IAM user role in AMS
An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and can't do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.
Currently there is one AMS default user role, Customer_ReadOnly_Role, for standard AMS accounts and an
additional role, customer_managed_ad_user_role for AMS accounts with Managed Active Directory.
The role policies set permissions for CloudWatch and Amazon S3 log actions, AMS console access, read-only restrictions on most AWS services, restricted access to account S3 console, and AMS change-type access.
Additionally, the Customer_ReadOnly_Role has mutative, reserved-instances
permissions that allow you to reserve instances. It has some cost-saving values, so, if you
know that you're going to need a certain number of Amazon EC2 instances for a long period of time,
you can call those APIs. To learn more, see
Amazon EC2 Reserved Instances
Note
The AMS service level objective (SLO) for creating custom IAM policies for IAM users is four business days, unless an existing policy is going to be reused. If you want to modify the existing IAM user role, or add a new one, submit an IAM: Update Entity or IAM: Create Entity RFC, respectively.
If you're unfamiliar with Amazon IAM roles, see IAM Roles for important information.
Multi-Account Landing Zone (MALZ): To see the AMS multi-account landing zone default, un-customized, user role policies, see MALZ: Default IAM User Roles, next.
MALZ: Default IAM User Roles
JSON policy statements for the default multi-account AMS multi-account landing zone user roles.
Note
The user roles are customizable and may differ on a per-account basis. Instructions on finding your role are provided.
These are examples of the default MALZ user roles. To make sure that you have the
policies set that you need, run the AWS command
get-role
or sign in to the AWS Management ->
IAM console
Core OU account roles
A core account is an MALZ-managed infrastructure account. AMS multi-account landing zone Core accounts include a management account and a networking account.
| Role | Policy or policies |
|---|---|
AWSManagedServicesReadOnlyRole |
ReadOnlyAccess (Public AWS Managed Policy). |
AWSManagedServicesCaseRole |
|
AWSSupportAccess (Public AWS Managed Policy). | |
AWSManagedServicesChangeManagementRole (Core account version) |
|
| Role | Policy or policies |
|---|---|
AWSManagedServicesBillingRole |
AMSBillingPolicy (AMSBillingPolicy). |
AWSManagedServicesReadOnlyRole |
ReadOnlyAccess (Public AWS Managed Policy). |
AWSManagedServicesCaseRole |
|
AWSSupportAccess (Public AWS Managed Policy). | |
AWSManagedServicesChangeManagementRole (Management account version) |
|
AMSMasterAccountSpecificChangeManagementInfrastructurePolicy |
| Role | Policy or policies |
|---|---|
AWSManagedServicesReadOnlyRole |
ReadOnlyAccess (Public AWS Managed Policy). |
AWSManagedServicesCaseRole |
|
AWSSupportAccess (Public AWS Managed Policy). | |
AWSManagedServicesChangeManagementRole (Networking account version) |
|
AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy |
Application Account Roles
Application account roles are applied to your application-specific accounts.
| Role | Policy or policies |
|---|---|
AWSManagedServicesReadOnlyRole |
ReadOnlyAccess (Public AWS Managed Policy). |
AWSManagedServicesCaseRole |
|
AWSSupportAccess (Public AWS Managed Policy). This policy provides access to all support operations and resources. For information, see Getting Started with AWS Support. | |
AWSManagedServicesSecurityOpsRole |
|
AWSSupportAccess Example This policy provides access to all support operations and resources. | |
| |
| |
AWSManagedServicesChangeManagementRole (Application account version) |
|
AWSSupportAccess (Public AWS Managed Policy). This policy provides access to all support operations and resources. For information, see Getting Started with AWS Support. | |
AWSManagedServicesAdminRole |
|
Policy Examples
Examples are provided for most policies used. To view the ReadOnlyAccess policy
(which is pages long as it provides read-only
access to all AWS services), you can use this link, if you have an active AWS account:
ReadOnlyAccess
AMSBillingPolicy
AMSBillingPolicy
The new Billing role can be used by your accounting department to view and change billing information or account settings in the Management account. To access information such as Alternate Contacts, view the account resources usage, or keep a tab of your billing or even modify your payment methods, you use this role. This new role comprises of all the permissions listed in the AWS Billing IAM actions web page.
