable) regions. It covers the status of backups (success/failure), and data on snapshots taken.

**This report provides:**
+ Backup status
+ Number of snapshots taken
+ Recovery point
+ Backup plan and vault information


| **Field Name** | **Dataset Field Name** | **Definition** | 
| --- | --- | --- | 
| Report Datetime | dataset_datetime | The date and time the report was generated. |
| Account Id | aws_account_id | AWS Account ID to which the instance ID belongs |
| Admin Account Id | aws_admin_account_id | Trusted AWS Organizations account enabled by you. |
| Account Name | account_name | AWS account name |
| Account SLA | account_sla | AMS account service commitment |
|  | malz_flag | Flag for MALZ-related account |
|  | malz_role | MALZ role |
|  | access_restrictions | Regions to which access is restricted |
| Backup snapshot scheduled start datetime | start_by_dt_utc | Timestamp when snapshot is scheduled to begin |
| Backup snapshot actual start datetime | creation_dt_utc | Timestamp when snapshot actually begins |
| Backup snapshot completion datetime | completion_dt_utc | Timestamp when snapshot is completed |
| Backup snapshot expiration datetime | expiration_dt_utc | Timestamp when snapshot expires |
| Backup Job status | backup_job_status | State of the snapshot |
| Backup Type | backup_type | Type of backup |
| Backup Job Id | backup_job_id | The unique identifier of the backup job |
| Backup Size In Bytes | backup_size_in_bytes | The backup size in bytes |
| Backup Plan ARN | backup_plan_arn | The backup plan ARN |
| Backup Plan Id | backup_plan_id | Backup plan unique identifier |
| Backup Plan Name | backup_plan_name | The Backup Plan name |
| Backup Plan Version | backup_plan_version | The backup plan version |
| Backup Rule Id | backup_rule_id | The backup rule id |
| Backup Vault ARN | backup_vault_arn | Backup vault ARN |
| Backup Vault Name | backup_vault_name | The backup vault name |
| IAM Role ARN | iam_role_arn | The IAM role ARN |
| Instance Id | instance_id | Unique instance Id |
| Instance State | instance_state | Instance state |
| Instance Tags | ec2_tags | The tags associated with the EC2 Instance ID |
| Resource ARN | resource_arn | The Amazon resource name |
| Resource Id | resource_id | The unique resource identifier |
| Resource Region | resource_region | The resource's primary (and secondary, when applicable) regions. |
| Resource Type | resource_type | The type of resource |
| Recovery Point ARN | recovery_point_arn | The ARN of the recovery point |
| Recovery Point Id | recovery_point_id | The unique identifier of the recovery point |
| Recovery Point Status | recovery_point_status | Recovery point status |
| Recovery Point Delete After Days | recovery_point_delete_after_days | Recovery point delete after days |
| Recovery point move to cold storage after days | recovery_point_move_to_cold_storage_after_days | Number of days after completion date when backup snapshot is moved to cold storage |
| Recovery Point Encryption Status | recovery_point_is_encrypted | Recovery point encryption status |
| Recovery Point Encryption Key ARN | recovery_point_encryption_key_arn | Recovery point encryption key ARN |
| Stack Id | stack_id | CloudFormation stack unique identifier |
| Stack Name | stack_name | Stack Name |
| Tag: AMS Default Patch Group | tag_ams_default_patch_group | Tag Value: AMS Default Patch Group |
| Tag: App Id | tag_app_id | Tag Value: App ID |
| Tag: App Name | tag_app_name | Tag Value: App Name |
| Tag: Backup | tag_backup | Tag Value: Backup |
| Tag: Compliance Framework | tag_compliance_framework | Tag Value: Compliance Framework |
| Tag: Cost Center | tag_cost_center | Tag Value: Cost Center |
| Tag: Customer | tag_customer | Tag Value: Customer |
| Tag: Data Classification | tag_data_classification | Tag Value: Data Classification |
| Tag: Environment Type | tag_environment_type | Tag Value: Environment Type |
| Tag: Hours of Operation | tag_hours_of_operation | Tag Value: Hours of Operation |
| Tag: Owner Team | tag_owner_team | Tag Value: Owner Team |
| Tag: Owner Team Email | tag_owner_team_email | Tag Value: Owner Team Email |
| Tag: Patch Group | tag_patch_group | Tag Value: Patch Group |
| Tag: Support Priority | tag_support_priority | Tag Value: Support Priority |
| Volume State | volume_state | Volume State |

# Incident report (weekly)


This report provides the aggregated list of incidents along with their priority, severity, and latest status, including:
+ Data on support cases categorized as incidents on the managed account
+ Incident information required to visualize the incident metrics for the managed account
+ Data on incident categories and remediation status of every incident

Both visualization and data are available for the Weekly incident report.
+ Visualization can be accessed through the AMS console in the account through the **Reports** page.
+ The dataset, with the following schema, can be accessed through the S3 bucket in the managed account.
+ Use the provided date fields to filter incidents based on the month, quarter, week, and/or day that the incident was created or resolved.


| **Field Name** | **Dataset Field Name** | **Definition** | 
| --- | --- | --- | 
| Report Datetime | dataset_datetime | The date and time the report was generated. |
| Account Id | aws_account_id | AWS Account ID to which the incident belongs. |
| Admin Account Id | aws_admin_account_id | Trusted AWS Organizations account enabled by you. |
| Account Name | account_name | AWS account name. |
| Case Id | case_id | The ID of the incident. |
| Created Month | created_month | The month when the incident was created. |
| Priority | priority | The priority of the incident. |
| Severity | severity | The severity of the incident. |
| Status | status | The status of the incident. |
| Category | yuma_category | The category of the incident. |
| Created Day | created_day | The day when the incident was created in YYYY-MM-DD format. |
| Created Week | created_wk | The week when the incident was created in YYYY-WW format. Sunday to Saturday is counted as the beginning and end of a week. Week is from 01 to 52. Week 01 is always the week that contains the first day of the year. For example, 2023-12-31 and 2024-01-01 are in week 2024-01. |
| Created Quarter | created_qtr | The quarter when the incident was created in YYYY-Q format. 01/01 to 03/31 is defined as Q1, and so on. |
| Resolved Day | resolved_day | The day when the incident was resolved in YYYY-MM-DD format. |
| Resolved Week | resolved_wk | The week when the incident was resolved in YYYY-WW format. Sunday to Saturday is counted as the beginning and end of a week. Week is from 01 to 52. Week 01 is always the week that contains the first day of the year. For example, 2023-12-31 and 2024-01-01 are in week 2024-01. |
| Resolved Month | resolved_month | The month when the incident was resolved in YYYY-MM format. |
| Resolved Quarter | resolved_qtr | The quarter when the incident was resolved in YYYY-Q format. 01/01 to 03/31 is defined as Q1, and so on. |
| Created Grouping rule | grouping_rule | The grouping rule that applies to the incident. Either "no_grouping" or "instance_grouping". |
| Instance IDs | instance_ids | The instance associated with the incident. |
| Number of alerts | number_of_alerts | The number of alerts associated with that incident. If you have grouping enabled, then this number can be greater than 1. If you do not have grouping enabled, then it will always be 1. |
| Created at | created_at | The timestamp when the incident was created. |
| Alarm ARNs | alarm_arns | The Amazon Resource Name ("arn") of the alarms associated with your incident. |
| Related alarms | related_alarms | The human-readable names of all the alarms associated with the incident. |

# Billing report (monthly)


## Billing charges details


This report provides details about AMS billing charges with linked accounts and respective AWS services.

**This report provides:**
+ Data on AMS service-level charges, uplift percentages, account-level AMS service tiers and AMS fees.
+ Data on linked accounts and AWS usage charges.

**Important**  
The Monthly Billing report is only available in your Management Payer Account (MPA) or your defined Charge Account. These are the accounts where your AMS monthly bill is sent. If you're unable to locate these accounts, then contact your Cloud Service Delivery Manager (CSDM) for assistance.


| **Field Name** | **Dataset Field Name** | **Definition** | 
| --- | --- | --- | 
| Billing Date | date | The month and year of the service billed |
| Payer Account Id | payer_account_id | The 12 digit ID identifying the account responsible for paying the AMS charges |
| Linked Account Id | linked_account_id | The 12 digit ID identifying the AMS account that consumes services that generate expenses |
| AWS Service Name | product_name | The AWS service that was used |
| AWS Charges | aws_charges | The AWS charges for the AWS service name in AWS Service Name |
| Pricing Plan | pricing_plan | The pricing plan associated with the linked account |
| AMS Service Group | tier_uplifting_groups | AMS service group code that determines uplift percentage |
| Uplift Proportion | uplift_percent | The uplift percentage (as a decimal V.WXYZ) based on pricing_plan, SLA, and AWS service |
| Adjusted AWS Charges | adjusted_aws_usage | AWS usage adjusted for AMS |
| Uplifted AWS Charges | uplifted_aws_charges | The percentage of AWS charges to be charged for AMS; adjusted_aws_charges * uplift_percent |
| Instances EC2 RDS Spend | instances_ec2_rds_spend | Spend on EC2 and RDS instances |
| Reserved Instance Charges | ris_charges | Reserved instance charges |
| Uplifted Reserved Instance Charges | uplifted_ris | The percentage of reserved instance charges to be charged for AMS; ris_charges * uplift_percent |
| Savings Plan Charges | sp_charges | SavingsPlan usage charges |
| Uplifted Savings Plan Charges | uplifted_sp | The percentage of savings plans charges to be charged for AMS; sp_charges * uplift_percent |
| AMS Charges | ams_charges | Total AMS charges for the product; uplifted_aws_charges + instance_ec2_rds_spend + uplifted_ris + uplifted_sp |
| Prorated Minimum Fee | prorated_minimum | The amount we charge to meet the contractual minimum |
| Linked Account Total AMS Charges | linked_account_total_ams_charges | Sum of all charges for the linked_account |
| Payer Account Total AMS Charges | payer_account_total_ams_charges | Sum of all charges for payer account |
| Minimum Fee | minimum_fees | AMS Minimum Fees (if applicable) |
| Reserved Instance and Savings Plan discount | adj_ri_sp_charges | RI/SP discount to be applied against RI/SP charges (applicable under certain circumstances) |

# Aggregated reports


Aggregated self-service reporting (SSR) provides you a view of existing self-service reports aggregated at the organization level, cross-account. This gives you visibility into key operational metrics, like patch compliance, backup coverage, and incidents, across all the accounts under AMS management within your AWS Organizations.

Aggregated SSR is available across all commercial AWS Regions where AWS Managed Services is available. For a full list of available Regions, see the [Region table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## Enable aggregated reports


You must manage aggregated SSR from an AWS Organizations [management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs-manage_accounts_management.html). The management account is the AWS account that you used to create your organization. 

To enable Aggregated SSR for an AWS Organizations management account that's onboarded to AMS, access your AMS console and navigate to **Reports**. Select **Organization Access** in the top-right-hand corner to open the [AWS Managed Services Console: Organization View](https://console.aws.amazon.com/managedservices/organization-access) pane. From this pane, you can manage the Aggregated SSR functionality.

AWS Organizations management accounts that aren't onboarded to AMS don't have access to the AMS console. To enable Aggregated SSR for an AWS Organizations management account that is not onboarded to AMS, first authenticate to your AWS account, then navigate to the [AWS console](https://console.aws.amazon.com/) and search for **Managed Services**. This opens the AMS Marketing page. On this page, select the **Organization Access** link in the navigation bar to open the AWS Managed Services console: Organization View, where you can manage the Aggregated SSR functionality.

The first time you access the [AWS Managed Services Console: Organization View](https://console.aws.amazon.com/managedservices/organization-access), complete the following steps:

1. If you have not already set up AWS Organizations, choose **Enable AWS Organizations** from your console. For additional information on setting up AWS Organizations, see the *[AWS Organizations User Guide](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started.html)*. You can skip this step if you already use AWS Organizations.

1. To enable the Aggregated Self-Service Reporting service, select **Enable trusted access** on the console.

1. (Optional) Register a Delegated Administrator to have read access for the organizational view.

## View aggregated reports as a delegated administrator


A delegated administrator is the account you choose to have read access to the aggregated reports. The delegated administrator must be an account onboarded to AMS, and it is the only account that has read access to aggregated reports.

To choose a delegated administrator, enter the account ID in Step 3 on the AWS Managed Services Console: Organization View. You can have only one delegated administrator account registered at a time. Note that the delegated administrator account must be an AMS-managed account.

To update a delegated administrator account, navigate to the [AWS Managed Services Console: Organization View](https://console.aws.amazon.com/managedservices/organization-access) and select **Remove the Delegated Administrator**. The console prompts you to insert a new account ID to register as the delegated administrator.

## Read aggregated reports


If you don't register a delegated administrator, and your AWS Organizations management account is onboarded to AMS, then the AWS Organizations management account gets read access to the aggregated reports by default. If the AWS Organizations management account is not managed by AMS, then you must choose a delegated administrator account to have read access to the aggregated reports.

At any time, only a single account onboarded to AMS has read access to the aggregated reports, either the AWS Organizations management account or the registered delegated administrator. All other member accounts within your organization (and onboarded to AMS) still have access only to single-account reports for each individual account.

After you enable Aggregated SSR, navigate to the AMS console at [https://console.aws.amazon.com/managedservices/](https://console.aws.amazon.com/managedservices/). All your existing self-service reports are listed in this section, and a blue tag indicates that they have been aggregated. Note that you must access the AMS console from the account that you chose to have read access to the aggregated reports. This is either the AWS Organizations management account or the delegated administrator account.

After you enable Aggregated SSR, aggregated reports are available from the next reporting cycle onward.

## Disable aggregated reports


To disable Aggregated SSR, open the [AWS Managed Services Console: Organization View](https://console.aws.amazon.com/managedservices/organization-access). Select **Disable trusted access**. After you disable trusted access for Aggregated SSR, your AMS self-service reports stop being aggregated at the organization level, across accounts. Also note that deactivation takes effect from the next reporting cycle onwards.

After disabling Aggregated SSR, there is a wait before the reports in your AMS console appear as single-account reports. This delay occurs because the feature deactivation takes effect from the next reporting cycle onwards.

# AMS self-service reports dashboards


AMS self-service reports offers two dashboards: [Resource Tagger dashboard](#resource-tagger-dashboard) and [Security Config Rules dashboard](#sec-config-dashboard).

## Resource Tagger dashboard


The AMS Resource Tagger Dashboard provides detailed information about the resources supported by Resource Tagger, as well as the current status of the tags that Resource Tagger is configured to apply to those resources.

### Resource Tagger coverage by resource type


This dataset consists of a list of resources that have tags managed by Resource Tagger.

Resource coverage by resource type is visualized as four line charts that describe the following metrics:
+ **Resource Count:** The total number of resources in the Region, by resource type.
+ **Resources Missing Managed Tags:** The total number of resources in the Region, by resource type, that require managed tags but aren't tagged by Resource Tagger.
+ **Unmanaged Resources:** The total number of resources in the Region, by resource type, that don't have managed tags applied to them by Resource Tagger. This usually means that these resources are not matched by any Resource Tagger configurations, or are explicitly excluded from configurations.
+ **Managed Resources:** The counterpart to the **Unmanaged Resources** metric (**Resource Count - Unmanaged Resources**).

The following table lists the data provided by this report.


| Field name | Dataset field name | Definition | 
| --- | --- | --- | 
| Report Datetime | dataset_datetime | The date and time the report was generated (UTC time) | 
| AWS account ID | aws_account_id | AWS account ID | 
| Admin Account Id | aws_admin_account_id | Trusted AWS Organizations account enabled by you. | 
| Region | region | AWS Region | 
| Resource Type | resource_type | This field identifies the type of resource. Only resource types supported by Resource Tagger are included. | 
| Resource Count | resource_count | Number of resources (of the specified resource type) deployed in this Region. | 
| ResourcesMissingManagedTags | resource_missing_managed_tags_count | Number of resources (of the specified resource type) that require managed tags, according to the configuration profiles, but have not yet been tagged by Resource Tagger. | 
| UnmanagedResources | unmanaged_resource_count | Number of resources (of the specified resource type) with no managed tags applied by Resource Tagger. Typically, these resources didn't match any Resource Tagger configuration block, or are explicitly excluded from configuration blocks. | 

### Resource Tagger configuration rule compliance


This dataset consists of a list of resources in an AWS Region, by resource type, that have a certain configuration profile applied to them. It's visualized as a line chart.

The following table lists the data provided by this report.


| Field name | Dataset field name | Definition | 
| --- | --- | --- | 
| Report Datetime | dataset_datetime | The date and time the report was generated (UTC time) | 
| AWS account ID | aws_account_id | AWS account ID | 
| Admin Account Id | aws_admin_account_id | Trusted AWS Organizations account enabled by you. | 
| Region | region | AWS Region | 
| Resource Type | resource_type | This field identifies the type of resource. Only resource types supported by Resource Tagger are included. | 
| Configuration Profile ID | configuration_profile_id | The ID of the Resource Tagger configuration profile. A configuration profile is used to define policies and rules used to tag your resources. | 
| MatchingResourceCount | resource_count | Number of resources (of the specified resource type) that match the Resource Tagger configuration profile ID. For a resource to match the configuration profile, the profile must be enabled and the resource must match the profile's rule. | 

### Resource Tagger non-compliant resources


This dataset consists of a list of resources that are non-compliant for a single Resource Tagger configuration. This data is a daily snapshot of resource compliance, showing the state of customer resources at the time these reports are delivered to customer accounts (there isn't a historical view). It's visualized as a pivot table consisting of resources that are non-compliant for a given configuration.

The following table lists the data provided by this report.


| Field name | Dataset field name | Definition | 
| --- | --- | --- | 
| Report Datetime | dataset_datetime | The date and time the report was generated (UTC time) | 
| AWS account ID | aws_account_id | AWS account ID | 
| Admin Account Id | aws_admin_account_id | Trusted AWS Organizations account enabled by you. | 
| Region | region | AWS Region | 
| Resource Type | resource_type | This field identifies the type of resource. Only resource types supported by Resource Tagger are included. | 
| Resource ID | resource_id | The unique identifier for resources supported by Resource Tagger. | 
| Coverage State | coverage_state | This field indicates if the resource is tagged as configured by the Resource Tagger configuration ID. | 
| Configuration Profile ID | configuration_profile_id | The ID of the Resource Tagger configuration profile. A configuration profile is used to define policies and rules used to tag your resources. | 

## Security Config Rules dashboard


The Security Config Rules Dashboard provides an in-depth look at resource and AWS Config rule compliance of AMS accounts. You can filter the report by rule severity to prioritize the most critical findings. The following table lists the data provided by this report.


| Field name | Dataset field name | Definition | 
| --- | --- | --- | 
| AWS account ID | AWS account ID | The account ID tied to related resources. | 
| Admin Account Id | aws_admin_account_id | Trusted AWS Organizations account enabled by you. | 
| report datetime | Report Date | The date and time the report was generated. | 
| customer_name | Customer Name | The customer name. | 
| account_name | Account Name | The name associated with the account ID | 
| resource_id | Resource ID | An identifier for a resource. | 
| resource_region | Resource Region | The AWS Region where the resource is located. | 
| resource_type | Resource Type | The AWS service or resource type. | 
| resource_name | Resource Name | The name for the resource. | 
| resource_ams_flag | Resource AMS Flag | If the resource is AMS owned, then this flag is set to TRUE. If the resource is customer-owned, then this flag is set to FALSE. If ownership is not known, then this flag is set to UNKNOWN. | 
| config_rule | Config Rule | The non-customizable name for the config rule. | 
| config_rule_description | Config Rule Description | A description of the config rule. | 
| source_identifier | Source Identifier | A unique identifier for the managed config rule and no identifier for a custom config rule. | 
| compliance_flag | Compliance Flag | Shows if the resources are compliant or non-compliant with the config rules. | 
| rule_type | Rule Type | Indicates if the rule is predefined or custom built. | 
| exception_flag | Exception Flag | The resource exception flag shows the risk acceptance against a noncompliant resource. If the resource exception flag is TRUE for a resource, then the resource is exempted. If the exception flag is NULL, then the resource is not exempted. | 
| cal_dt | Date | The evaluation date of the rule. | 
| remediation_description | Remediation Description | A description of how to remediate rule compliance. | 
| severity | Severity | Config rule severity indicates the impact of non-compliance. | 
| customer_action | Customer Action | Action needed by you to remediate this rule. | 
| recommendation | Recommendation | A description of what the config rule checks for. | 
| remediation_category | Remediation Category | The default actions that AMS takes when this rule becomes non-compliant. | 
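
One way to work through this dataset outside the console: keep only non-compliant resources without an accepted exception, order them by severity, and group them by the AMS ownership flag. This is an added example, not AMS code; the CSV layout, the constructed sample rows and rule names, the severity labels, and the `compliance_flag` spellings are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are the snake_case names from the
# table above; the CSV layout, rule names, severity labels and compliance_flag
# spellings are assumptions made for this example.
SAMPLE_CSV = """\
resource_id,resource_type,resource_ams_flag,config_rule,compliance_flag,exception_flag,severity
i-0aaa,AWS::EC2::Instance,FALSE,example-rule-1,NON_COMPLIANT,,High
i-0bbb,AWS::EC2::Instance,FALSE,example-rule-1,NON_COMPLIANT,TRUE,High
bucket-ccc,AWS::S3::Bucket,UNKNOWN,example-rule-2,NON_COMPLIANT,NULL,Critical
sg-0ddd,AWS::EC2::SecurityGroup,TRUE,example-rule-3,NON_COMPLIANT,,Medium
i-0eee,AWS::EC2::Instance,FALSE,example-rule-1,COMPLIANT,,High
vol-0fff,AWS::EC2::Volume,FALSE,example-rule-4,non-compliant,,Low
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # assumed labels
OWNER = {"TRUE": "ams", "FALSE": "customer"}  # anything else is "unknown"


def load_rows(text):
    """Parse the export into a list of dicts keyed by dataset field name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_open_finding(row):
    """Non-compliant and not risk-accepted (exception_flag is TRUE only when exempted)."""
    flag = row["compliance_flag"].strip().upper().replace("-", "_")
    non_compliant = flag in {"NON_COMPLIANT", "NONCOMPLIANT"}
    exempted = row["exception_flag"].strip().upper() == "TRUE"
    return non_compliant and not exempted


def triage(rows):
    """Return (open findings ordered by severity, their resource IDs grouped by owner)."""
    findings = [r for r in rows if is_open_finding(r)]
    # Unrecognised severity labels sort last instead of being dropped.
    findings.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"].strip().lower(), 99),
                                 r["resource_id"]))
    by_owner = defaultdict(list)
    for r in findings:
        owner = OWNER.get(r["resource_ams_flag"].strip().upper(), "unknown")
        by_owner[owner].append(r["resource_id"])
    return findings, dict(by_owner)


if __name__ == "__main__":
    ordered, owners = triage(load_rows(SAMPLE_CSV))
    for r in ordered:
        print(r["severity"], r["resource_id"], r["config_rule"])
    print(owners)
```

Rows with an `exception_flag` of TRUE are dropped from the open list on purpose; review them separately when auditing accepted risk.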

# Data retention policy


AMS SSR has a data retention policy per report. After the period reported, the data is cleared out and no longer available.


| Report name | Data Retention SSR Console | Data Retention SSR S3 Bucket | 
| --- | --- | --- | 
| Instance Details Summary (Patch Orchestrator) | 2 Months | 2 Years | 
| Patch Details | 2 Months | 2 Years | 
| Instances that missed patches during maintenance window execution | 2 Months | 2 Years | 
| AMS Billing Charges Details | 2 Years | 2 Years | 
| Daily Backup Report | 1 Month | 2 Years | 
| Weekly Incident Report | 2 Months | 2 Years | 
| Security Config Rules Dashboard | 3 Months | 2 Years | 
| Resource Tagger dashboard | 1 Year | 2 Years | 

# Offboard from SSR


To offboard from the SSR service, create a service request (SR) through the AMS console. After you submit the SR, an AMS operations engineer helps you offboard from SSR. In the SR, provide the reason that you want to offboard.

To offboard an account and perform a resource cleanup, create an SR through the AMS console. After you submit the SR, an AMS operations engineer helps you delete the SSR Amazon S3 bucket.

If you offboard from AMS, you are automatically offboarded from the AMS SSR console. AMS automatically stops sending data to your account. AMS deletes your SSR S3 bucket as part of the offboarding process. 