# Finding the data you need (SKMS), AMS Finding the data you need (SKMS) Finding the data you need when using your AWS Managed Services (AMS) accounts calls on the AMS service knowledge management, or SKMS, system. AMS. SKMS stands for service knowledge management system and refers to all information related to the AWS Managed Services (AMS) service for a customer. AMS has an SKMS API for finding data. **Topics** + [ ## What Is service knowledge management? ](#what-is-skms) + [ # Finding VPC IDs in AMS ](find-vpc.md) + [ # Finding subnet IDs in AMS ](find-subnet.md) + [ # Find AMI IDs, AMS ](find-ami.md) + [ # Find security group (SG) IDs, AMS ](find-SGs.md) + [ # Find IAM entities in AMS ](find-iam-entities.md) + [ # Find stack IDs in AMS ](find-stack.md) + [ # Find instance IDs or IP addresses in AMS ](find-instance-id.md) + [ # Find Amazon Resource Names (ARNs) in AMS ](find-arn.md) + [ # Find resources by ARN in AMS ](find-resource-by-arn.md) + [ # Find AMS account settings ](find-your-settings.md) ## What Is service knowledge management? Service knowledge management is the store of all information on your AMS account. Information about the following is obtained from the AMS service knowledge management system (SKMS), through the AMS SKMS API or through the AMS Console: + VPCs + Managed subnets + Stacks and stack components, including Amazon EC2 instances and other resources + Amazon Machine Images (AMIs) You can use information from the SKMS to understand the infrastructure under management and as input to change management and service requests to create, change, or remove infrastructure. **Note** All AMS SKMS API calls are recorded in AWS CloudTrail. Access the SKMS through the AMS SKMS API, which provides operations for discovering information about an environment (VPCs and subnets) and the application resources (stacks, Amazon EC2 instances, and instance images or AMIs) that can be deployed there. VPCs and instance images are set up in an account, with the necessary access permissions, during onboarding. After they have been established, you can use the change management system to populate the VPCs with working stacks. # Finding VPC IDs in AMS Find VPC IDs A virtual private cloud (VPC) has one or more subnets. In AMS your VPC is in an AWS Region and you have private and public subnets. See also [Finding subnet IDs in AMS](find-subnet.md). Some CTs require the VpcId. To find a VPC ID, you can use either the AMS console or API/CLI. AMS Console: In the navigation pane, select **VPCs** and the relevant VPC. The VPC details page for the selected VPC opens with information including the VPC ID. AMS SKMS API ListVpcSummaries or CLI: **Note** The AMS CLI must be installed for these commands to work. To install the AMS API or CLI, go to the AMS console **Developers Resources** page. For reference material on the AMS CM API or AMS SKMS API, see the AMS Information Resources section in the User Guide. You may need to add a `--profile` option for authentication; for example, `aws amsskms ams-cli-command --profile SAML`. You may also need to add the `--region` option as all AMS commands run out of us-east-1; for example `aws amscm ams-cli-command --region=us-east-1`. **Note** The AMS API/CLI (amscm and amsskms) endpoints are in the AWS N. Virginia Region, `us-east-1`. Depending on how your authentication is set, and what AWS Region your account and resources are in, you may need to add `--region us-east-1` when issuing commands. You may also need to add `--profile saml`, if that is your authentication method. 1. In the following examples, the first command requests a list of summaries for all VPCs in the account. The second command requests the list of VPCs, with a query filter to list only those VPCs created in 2016, and output the CreatedTime, VpcId, and Name. **Note** You can obtain the AMS SKMS CLI through the **Developer's Resources** page in the AMS console. ``` aws amsskms list-vpc-summaries --output table ``` ``` ----------------------------------------------------- | ListVPCSummaries | +---------------------------------------------------+ | VPCSummaries | |+------------------+-------------------------------| | CreatedTime | 2016-01-15T18:50:11Z | | VpcId | vpc-01234567890abcdef | | LastModifiedTime| 2016-01-15T18:50:11Z | | Name | 952444781316-initial-vpc | |+------------------+-------------------------------| | Visibility | |+------------------+-------------------------------| | Id | PrivateAndPublic | | Name | PrivateAndPublic | |+------------------+-------------------------------| ``` 1. This time with a query: ``` aws amsskms list-VPC-summaries --query "VPCSummaries[?starts_with(@.CreatedTime,to_string(`2016`))].