AMSChangeManagementReadOnlyPolicy
AMSChangeManagementReadOnlyPolicy
Permissions to see all AMS change types, and the history of requested change types.
AMSMasterAccountSpecificChangeManagementInfrastructurePolicy
AMSMasterAccountSpecificChangeManagementInfrastructurePolicy
Permissions to request the Deployment | Managed landing zone | Management account | Create application account (with VPC) change type.
AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy
AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy
Permissions to request the Deployment | Managed landing zone | Networking account | Create application route table change type.
AMSChangeManagementInfrastructurePolicy
AMSChangeManagementInfrastructurePolicy (for Management | Other | Other CTs)
Permissions to request the Management | Other | Other | Create, and Management | Other | Other | Update change types.
AMSSecretsManagerSharedPolicy
AMSSecretsManagerSharedPolicy
Permissions to view secret passwords/hashes shared by AMS through AWS Secrets Manager (e.g. passwords to infrastructure for auditing).
Permissions to create secret password/hashes to share with AMS. (for example, license keys for products that need to be deployed).
AMSChangeManagementPolicy
AMSChangeManagementPolicy
Permissions to request and view all AMS change types, and the history of requested change types.
AMSReservedInstancesPolicy
AMSReservedInstancesPolicy
Permissions to manage Amazon EC2 reserved instances; for pricing information, see
Amazon EC2 Reserved Instances
AMSS3Policy
AMSS3Policy
Permissions to create and delete files from existing Amazon S3 buckets.
Note
These permissions do not grant the ability to create S3 buckets; that must be done with the Deployment | Advanced stack components | S3 storage | Create change type.
AWSSupportAccess
AWSSupportAccess
Full access to Support. For information, see
Getting Started with Support. For
Premium Support information, see Support
AWSMarketplaceManageSubscriptions
AWSMarketplaceManageSubscriptions (Public AWSManaged Policy)
Permissions to subscribe, unsubscribe, and view AWS Marketplace subscriptions.
AWSCertificateManagerFullAccess
AWSCertificateManagerFullAccess
Full access to AWS Certificate Manager. For more information, see
AWS Certificate Manager
AWSCertificateManagerFullAccess information,
(Public AWS Managed Policy).
AWSWAFFullAccess
AWSWAFFullAccess
Full access to AWS WAF. For more information, see AWS WAF - Web Application Firewall
AWSWAFFullAccess
information, (Public AWS Managed policy).
This policy grants full access to AWS WAF resources.
ReadOnlyAccess
ReadOnlyAccess
Read-only access to all AWS services and resources on the AWS console. When AWS launches a new service, AMS updates the ReadOnlyAccess policy to add read-only permissions for the new service. The updated permissions are applied to all principal entities that the policy is attached to.
This doesn't grant the ability to log into EC2 hosts or database hosts.
If you have an active AWS account, then you can use this link ReadOnlyAccess
Single-Account Landing Zone (SALZ): To see the AMS single-account landing zone default, uncustomized, user role policies, see SALZ: Default IAM User Role, next.
SALZ: Default IAM User Role
JSON policy statements for the default AMS single-account landing zone user role.
Note
The SALZ default user role is customizable and might differ on a per-account basis. Instructions on finding your role are provided.
The following is an example of the default SALZ user role. To make sure that you have the
policies set for you, run the
get-role command. Or,
sign in to the AWS Identity and Access Management console at https://console.aws.amazon.com/iam/
The customer read-only role is a combination of multiple policies. A breakdown of the role (JSON) follows.
