

# What is AWS Managed Services?


Welcome to AWS Managed Services (AMS), infrastructure operations management for Amazon Web Services (AWS). AMS is an enterprise service that provides ongoing management of your AWS infrastructure. 

This user guide is intended for IT and application developer professionals. A basic understanding of IT functionality, networking, and application deployment terms and practices is assumed.

AMS implements best practices and maintains your infrastructure to reduce your operational overhead and risk. AMS provides full-lifecycle services to provision, run, and support your infrastructure, and automates common activities such as change requests, monitoring, patch management, security, and backup services. AMS enforces your corporate and security infrastructure policies, and enables you to develop solutions and applications using your preferred development approach.

To better understand AMS architecture, see [these diagrams](https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/AWS-managed-services-for-operational-excellence-ra.pdf).

**Topics**
+ [About this AMS user guide](#about-guide)
+ [AMS operations plans](what-is-ams-op-plans.md)
+ [Getting started with AWS Managed Services](get-start.md)
+ [AMS key terms](key-terms.md)
+ [Service description](ams-sd.md)
+ [AMS information resources](ams-info-resources.md)
+ [AMS compliance](ams-compliance.md)
+ [AMS Amazon Machine Images (AMIs)](ams-amis.md)
+ [How integration between AD FS and AMS works](how-integ-between-adfs-and-ams-works.md)
+ [AMS Managed Active Directory](ams-managed-AD.md)
+ [AMS application deployments](ams-deployments.md)

![AMS cloud services: What you get and when you get it.](http://docs.aws.amazon.com/managedservices/latest/userguide/images/certifications.png)


**Note**  
New AWS Regions are added frequently. For the most recent AMS-supported AWS Regions, and the most recent AMS-supported operating systems, see [Supported configurations](supported-configs.md).  
To learn more about AWS Regions, see [Managing AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html).

AMS seeks to continuously improve our services based on your feedback. We use several mechanisms to enable your self-service, to automate repetitive tasks, and to implement new AWS services and features as they are released. You can submit an AMS service request at any time to suggest new features or feature improvements.

AMS business hours are 24 hours a day, 7 days a week, 365 days a year. 

AMS follows a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of your business.

![AMS provides operational structure and control through a unique mix of programmatic interfaces and AWS expertise](http://docs.aws.amazon.com/managedservices/latest/userguide/images/vpcIntroC.png)


## About this AMS user guide

This user guide is intended for AMS Advanced customers with either a multi-account or single-account landing zone. For more details about the AMS landing zone offerings, see the [AMS Key Terms](https://docs.aws.amazon.com/managedservices/latest/userguide/key-terms.html); also see [Multi-Account Landing Zone architecture](https://docs.aws.amazon.com/managedservices/latest/userguide/malz-net-arch.html) and [Single-Account Landing Zone architecture](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-net-arch.html).

# AMS operations plans

AWS Managed Services (AMS) is available with two operations plans: AMS Accelerate and AMS Advanced. An operations plan offers a specific set of features and has differing levels of service, technical capabilities, requirements, price, and restrictions. Our operations plans give you the flexibility to select the right-sized operational capabilities for each of your AWS workloads. This section outlines the capabilities and differences, as well as the responsibilities, features, and benefits associated with each plan, so that you can understand which operations plan is best for your accounts.

For a detailed feature comparison of the two operations plans, see [AWS Managed Services Features](https://aws.amazon.com/managed-services/features/).

## AMS Accelerate operations plan

AMS Accelerate is the AMS operations plan that helps you operate the day-to-day infrastructure management of your new or existing AWS environment. AMS Accelerate provides operational services, such as monitoring, incident management, and security. AMS Accelerate also offers an optional patch add-on for Amazon EC2-based workloads that require regular patching.

With AMS Accelerate, you decide which AWS accounts you want AMS Accelerate to operate, the AWS Regions you want AMS Accelerate to operate in, the add-ons you require, and the service-level agreements (SLAs) you need. For more details, see [Using the AMS Accelerate operations plan](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-what-is.html) and [Service Description](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sd.html).

## AMS Advanced operations plan

AMS Advanced provides full-lifecycle services to provision, run, and support your infrastructure. In addition to the operational services provided by AMS Accelerate, AMS Advanced includes landing zone management, infrastructure changes and provisioning, access management, and endpoint security.

AMS Advanced deploys a landing zone to which you migrate your AWS workloads and receive AMS operational services. Our managed multi-account landing zones are pre-configured with the infrastructure to facilitate authentication, security, networking, and logging. 

AMS Advanced also includes a change and access management system that protects your workloads by preventing unauthorized access or the implementation of risky changes to your AWS infrastructure. You create a request for change (RFC) using our change management system to implement most changes in your AMS Advanced accounts. You create RFCs from a library of automated changes that are pre-vetted by our security and operations teams, or request manual changes that are reviewed and implemented by our operations team if they are deemed both safe and supported by AMS Advanced. 

AMS Advanced also offers different SLAs. For more information, see the [AWS Managed Services AMS Advanced service description](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html).

# Getting started with AWS Managed Services

For details about getting started with the multi-account landing zone AMS service, see the [AWS Managed Services Onboarding Introduction](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/og-intro.html). The two onboarding guides provide descriptions of the service and questions to consider to help you get started. Review the feature set [AWS Managed Services Features](https://aws.amazon.com/managed-services/features/), and current resources at [AWS Managed Services Resources](https://aws.amazon.com/managed-services/resources/).

# AMS key terms
+ *AMS Advanced*: The services described in the "Service Description" section of the AMS Advanced Documentation. See [Service Description](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html).
+ *AMS Advanced Accounts*: AWS accounts that at all times meet all requirements in the AMS Advanced Onboarding Requirements. For information on AMS Advanced benefits, case studies, and to contact a sales person, see [AWS Managed Services](https://aws.amazon.com/managed-services/).
+ *AMS Accelerate Accounts*: AWS accounts that at all times meet all requirements in the AMS Accelerate Onboarding Requirements. See [Getting Started with AMS Accelerate](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/getting-started-acc.html).
+ *AWS Managed Services*: AMS Advanced and/or AMS Accelerate.
+ *AWS Managed Services accounts*: The AMS Advanced accounts and/or AMS Accelerate accounts.
+ <a name="CritRec"></a>*Critical Recommendation*: A recommendation issued by AWS through a service request informing you that your action is required to protect against potential risks or disruptions to your resources or the AWS services. If you decide not to follow a Critical Recommendation by the specified date, you are solely responsible for any harm resulting from your decision.
+ *Customer-Requested Configuration*: Any software, services or other configurations that are not identified in:
  + AMS Accelerate: [Supported Configurations](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sd.html#supported-configs) or [AMS Accelerate Service Description](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sd.html).
  + AMS Advanced: [Supported Configurations](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html#supported-configs) or [AMS Advanced Service Description](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html).
+ *Incident communication*: AMS communicates an incident to you, or you open an incident with AMS, through an incident created in Support Center (AMS Accelerate) or in the AMS console (AMS Advanced). The AMS Accelerate console provides a summary of incidents and service requests on the Dashboard and links to Support Center for details.
+ *Managed Environment*: The AMS Advanced accounts and/or the AMS Accelerate accounts operated by AMS.

  For AMS Advanced, these include multi-account landing zone (MALZ) and single-account landing zone (SALZ) accounts.
+ *Billing start date*: The next business day after AWS receives the information requested in the AWS Managed Services Onboarding Email. The AWS Managed Services Onboarding Email refers to the email sent by AWS to you to collect the information needed to activate AWS Managed Services on your accounts. 

   For accounts subsequently enrolled by you, the billing start date is the next day after AWS Managed Services sends an AWS Managed Services Activation Notification for the enrolled account. An AWS Managed Services Activation Notification occurs when:

  1. You grant access to a compatible AWS account and hand it over to AWS Managed Services.

  1. AWS Managed Services designs and builds the AWS Managed Services Account.
+ *Service Termination*: You can terminate the AWS Managed Services for all AWS Managed Services accounts, or for a specified AWS Managed Services account for any reason by providing AWS at least 30 days notice through a service request. On the Service Termination Date, either: 

  1. AWS hands over the controls of all AWS Managed Services accounts or the specified AWS Managed Services accounts as applicable, to you, or 

  1. The parties remove the AWS Identity and Access Management roles that give AWS access from all AWS Managed Services accounts or the specified AWS Managed Services accounts, as applicable. 
+ *Service termination date*: The service termination date is the last day of the calendar month following the end of the 30 days requisite termination notice period. If the end of the requisite termination notice period falls after the 20th day of the calendar month, then the service termination date is the last day of the following calendar month. The following are example scenarios for termination dates. 
  + If the termination notice is provided on April 12, then the 30 days notice ends on May 12. The service termination date is May 31.
  + If a termination notice is provided on April 29, then the 30 days notice ends on May 29. The service termination date is June 30.
+ *Provision of AWS Managed Services*: AWS makes available to you and you can access and use AWS Managed Services for each AWS Managed Services account from the service commencement date.
+ *Termination for specified AWS Managed Services accounts*: You can terminate the AWS Managed Services for a specified AWS Managed Services account for any reason by providing AWS notice through a service request ("AMS Account Termination Request").

**Incident management terms**:
+ *Event*: A change in your AMS environment.
+ *Alert*: Whenever an event from a supported AWS service exceeds a threshold and triggers an alarm, an alert is created and notice is sent to your contacts list. Additionally, an incident is created in your Incident list.
+ *Incident*: An unplanned interruption or performance degradation of your AMS environment or AWS Managed Services that results in an impact as reported by AWS Managed Services or you.
+ *Problem*: A shared underlying root cause of one or more incidents.
+ *Incident Resolution* or *Resolve an Incident*: 
  + AMS has restored all unavailable AMS services or resources pertaining to that incident to an available state, or
  + AMS has determined that unavailable stacks or resources cannot be restored to an available state, or 
  + AMS has initiated an infrastructure restore authorized by you.
+ *Incident Response Time*: The difference in time between when you create an incident, and when AMS provides an initial response by way of the console, email, service center, or telephone.
+ *Incident Resolution Time*: The difference in time between when either AMS or you creates an incident, and when the incident is resolved.
+ *Incident Priority*: How incidents are prioritized by AMS, or by you, as either Low, Medium, or High.
  + *Low*: A non-critical problem with your AMS service.
  + *Medium*: An AWS service within your managed environment is available but is not performing as intended (per the applicable service description).
  + *High*: Either (1) the AMS Console, or one or more AMS APIs within your managed environment are unavailable; or (2) one or more AMS stacks or resources within your managed environment are unavailable and the unavailability prevents your application from performing its function.

  AMS may re-categorize incidents in accordance with the above guidelines.
+ *Infrastructure Restore*: Re-deploying existing stacks, based on templates of impacted stacks, and initiating a data restore based on the last known restore point, unless otherwise specified by you, when incident resolution is not possible.

**Infrastructure terms**:
+ *Managed production environment*: A customer account where the customer’s production applications reside.
+ *Managed non-production environment*: A customer account that only contains non-production applications, such as applications for development and testing.
+ *AMS stack*: A group of one or more AWS resources that are managed by AMS as a single unit.
+ *Immutable infrastructure*: An infrastructure maintenance model typical for Amazon EC2 Auto Scaling groups (ASGs) where updated infrastructure components (in AWS, the AMI) are replaced for every deployment rather than being updated in place. The advantage of immutable infrastructure is that all components stay in a consistent state, since they are always generated from the same base. Immutability is independent of any tool or workflow for building the AMI.
+ *Mutable infrastructure*: An infrastructure maintenance model typical for stacks that are not Amazon EC2 Auto Scaling groups and contain a single instance or just a few instances. This model most closely represents traditional, hardware-based, system deployment where a system is deployed at the beginning of its life cycle and then updates are layered onto that system over time. Any updates to the system are applied to the instances individually, and may incur system downtime (depending on the stack configuration) due to application or system restarts.
+ *Security groups*: Virtual firewalls for your instance to control inbound and outbound traffic. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could have a different set of security groups assigned to it.
+ *Service Level Agreements (SLAs)*: Part of AMS contracts with you that define the level of expected service.
+ SLA *Unavailable* and *Unavailability*:
  + An API request submitted by you that results in an error.
  + A Console request submitted by you that results in a 5xx HTTP response (the server is incapable of performing the request).
  + Any of the AWS service offerings that constitute stacks or resources in your AMS-managed infrastructure are in a state of "Service Disruption" as shown in the [Service Health Dashboard](https://status.aws.amazon.com/).
  + Unavailability resulting directly or indirectly from an AMS exclusion is not considered in determining eligibility for service credits. Services are considered available unless they meet the criteria for being unavailable.
+ *Service Level Objectives (SLOs)*: Part of AMS contracts with you that define specific service goals for AMS services.

**Patching terms**:
+ *Mandatory patches*: Critical security updates to address issues that could compromise the security state of your environment or account. A "Critical Security update" is a security update rated as "Critical" by the vendor of an AMS-supported operating system. 
+ *Patches announced versus released*: Patches are generally announced and released on a schedule. Emergent patches are announced when the need for the patch has been discovered and, usually soon after, the patch is released.
+ *Patch add-on*: Tag-based patching for AMS instances that leverages AWS Systems Manager (SSM) functionality so you can tag instances and have those instances patched using a baseline and a window that you configure.
+ *Patch methods*:
  + *In-place patching*: Patching that is done by changing existing instances.
  + *AMI replacement patching*: Patching that is done by changing the AMI reference parameter of an existing EC2 Auto Scaling group launch configuration.
+ *Patch provider* (OS vendors, third party): Patches are provided by the vendor or governing body of the application.
+ *Patch Types*:
  + *Critical Security Update (CSU)*: A security update rated as "Critical" by the vendor of a supported operating system.
  + *Important Update (IU)*: A security update rated as "Important" or a non-security update rated as "Critical" by the vendor of a supported operating system.
  + *Other Update (OU)*: An update by the vendor of a supported operating system that is not a CSU or an IU.
+ *Supported patches*: AMS supports operating system level patches. Patches are released by the vendor to fix security vulnerabilities or other bugs, or to improve performance. For a list of currently supported OSs, see [Supported Configurations](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sd.html#supported-configs).

**Security terms**:
+ *Detective Controls*: A library of AMS-created or enabled monitors that provide ongoing oversight of customer managed environments and workloads for configurations that do not align with security, operational, or customer controls, and take action by notifying owners, proactively modifying, or terminating resources.
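
As an added example of the detective-control pattern defined above (and of the security-group guardrails described later in the service description), the following Python evaluates security group inbound rules in the shape returned by EC2 `DescribeSecurityGroups` and decides whether the control would notify the owner or revoke the rule. This is illustrative code, not an AMS monitor: the sample groups are constructed, and the allowed public ports and the notify/revoke policy are assumptions standing in for AMS defaults.

```python
"""Added example: a minimal detective control for EC2 security groups.

Illustrative code, not AMS's own monitor. The input mirrors the shape of
boto3 ec2.describe_security_groups()["SecurityGroups"], but the groups
below are constructed for this example; ALLOWED_PUBLIC_TCP_PORTS and the
notify/revoke policy are assumptions, not AMS defaults.
"""
from ipaddress import ip_network

# Assumption: TCP ports a public-facing stack may expose to the whole internet.
ALLOWED_PUBLIC_TCP_PORTS = {80, 443}

# Constructed sample input in describe_security_groups() shape.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa",
        "GroupName": "web-public",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # SSH open to the world: a misconfiguration the control should flag.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb",
        "GroupName": "db-private",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            # All protocols, all ports, from any IPv6 address.
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def is_world_open(rule):
    """True if any IPv4 or IPv6 range in the rule is a /0 (whole internet)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def rule_ports(rule):
    """(from, to) port range of a rule; protocol -1 means every port."""
    if rule["IpProtocol"] == "-1":
        return (0, 65535)
    return (rule["FromPort"], rule["ToPort"])


def evaluate_group(group):
    """Return findings for one security group's inbound rules.

    A world-open TCP rule confined to ALLOWED_PUBLIC_TCP_PORTS is compliant.
    Any other world-open rule is a finding; an all-traffic rule gets the
    'revoke' action, everything else 'notify' (assumed policy).
    """
    findings = []
    for rule in group["IpPermissions"]:
        if not is_world_open(rule):
            continue
        lo, hi = rule_ports(rule)
        if rule["IpProtocol"] == "tcp" and all(
            p in ALLOWED_PUBLIC_TCP_PORTS for p in range(lo, hi + 1)
        ):
            continue
        findings.append({
            "GroupId": group["GroupId"],
            "Protocol": rule["IpProtocol"],
            "Ports": (lo, hi),
            "Action": "revoke" if rule["IpProtocol"] == "-1" else "notify",
        })
    return findings


def evaluate_all(groups):
    """Run the control across every group and collect findings."""
    return [f for g in groups for f in evaluate_group(g)]


if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_GROUPS):
        print(finding)
```

In a live account the input list would come from boto3's `ec2.describe_security_groups()`, and the `revoke` action maps to `ec2.revoke_security_group_ingress()`; whether a finding notifies, modifies or terminates is exactly the policy knob the text says you can adjust from AMS defaults.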

**Service Request terms**:
+ *Service request*: A request by you for an action that you want AMS to take on your behalf.
+ *Alert notification*: A notice posted by AMS to your **Service requests** list page when an AMS alert is triggered. The contact configured for your account is also notified by the configured method (for example, email). If you have contact tags on your instances/resources, and have provided consent to your cloud service delivery manager (CSDM) for tag-based notifications, the contact information (key value) in the tag is also notified for automated AMS alerts.
+ *Service notification*: A notice from AMS that is posted to your **Service request** list page.

<a name="misc-terms"></a>**Miscellaneous terms**:
+ *AWS Managed Services Interface*: For AMS: The AWS Managed Services Advanced Console, AMS CM API, and Support API. For AMS Accelerate: The Support Console and Support API.
+ *Customer satisfaction (CSAT)*: AMS CSAT is informed by analytics that include Case Correspondence Ratings (given on individual cases or correspondence), quarterly surveys, and similar feedback mechanisms.
+ *DevOps*: DevOps is a development methodology that strongly advocates automation and monitoring at all steps. DevOps aims at shorter development cycles, increased deployment frequency, and more dependable releases by bringing together the traditionally-separate functions of development and operations over a foundation of automation. When developers can manage operations, and operations informs development, issues and problems are more quickly discovered and solved, and business objectives are more readily achieved.
+ *ITIL*: Information Technology Infrastructure Library (called ITIL) is an ITSM framework designed to standardize the lifecycle of IT services. ITIL is arranged in five stages that cover the IT service lifecycle: service strategy, service design, service transition, service operation, and service improvement.
+ *IT service management (ITSM)*: A set of practices that align IT services with the needs of your business.
+ *Managed Monitoring Services (MMS)*: AMS operates its own monitoring system, Managed Monitoring Service (MMS), that consumes AWS Health events and aggregates Amazon CloudWatch data, and data from other AWS services, notifying AMS operators (online 24x7) of any alarms created through an Amazon Simple Notification Service (Amazon SNS) topic.
+ *Namespace*: When you create IAM policies or work with Amazon Resource Names (ARNs), you identify an AWS service by using a namespace. You use namespaces when identifying actions and resources. 

# Service description


AMS Advanced (AMS) is an operations plan of the AWS Managed Services service for managing operations of your AWS infrastructure. AMS Advanced provides routine infrastructure operations such as patch management, continuity management, and security management, and IT management processes such as incident, change, and service request management. For a list of supported services, see [Supported AWS services](supported-services.md).

**YouTube Video**: [How can AMS help me achieve operational excellence in the cloud?](https://youtu.be/wpfPthp3tw8)

**Topics**
+ [AWS Managed Services (AMS) AMS Advanced operation plan features](features.md)
+ [What we do, what we do not do](ams-do-not-do.md)
+ [AMS responsibility matrix (RACI)](raci-table.md)
+ [AMS environment basic components](basic-components.md)
+ [AMS account limits](account-limits.md)
+ [AMS service level objectives (SLOs)](apx-slo.md)
+ [Supported AWS services](supported-services.md)
+ [Supported configurations](supported-configs.md)
+ [Capabilities for unsupported operating systems in AMS](ams-unsupported-os.md)
+ [AMS Advanced interfaces](ams-interfaces.md)
+ [AMS VPC endpoints](ams-endpoints.md)
+ [AMS protected namespaces](apx-namespaces.md)
+ [AMS reserved prefixes](ams-reserved-prefixes-2.md)
+ [AMS maintenance window](maintenance-win.md)

# AWS Managed Services (AMS) AMS Advanced operation plan features


AMS Advanced offers the following features for supported AWS services:
+ **Logging, Monitoring, Guardrails, and Event Management**:

  AMS configures and monitors your managed environment for logging activity and defines alerts based on a variety of health checks. Alerts are investigated by AMS for applicable AWS services, and those that negatively impact your usage of those services result in the creation of incidents. AMS aggregates and stores all logs generated as a result of all operations in CloudWatch, CloudTrail, and system logs in Amazon S3. You can ask for additional alerts to be put in place. In addition to AMS’ preventative controls, AMS deploys configuration guardrails and detective controls to provide ongoing protection from misconfigurations that could reduce the operational and security integrity of the managed accounts, and to enforce your own controls such as tagging and compliance. When a deviation from a monitored control is detected, an alarm is generated that results in notification, modification, or termination of resources based on predefined AMS defaults that you can modify. 
+ **Continuity management** (Backup and Restore):

  AMS provides backups of resources using standard, existing AWS Backup functionality on a scheduled interval determined by you. Restore actions from specific snapshots can be performed by AMS with your RFC. Data changes that occur between snapshot intervals are your responsibility to back up. You can submit an RFC for backup or snapshot requests outside of scheduled intervals. In the case of Availability Zone (AZ) unavailability in an AWS Region, with your permission, AMS restores the managed environment by recreating new stack(s) based on templates and available EBS snapshots of the impacted Stacks.
+ **Security and access management**:

  AMS provides endpoint security (EPS) such as configuring anti-virus and anti-malware protection. Alternatively, you can use your own EPS tooling and processes instead of AMS EPS, through a feature called bring your own EPS (BYOEPS). AMS also configures default AWS security capabilities that are approved by you during onboarding, such as AWS Identity and Access Management (IAM) roles and Amazon EC2 security groups, and uses standard AWS tools (for example, AWS Security Hub CSPM, Amazon Macie, Amazon GuardDuty) to monitor and respond to security issues. You manage your users through an approved directory service provided by you. For a list of approved directory services, see [Supported configurations](supported-configs.md).

  AMS EPS includes antivirus (AV) and anti-malware protection, and malware and intrusion detection (Trend Micro). Security groups are defined per stack template and are adjusted at launch depending on the visibility of the application (public or private).

  Access to systems is requested through change management requests for change (RFCs). Access management provides access to distinct resources, such as Amazon EC2 instances, the AWS Management Console, and APIs. After establishing a one-way trust with an AMS Microsoft Active Directory deployment during onboarding and federating to AWS, you can use your existing corporate credentials for all interactions.
+ **Patch management**:

  AMS applies and installs updates to EC2 instances for supported operating systems (OSs) and software pre-installed with supported operating systems. For a list of supported operating systems, see [Supported configurations](supported-configs.md).

  AMS offers two models for patching:
  + AMS standard patch for traditional account-based patching, and 
  + AMS Patch Orchestrator, for tag-based patching.

  In AMS standard patch, a monthly maintenance window is chosen by you for AMS to perform most patching activities. AMS applies *critical security updates* outside of the selected maintenance window (with appropriate notifications) and *important updates* during the selected maintenance window. AMS additionally applies updates to infrastructure management tools during the selected maintenance window. You can exclude stacks from patch management or reject updates, if you want.

  With AMS Patch Orchestrator, a default maintenance window per account is defined by you for AMS to perform patching activities. You can schedule additional custom maintenance windows for AMS to patch a specific set of instances defined by you with tags. AMS applies all available updates, but you can filter or reject updates by creating a custom patch baseline. For both models, if you approve or reject an update provided under patch management but later change your mind, you are responsible for initiating the update via an RFC. AMS tracks the patch status of resources and highlights systems that aren’t current in the monthly business review. Patch management is limited to stacks in the managed environment, including all AMS managed applications and supported AWS services with patching capabilities (for example, RDS). In order to support all types of infrastructure configurations when an update is released, AMS a) updates the EC2 instance and b) provides an updated AMS AMI for you to use. It is your responsibility to install, configure, patch, and monitor any additional applications not specifically covered above. 
+ **Change management**:

  AMS change management is the mechanism for you to control changes in your managed environment. AMS uses a combination of preventative and detective controls to facilitate this process and provides different levels of control and associated risk depending on the AMS mode selected.

  All actions in your AMS environment are logged in AWS CloudTrail.

  For more information about AMS Change Management and different modes, see [AMS Change Management guide](https://docs.aws.amazon.com/managedservices/latest/ctref/index.html) and [AMS Modes](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-modes-ug.html).
+ **Automated and self-service provisioning management**:

  You can provision AWS resources on AMS Advanced in several ways:
  + Submit provisioning and configuration Requests for Change (RFCs)
  + Deploy through AWS Service Catalog 
  + Deploy through [Direct Change mode](https://docs.aws.amazon.com/managedservices/latest/userguide/direct-change-mode.html) 
  + Deploy through [Developer mode](https://docs.aws.amazon.com/managedservices/latest/userguide/developer-mode.html). Remember that the resources created through the Developer mode are not managed by AMS.
  + Configure AWS services directly using self-service provisioning for select AWS services (see [Supported AWS services](supported-services.md)).
+ **Incident management**:

  AMS proactively notifies you of incidents detected by AMS. AMS responds to both customer-submitted and AMS-generated incidents and resolves incidents based on the incident priority. Unless otherwise instructed by you, incidents that are determined by AMS to be a risk to the security of your managed environment, and incidents relating to the availability of AMS and other AWS services, are proactively actioned. AMS takes action on all other incidents once your authorization is received. Recurring incidents are addressed by the problem management process.
+ **Problem management**:

  AMS performs trend analysis to identify and investigate problems and to identify the root cause. Problems are remediated either with a workaround or a permanent solution that prevents recurrence of similar future service impact. A post incident report (PIR) may be requested for any "High" incident, upon resolution. The PIR captures the root cause and preventative actions taken, including implementation of preventative measures.
+ **Reporting**:

  AMS provides you with a monthly service report that summarizes key performance metrics of AMS, including an executive summary and insights, operational metrics, managed resources, AMS service level agreement (SLA) adherence, and financial metrics around spending, savings, and cost optimization. Reports are delivered by the AMS cloud service delivery manager (CSDM) assigned to you.
+ **Service request management**:

  To request information about your managed environment, AMS, or AWS service offerings, submit service requests using the AMS console. You can submit a service request for "How to" questions about AWS services and features or to request additional AMS services.
+ **Service Desk**:

  AMS staffs engineering operations with full-time Amazon employees to fulfill non-automated requests, including incident management, service request management, and change management. The Service Desk operates 24x7, 365 days a year.
+ **Designated resources**:

  Each customer is assigned a Cloud Service Delivery Manager (CSDM) and a Cloud Architect (CA).
  + CSDMs can be contacted directly. They perform service reviews and deliver reporting and insights through all phases of the implementation, migration, and operational life cycle. CSDMs conduct monthly business reviews covering items such as financial spend, cost-saving recommendations, service utilization, and risk reporting. They dive deep into operational performance statistics and recommend areas for improvement.
  + CAs can be contacted directly and provide technical expertise to help you optimize your use of the AWS Cloud. Example CA activities include selecting workloads for migration, assisting with onboarding additional accounts and workloads, acting as the technical lead in operational activities such as game days, disaster recovery testing, and problem management, and giving technical advice to get the most out of AMS and AWS. CAs drive technical discussions at all levels of your organization and assist with incident management, making trade-offs, establishing best practices, and technical risk mitigation.
+ **Developer mode**:

  This feature enables you to iterate infrastructure designs and deployments quickly within AMS-configured accounts[1] by allowing direct access to AWS service APIs and the AWS console in addition to access to the AMS change management process. Resources provisioned or configured with developer mode permissions outside of the change management process are your responsibility to manage (See "Automated and Self-Service Provisioning Management"). Resources provisioned through the AMS change management process are supported like other change management-provisioned workloads on AMS.
+ **AWS support**:

  AMS customers can choose the level of AWS Support they require to complement their AMS Operations plan. Accounts enrolled in AMS can be subscribed to either Business Support or Enterprise Support. To learn about the differences in Support Plans, see [AWS Support Plans](https://aws.amazon.com/premiumsupport/plans/).
+ **Customer-managed account**:

  This feature enables you to request AWS accounts within the same managed environment but the ongoing operations of workloads and AWS resources within those accounts are your responsibility. AMS provisions customer-managed accounts, but once the accounts are created, no other AMS features or services are provided to those accounts. AWS will not enroll customer-managed accounts in enterprise-level premium support. It will be your responsibility to enroll customer-managed accounts in AWS support at the support rate you choose.
+ **Firewall management**:

  AMS provides an optional managed firewall solution for Supported Firewall Services, which enables internet-bound egress traffic filtering for networks in your managed environment. This excludes public-facing services that do not use the AWS network infrastructure and whose traffic goes directly to the internet. The solution combines industry-leading firewall technology with AMS infrastructure management capabilities to deploy, monitor, manage, scale, and restore the firewall infrastructure.

When you onboard AMS, you receive a complete list of your AMS network infrastructure. To get an updated list of services running in support of your AMS infrastructure at any time, file a service request with specifics about the information you want. To request a change to your network design, create a service request describing the changes you want to make—for example, adding a VPC or requesting a security group rule change.

# What we do, what we do not do


AMS gives you a standardized approach to deploying AWS infrastructure and provides the necessary ongoing operational management. For a full description of roles, responsibilities, and supported services, see [Service Description](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html).

**Note**  
To request that AMS provide an additional AWS service, file a service request. For more information, see [Making Service Requests](https://docs.aws.amazon.com/managedservices/latest/userguide/mk-service-requests.html).
+ **What we do**:

  After you complete onboarding, the AMS environment is available to receive requests for change (RFCs), incidents, and service requests. Your interaction with the AMS service revolves around the lifecycle of an application stack. New stacks are ordered from a preconfigured list of templates, launched into specific virtual private cloud (VPC) subnets, modified during their operational life through requests for change (RFCs), and monitored for events and incidents 24/7. 

  Active application stacks are monitored and maintained by AMS, including patching, and require no further action for the life of the stack unless a change is required or the stack is decommissioned. Incidents detected by AMS that affect the health and function of the stack generate a notification and may or may not need your action to resolve or verify. How-to questions and other inquiries can be made by submitting a service request.

  Additionally, AMS allows you to enable compatible AWS services that are not managed by AMS. For information about AWS-AMS compatible services, see [Self-service provisioning mode](https://docs.aws.amazon.com/managedservices/latest/userguide/setting-up-compatible.html).

   
+ **What we DON'T do**:

  While AMS simplifies application deployment by providing a number of manual and automated options, you're responsible for the development, testing, updating, and management of your application. AMS provides troubleshooting assistance for infrastructure issues that impact applications, but AMS can't access or validate your application configurations.

# AMS responsibility matrix (RACI)


**Note**  
In order to fulfill its obligations in a timely manner, AWS Managed Services (AMS) may require inputs from you for deciding an appropriate course of action. AMS will contact the designated customer contact for all such clarifications and inputs. AMS will expect a response to such queries within 24 business hours. In case there is no reply within 24 business hours, AMS may choose an action on your behalf.

The AMS responsible, accountable, consulted, and informed, or RACI, matrix assigns primary responsibility either to the customer or AMS for a variety of activities.

AMS manages your AWS infrastructure. The following table provides an overview of the responsibilities of customer and AMS for activities in the lifecycle of an application running within an AMS managed environment.

AMS is not responsible for any of the following activities for Customer Managed accounts or the infrastructure running within them; therefore this RACI is not applicable.
+ **R** stands for responsible party that does the work to achieve the task.
+ **C** stands for consulted; a party whose opinions are sought, typically as subject matter experts; and with whom there is bilateral communication.
+ **I** stands for informed; a party which is informed on progress, often only on completion of the task or deliverable.
+ **Self-service Provisioning** refers to resources that are provisioned by the customer with self-service through the AWS API or Console, including Developer Mode and Self-Service Provisioned Services.
**Note**  
Some sections contain 'R' for both AMS and Customers. This is because, in the AWS Shared Responsibility model, both AMS and the customers take joint ownership to respond to infrastructure and application issues.

  To provide self-service provisioning capabilities, AMS has created elevated IAM roles with permission boundaries to limit unintended changes from direct AWS service access. Roles do not prevent all changes and you are responsible to adhere to your internal controls, compliance, and to validate that all AWS services being used meet the required certifications. We call this the Self-Service Provisioning mode. For details on AWS compliance requirements, see [AWS Compliance](https://aws.amazon.com/compliance/).

  For resources that you provision through self-service, AMS provides incident management, detective controls and guardrails, reporting, designated resources (Cloud Service Delivery Manager and Cloud Architect), Security & access, and technical support through service requests. Additionally, where applicable, you assume responsibility for continuity management, patch management, infrastructure monitoring, and change management for resources provisioned or configured outside of the AMS change management system.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/raci-table.html)

(8) AMS provides AMIs for Amazon EC2 only (footnote to the RACI table).

(9) AMS is responsible for End of Life OSes only when the customer signs an extended support agreement with the OS vendor (footnote to the RACI table).

# AMS environment basic components


------
#### [ Multi-Account Landing Zone ]

This is an estimate of the components, and potential costs, of the infrastructure in the core accounts. This does not include other costs such as bandwidth, CloudWatch detailed monitoring, logging, alarms, Route53, Amazon S3, Simple Notification Service (Amazon SNS), snapshots, or reserved Amazon EC2 instances.

You pay for the components required by the AMS-Managed AWS landing zone infrastructure. Estimates place the cost of a plain AMS multi-account landing zone environment at \$12,450 per month and \$150 for a plain application account.

For information about pricing, see [AWS pricing](https://aws.amazon.com/pricing/).


**Basic Environment Components**  

| Component | Est. Cost | Description | 
| --- | --- | --- | 
| Management account | \$160 | An AWS Organizations Management account; creates and financially manages member accounts. It contains the AWS Landing Zone (ALZ) framework, account configuration stack sets, and AWS Organization service control policies (SCPs). [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/basic-components.html) | 
| Shared Services Account | \$12000 | Contains infrastructure and resources required for access management (i.e., Active Directory), end-point security management (Trend Micro), and your bastions (SSH/RDP); estimate is \$12400 a month. This estimate does not include the cost of the Trend Micro licenses. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/basic-components.html) | 
| Networking Account | \$1350 | The central hub for network routing between AMS accounts, your on-premises network, and egress traffic to the Internet. Additionally, contains the public DMZ bastions (the entry point for AMS engineers to access hosts in your AMS environment). Price may increase depending on traffic traversing the Transit Gateway and Direct Connect. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/basic-components.html) | 
| Log Archive Account | \$120 | An S3 bucket with copies of AWS CloudTrail and AWS Config log files from each of your AMS environment accounts. Costs increase as more logs are collected. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/basic-components.html) | 
| Security Account | \$120 |  The central hub for security-related operations, and the main point for funneling notifications and alerts to AMS control plane services. Additionally, houses the Amazon GuardDuty management account. Costs increase as more events are analyzed by Amazon GuardDuty. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/basic-components.html) | 

------
#### [ Single-Account Landing Zone ]

The following table lists the components of an example AMS-managed infrastructure.


**Basic Environment Components, Last Updated 2020/07/09**  

| Name | Instance Type | OS | Number of Components | 
| --- | --- | --- | --- | 
| mc-eps-dsm | m5.large | Linux | 2 | 
| mc-management | m5.large | Windows | 2 | 
| mc-bastion-dmz-ssh | m5.large | Linux | 2 | 
| mc-bastion-customer-rdp | m5.large | Windows | 2 | 
| mc-eps-relay | m5.large | Linux | 2 | 
| directory services | N/A | N/A |  | 
| additional components | N/A | N/A |  | 

For information about pricing, see [AWS Pricing](https://aws.amazon.com/pricing/).

------

# AMS account limits


There are three distinct types of limits to consider within AMS multi-account landing zone: AMS API limits, AMS resource limits, and AWS limits.

There are two distinct types of limits to consider within AMS single-account landing zone: AMS API limits, and AWS limits.

## AMS account API limits


This section describes the account-level limits after which AWS Managed Services (AMS) throttles the AMS SKMS API. If you call any of the listed APIs more than 10 times in a second, one of the calls is "throttled" (you receive a `ThrottleException`). In rare situations, an external or downstream dependency might throttle the AMS API, and AMS may then throttle your API calls at a lower rate than 10 TPS, so callers should be prepared to back off and retry on `ThrottleException` rather than rely on client-side pacing alone.

**Note**  
For information on the AMS SKMS API, download the reference through the **Reports** tab of the AWS Artifact console.

For each AMS SKMS API listed, the operation is throttled after 10 TPS (transactions per second):
+ `GetStack`
+ `GetSubnet`
+ `GetVpc`
+ `ListAmis`
+ `ListStackSummaries`
+ `ListSubnetSummaries`
+ `ListVpcSummaries`
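The throttling behaviour described above, as an added example that is not part of this guide or of AMS tooling: a client-side sliding-window limiter keeps a caller under the 10 TPS budget, and full-jitter exponential backoff on `ThrottleException` handles the case where a downstream dependency throttles at a lower rate. The AMS SKMS endpoint is replaced by a constructed simulator (`FakeSkmsApi`) driven by a fake clock so the script runs offline and deterministically; `list_stack_summaries` is a stand-in name for whichever SKMS call you wrap, and the timings are the simulator's, not measured AMS behaviour.

```python
"""Client-side pacing and retry for a 10 TPS API such as the AMS SKMS API (added example)."""
import random
import time
from collections import deque


class ThrottleException(Exception):
    """Stand-in for the ThrottleException the AMS SKMS API returns when throttled."""


class RateLimiter:
    """Sliding-window limiter: at most `max_calls` calls in any `period` seconds.

    `clock` and `sleeper` are injectable so the example can run on a fake clock.
    """

    def __init__(self, max_calls, period=1.0, clock=time.monotonic, sleeper=time.sleep):
        self.max_calls, self.period = max_calls, period
        self.clock, self.sleeper = clock, sleeper
        self.calls = deque()  # timestamps of calls made inside the current window

    def _expire(self, now):
        while self.calls and self.calls[0] <= now - self.period:
            self.calls.popleft()

    def acquire(self):
        """Block until a call may be made, then record it."""
        now = self.clock()
        self._expire(now)
        if len(self.calls) >= self.max_calls:
            # Wait until the oldest call in the window has aged out of it.
            self.sleeper(self.calls[0] + self.period - now)
            now = self.clock()
            self._expire(now)
        self.calls.append(now)


def call_with_backoff(fn, limiter, max_attempts=5, base_delay=0.2,
                      sleeper=time.sleep, rng=random.random):
    """Call `fn` through the limiter; on ThrottleException retry with full-jitter
    exponential backoff (delay = rng() * base_delay * 2**attempt). Backoff is still
    needed with a client-side limiter, because a downstream dependency may throttle
    AMS at a lower rate than the documented 10 TPS."""
    for attempt in range(max_attempts):
        limiter.acquire()
        try:
            return fn()
        except ThrottleException:
            if attempt == max_attempts - 1:
                raise
            sleeper(rng() * base_delay * (2 ** attempt))


class FakeClock:
    """Deterministic clock: sleeping just advances time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeSkmsApi:
    """Constructed stand-in for the SKMS endpoint: allows `tps` calls per sliding second."""

    def __init__(self, tps, clock):
        self.tps, self.clock = tps, clock
        self.window = deque()
        self.throttled = 0

    def list_stack_summaries(self):
        now = self.clock()
        while self.window and self.window[0] <= now - 1.0:
            self.window.popleft()
        if len(self.window) >= self.tps:
            self.throttled += 1
            raise ThrottleException("Rate exceeded")
        self.window.append(now)
        return {"StackSummaries": [], "Time": now}


def simulate(n_calls, server_tps, client_tps=10):
    """Run `n_calls` paced calls against a simulated server; report throttles and elapsed time.

    rng is pinned to 1.0 so the backoff schedule is reproducible (0.2, 0.4, 0.8, ... seconds).
    """
    clock = FakeClock()
    api = FakeSkmsApi(server_tps, clock.now)
    limiter = RateLimiter(client_tps, clock=clock.now, sleeper=clock.sleep)
    results = [call_with_backoff(api.list_stack_summaries, limiter,
                                 sleeper=clock.sleep, rng=lambda: 1.0)
               for _ in range(n_calls)]
    return {"responses": len(results), "throttled": api.throttled, "elapsed": clock.now()}


if __name__ == "__main__":
    print("server at 10 TPS:", simulate(30, server_tps=10))
    print("downstream at 5 TPS:", simulate(12, server_tps=5))
```

With the server at the documented 10 TPS the limiter alone is enough: 30 calls complete in 2 seconds of simulated time with no throttles. When the simulated server drops to 5 TPS the limiter cannot know that, and only the backoff path keeps the calls succeeding.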

## AMS multi-account landing zone account resource limits


Account resource limits relate to AMS multi-account landing zone application accounts and VPCs and subnets.

### Application account resource limits


There is a soft limit of 50 application accounts per organization. If you have a use case for more than 50 application accounts, contact your cloud service delivery manager (CSDM) to relay your requirements.

### VPCs and subnets resource limits


There is a soft limit of 10 VPCs per application account within the pre-defined AWS Region for the organization.

Each VPC may have 1 to 10 private subnet tiers spanned across 2 to 3 availability zones. Additionally, each VPC may have 0 to 5 public subnet tiers spanned across 2 to 3 availability zones. If you have requirements beyond these limits, inform your CSDM or Cloud Architect to review your use case.

### AMS multi-account landing zone application to account ratio


One account per application is supported in AMS multi-account landing zone; however, each application account has a small cost, and you are charged for the number of connections to AWS Transit Gateway per hour and for the amount of traffic that flows through it. The more you segregate applications into separate accounts or VPCs, the higher the cost.

To reduce costs while still ensuring appropriate segregation of duties, AMS recommends that you (1) group applications by teams with tightly coupled business processes, and (2) do not mix applications that are in different stages (prod vs. non-prod) or that are managed by different teams. This way you have fewer accounts, access management and segregation of duties are easier, and traffic costs are reduced.

For example: an enterprise has a Trading application and a Portfolio Management application in production, both managed by the Investments IT team and exchanging a lot of traffic with each other. In this scenario the company benefits from grouping both applications in the same account and the same VPC, because the Investments IT team does not have to request access to multiple application accounts and the company saves on traffic costs. The company should create a separate account for the development-stage versions of the same applications and give the development team access to that account.

In another scenario, the enterprise has a Payroll application and an Accounting application in production, managed by the Human Resources IT and Accounting IT teams respectively. Although the Payroll application has to exchange information with the Accounting application, we recommend segregating the two applications into different accounts, one per team, and connecting the two applications' VPCs through the Networking account. This prevents change requests from the HR IT team from affecting the Accounting application infrastructure, of which they have no knowledge.

Tips on grouping accounts into organizational units (OUs): an OU is a logical grouping mechanism that lets you categorize (group) accounts and apply policies and configurations based on those groups. The recommended approach for creating OUs is to base them on the policies that need to be applied to a specific group of accounts, not on the internal hierarchy of teams in your reporting structure. An AWS Organizations OU is not equivalent to an Active Directory OU; attempting to replicate the AD OU structure in AWS Organizations is discouraged and results in a structure that is difficult to maintain and operate.

## AWS account limits


AWS account limits apply to your AWS Managed Services (AMS) accounts. The easiest way to determine default and current limits for AWS services is to use [AWS Service Quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html). AMS recommends right-sizing individual service limits to what is needed to run the services in the account. Limits act like guardrails that protect your accounts against security and cost runaways, so raise them deliberately rather than by default. If you need a specific limit raised, submit a service request and AMS Operations will raise the limit on your behalf. For example, the default limit (quota) for RDS instances is 40; if your workload requires 50 RDS instances, raise a service request for AMS Operations to set the limit to the value you need. 

# AMS service level objectives (SLOs)


The following table describes the goals of the AWS Managed Services (AMS) service. Service Level Agreements (SLAs) for other aspects of the AMS service, including incident management, are covered in the SLA document shared with you when you subscribed to AMS. For more information, speak to your CSDM.


**AMS Service Level Objectives**  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/apx-slo.html)

# Supported AWS services


AWS Managed Services (AMS) provides operational management support services for the following AWS services. Each AWS service is distinct, and as a result the level of operational management support AMS provides varies depending on the nature and characteristics of the underlying AWS service. Specific AWS services are grouped based on the complexity and scope of the operational management support service provided by AMS. 

**Note**  
The three groups, A, B, and C, indicate pricing as a percentage of total monthly spend per account for the AMS service, based on support plan (Plus or Premium), for AMS customers before March 16, 2021. AMS customers onboarded after March 16, 2021 should submit a service request for additional pricing information. Group A indicates no additional charge. Group B indicates an additional charge of 12% (Plus) or 18% (Premium). Group C indicates an additional charge of 25% (Plus) or 42% (Premium).  
One star (\*) indicates services that are deployed within an AMS managed environment by a customer using the AWS Console and APIs. See 'Automated and self-service provisioning management' in [AWS Managed Services (AMS) AMS Advanced operation plan features](features.md) for additional details on customer responsibilities when provisioning and configuring services in this manner.  
Two stars (\*\*) indicate that Amazon EC2 on AWS Outposts will be billed as a Group B service; all other resources hosted on AWS Outposts will be billed at their standard rate.


**Supported AWS services**  

| Group A | Group B | Group C | 
| --- | --- | --- | 
|  <pre>Amazon Alexa for Business*<br />Amazon Managed Streaming for Apache Kafka*<br />Amazon CloudFront<br />Amazon Elastic File System<br />Amazon Glacier<br />Amazon Simple Storage Service<br />AWS Amplify*<br />AWS App Mesh*<br />AWS Auto Scaling<br />AWS Backup<br />AWS CloudFormation<br />AWS Compute Optimizer<br />AWS Global Accelerator*<br />AWS Identity and Access Management<br />AWS License Manager*<br />AWS Management Console<br />AWS Marketplace<br />AWS Lake Formation*<br />AWS Well-Architected Tool*<br />VM Import/Export*</pre> |  <pre>Amazon API Gateway*<br />Amazon AppStream*<br />Amazon Athena*<br />Amazon Bedrock*<br />Amazon CloudSearch*<br />Amazon Cognito*<br />Amazon Comprehend*<br />Amazon Connect*<br />Amazon DocumentDB (with MongoDB compatibility)*<br />Amazon DynamoDB*<br />Amazon Elastic Container Registry (ECR)*<br />Amazon Elastic Container Service (ECS) on AWS Fargate*<br />Amazon Elastic Kubernetes Service (EKS) on Fargate*<br />Amazon Elemental MediaConvert*<br />Amazon Elemental MediaPackage*<br />Amazon Elemental MediaStore*<br />Amazon Elemental MediaTailor*<br />Amazon Elastic MapReduce*<br />Amazon EventBridge*<br />Amazon Forecast*<br />Amazon FSx*<br />Amazon Inspector*<br />Amazon Kendra*<br />Amazon Kinesis Analytics*<br />Amazon Kinesis Data Streams*<br />Amazon Kinesis Data Firehose*<br />Amazon Kinesis Video Streams*<br />Amazon Lex*<br />Amazon Managed Service for Prometheus*<br />Amazon MQ*<br />Amazon Personalize**<br />Amazon Quantum Ledger Database (QLDB)*<br />Amazon QuickSight*<br />Amazon Rekognition*<br />Amazon SageMaker*<br />Amazon SimpleDB*<br />Amazon Simple Workflow*<br />Amazon Textract*<br />Amazon Transcribe*<br />Amazon Translate*<br />Amazon WorkSpaces*<br />AWS AppSync*<br />AWS Audit Manager*<br />AWS Batch*<br />AWS Certificate Manager*<br />AWS CloudEndure*<br />AWS CloudHSM*<br />AWS CodeBuild*<br />AWS CodeCommit*<br />AWS CodeDeploy*<br />AWS CodePipeline*<br />AWS DataSync*<br />AWS Elemental MediaLive*<br />AWS Glue*<br />AWS Lambda*<br />AWS Migration Hub*<br />AWS Outposts**<br />AWS Resilience Hub*<br />AWS Secrets Manager*<br />AWS Security Hub*<br />AWS Service Catalog<br />AWS Service Catalog AppRegistry*<br />AWS Transfer for SFTP*<br />AWS Shield*<br />AWS Snowball*<br />AWS Step Functions*<br />AWS Transit Gateway*<br />AWS WAF*<br />AWS X-Ray*</pre> |  <pre>Amazon Aurora<br />Amazon CloudWatch<br />Amazon Elastic Block Store (EBS)<br />Amazon Elastic Compute Cloud**<br />Amazon Elastic Load Balancing (classic, application, and network; not gateway)<br />Amazon ElastiCache<br />Amazon OpenSearch Service<br />Amazon GuardDuty<br />Amazon Macie<br />Amazon Redshift<br />Amazon Relational Database Service<br />Amazon Route 53<br />Amazon Route 53 Resolver DNS Firewall<br />Amazon Simple Email Service<br />Amazon Simple Notification Service<br />Amazon Simple Queue Service<br />Amazon Virtual Private Cloud (VPC)<br />AWS CloudTrail<br />AWS Config<br />AWS Database Migration Service<br />AWS Data Transfer<br />AWS Direct Connect<br />AWS Directory Service<br />AWS Key Management Service<br />AWS Systems Manager (SSM)</pre> | 

If you request that AWS Managed Services provide services for any software or service that is not expressly identified as supported in the table above, any AWS Managed Services provided for such customer-requested configurations will be treated as a "Beta Service" under the Service Terms.

# Supported configurations


These are the configurations AWS Managed Services (AMS) supports:
+ Language: AMS is available in English.
+ Firewall Services: 
  + Amazon Route 53 Resolver DNS Firewall
  + Palo Alto VM-Series Next-Generation Firewall
+ Security software: Deep Security from Trend Micro (Required). AWS Marketplace: [Trend Micro Deep Security](https://aws.amazon.com/marketplace/pp/B01AVYHVHO?ref_=srh_res_product_title)
+ Approved directory services: Microsoft Active Directory (AD)
+ [Supported AWS services](supported-services.md).
+ Supported AWS Regions:

  AMS operates in a subset of all AWS Regions; however, the AMS API/CLI runs out of the US East (N. Virginia) Region only. If you run either the AMS change management API (`amscm`) or the AMS service knowledge management API (`amsskms`) from a Region other than US East (N. Virginia), you must add `--region us-east-1` to the command.<a name="what-is-ams-regions-note"></a>
  + US East (N. Virginia)
  + US West (N. California)
  + US West (Oregon)
  + US East (Ohio)
  + Canada (Central)
  + South America (São Paulo)
  + EU (Ireland)
  + EU (Frankfurt)
  + EU (London)
  + EU (Paris)
  + Asia Pacific (Mumbai)
  + Asia Pacific (Seoul)
  + Asia Pacific (Singapore)
  + Asia Pacific (Sydney)
  + Asia Pacific (Tokyo)
+ Amazon machine images (AMIs): AMS provides security enhanced images (AMIs) based on the CIS Level 1 benchmark for a subset of operating systems supported by AMS. To find operating systems that have a security enhanced image available, see the *AMS Security User Guide*. To access this guide, in AWS Artifact, filter the **Reports** tab for AWS Managed Services. To access AWS Artifact, contact your CSDM or see, [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started).
+ Supported operating systems:

  **Supported operating systems (x86-64)**
  + Amazon Linux 2023
  + Amazon Linux 2 (**expected AMS support end date June 30, 2026**)
  + Oracle Linux 9.x, 8.x
  + Red Hat Enterprise Linux (RHEL) 9.x, 8.x
  + SUSE Linux Enterprise Server 15 SP6
  + SUSE Linux Enterprise Server for SAP 15 SP3 and later
  + Microsoft Windows Server 2025, 2022, 2019, 2016
  + Ubuntu 20.04, 22.04, 24.04

  **Supported operating systems (ARM64)**
  + Amazon Linux 2023
  + Amazon Linux 2 (**expected AMS support end date June 30, 2026**)
+ Supported End of Support (EOS) operating systems:
**Note**  
End of Support (EOS) operating systems are outside the general support period of the operating system manufacturer and carry increased security risk. EOS operating systems are considered supported configurations only if the AMS-required agents support the operating system and at least one of the following is true:  
(1) you have extended support with the operating system vendor that allows you to receive updates, or  
(2) any instances using an EOS operating system follow the [security controls](https://docs.aws.amazon.com/managedservices/latest/userguide/key-terms.html#CritRec) specified by AMS in the Advanced User Guide, or  
(3) you comply with any other compensating security controls required by AMS.  
In the event AMS is no longer able to support an EOS operating system, AMS issues a [Critical Recommendation](https://docs.aws.amazon.com/managedservices/latest/userguide/key-terms.html#CritRec) to upgrade the operating system.  
AMS-required agents may include but are not limited to: AWS Systems Manager, Amazon CloudWatch, Endpoint Security (EPS) agent, and Active Directory (AD) Bridge (Linux only).
  + Ubuntu Linux 18.04
  + SUSE Linux Enterprise Server 15 SP3, SP4, and SP5
  + SUSE Linux Enterprise Server for SAP 15 SP2
  + SUSE Linux Enterprise Server 12 SP5
  + SUSE Linux Enterprise Server for SAP 12 SP5
  + Microsoft Windows Server 2012/2012 R2

# Capabilities for unsupported operating systems in AMS

An *unsupported* operating system is any operating system not listed in the [Supported configurations](supported-configs.md). AMS considers instances with unsupported operating systems to be "Customer-Requested Configurations" that are subject to the [AWS Betas and Previews service terms](https://aws.amazon.com/service-terms/#2._Betas_and_Previews).

The following limited set of AMS capabilities are available to instances with unsupported operating systems:


| **Capability** | **Notes** | 
| --- | --- | 
| Incident management | AMS provides incident response. | 
| Service request management | AMS responds to service requests. | 
| Requests for change (RFCs) | AMS evaluates RFCs for execution. Unsupported operating systems may impact the ability to execute RFCs. | 
| Monitoring | AMS monitors and responds to Amazon EC2 system status checks and instance status checks. System status checks include: loss of network connectivity, loss of system power, software issues on the physical host, and hardware issues on the physical host that impact network reachability. Instance status checks include: incorrect networking or startup configuration, exhausted memory, corrupted file system, and incompatible kernel. | 
| Security management | AMS monitors and responds to Amazon EC2 [GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html). | 
| Backup management | AMS provides [Continuity management in AMS Advanced](https://docs.aws.amazon.com/managedservices/latest/userguide/continuity-mgmt.html) for EC2 using AMS-customized AWS Backup plans and vaults. | 

# AMS Advanced interfaces

+ *AMS Advanced console*: You use the AMS Advanced console to create RFCs, report and respond to incidents, make service requests, and find information on existing VPCs and stacks. When in doubt about what to do, or when you need help with AMS or your managed resources, create a service request through this interface.
+ *AWS Management Console*: Many AWS consoles can be useful for viewing AMS information, for example:
  + *Amazon EC2 console*: Use to view instance information including bastion IP addresses, Amazon EC2 Auto Scaling groups, and load balancers.
  + *Multi-Account Landing Zone AWS Config Rules compliance*: You can view compliance status across your accounts and identify non-compliant resources.
  + *AWS CloudFormation console*: Use to view stack information including stack IDs (you can find Amazon RDS stacks and Amazon RDS instance IDs here, and event information).
  + *Amazon RDS console*: Use to view event information such as a post made to a WordPress app on a site in your account. Note you must have the Amazon RDS instance ID.

  Depending on the mode of your login role, you have a different level of access to the AWS Management Console. For more information on modes, see [AMS modes](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-modes.html). 
+ *AMS Advanced change management API* – Read/Write: Use the change management API (CM API) to request additions and specific changes to your managed infrastructure including resource monitoring, log, backup, and patch configurations. Also, use this API to request access to resources, delete resources, create AMIs, and create IAM instance profiles. You can access the CM API through the AMS CLI and SDKs.
+ *AMS SKMS API* – Read-Only: Use this API to list managed resources and get information needed for reporting or preparing requests for change.
+ *Support API*: Use the standard Support API to programmatically create and respond to incidents and service requests. To learn more, see [Getting Started with Support](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html).
+ *AWS APIs* – Read Only: Your main IT administrator can use the AWS APIs to see all resources under management, view CloudTrail logs, billing information, and many other read functions.

# AMS VPC endpoints

A VPC endpoint lets you privately connect your VPC to AWS services without requiring an Internet gateway. Instances in your VPC do not require public IP addresses to communicate with resources in the service.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic. To learn more, see [VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html).

There are two types of VPC endpoints: interface endpoints and gateway endpoints.
+ Gateway endpoints: The VPC in the account has an Amazon S3 Gateway endpoint enabled by default.
+ Interface endpoints: Instances in your AMS environment can talk to supported services without leaving the Amazon network. This is optional for **single-account landing zone** and it is not enabled in the account by default; submit a service request to AMS operations to get this enabled. However, for **multi-account landing zone**, interface endpoints are enabled by default in the Shared Services account.

  List of interface endpoints supported by AMS:
  + AWS CloudFormation
  + AWS CloudTrail
  + AWS Config
  + Amazon EC2 API
  + AWS Key Management Service
  + Amazon CloudWatch
  + Amazon CloudWatch Events
  + Amazon CloudWatch Logs
  + AWS Secrets Manager
  + Amazon SNS
  + AWS Systems Manager
  + AWS Security Token Service
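Before submitting a service request for interface endpoints, it is worth checking which of the services above already have an endpoint in the VPC, and whether private DNS is enabled on each; without private DNS, SDK calls still resolve to the public service hostnames and leave the VPC through a NAT or Internet gateway. The following added example, which is not AMS code, runs that check over the JSON shape returned by `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc-id>`; the response embedded below, its VPC and endpoint IDs, and the mapping from the service names on this page to PrivateLink short names are constructed for the example.

```python
"""Audit a VPC for the interface and gateway endpoints that AMS supports.

Added example, not AMS code. Operates on the JSON returned by
`aws ec2 describe-vpc-endpoints`; the SAMPLE_RESPONSE below is constructed.
"""
from __future__ import annotations

import json

# Service names as listed on this page -> PrivateLink service short name
# (the last label of com.amazonaws.<region>.<short>). Region-agnostic on purpose.
EXPECTED_INTERFACE = {
    "AWS CloudFormation": "cloudformation",
    "AWS CloudTrail": "cloudtrail",
    "AWS Config": "config",
    "Amazon EC2 API": "ec2",
    "AWS Key Management Service": "kms",
    "Amazon CloudWatch": "monitoring",
    "Amazon CloudWatch Events": "events",
    "Amazon CloudWatch Logs": "logs",
    "AWS Secrets Manager": "secretsmanager",
    "Amazon SNS": "sns",
    "AWS Systems Manager": "ssm",
    "AWS Security Token Service": "sts",
}
EXPECTED_GATEWAY = {"Amazon S3": "s3"}  # enabled by default in the AMS VPC


def _short_name(service_name: str) -> str:
    # "com.amazonaws.us-east-1.ec2" -> "ec2"
    return service_name.rsplit(".", 1)[-1]


def audit_endpoints(response: dict, vpc_id: str) -> dict:
    """Return which expected endpoints are present, missing, or lack private DNS."""
    present: dict[str, str] = {}
    private_dns_off: list[str] = []
    for ep in response.get("VpcEndpoints", []):
        # Only count endpoints in the VPC under review that are actually usable.
        if ep.get("VpcId") != vpc_id or ep.get("State") != "available":
            continue
        short = _short_name(ep["ServiceName"])
        present[short] = ep["VpcEndpointId"]
        # An interface endpoint without private DNS does not capture SDK traffic.
        if ep.get("VpcEndpointType") == "Interface" and not ep.get("PrivateDnsEnabled", False):
            private_dns_off.append(short)
    expected = {**EXPECTED_INTERFACE, **EXPECTED_GATEWAY}
    missing = sorted(label for label, short in expected.items() if short not in present)
    return {"present": present, "missing": missing, "private_dns_off": sorted(private_dns_off)}


# Constructed sample in the describe-vpc-endpoints shape: the default S3 gateway
# endpoint, an SSM endpoint done right, a KMS endpoint with private DNS off, and
# an STS endpoint that belongs to a different VPC and must be ignored.
SAMPLE_RESPONSE = {
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-0a1", "VpcEndpointType": "Gateway", "VpcId": "vpc-0example",
         "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
        {"VpcEndpointId": "vpce-0b2", "VpcEndpointType": "Interface", "VpcId": "vpc-0example",
         "ServiceName": "com.amazonaws.us-east-1.ssm", "State": "available", "PrivateDnsEnabled": True},
        {"VpcEndpointId": "vpce-0c3", "VpcEndpointType": "Interface", "VpcId": "vpc-0example",
         "ServiceName": "com.amazonaws.us-east-1.kms", "State": "available", "PrivateDnsEnabled": False},
        {"VpcEndpointId": "vpce-0d4", "VpcEndpointType": "Interface", "VpcId": "vpc-0other",
         "ServiceName": "com.amazonaws.us-east-1.sts", "State": "available", "PrivateDnsEnabled": True},
    ]
}

if __name__ == "__main__":
    print(json.dumps(audit_endpoints(SAMPLE_RESPONSE, "vpc-0example"), indent=2))
```

To run it against a real account, pipe the CLI output into `audit_endpoints` with `json.load`; the `missing` list is what goes into the service request, and anything in `private_dns_off` is an endpoint that exists but is not yet keeping traffic inside the VPC.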

# AMS protected namespaces


The following is the list of protected namespaces for AWS Managed Services (AMS). When you create AWS resources, avoid these namespaces so that your resources do not conflict with, or get mistaken for, AMS-managed ones. For details on other AWS service namespaces, see [ Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces).
+ `ams-*` (this is the preferred naming standard for new resources)
+ `/ams/*` (this is the preferred naming standard for path-based resources)
+ `AWSManagedServices*` (this is the preferred naming standard for resources where CamelCase is appropriate)
+ `ams*` and `AMS*` and `Ams*`
+ `AWS_*` and `aws*`
+ `*/aws_reserved/*`
+ `CloudTrail*` and `Cloudtrail*`
+ `codedeploy_service_role`
+ `customer-mc-*`
+ `eps` and `EPS`
+ `EPSMarketplaceSubscriptionRole`
+ `EPSDB*`
+ `IAMPolicy*`
+ `INGEST*`
+ `LandingZone*`
+ `Managed_Services*`
+ `managementhost`
+ `mc*` and `MC*` and `Mc*`
+ `MMS*`
+ `ms-`
+ `NewAMS*`
+ `Root*`
+ `sentinel*` and `Sentinel*`
+ `sentinel.int.`
+ `StateMachine*`
+ `StackSet-ams*`
+ `StackSet-AWS-Landing-Zone`
+ `TemplateId*`
+ `UnhealthyInServiceBastion`
+ `VPC_*`

# AMS reserved prefixes


AMS resource attributes must comply with certain patterns; for example, IAM instance profile names, BackupVault names, tag names, and so forth, must not start with AMS reserved prefixes. Those reserved prefixes are:

```
*/aws_reserved/*
ams-*
/ams/*
ams*
AMS*
Ams*
aws*
AWS*
AWS_*
AWSManagedServices*
codedeploy_service_role
CloudTrail*
Cloudtrail*
customer-mc-*
eps
EPSDB*
IAMPolicy*
INGEST*
LandingZone*
Managed_Services*
managementhost
mc*
MC*
Mc*
MMS*
ms-
NewAMS*
Root*
sentinel*
Sentinel*
sentinel.int.
StackSet-ams*
StackSet-AWS-Landing-Zone
StateMachine*
TemplateId*
VPC_*
UnhealthyInServiceBastion
```
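Both lists above are glob-style patterns, and matching is case-sensitive, which is why `aws*`, `AWS*` and `Ams*` are spelled out separately (a name such as `Amsterdam-office-vault` collides with `Ams*`). The following added example, which is not AMS code, turns the reserved-prefix list into a pre-flight check you can run over resource names before putting them in an RFC or a CloudFormation template. Two readings in it are this example's own: `*` is treated as the only wildcard, and wildcard-free entries such as `ms-` and `eps` are treated as prefixes because the section says names must not start with them. The candidate names are constructed.

```python
"""Check proposed resource names against the AMS reserved prefixes.

Added example, not AMS code. The patterns are copied from the list above.
Matching is case-sensitive; wildcard-free entries are treated as prefixes
(assumption based on the "must not start with" wording of this section).
"""
from __future__ import annotations

import re

RESERVED_PATTERNS = [
    "*/aws_reserved/*", "ams-*", "/ams/*", "ams*", "AMS*", "Ams*", "aws*", "AWS*",
    "AWS_*", "AWSManagedServices*", "codedeploy_service_role", "CloudTrail*",
    "Cloudtrail*", "customer-mc-*", "eps", "EPSDB*", "IAMPolicy*", "INGEST*",
    "LandingZone*", "Managed_Services*", "managementhost", "mc*", "MC*", "Mc*",
    "MMS*", "ms-", "NewAMS*", "Root*", "sentinel*", "Sentinel*", "sentinel.int.",
    "StackSet-ams*", "StackSet-AWS-Landing-Zone", "StateMachine*", "TemplateId*",
    "VPC_*", "UnhealthyInServiceBastion",
]


def _compile(pattern: str) -> re.Pattern:
    # '*' is the only wildcard; every other character (including '.') is literal.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if "*" not in pattern:
        body += ".*"  # prefix semantics for wildcard-free entries (assumption)
    return re.compile(f"^{body}$")


_COMPILED = [(p, _compile(p)) for p in RESERVED_PATTERNS]


def reserved_match(name: str) -> str | None:
    """Return the first reserved pattern that `name` collides with, else None."""
    for pattern, rx in _COMPILED:
        if rx.match(name):
            return pattern
    return None


def check_names(names: list[str]) -> tuple[list[str], dict[str, str]]:
    """Partition names into those that are safe and those that collide."""
    allowed: list[str] = []
    rejected: dict[str, str] = {}
    for name in names:
        hit = reserved_match(name)
        if hit:
            rejected[name] = hit
        else:
            allowed.append(name)
    return allowed, rejected


# Constructed candidates: one safe name, an IAM role ARN under aws_reserved, and
# three names that collide only through prefix or case-sensitive matching.
CANDIDATES = [
    "payroll-app-prod-role",
    "arn:aws:iam::123456789012:role/aws_reserved/AdminAccess",
    "Amsterdam-office-vault",
    "mcp-gateway",
    "ams-backup-vault",
]

if __name__ == "__main__":
    ok, bad = check_names(CANDIDATES)
    print("allowed:", ok)
    for name, pattern in bad.items():
        print(f"rejected: {name!r} collides with {pattern!r}")
```

Note that the check is deliberately strict: `mcp-gateway` is rejected by `mc*` even though it has nothing to do with AMS, because AMS automation keys on the prefix, not on intent.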

# AMS maintenance window


The AWS Managed Services Maintenance Window (or Maintenance Window) is when AMS performs maintenance activities on the AMS service itself and on managed infrastructures, such as deploying new AMS AMIs. It recurs the second Thursday of every month from 3 PM to 4 PM Pacific Time. AMS may change the maintenance window with 48 hours notice.

*Your* maintenance window is when AMS applies patching; you define it at onboarding. You can also accept the patching window proposed in your patching service notification, or suggest a different window.

For guidance on creating a maintenance window, see [Maintenance Window](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/og-maintenance-window.html).

# AMS information resources


AMS provides several information resources to help you succeed.
+ **AMS Accelerate User Guide**: Helps you understand the components and features that AMS Accelerate provides and how to use them. Look here for AMS Accelerate background information and details on default settings, finding resources, and how-to examples. [HTML index](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/index.html), [PDF](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/accelerate-guide.pdf) 
+ **AMS Advanced User Guide**: Helps you understand the components and features that AMS Advanced provides and how to use them. Look here for AMS Advanced background information and details on default settings, finding resources, and how-to examples. [HTML index](https://docs.aws.amazon.com/managedservices/latest/userguide/index.html), [PDF](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-ug.pdf) 
+ **AMS Advanced Application Guide**: Describes the steps for deploying applications to AWS Managed Services infrastructure. Look here for information on application deployment and maintenance methodologies and considerations. [HTML index](https://docs.aws.amazon.com/managedservices/latest/appguide/index.html), [PDF](https://docs.aws.amazon.com/managedservices/latest/appguide/ams-appguide.pdf).
+ **AMS Advanced Onboarding Guide**: Describes the initial steps for creating the basic AWS Managed Services multi-account, or single-account, landing zone infrastructure in an AMS account. Look here for information on AMS account basics, validation, and questions to prepare you for onboarding to AMS. [HTML index](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/index.html), [PDF](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/ams-og.pdf).
+ **AMS Advanced Change Type Reference**: Provides reference material on the current change types that AWS Managed Services provides, including change type schemas, example walkthroughs for each change type, and tips. Also includes general information about change types to help you understand all aspects of requests for change (RFCs) and AMS change types (CTs). Look here for specifics on change types, including links to relevant information. [HTML index](https://docs.aws.amazon.com/managedservices/latest/ctref/index.html), [PDF](https://docs.aws.amazon.com/managedservices/latest/ctref/ams-ct.pdf).
+ **AMS CM (change management) API Reference**: Describes the AWS Managed Services CM API, which provides operations for creating and monitoring change requests and provides information about your resources that are managed by Managed Services. [HTML index](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/index.html).
+ **AMS Security Guides**: Describe proprietary AMS security information.

  Private; available on the AMS **Reports** tab in the AWS Artifact Console.
+ **AMS Developer's Resources**: Access to the AMS CLI and SDK, for both amscm and amsskms. See [https://console.aws.amazon.com/managedservices/](https://console.aws.amazon.com/managedservices/).
+ **AMS YouTube Videos**: Key customer operations explained in video. See [AWS Managed Services YouTube Instructional Videos](https://www.youtube.com/playlist?list=PLhr1KZpdzukc_VXASRqOUSM5AJgtHat6-).
+ **AMS Blog posts**: Specialty information on AWS Managed Services. See [AWS Blogs](https://aws.amazon.com/search/?searchQuery=MANAGED+SERVICES).

# AMS compliance


AMS has undergone auditing for the following standards and is eligible for use as part of solutions for which you must obtain compliance certification.

## AMS Supported Compliance Standards


AMS supports AWS compliance standards. To learn more about AWS compliance programs, see [AWS Compliance](https://aws.amazon.com/compliance/).

These are the current compliance standards supported by AMS.


|  |  | 
| --- |--- |
|  ![\[FedRAMP logo with "FR" initials in white on a navy blue square background.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/fedramp.png) | **FedRAMP**: The US Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing plays a key part in how the federal government can achieve operational efficiencies and innovate on demand to advance their mission across the nation. That is why many federal agencies today are using AWS cloud services to process, store, and transmit federal government data. For more information, see [FedRAMP](https://aws.amazon.com/compliance/fedramp/). | 
|  ![\[HIPAA logo with caduceus medical symbol and acronym in blue and white.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/HIPAA.png) | **HIPAA**: AWS has expanded its Health Insurance Portability and Accountability Act (HIPAA) compliance program to include AMS as a [ HIPAA Eligible Service](https://aws.amazon.com/compliance/hipaa-eligible-services-reference/). If you have a Business Associate Agreement (BAA) with AWS, you can use AMS to help build your HIPAA-compliant applications. See [HIPAA-focused whitepaper](https://docs.aws.amazon.com/whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/welcome.html) to learn how to leverage AMS for the processing and storage of health information. For more information, see [HIPAA Compliance](https://aws.amazon.com/compliance/hipaa-compliance/). | 
|  ![\[Logo for HITRUST CSF Certified with red and black text.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/hitrust.png) | **HITRUST**: The Health Information Trust Alliance Common Security Framework (HITRUST CSF) leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, and HIPAA to create a comprehensive set of baseline security and privacy controls.  For more information, see [HITRUST CSF](https://aws.amazon.com/compliance/hitrust/). | 
|  ![\[ISO 27001 logo with blue circular design and text for International Organization for Standardization.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/iso27001.png) | **ISO 27001**: ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS) which defines how AWS perpetually manages security in a holistic, comprehensive manner.  For more information, see [ ISO/IEC 27001:2013](https://aws.amazon.com/compliance/iso-27001-faqs/). | 
|  ![\[ISO 27017 logo with blue circular design and text for International Organization for Standardization.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/iso27017.png) | **ISO 27017**: ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. This code of practice provides additional information security controls implementation guidance specific to cloud service providers. For more information, see [ ISO/IEC 27017:2015 Compliance](https://aws.amazon.com/compliance/iso-27017-faqs/). | 
|  ![\[Cloud-shaped logo with "ISO" and "27018" text representing a standardization symbol.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/iso27018.png) | **ISO 27018**: ISO/IEC 27018:2019 is a code of practice that focuses on protection of personal data in the cloud. It is based on ISO/IEC information security standard 27002 and provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud Personally Identifiable Information (PII). It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO/IEC 27002 control set. For more information, see [ ISO/IEC 27018:2019 Compliance](https://aws.amazon.com/compliance/iso-27018-faqs/). | 
|  ![\[ISO 9001 certification logo with blue cloud shape and text.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/iso9001.png) | **ISO 9001**: ISO 9001:2015 outlines a process-oriented approach to documenting and reviewing the structure, responsibilities, and procedures required to achieve effective quality management within an organization. Specific sections of the standard contain information on topics such as: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/ams-compliance.html) For more information, see [ ISO 9001:2015 Compliance](https://aws.amazon.com/compliance/iso-9001-faqs/). | 
|  ![\[PCI Security Standards Council Participating Organization logo with globe icon.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/PCI.png) | **PCI**: AMS has an Attestation of Compliance for Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 at Service Provider Level 1. Customers who use AWS products and services to store, process, or transmit cardholder data can use AMS as they manage their own PCI DSS compliance certification. For more information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see [PCI DSS Level 1](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/). Importantly, you must configure fine-grained password policies in AMS to be consistent with PCI DSS version 3.2 standards. For details on which policies must be enforced, see [ Enable PCI Compliance for Your AWS Microsoft AD Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_compliance.html#enablepciad). | 
|  ![\[AICPA SOC circular logo for Service Organization Control certification.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/SOC.png) | **SOC**: AMS System & Organization Control (SOC) Reports are independent, third-party examination reports that demonstrate how AMS achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AMS controls established to support operations and compliance. There are three types of AMS SOC reports: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/ams-compliance.html) For more information, see [ SOC Compliance](https://aws.amazon.com/compliance/soc-faqs/). | 

## Shared Responsibility


Security, including PCI compliance, is a [shared responsibility](https://aws.amazon.com/compliance/shared-responsibility-model/). It is important to understand that AMS compliance status does not automatically apply to applications that you run in the AWS Cloud. You need to ensure that your use of AWS services complies with the standards. For more details on how AMS works together with customers across specific activities, see the AMS [AMS responsibility matrix (RACI)](raci-table.md).

# AMS Amazon Machine Images (AMIs)


AMS produces updated Amazon Machine Images (AMIs) every month for AMS supported operating systems. In addition, AMS also produces security enhanced images (AMIs) based on the CIS Level 1 benchmark for a subset of [AMS's supported operating systems](https://docs.aws.amazon.com/managedservices/latest/userguide/supported-configs.html). To find out which operating systems have a security enhanced image available, see the AMS Security User Guide, which is available through AWS Artifact on the **Reports** page (find the **Reports** option in the left navigation pane), filtered for AWS Managed Services. To access AWS Artifact, you can contact your CSDM for instructions or go to [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started).

To receive alerts when new AMS AMIs are released, you can subscribe to an Amazon Simple Notification Service (Amazon SNS) notification topic called "AMS AMI". For details, see [AMS AMI notifications with SNS](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-ami-notifications.html).

The AMS AMI naming convention is `customer-ams-<operating system>-<release date>-<version>` (for example, `customer-ams-rhel6-2018.11-3`).

Only use AMS AMIs that start with `customer`.

AMS recommends always using the most recent AMI. You can find the most recent AMIs by either:
+ Looking in the AMS console, on the **AMIs** page.
+ Viewing the latest AMS AMI CSV file, available from your CSDM or through this ZIP file: [AMS 11.2024 AMI contents and CSV file in a ZIP](https://docs.aws.amazon.com/managedservices/latest/userguide/samples/AMIs.csv-and-notes.11.2024.zip).

  For past AMI ZIP files, see the [Doc History](https://docs.aws.amazon.com/managedservices/latest/userguide/doc-history-ug.html).
+ Running this AMS `SKMS` command (AMS SKMS SDK required):

  ```
  aws amsskms list-amis --vpc-id VPC_ID --query "Amis.sort_by(@,&Name)[? starts_with(Name,'customer')].[Name,AmiId,CreationTime]" --output table
  ```
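The `list-amis` query above returns every image shared with the VPC, including older monthly builds of the same operating system, so picking "the most recent" still needs a rule. The following added example, which is not AMS code, applies the naming convention `customer-ams-<operating system>-<release date>-<version>` to `list-amis` output: it discards anything not starting with `customer-ams-` and keeps, per operating system, the image with the newest release date and highest version. The `list-amis` output, AMI IDs, and creation times embedded below are constructed, and the assumption that the operating-system token may itself contain hyphens is this example's own.

```python
"""Select the newest AMS AMI per operating system from `amsskms list-amis` output.

Added example, not AMS code. Parses the customer-ams-<os>-<YYYY.MM>-<version>
naming convention from this page; the sample output below is constructed.
"""
from __future__ import annotations

import re

# customer-ams-rhel6-2018.11-3 -> os='rhel6', release='2018.11', version=3
# The OS token is allowed to contain hyphens (assumption), so it is matched
# non-greedily and the release/version anchor the end of the name.
NAME_RE = re.compile(
    r"^customer-ams-(?P<os>[a-z0-9-]+?)-(?P<release>\d{4}\.\d{2})-(?P<version>\d+)$"
)


def parse_ami_name(name: str) -> dict | None:
    """Return the OS, release and version encoded in an AMS AMI name, or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return {"os": m["os"], "release": m["release"], "version": int(m["version"])}


def latest_customer_amis(amis: list[dict]) -> dict[str, dict]:
    """Map each operating system to its newest customer-ams image.

    Images whose name does not follow the convention (including AMS-internal
    images that do not start with 'customer') are ignored, matching the
    guidance to only use AMIs that start with 'customer'.
    """
    best: dict[str, dict] = {}
    for ami in amis:
        parsed = parse_ami_name(ami.get("Name", ""))
        if parsed is None:
            continue
        # Zero-padded YYYY.MM sorts correctly as a string; version is numeric.
        key = (parsed["release"], parsed["version"])
        current = best.get(parsed["os"])
        if current is None or key > (current["release"], current["version"]):
            best[parsed["os"]] = {**ami, **parsed}
    return best


# Constructed sample in the shape of the Amis[] entries returned by list-amis.
SAMPLE_LIST_AMIS = {
    "Amis": [
        {"Name": "customer-ams-rhel8-2024.10-1", "AmiId": "ami-0c0ffee0000000001",
         "CreationTime": "2024-10-14T00:00:00Z"},
        {"Name": "customer-ams-rhel8-2024.11-2", "AmiId": "ami-0c0ffee0000000003",
         "CreationTime": "2024-11-18T00:00:00Z"},
        {"Name": "customer-ams-rhel8-2024.11-1", "AmiId": "ami-0c0ffee0000000002",
         "CreationTime": "2024-11-12T00:00:00Z"},
        {"Name": "customer-ams-amazon-linux-2-2024.11-1", "AmiId": "ami-0c0ffee0000000004",
         "CreationTime": "2024-11-12T00:00:00Z"},
        {"Name": "customer-ams-windows2022-2024.09-3", "AmiId": "ami-0c0ffee0000000005",
         "CreationTime": "2024-09-20T00:00:00Z"},
        # Not customer-prefixed: must be skipped even though it is newer.
        {"Name": "ams-rhel8-2024.11-5", "AmiId": "ami-0c0ffee0000000006",
         "CreationTime": "2024-11-20T00:00:00Z"},
        {"Name": "my-golden-rhel8", "AmiId": "ami-0c0ffee0000000007",
         "CreationTime": "2024-11-21T00:00:00Z"},
    ]
}

if __name__ == "__main__":
    for os_name, ami in sorted(latest_customer_amis(SAMPLE_LIST_AMIS["Amis"]).items()):
        print(f"{os_name:16} {ami['AmiId']}  {ami['Name']}")
```

To use it on a live account, run `aws amsskms list-amis --vpc-id VPC_ID --output json`, load the JSON, and pass its `Amis` list to `latest_customer_amis`; comparing the result with the AMI IDs your stacks actually run is a quick way to find instances launched from a superseded image.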

**AMS AMI content added to base AWS AMIs, by operating system (OS)**
+ Linux AMIs:
  + [AWS CLI Tools](https://aws.amazon.com/cli/)
  + [NTP](http://www.ntp.org/documentation.html)
  + [Trend Micro Endpoint Protection Service Agent](https://www.trendmicro.com/en_us/business.html)
  + [Code Deploy](https://github.com/aws/aws-codedeploy-agent)
  + [PBIS Enterprise / Beyond Trust AD Bridge](https://www.beyondtrust.com/products/active-directory-bridge)
**Note**  
As of June 2022, BeyondTrust no longer supports PBIS Open. You can't use PBIS Open on AMIs that AMS supports after June 2022. If AMS supported your AMI before June 2022, you can continue to use PBIS Open at your own discretion.
  + [SSM Agent](https://github.com/aws/amazon-ssm-agent)
  + Yum Upgrade for critical patches
  + AMS custom scripts / management software (controlling boot, AD join, monitoring, security, and logging)
+ Windows Server AMIs:
  + [Microsoft .NET Framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653)
  + [ PowerShell 5.1](https://docs.microsoft.com/en-us/skypeforbusiness/set-up-your-computer-for-windows-powershell/download-and-install-windows-powershell-5-1)
  + [AWS Tools for Windows PowerShell](https://aws.amazon.com/powershell/)
  + AMS PowerShell Modules controlling boot, AD join, monitoring, security, and logging
  + [Trend Micro Endpoint Protection Service Agent](https://www.trendmicro.com/en_us/business.html)
  + [SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html)
  + [CloudWatch Agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Install-CloudWatch-Agent.html)
  + EC2Config service (through Windows Server 2012 R2)
  + EC2Launch (Windows Server 2016 and Windows Server 2019)
  + EC2LaunchV2 (Windows Server 2022 and later)

**Linux-based AMIs**:
+ Amazon Linux 2023 (Latest Minor Release) (Minimal AMI not supported)
+ Amazon Linux 2 (Latest Minor Release)
+ Amazon Linux 2 (ARM64)
+ Red Hat Enterprise 8 (Latest Minor Release)
+ Red Hat Enterprise 9 (Latest Minor Release)
+ SUSE Linux Enterprise Server 15 SP6
+ Ubuntu Linux 20.04
+ Ubuntu Linux 22.04
+ Ubuntu Linux 24.04
+ Amazon Linux: For a product overview, pricing information, usage information, and support information, see [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2/) and the [Amazon Linux 2 FAQs](https://aws.amazon.com/amazon-linux-2/faqs/).
+ SUSE Linux Enterprise Server for SAP applications 15 SP6:
  + Run the following steps once per account:

    1. Navigate to the **AWS Marketplace**.

    1. Search for the SUSE 15 SAP product.

    1. Choose **Continue to subscribe**.

    1. Choose **Accept terms**.
  + Complete the following steps **every time** you need to launch a new **SUSE Linux Enterprise Server for SAP Applications 15 SP6** instance:

    1. Note the AMI ID for the subscribed **SUSE Linux Enterprise Server for SAP Applications 15** AMI.

    1. Create a Deployment | Advanced stack components | EC2 stack | Create change type ct-14027q0sjyt1h RFC. Replace *InstanceAmiId* with the AWS Marketplace AMI ID that you subscribed to.

**Windows-based AMIs**:

Microsoft Windows Server (2016, 2019, 2022, and 2025), based on latest Windows AMIs.

For examples of creating AMIs, see [Create AMI](https://docs.aws.amazon.com/managedservices/latest/ctref/ex-ami-create-col.html).

**Offboarding AMS AMIs**:

AMS does not unshare any AMIs from you during offboarding, to avoid breaking any of your dependencies on them. If you want to remove AMS AMIs from your account, you can use the `cancel-image-launch-permission` API to hide specific AMIs. For example, you can use the script below to hide all of the AMS AMIs that were shared with your account earlier:

```
# List every AMI the AMS account has shared with this account, then cancel
# our launch permission on each one.
for ami in $(aws ec2 describe-images --executable-users self --owners 027415890775 --query 'Images[].ImageId' --output text); do
    aws ec2 cancel-image-launch-permission --image-id "$ami"
done
```

You must have the AWS CLI v2 installed for the script to execute without any errors. For AWS CLI installation steps, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). For details on the `cancel-image-launch-permission` command, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/cancel-image-launch-permission.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/cancel-image-launch-permission.html).

# Security enhanced AMIs


AMS provides security enhanced images (AMIs) based on CIS Level 1 benchmark for a subset of AMS's supported operating systems. To find which operating systems have a security enhanced image available, see the *AWS Managed Services (AMS) Customer Security Guide*. To access this guide, open AWS Artifact, select **Reports** in the left navigation pane, and then filter for AWS Managed Services. For instructions on how to access AWS Artifact, contact your CSDM or see [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started) for more information.

# How integration between AD FS and AMS works


A one-way trust between your on-premises network and the AMS domain is the default means for access to stacks and VPCs. When a VPC and stack are created, access is granted via pre-configured Active Directory security groups. In addition, access to the AWS Management Console can be configured using Active Directory Federation Service (AD FS), or any federation software that supports SAML, for a single sign-on (SSO) to the AWS Management Console.

**Note**  
AMS can federate to many federation services, Ping, Okta, and so on. You aren't limited to AD FS; we provide here an example of one federation technology available to you.

Information here is duplicated from this blog post: [ Enabling Federation to AWS Using Windows Active Directory, AD FS, and SAML 2.0](https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/).

![\[There are several steps involved in secure authentication within your enterprise and between your enterprise and the AWS cloud.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/AD1.png)


1. The flow is initiated when a user (let’s call him Bob) browses to the AD FS sample site (https://Fully.Qualified.Domain.Name.Here/adfs/ls/IdpInitiatedSignOn.aspx) inside his domain. When you install AD FS, you get a new virtual directory named **adfs** for your default website, which includes this page.

1. The sign-on page authenticates Bob against AD. Depending on the browser Bob is using, he might be prompted for his AD username and password.

1. Bob’s browser receives a SAML assertion in the form of an authentication response from AD FS.

1. Bob’s browser posts the SAML assertion to the AWS sign-in endpoint for SAML (https://signin.aws.amazon.com/saml). Behind the scenes, sign-in uses the [AssumeRoleWithSAML](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) API to request temporary security credentials and then constructs a sign-in URL for the AWS Management Console.

1. Bob’s browser receives the sign-in URL and is redirected to the console.

From Bob’s perspective, the process happens transparently. He starts at an internal website and ends up at the AWS Management Console, without ever having to supply any AWS credentials.

**Note**  
More information on configuring federation to the AMS console is provided in:  
**Multi-Account Landing Zone**: [Configuring Federation to the AMS Console](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/setup-net-federate-console.html)
**Single-Account Landing Zone**: [Configuring Federation to the AMS Console](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/fed-with-console.html)
Additionally, see [Appendix: AD FS claim rule and SAML settings](https://docs.aws.amazon.com/managedservices/latest/userguide/apx-adfs-claim-rule-saml.html). For information about using AWS Microsoft AD to support your Active Directory–aware applications, in the AWS Cloud, that are subject to compliance requirements, see [Manage Microsoft AD Compliance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_compliance.html).

# AMS Managed Active Directory


AMS is now offering a new service called Managed Active Directory (aka Managed AD) that allows AMS to take care of your Active Directory (AD) infrastructure operations, while keeping you in control of your Active Directory administration.

AMS support for Managed AD is similar to AMS support for the Amazon Relational Database Service (Amazon RDS). In both cases, AWS (including AMS) supports the creation and management of the infrastructure running the service, while you perform access control and all administration functions. This model has the following advantages:
+ Limits security risks: AWS and AMS don't need administrative privileges to your domain.
+ Direct integrations: You can use your current authorization model and integrate it with AD without needing to interface with AMS.

**Notes**:
+ Neither AMS nor you have access to your Managed AD domain controllers, so no software can be installed on the domain controllers. This is important because third-party solutions that require software to be installed on domain controllers are not allowed.

  Access works like this:
  + AWS Directory Service team: Has access to domain controllers.
  + AMS: Has access to the Directory Service APIs to perform certain actions on the domain, such as taking AD snapshots and changing the AD schema.
  + You: Have access to the domain (AD) for creating users, groups, and so on.
+ We recommend that you perform a proof of concept on Managed AD before migrating your corporate AD, because not all functionality from a traditional AD environment is available in a Managed AD environment.
+ AMS will not manage or provide guidance on your AD management. For example, AMS will not provide guidance on Organizational Unit structure, group policy structure, AD user naming conventions, and so forth.

It works like this:

1. AMS onboards a new AWS account for you, separate from and in addition to your AMS account, and provisions an Active Directory (AD) environment through AWS Directory Service (see also [What Is AWS Directory Service?](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html)).

   The following is the information a systems integrator would need to gather from you in order for AMS to onboard Managed AD:
   + Account information
     + Account ID of the AWS account that was created for your AMS-Managed AD: AWS account number
     + Region to onboard your Managed AD to: AWS Region
   + Managed Active Directory information:
     + Microsoft AD Edition: Standard/Enterprise. AWS Microsoft AD (Standard Edition) includes 1 GB of directory object storage. This capacity can support up to 5,000 users or 30,000 directory objects, including users, groups, and computers. AWS Microsoft AD (Enterprise Edition) includes 17 GB of directory object storage, which can support up to 100,000 users or 500,000 objects.

       For more information, see [AWS Directory Service FAQs](https://aws.amazon.com/directoryservice/faqs/).
     + Domain FQDN: The FQDN for your AMS Managed AD domain.
     + Domain NetBIOS name: The NetBIOS name for your AMS Managed AD domain.
     + Account numbers of the AMS-standard accounts that you want integrated with Managed AD (AMS configures a one-way trust from each AMS-standard account's AD to the Managed AD)
     + Are Active Directory Schema modifications required and if so, what modifications?
     + By default, two domain controllers are provisioned. Do you require more? If so, how many do you require and for what reason?
   + Networking for Managed Active Directory information:
     + Managed AD VPC CIDR for domain controllers (a CIDR in your private subnet range for the Managed AD domain controllers):
       + Subnet CIDR 1 for domain controllers: [your CIDR, needs to be part of AMS Managed AD VPC CIDR]
       + Subnet CIDR 2 for domain controllers: [your CIDR, needs to be part of AMS Managed AD VPC CIDR]

       For example:
       + Managed AD VPC CIDR: 192.168.0.0/16
       + CIDR 1 for domain controllers: 192.168.1.0/24
       + CIDR 2 for domain controllers: 192.168.2.0/24

       To avoid IP address conflicts, be sure that the Managed AD VPC CIDR you specify does not conflict with any other private subnet CIDR you are using in your corporate network.
     + VPN Technology (optional): [Direct Connect/Direct Connect and VPN] 
       + Your gateway's BGP Autonomous System Number (ASN): [Customer-provided ASN]
       + The Internet-routable IP address for your gateway's outside interface, the address must be static: [Customer Provided IP Address]
       + Whether or not your VPN connection requires static routes: [yes/no]

1. AMS provides you with the Admin account password for the AD environment and asks you to reset the password so AMS engineers can no longer access your AD environment.

1. To reset the Admin account password, connect to your Active Directory environment using Active Directory Users and Computers (ADUC). ADUC and other Remote Server Administration Tools (RSAT) should be installed and run on Administrative hosts provisioned by you on non-AMS infrastructure. Microsoft has best practices for securing such administrative hosts. For information, see [ Implementing Secure Administrative Hosts](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-secure-administrative-hosts). You manage your Active Directory environment using these Administrative hosts.

1. In daily operations, AMS manages the AWS account up to the AWS Directory Service side of things; for example, VPC configuration, AD backups, AD trust creation and deletion, and so forth. You use, and manage, your AD environment; for example, user creation, group creation, group policy creation, and so forth.

For the most recent RACI table, see the "Roles and Responsibilities" section in the [Service description](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html).

 

# AMS application deployments

*AMS Application Developer's* guide provides detailed descriptions and walkthroughs for the following deployments:
+ The AMS workload ingest CT allows you and an AMS cloud migration partner to easily move your existing workloads into an AMS-managed VPC. Using AMS workload ingest, you can create an AMS AMI by submitting an RFC with the Deployment | Ingestion | Stack from migration partner migrated instance | Create CT (ct-257p9zjk14ija). You must have an instance migrated from your on-premises to AWS by a migration partner, as well as a target AMS VPC and subnet, into which the instance will be ingested.

  For details, see the *AMS Application Developer's* guide at [Workload Ingest](https://docs.aws.amazon.com/managedservices/latest/appguide/ams-workload-ingest.html).
+ The CloudFormation ingest change type (ct-36cn2avfrrj9v) feature allows you to easily use an existing CloudFormation template to deploy custom stacks in an AMS-managed VPC.

  For details, see the *AMS Application Developer's* guide at [CloudFormation Template Ingest](https://docs.aws.amazon.com/managedservices/latest/appguide/ams-cfn-ingest.html).
+ You can import your on-premises database into a new database in your AMS-managed Amazon S3 bucket or Amazon RDS instance. You do this using the Deployment | Advanced stack components | Database Migration Service (DMS) change types, including Create replication instance (ct-27apldkhqr0ol), Create replication subnet group (ct-2q5azjd8p1ag5), Create replication task (ct-1d2fml15b9eth), Create source endpoint (ct-0attesnjqy2cx) or Create source endpoint (S3) (ct-2oxl37nphsrjz), and Create target endpoint (ct-3gf8dolbo8x9p) or Create target endpoint (S3) (ct-05muqzievnxk5).

  For details, see the *AMS Application Developer's* guide at [Database Migration Service](https://docs.aws.amazon.com/managedservices/latest/userguide/ex-create-dms.html).
+ You can import your on-premises MS SQL database into a new database on your AMS-managed RDS SQL instance. You do this using a variety of AMS change types, and the Amazon RDS API, plus AWS consoles. 

  For details, see the AMS Application Guide at [Database (DB) Import to MS SQL RDS](https://docs.aws.amazon.com/managedservices/latest/appguide/db-to-sql-rds.html).