[CreatedTime, VpcId, Name]" --output table ``` ``` ------------------------------------------------------------------------- | ListVPCSummaries | +---------------------+-----------------------+--------------------------+ |2016-01-15T18:50:11Z | vpc-01234567890abcdef | 952444781316-initial-VPC | +---------------------+-----------------------+--------------------------+ ``` # Finding subnet IDs in AMS Find subnet IDs Several resources require that you specify a subnet, or list of subnets, at configuration time. To find subnets, you can use either the AMS console or AMS SKMS API/CLI. Note that the AMS SKMS API/CLI is private and must be installed before you can use it. AMS Console: 1. In the navigation pane, select **VPCs** and the relevant VPC. The VPC details page for the selected VPC opens with a table of subnets, click a subnet ID to open the details page and find the ID. AMS SKMS API ListSubnetSummaries or CLI: **Note** The AMS CLI must be installed for these commands to work. To install the AMS API or CLI, go to the AMS console **Developers Resources** page. For reference material on the AMS CM API or AMS SKMS API, see the AMS Information Resources section in the User Guide. You may need to add a `--profile` option for authentication; for example, `aws amsskms ams-cli-command --profile SAML`. You may also need to add the `--region` option as all AMS commands run out of us-east-1; for example `aws amscm ams-cli-command --region=us-east-1`. **Note** The AMS API/CLI (amscm and amsskms) endpoints are in the AWS N. Virginia Region, `us-east-1`. Depending on how your authentication is set, and what AWS Region your account and resources are in, you may need to add `--region us-east-1` when issuing commands. You may also need to add `--profile saml`, if that is your authentication method. To find the subnets for your VPC, you can search with the `list-subnet-summaries` command as shown. **Note** If you're looking for subnets that are not in an AMS account, you can try `aws ec2 describe-subnets --region us-west-2`. 1. The SKMS API/CLI ListSubnetSummaries operation: A simple list: ``` aws amsskms list-subnet-summaries ``` Output to a table: ``` aws amsskms list-subnet-summaries --output table ``` 1. The SKMS API ListSubnetSummaries operation has parameters to narrow the results based on visibility. In addition, you can [Filter](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_Filter.html) results based on name. If you're using the CLI, you can also use the `--query` option to narrow the output or search on a portion of a value. For example, to find all of the subnets for a particular VPC, you can use this command: ``` aws amsskms list-subnet-summaries --query "SubnetSummaries.sort_by(@,&Visibility.Name)[].[Visibility.Name,SubnetId,Name]" --output table ``` Which returns something like this: ``` -------------------------------------------------------------------- | ListSubnetSummaries | +---------+------------ -------+---------------------------+ | Private| subnet-01234567890abcdef | Demo Deployment Zone #1 | | Private| subnet-01234567890abcdef | Demo Deployment Zone #1 | | Public | subnet-01234567890abcdef | Demo DMZ #1 | | Public | subnet-01234567890abcdef | Demo DMZ #1 | +---------+---------- ---------+---------------------------+ ``` For information about using CLI queries, see [ How to Filter the Output with the --query Option](https://docs.aws.amazon.com/cli/latest/userguide/controlling-output.html#controlling-output-filter) and the query language reference, [JMESPath Specification](http://jmespath.org/specification.html). 1. If you have multiple VPCs, include a VPC filter in the command, and then run the command for each VPC. For example: ``` list-subnet-summaries --filter Attribute=VpcId,Value=vpc-xxxxxxxx --query "SubnetSummaries.sort_by(@,&Visibility.Name)[].[Visibility.Name,SubnetId,Name]" --output table ``` 1. In AWS, use [describe-subnets](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-subnets.html). For information about using CLI queries, see [ How to Filter the Output with the --query Option](https://docs.aws.amazon.com/cli/latest/userguide/controlling-output.html#controlling-output-filter) and the query language reference, [JMESPath Specification](http://jmespath.org/specification.html).. **Subnet names** Your AMS subnets are created automatically after input is gathered from you and added to the system. AMS uses a formula to create your subnet names: A*ACCOUNT\$1ID*-*SUBNET-TYPE*-*AZ-IDENTIFIER*. The subnet type would be either `dmz`, `shared-services`, or `customer-application`. Should you have more than one customer-application subnet, an optional identifier