Managed Services Audit Policy:
Managed Services IAM ReadOnly Policy
Managed Services User Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCustomerToListTheLogBucketLogs", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mc-a*-logs-*" ], "Condition": { "StringLike": { "s3:prefix": [ "aws/*", "app/*", "encrypted", "encrypted/", "encrypted/app/*" ] } } }, { "Sid": "BasicAccessRequiredByS3Console", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::*" ] }, { "Sid": "AllowCustomerToGetLogs", "Effect": "Allow", "Action": [ "s3:GetObject*" ], "Resource": [ "arn:aws:s3:::mc-a*-logs-*/aws/*", "arn:aws:s3:::mc-a*-logs-*/encrypted/app/*" ] }, { "Sid": "AllowAccessToOtherObjects", "Effect": "Allow", "Action": [ "s3:DeleteObject*", "s3:Get*", "s3:List*", "s3:PutObject*" ], "Resource": [ "*" ] }, { "Sid": "AllowCustomerToListTheLogBucketRoot", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mc-a*-logs-*" ], "Condition": { "StringEquals": { "s3:prefix": [ "", "/" ] } } }, { "Sid": "AllowCustomerCWLConsole", "Effect": "Allow", "Action": [ "logs:DescribeLogStreams", "logs:DescribeLogGroups" ], "Resource": [ "arn:aws:logs:*:*:log-group:*" ] }, { "Sid": "AllowCustomerCWLAccessLogs", "Effect": "Allow", "Action": [ "logs:FilterLogEvents", "logs:GetLogEvents" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/*", "arn:aws:logs:*:*:log-group:/infra/*", "arn:aws:logs:*:*:log-group:/app/*", "arn:aws:logs:*:*:log-group:RDSOSMetrics:*:*" ] }, { "Sid": "AWSManagedServicesFullAccess", "Effect": "Allow", "Action": [ "amscm:*", "amsskms:*" ], "Resource": [ "*" ] }, { "Sid": "ModifyAWSBillingPortal", "Effect": "Allow", "Action": [ "aws-portal:Modify*" ], "Resource": [ "*" ] }, { "Sid": "DenyDeleteCWL", "Effect": "Deny", "Action": [ "logs:DeleteLogGroup", "logs:DeleteLogStream" ], "Resource": [ "arn:aws:logs:*:*:log-group:*" ] }, { "Sid": "DenyMCCWL", "Effect": "Deny", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:FilterLogEvents", "logs:GetLogEvents", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:*:*:log-group:/mc/*" ] }, { "Sid": "DenyS3MCNamespace", "Effect": "Deny", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::mc-a*-logs-*/encrypted/mc/*", "arn:aws:s3:::mc-a*-logs-*/mc/*", "arn:aws:s3:::mc-a*-logs-*-audit/*", "arn:aws:s3:::mc-a*-internal-*/*", "arn:aws:s3:::mc-a*-internal-*" ] }, { "Sid": "ExplicitDenyS3CfnBucket", "Effect": "Deny", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::cf-templates-*" ] }, { "Sid": "DenyListBucketS3LogsMC", "Action": [ "s3:ListBucket" ], "Effect": "Deny", "Resource": [ "arn:aws:s3:::mc-a*-logs-*" ], "Condition": { "StringLike": { "s3:prefix": [ "auditlog/*", "encrypted/mc/*", "mc/*" ] } } }, { "Sid": "DenyS3LogsDelete", "Effect": "Deny", "Action": [ "s3:Delete*", "s3:Put*" ], "Resource": [ "arn:aws:s3:::mc-a*-logs-*/*" ] }, { "Sid": "DenyAccessToKmsKeysStartingWithMC", "Effect": "Deny", "Action": [ "kms:*" ], "Resource": [ "arn:aws:kms::*:key/mc-*", "arn:aws:kms::*:alias/mc-*" ] }, { "Sid": "DenyListingOfStacksStartingWithMC", "Effect": "Deny", "Action": [ "cloudformation:*" ], "Resource": [ "arn:aws:cloudformation:*:*:stack/mc-*" ] }, { "Sid": "AllowCreateCWMetricsAndManageDashboards", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": [ "*" ] }, { "Sid": "AllowCreateandDeleteCWDashboards", "Effect": "Allow", "Action": [ "cloudwatch:DeleteDashboards", "cloudwatch:PutDashboard" ], "Resource": [ "*" ] } ] }
Customer Secrets Manager Shared Policy
Customer Marketplace Subscribe Policy
