Using Amazon EventBridge Managed Rules in AMS - AMS Accelerate User Guide

Using Amazon EventBridge Managed Rules in AMS

AMS Accelerate uses Amazon EventBridge Managed Rules. A Managed Rule is a distinct type of rule that is directly linked to AMS: it matches incoming events and sends them to targets for processing. Managed Rules are predefined by AMS and carry the event patterns the service requires to manage customer accounts; unless defined otherwise, only the owning service can use them.

AMS Accelerate Managed Rules are linked to the events.managedservices.amazonaws.com service principal and are managed through the AWSServiceRoleForManagedServices_Events service-linked role. Deleting these rules requires a special confirmation from the customer. For more information, see Deleting Managed Rules for AMS.

For more information about rules, see Rules in the Amazon EventBridge User Guide.

Amazon EventBridge Managed Rules deployed by AMS

Amazon EventBridge Managed Rules

Rule Name: AmsAccessRolesRule

Description: This rule listens for modifications to specific AMS Accelerate roles and policies.

Definition:

    {
      "source": ["aws.iam"],
      "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {
        "eventName": [
          "DeleteRole",
          "DeletePolicy",
          "CreatePolicyVersion",
          "AttachRolePolicy",
          "DetachRolePolicy"
        ],
        "requestParameters": {
          "$or": [
            {
              "roleName": [
                "ams-access-admin",
                "ams-access-admin-operations",
                "ams-access-operations",
                "ams-access-read-only",
                "ams-access-security-analyst",
                "ams-access-security-analyst-read-only"
              ]
            },
            {
              "policyArn": [
                "arn:*:iam::*:policy/ams-access-allow-pass-role",
                "arn:*:iam::*:policy/ams-access-deny-cloudshell-policy",
                "arn:*:iam::*:policy/ams-access-deny-operations-policy",
                "arn:*:iam::*:policy/ams-access-deny-update-iam-policy",
                "arn:*:iam::*:policy/ams-access-ssr-policy",
                "arn:*:iam::*:policy/ams-access-security-analyst-read-only-policy",
                "arn:*:iam::*:policy/ams-access-security-analyst-policy",
                "arn:*:iam::*:policy/ams-access-security-analyst-extended-policy",
                "arn:*:iam::*:policy/ams-access-admin-policy",
                "arn:*:iam::*:policy/ams-access-admin-operations-policy"
              ]
            }
          ]
        }
      }
    }

Rule Name: AMSCoreRule

Description: This rule forwards AWS Config and Amazon CloudWatch events to the AMS Config remediation and AMS monitoring services, respectively. The AWS Config events create and resolve AWS Systems Manager OpsItems. The Amazon CloudWatch events monitor CloudWatch alarms.

Definition:

    {
      "source": ["aws.config", "aws.cloudwatch"],
      "detail-type": ["Config Rules Compliance Change", "CloudWatch Alarm State Change"]
    }
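To make the two event patterns above concrete, here is an added example (not code from AMS or from this guide) that implements the small subset of EventBridge pattern matching these rules rely on, namely arrays of accepted values, nested objects and the "$or" operator, and runs the documented AmsAccessRolesRule and AMSCoreRule patterns over constructed CloudTrail, AWS Config and CloudWatch events. The events, the account ID and the role and policy names that are not on this page are constructed sample data. One assumption is specific to the example: a "*" inside a pattern string is treated as a glob wildcard so that the page's "arn:*:iam::*:policy/..." entries match concrete ARNs; the guide does not state how EventBridge interprets those strings and this example makes no claim about it.

```python
"""Minimal EventBridge-style pattern matcher exercised against the AMS rule patterns.

Added example, not part of the AMS guide. Supports the subset the two documented
patterns use: arrays of literal values, nested objects and "$or". Example-only
assumption: "*" inside a pattern string acts as a glob wildcard.
"""
from fnmatch import fnmatchcase

_AMS_ROLE_NAMES = [
    "ams-access-admin", "ams-access-admin-operations", "ams-access-operations",
    "ams-access-read-only", "ams-access-security-analyst",
    "ams-access-security-analyst-read-only",
]
_AMS_POLICY_NAMES = [
    "ams-access-allow-pass-role", "ams-access-deny-cloudshell-policy",
    "ams-access-deny-operations-policy", "ams-access-deny-update-iam-policy",
    "ams-access-ssr-policy", "ams-access-security-analyst-read-only-policy",
    "ams-access-security-analyst-policy", "ams-access-security-analyst-extended-policy",
    "ams-access-admin-policy", "ams-access-admin-operations-policy",
]

# The two patterns as documented on this page.
MANAGED_RULES = {
    "AmsAccessRolesRule": {
        "source": ["aws.iam"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventName": ["DeleteRole", "DeletePolicy", "CreatePolicyVersion",
                          "AttachRolePolicy", "DetachRolePolicy"],
            "requestParameters": {
                "$or": [
                    {"roleName": _AMS_ROLE_NAMES},
                    {"policyArn": [f"arn:*:iam::*:policy/{n}" for n in _AMS_POLICY_NAMES]},
                ]
            },
        },
    },
    "AMSCoreRule": {
        "source": ["aws.config", "aws.cloudwatch"],
        "detail-type": ["Config Rules Compliance Change", "CloudWatch Alarm State Change"],
    },
}


def _leaf_matches(pattern_value, event_value):
    """One literal from a pattern array against one scalar from the event."""
    if isinstance(pattern_value, str) and isinstance(event_value, str) and "*" in pattern_value:
        return fnmatchcase(event_value, pattern_value)  # example-only wildcard handling
    return pattern_value == event_value


def matches(pattern, event):
    """True if the event (dict) satisfies the pattern (dict).

    Every key in the pattern must be satisfied (AND); an array in the pattern
    lists the accepted values (OR); "$or" accepts the event if any alternative
    matches; a key missing from the event fails the pattern.
    """
    for key, expected in pattern.items():
        if key == "$or":
            if not any(matches(alternative, event) for alternative in expected):
                return False
            continue
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and matches(expected, actual)):
                return False
        elif isinstance(expected, list):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(_leaf_matches(p, a) for p in expected for a in candidates):
                return False
        else:
            return False  # pattern leaves must be arrays or objects
    return True


def matching_rules(event):
    """Names of the AMS managed rules whose pattern the event satisfies."""
    return [name for name, pattern in MANAGED_RULES.items() if matches(pattern, event)]


def iam_api_call_event(event_name, **request_parameters):
    """Constructed (not captured) CloudTrail-via-EventBridge event, fields abbreviated."""
    return {
        "source": "aws.iam",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "iam.amazonaws.com", "eventName": event_name,
                   "requestParameters": request_parameters},
    }


if __name__ == "__main__":
    samples = [  # constructed: the last two fall outside both rules
        iam_api_call_event("DeleteRole", roleName="ams-access-admin"),
        iam_api_call_event("AttachRolePolicy", roleName="app-deploy-role",
                           policyArn="arn:aws:iam::123456789012:policy/ams-access-admin-policy"),
        {"source": "aws.cloudwatch", "detail-type": "CloudWatch Alarm State Change", "detail": {}},
        iam_api_call_event("DeleteRole", roleName="app-deploy-role"),
        iam_api_call_event("CreateRole", roleName="ams-access-admin"),
    ]
    for s in samples:
        print(s["detail-type"], s["detail"].get("eventName", ""), "->", matching_rules(s))
```

Note what the AmsAccessRolesRule pattern does and does not cover as written: a CreateRole on an AMS role name is not in the eventName list, and an AttachRolePolicy on an unrelated role still matches when the attached policy is one of the AMS policies, because the "$or" branches are evaluated independently.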

Creating Managed Rules for AMS

You don’t need to manually create Amazon EventBridge Managed Rules. When you onboard to AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS creates them for you.

Editing Managed Rules for AMS

AMS doesn't allow you to edit the Managed Rules. The name and event pattern of each Managed Rule are predefined by AMS.

Deleting Managed Rules for AMS

You don’t need to manually delete the Managed Rules. When you offboard from AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS cleans up the resources and deletes all Managed Rules owned by AMS for you.

In the event AMS fails to remove the Managed Rules during offboarding, you can also use the Amazon EventBridge console, the AWS CLI, or the AWS API to delete the Managed Rules manually. To do this, you must first offboard from AMS and then force delete the Managed Rules.
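The manual cleanup described above hinges on two facts this page states: the rules are owned by the events.managedservices.amazonaws.com service principal, and they must be force deleted. The following added example (not AMS's or the guide's own code) shows a cleanup helper for that case. It assumes a boto3 EventBridge client, of which it uses only list_rules, list_targets_by_rule, remove_targets and delete_rule, and it identifies AMS rules by the ManagedBy field those APIs return rather than by name, so customer-owned rules are never touched. Nothing is deleted unless the caller passes confirm=True; the default call is a dry run that reports what would be removed. The FakeEventBridge class and the sample account contents are constructed stand-ins so the example runs offline; against a real account you would pass boto3.client("events") instead.

```python
"""Post-offboarding cleanup of AMS-owned EventBridge rules (added example).

Assumes a boto3 EventBridge client or any object exposing the same four
methods. Identification is by ManagedBy == AMS service principal, which the
guide names; names of the rules are not used for the decision.
"""

AMS_SERVICE_PRINCIPAL = "events.managedservices.amazonaws.com"


def list_ams_managed_rules(events, event_bus_name="default"):
    """Names of rules on the bus whose ManagedBy is the AMS service principal."""
    names, token = [], None
    while True:
        kwargs = {"EventBusName": event_bus_name}
        if token:
            kwargs["NextToken"] = token
        page = events.list_rules(**kwargs)
        names += [r["Name"] for r in page.get("Rules", [])
                  if r.get("ManagedBy") == AMS_SERVICE_PRINCIPAL]
        token = page.get("NextToken")
        if not token:
            return names


def delete_ams_managed_rules(events, event_bus_name="default", confirm=False):
    """Force-delete every AMS managed rule on the bus, or only report them.

    A managed rule refuses a plain delete: its targets must be removed with
    Force=True and the rule itself deleted with Force=True. With confirm=False
    (the default) nothing is changed and the candidate list is returned.
    """
    names = list_ams_managed_rules(events, event_bus_name)
    if not confirm:
        return {"dry_run": True, "would_delete": names}
    for name in names:
        targets = events.list_targets_by_rule(Rule=name, EventBusName=event_bus_name).get("Targets", [])
        if targets:
            events.remove_targets(Rule=name, EventBusName=event_bus_name,
                                  Ids=[t["Id"] for t in targets], Force=True)
        events.delete_rule(Name=name, EventBusName=event_bus_name, Force=True)
    return {"dry_run": False, "deleted": names}


class FakeEventBridge:
    """Constructed in-memory stand-in for the boto3 client (offline use only)."""

    def __init__(self, rules):
        # rules: {name: {"ManagedBy": principal or None, "Targets": [target ids]}}
        self.rules = rules
        self.calls = []

    def list_rules(self, EventBusName="default", NextToken=None):
        items = [{"Name": n, "ManagedBy": r.get("ManagedBy")} for n, r in self.rules.items()]
        return {"Rules": items}  # single page; real clients may return NextToken

    def list_targets_by_rule(self, Rule, EventBusName="default"):
        return {"Targets": [{"Id": i} for i in self.rules[Rule]["Targets"]]}

    def remove_targets(self, Rule, EventBusName, Ids, Force=False):
        self.calls.append(("remove_targets", Rule, tuple(Ids), Force))
        self.rules[Rule]["Targets"] = [i for i in self.rules[Rule]["Targets"] if i not in Ids]
        return {"FailedEntryCount": 0, "FailedEntries": []}

    def delete_rule(self, Name, EventBusName, Force=False):
        # Mirrors the service behaviour the guide describes: managed rules need a force delete.
        if self.rules[Name]["ManagedBy"] and not Force:
            raise ValueError("managed rule: Force=True required")
        self.calls.append(("delete_rule", Name, Force))
        del self.rules[Name]


def sample_account():
    """Constructed account contents: the two AMS rules plus one customer-owned rule."""
    return FakeEventBridge({
        "AmsAccessRolesRule": {"ManagedBy": AMS_SERVICE_PRINCIPAL, "Targets": ["ams-target"]},
        "AMSCoreRule": {"ManagedBy": AMS_SERVICE_PRINCIPAL, "Targets": ["ams-core-target"]},
        "customer-deploy-rule": {"ManagedBy": None, "Targets": ["lambda-1"]},
    })


if __name__ == "__main__":
    client = sample_account()
    print(delete_ams_managed_rules(client))                 # dry run, nothing removed
    print(delete_ams_managed_rules(client, confirm=True))   # force delete of AMS rules only
    print(sorted(client.rules))                             # customer rule remains
```

Run the dry run first and compare its list against what AMS reports as still present after offboarding; only then call it again with confirm=True.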