may be added to the subnet name, after the account ID, to indicated that the subnet is an "additional" or "reserved" subnet. # Find AMI IDs, AMS Find AMI IDs An Amazon Machine Image, or AMI, is a template for Amazon EC2 instances, created from an Amazon EC2 instance. AWS provides updated AMIs (with patches, for example) every month; however, AWS Managed Services (AMS) requires AMIs that have been modified for AMS use. AMS releases new AMIs that you can use shortly after Patch Tuesday every month. Amazon Machine Images (AMIs) are instance configuration templates that are used to create EC2 instances in AWS. AMS requires that specific AMIs be used for AMS-managed resources. The change types for creating EC2 instances and EC2 Auto Scaling groups require that you specify an AMI for AMS to use as the basis for the instances that the change type creates. AMS recommends that you always select the most recent AMI available to you. To learn more about AWS AMIs, see [AWS AMI Design](https://aws.amazon.com/answers/configuration-management/aws-ami-design/). When creating an Amazon EC2 stack or Amazon EC2 Auto Scaling group for your AMS account, you must specify an AMI by **AmiId**. You're limited to AMIs that begin with "customer-" and we recommend that you always choose the most recent AMI. To find the most recent AMI for your account, you can search with an AMS SKMS CLI command or use the AMS console details page for relevant VPC: + Use the AMS console: Available AMIs are listed on the **AMI** page in the AMS console. Select from AMIs with names that begin with "customer-". + Use the AMS SKMS API/CLI ListAmis operation. **Note** The AMS CLI must be installed for these commands to work. To install the AMS API or CLI, go to the AMS console **Developers Resources** page. For reference material on the AMS CM API or AMS SKMS API, see the AMS Information Resources section in the User Guide. You may need to add a `--profile` option for authentication; for example, `aws amsskms ams-cli-command --profile SAML`. You may also need to add the `--region` option as all AMS commands run out of us-east-1; for example `aws amscm ams-cli-command --region=us-east-1`. Here is a CLI example with a `query` option that restricts the results to customer AMIs: ``` aws amsskms list-amis --vpc-id VPC_ID --query "Amis.sort_by(@,&Name)[?starts_with(Name,'customer')].[Name,AmiId]" --output table ``` This example uses the `filter` option with the `query` option to find Windows AMIs that start with "customer": ``` aws amsskms list-amis --vpc-id VPC_ID --query "Amis.sort_by(@,&Name)[?starts_with(Name,'customer')].[Name,AmiId]" --filter Attribute=Platform,Value=windows --output table ``` + For information about using CLI queries, see [ How to Filter the Output with the --query Option](https://docs.aws.amazon.com/cli/latest/userguide/controlling-output.html#controlling-output-filter) and the query language reference, [JMESPath Specification](http://jmespath.org/specification.html). # Find security group (SG) IDs, AMS Find security group (SG) IDs Amazon EC2 create and OpenSearch create domain CTs require a security group ID. This will be in the form `sg-02ce123456e7893c7`. Your account has at least two default security groups; see [Security groups](about-security-groups.md). Additionally, you may have security groups that you created for specific purposes. To discover your security groups: + AWS Console: Use the EC2 or VPC console to view all security groups for the selected VPC. + API/CLI (when logged into your AMS account): List your security groups: ``` aws ec2 describe-security-groups ``` # Find IAM entities in AMS Find IAM entities Your account has default IAM Roles and Policies; see [IAM user role in AMS](defaults-user-role.md) and default IAM instance profiles; see [EC2 IAM instance profile](defaults-instance-profile.md) with default policies. To discover your IAM roles and policies: + Console: Use the IAM console to view all IAM policies and roles for your account. + API/CLI (when logged into your AMS account): **Note** The AMS CLI must be installed for these commands to work. To install the AMS API or CLI, go to the AMS console **Developers Resources** page. For reference material on the AMS CM API or AMS SKMS API, see the AMS Information Resources section in the User Guide. You may need to add a `--profile` option for authentication; for example, `aws amsskms ams-cli-command --profile SAML`. You may also need to add the `--region` option as all AMS commands run out of us-east-1; for example `aws amscm ams-cli-command --region=us-east-1`. List your roles: ``` aws --profile saml iam list-roles ``` List your policies: ``` aws --profile saml iam list-role-policies --role-name ROLE_NAME ``` # Find stack IDs in AMS Find stack IDs To find a Stack ID, you can use either the Amazon EC2 console, AMS console, or the AMS SKMS API/CLI. AMS Console: + In the navigation pane, select **RFCs**, and then click the RFC that created the stack. Use the filter option at the top to reduce the list. The RFC details page opens and includes the run output with the stack ID. + Alternatively, you can select **Stacks in the navigation pane** to open the stacks list page, and then page through the stack list to the stack you're interested in. This method is more useful if you know the subject of the stack you are looking for. Amazon EC2 Console: In the navigation pane, select **Instances** or **Load Balancers** or **Auto Scaling Groups**. AMS SKMS API ListStackSummaries or CLI: **Note** The AMS CLI must be installed for these commands to work. To install the AMS API or CLI, go to the AMS console **Developers Resources** page. For reference material on the AMS CM API or AMS SKMS API, see the AMS Information Resources section in the User Guide. You may need to add a `--profile` option for authentication; for example, `aws amsskms ams-cli-command --profile SAML`. You may also need to add the `--region` option as all AMS commands run out of us-east-1; for example `aws amscm ams-cli-command --region=us-east-1`. **Note** The AMS API/CLI (amscm and amsskms) endpoints are in the AWS N. Virginia Region, `us-east-1`. Depending on how your authentication is set, and what AWS Region your account and resources are in, you may need to add `--region us-east-1` when issuing commands. You may also need to add `--profile saml`, if that is your authentication method. To view a list of stacks in the current account, run the ListStackSummaries operation of the SKMS API (CLI: `list-stack-summaries`). To get complete information about a particular stack instance, by StackId, run GetStack. + In the following examples, the first command requests a list of summaries for all stack instances in the account. The second command requests the list of stack instances, with a query filter to list only those of a specific stack template, and output the VpcId, Name, and StackId. ``` aws amsskms list-stack-summaries --output table ``` ``` -------------------------------------------------------------------- | ListStackSummaries | | StackSummaries | +------------+----------------------+---------------------+--------+ | VpcId | StackId | StackTemplateId | Name | +------------+----------------------+---------------------+--------+ |vpc-0123abcd|stack-1fb7fe2212345678|stm-sdhopvbb123456789|Test ELB| |vpc-0123abcd|stack-8323cc0e12345678|stm-s2b72beb123456789|S3 store| |vpc-0123abcd|stack-2309fa0712345678|stm-sdhopvbb123456789|ELB | |vpc-0123abcd|stack-5e61a70512345678|stm-sdpabqbb123456789|PatchSim| |vpc-0123abcd|stack-bd0e080d12345678|stm-s2b72beb123456789|CLI demo| +------------+----------------------+---------------------+--------+ ``` For information about using CLI queries, see [ How to Filter the Output with the --query Option](https://docs.aws.amazon.com/cli/latest/userguide/controlling-output.html#controlling-output-filter) and the query language reference, [JMESPath Specification](http://jmespath.org/specification.html).. **Note** For information on using instance IDs for access, see also [Accessing instances using bastions](using-bastions.md). # Find instance IDs or IP addresses in AMS Find instance IDs or IP addresses + To request access to an instance, to log in to an instance, or to create an AMI, you must have the instance ID. For an EC2 instance (either a standalone instance or a part of a stack), or a database instance, you can find the ID in a few different ways: + The AMS Console for an instance in an ASG stack: Look on the RFC detail page for the RFC that created the stack. In the Execution Output section, you will find the stack ID for the ASG stack and you can then go to the EC2 Console **Auto Scaling Groups** page and search for that stack ID and find instances for it. When you find the instance, select it and an area opens at the bottom of the page with details, including the IP address. + The AMS Console for a standalone EC2 or database (DB) instance: Look on the RFC detail page for the RFC that created the EC2 stack or DB instance. In the Execution Output section, you will find the Instance ID and IP address. + AWS EC2 Console: 1. In the navigation pane, select **Instances**. The **Instances** page opens. 1. Click the instance that you want the ID for. The instance details page opens and displays the ID and IP address. + AWS Database Console: 1. On the Home page, select **DB Instances**. The **Instances** page opens. 1. Filter for the DB instance that you want the ID for. The instance details page opens and displays the ID. + AMS CLI/API. **Note** The AMS CLI must be installed for these commands to work. To install the AMS API or CLI, go to the AMS console **Developers Resources** page. For reference material on the AMS CM API or AMS SKMS API, see the AMS Information Resources section in the User Guide. You may need to add a `--profile` option for authentication; for example, `aws amsskms ams-cli-command --profile SAML`. You may also need to add the `--region` option as all AMS commands run out of us-east-1; for example `aws amscm ams-cli-command --region=us-east-1`. **Note** The AMS API/CLI (amscm and amsskms) endpoints are in the AWS N. Virginia Region, `us-east-1`. Depending on how your authentication is set, and what AWS Region your account and resources are in, you may need to add `--region us-east-1` when issuing commands. You may also need to add `--profile saml`, if that is your authentication method. Run the following command to get stack execution output details: ``` aws amsskms get-stack --stack-id STACK_ID ``` The output looks similar to this with the InstanceId appearing near the bottom, under `Outputs` (values shown are examples): ``` { "Stack": { "StackId": "stack-7fa52bd5eb8240123", "Status": { "Id": "CreateCompleted", "Name": "CreateCompleted" }, "VpcId": "vpc-01234567890abcdef", "Description": "Amazon", "Parameters": [ { "Value": "sg-01234567890abcdef,sg-01234567890abcdef", "Key": "SecurityGroups" }, { "Value": "subnet-01234567890abcdef", "Key": "InstanceSubnetId" }, { "Value": "t2.large", "Key": "InstanceType" }, { "Value": "ami-01234567890abcdef", "Key": "InstanceAmiId" } ], "Tags": [], "Outputs": [ { "Value": "i-0b22a22eec53b9321", "Key": "InstanceId" }, { "Value": "10.0.5.000", "Key": "InstancePrivateIP" } ], "StackTemplateId": "stm-s6xvs000000000000", "CreatedTime": "1486584508416", "Name": "Amazon" } } ``` # Find Amazon Resource Names (ARNs) in AMS Find ARNs An Amazon Resource Name (ARN) is a string that uniquely identifies an AWS resource, such as EC2 instances, S3 buckets, accounts, Lambda functions, and so forth. AWS requires an ARN when you want to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls. ARNs are constructed from identifiers that specify the service, Region, account, and other information. There are three ARN formats: ``` arn:aws:service:region:account-id:resource-id arn:aws:service:region:account-id:resource-type/resource-id arn:aws:service:region:account-id:resource-type:resource-id ``` **Note** The exact format of an ARN depends on the service and resource type. To learn more about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) and [ARN Formats](https://docs.aws.amazon.com/quicksight/latest/APIReference/qs-arn-format.html). For ARN format examples by resource, see the AWS *Service Authorization Reference* [resource types table](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#resources_table). Finding the ARN of an AWS object can be difficult. Here are three ways to try: + AWS service console: Go to the relevant AWS service console, locate the resource and find the ARN in the details for the resource. + AWS API/CLI (you must first install the AWS CLI): Look for the relevant service in the [AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/index.html), then, depending on the AWS service, look for the relevant operation, such as `describe`, or `get`, and so forth. For example, for all IAM roles, policies and users, you can get the ARN in the output from the CLI with: ``` aws iam get-role --role-name EMR_DefaultRole ``` + Construct the ARN based on the relevant format: Find the ARN format for the resource, by looking at the [ Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) page, finding the relevant service, and then the relevant action, and drilling down to the resource ARN format. Once you have the format, replace the variables with the relevant settings. You can construct the ARN yourself by following the appropriate format (the formats change per service and resource type) and filling in the information. Here are some ARN examples: + An AWS account ARN has the following syntax: ``` arn:aws:iam::ACCOUNT-ID:root ``` + An S3 ARN has a flat hierarchy of buckets and associated objects: ``` arn:aws:s3:::ams-bucket ``` + An EC2 ARN has sub resource-types like image, security groups, instance, and so forth. This example includes the instance ID at the end: ``` arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56 ``` + A Lambda ARN has the function name for the resource-id part, and you may need to include the version number at the end, as shown in this example: ``` arn:aws:lambda:us-east-1:123456789012:function:api-function:1 ``` The AWS Key Management Service service provides this information: [Finding the key ID and key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html). To find the ARN of a DynamoDB table, use the DynamoDB [describe-table](https://docs.aws.amazon.com/cli/latest/reference/dynamodb/describe-table.html) CLI. For an outsider's look at finding AWS ARNs, see [AWS ARN Explained: Amazon Resource Name Guide](https://devopscube.com/aws-arn-guide/). # Find resources by ARN in AMS Find resources by ARN Amazon Resource Names (ARNs) uniquely identify AWS resources. To learn about ARNs and ARN formats, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) and [ARN Formats](https://docs.aws.amazon.com/quicksight/latest/APIReference/qs-arn-format.html). **Note** In order to obtain details about a resource from its ARN, *you must have access to the account that created the resource*. There is no direct path in AWS to look up all resource details from the resource ARN, because services have multiple resource types with various related information. If you have the ARN for a resource, you can determine: + The related AWS service (the third ARN segment) tells you what AWS console to look at to find the resource + The resource ID (the sixth or seventh ARN segment) confirms that you've found the right resource Or you can look for the AWS CLI commands available for that service in the [https://docs.aws.amazon.com/cli/latest/index.html](https://docs.aws.amazon.com/cli/latest/index.html) for information about obtaining details about the resource. For example, from the following ARN, you can determine that the service is `lambda`, the account is `123456789012`, the resource type is `function`, and the name of the function is `TestFunction`. ``` arn:aws:lambda:us-east-1:123456789012:function:TestFunction ``` From this, you can review the [AWS CLI documentation for the Lambda service](https://docs.aws.amazon.com/cli/latest/reference/lambda/index.html) to learn how more details can be retrieved with various commands, such as `get-function` and `get-function-configuration`. For example, you can use the following commands to get more information about a Lambda function if you have its name or ARN: ``` aws lambda get-function-configuration --function-name TestFunction ``` ``` aws lambda get-function-configuration --function-name arn:aws:lambda:us-east-1:123456789012:function:TestFunction ``` # Find AMS account settings Find account settings Account settings that are used to create AMS RFCs, set schedules, and determine who receives notifications. Some settings are created during onboarding and require a service request to change. You should make a note of these account details because you will use them when communicating with AMS: + **Credentials**: If you need to retrieve your AMS user name or password, contact your local IT administrator--AMS uses your corporate Active Directory. + **Cloud Service Delivery Manager (CSDM)**: This person is your liaison with AMS and is available to answer service questions. You are given this person's contact information at onboarding and should keep it available to all in your organization who interact with AMS. You can expect to receive monthly reports on your AMS service from this person. + **Console access**: You access the AMS console at a URL set up specifically for your account. You can get the URL from your CSDM. + **AMS CLI**: You can obtain the AMS CLI through the AMS console **Developer's resources** page, or the distributables package that you get from your CSDM. After you have the distributables package, follow the steps outlined in [Installing or upgrading the AMS CLI](https://docs.aws.amazon.com/managedservices/latest/userguide/understand-sent-api.html#install-sent-cli). + **Maintenance window**: Your maintenance window determines when patching happens for your EC2 instances. The AWS Managed Services Maintenance Window (or Maintenance Window) performs maintenance activities for AWS Managed Services (AMS) and recurs the second Thursday of every month from 3 PM to 4 PM Pacific Time. AMS may change the maintenance window with 48 hours notice. You may have chosen a different window at onboarding--keep a record of your chosen maintenance window. + **Monitoring**: AMS provides a set of CloudWatch metrics by default, but you can also request additional metrics. If you do, keep record of those. + **Logs**: By default, your logs are stored at ams-a-*ACCOUNT\$1ID*-log-management-*REGION* where *REGION* is the region where the log was generated. + **Mitigation**: At onboarding, AMS records the mitigation action of your choice in case a malware attack against your resources is identified. For example, contact certain people. Keep this information available to all in your organization who interact with AMS. + **Region**: You can look at the VPC details page in the AMS console. You can also run this command after you have installed the AMS SKMS CLI (this command uses a SAML profile, remove if your authentication method is different): ``` aws --profile saml amsskms get-vpc --vpc-id VPC_ID ``` **Important** The AMS API/CLI (amscm and amsskms) endpoints are in the AWS N. Virginia Region, `us-east-1`. Depending on how your authentication is set, and what AWS Region your account and resources are in, you may need to add `--region us-east-1` when issuing commands. You may also need to add `--profile saml`, if that is your authentication method. # Find FQDNs in AMS Find FQDNs AWS Managed Services (AMS) access change types (CTs) require the fully qualified domain name, or FQDN, of your AMS-trusted domain, in the form of `C844273800838.amazonaws.com`. To discover your AWS FQDN, do one of the following: + AWS Console: Look in the AWS Directory Service console in the **Directory name** column. + CLI: Use these commands while logged into your domain: Windows (returns user and FQDN): ``` whoami /upn ``` or (DC\$1DC\$1DC=FQDN) ``` whoami /fqdn ``` Linux: ``` hostname --fqdn ``` **Note** The AMS API/CLI (amscm and amsskms) endpoints are in the AWS N. Virginia Region, `us-east-1`. Depending on how your authentication is set, and what AWS Region your account and resources are in, you may need to add `--region us-east-1` when issuing commands. You may also need to add `--profile saml`, if that is your authentication method. # Find availability zones (AZs) in AMS Find availability zones (AZs) **Availability Zone**: All accounts have at least two availability zones. To accurately find your availability zone names, you must first know the associated subnet ID. + AMS Console: In the navigation pane click **VPCs**, and then click the relevant VPC, if necessary. On the VPCs details page, select the relevant subnet in the table of subnets to open the subnet details page with the name of the associated availability zone. + AMS SKMS API/CLI: ``` aws amsskms list-subnet-summaries --output table ``` ``` aws amsskms get-subnet --subnet-id SUBNET_ID ``` **Note** The AMS API/CLI (amscm and amsskms) endpoints are in the AWS N. Virginia Region, `us-east-1`. Depending on how your authentication is set, and what AWS Region your account and resources are in, you may need to add `--region us-east-1` when issuing commands. You may also need to add `--profile saml`, if that is your authentication method. # Find SNS topics in AMS Find SNS topics Your SNS topics determine who is notified under various circumstances. AMS provides SNS topics for AMI notifications (see [AMS AMI notifications with SNS](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-ami-notifications.html)), CloudWatch alarms and EC2 resources (see [Receiving alerts generated by AMS](https://docs.aws.amazon.com/managedservices/latest/userguide/sent-alert-views.html)) and more. To discover your existing SNS topics: + AWS Console: Use the SNS console to view all topics, applications, and subscriptions, and a graph of messages. Also create, delete, subscribe to, and publish to topics. + API/CLI (when logged into your AMS account, requires the AWS CLI): List your SNS topics: ``` aws sns list-topics ``` List your SNS subscriptions: ``` aws sns list-subscriptions ``` **Note** The AMS API/CLI (amscm and amsskms) endpoints are in the AWS N. Virginia Region, `us-east-1`. Depending on how your authentication is set, and what AWS Region your account and resources are in, you may need to add `--region us-east-1` when issuing commands. You may also need to add `--profile saml`, if that is your authentication method. # Find backup settings in AMS Find backup settings Backups and snapshots are managed by AMS through the native [AWS Backup](https://aws.amazon.com/backup/) service. The configuration is managed through AWS Backup plans. You can have multiple AWS Backup plans that associate tagged resources with backup schedules and retention policies. To find your AMS account AWS Backup settings, use the [https://console.aws.amazon.com/backup](https://console.aws.amazon.com/backup) console, or the *AWS CLI Command Reference* for [backup](https://docs.aws.amazon.com/cli/latest/reference/backup/index.html) commands. For more information about AMS and AWS Backup, see [Continuity Management](https://docs.aws.amazon.com/managedservices/latest/userguide/continuity-mgmt.html).