Operations On Demand - AMS Advanced User Guide

Operations On Demand

Operations on Demand (OOD) is an AWS Managed Services (AMS) feature that extends the standard scope of your AMS operations plan by providing operational services that are not currently offered natively by the AMS operations plans or AWS. Once selected, the catalog offering is delivered by a combination of automation and highly skilled AMS resources. There are no long-term commitments or additional contracts, allowing you to extend your existing AMS and AWS operations and capabilities as needed. You agree to purchase blocks of hours (OOD blocks), 20 hours per block, on a monthly basis.

You can select from the catalog of standardized offerings and initiate a new OOD engagement through a service request. Examples of OOD offerings include assisting with the maintenance of Amazon EKS, operations of AWS Control Tower, and management of SAP clusters. New catalog offerings are added regularly based on demand and the operational use cases we see most often.

OOD is available for both AMS Advanced and AMS Accelerate operations plans and is available in all AWS Regions where AMS is available.

AMS performs Customer Security Risk Management (CSRM) while implementing your requested changes. To learn more about the CSRM process, see Change request security reviews.

Operations on Demand catalog of offerings

Operations on Demand (OOD) offers you the services described in the following table.

Note

For definitions of key terms, refer to the AWS Managed Services documentation Key Terms.

Operations Plan | Title | Description | Expected Outcomes
AMS Accelerate | Amazon EKS cluster maintenance

AMS frees your container developers by handling the ongoing maintenance of your Amazon Elastic Kubernetes Service (Amazon EKS) deployments. AMS performs the end-to-end procedures necessary to update a cluster addressing the components of control plane, add-ons, and nodes. AMS performs the updating to managed node types as well as a curated set of Amazon EKS and Kubernetes add-ons.

Customer teams assisted with the underlying operations work of updating Amazon EKS clusters.
AMS Accelerate | AMI Building and Vending

AMS provides ongoing management of AMI building and vending for customers.

Our engineers perform a monthly release of subscribed AMIs, release on-demand AMIs for emergent patching activities, manage changes using runbooks, and monitor AMI builds using CloudWatch Monitoring. We also provide troubleshooting assistance and detailed reporting for all AMIs used in designated accounts. This offering requires AMI build pipelines to be deployed via EC2 Image Builder. AMS does not support any other automation or service that interacts with EC2 Image Builder.

Customer security posture improved and customer time spent on building and vending AMIs reduced.

AMS Accelerate | Curated change execution

Work with our skilled operations engineers to translate your business requirements into validated change requests that can be executed safely within your AWS environment. Take advantage of our unique approach to automation and knowledge of operational best practices (for example, impact assessment, roll backs, two-person rule), whether it is a simple change at scale or a complex action with downstream impacts.

Customers assisted with defining, creating, and executing custom change requests. Changes can be manual or automated (CloudFormation, SSM). Includes consultation with AWS Support for configuration guidance when necessary. Not intended for changes to application code, application installation/deployment, data migration, or OS configuration changes.

AMS Accelerate | AWS Network Firewall Operations

AMS collaborates with you to onboard your firewall and implement and manage the policies and rules for ongoing firewall operations. Our engineers do this by leveraging our operational best practices and automation to configure standardized policies and rules, and by enabling monitoring to detect changes made outside of the automation process. AMS quickly notifies you of unwanted changes and provides options to include them, if requested, or restore the account to a previous configuration to ensure the overall stability of your systems.

Customer teams assisted with reducing management overhead by quickly detecting unintentional network firewall changes, resulting in improved incident resolution and reduced root cause analysis time for both expected and unexpected issues.

AMS Accelerate | AWS Control Tower operations

Ongoing operations and management of your AWS Control Tower landing zone, including AWS Transit Gateway and AWS Organizations - providing a comprehensive landing zone solution. We handle account vending, SCP and OU management, drift remediation, SSO user management, and AWS Control Tower upgrades with our library of custom controls and guardrails.

Customer teams assisted with some of the underlying operations work of managing AWS Control Tower, AWS Transit Gateway, and AWS Organizations.

AMS Accelerate | AWS landing zone Accelerate operations

AMS provides ongoing operations of AWS landing zones deployed through AWS Landing Zone Accelerator (LZA).

Our engineers handle configuration file changes, AWS Control Tower (CT) environment management (account vending, OU creation, CT guardrails), service control policy (SCP) management, CT drift detection and remediation, network configuration management, and updates to CT and the LZA framework. AWS LZA provides a means to set up and govern a secure, multi-account AWS environment using operational best practices and services such as AWS Control Tower.

Customer teams assisted with ongoing operations and management of the AWS Landing Zone Accelerator solution.

AMS Accelerate | SAP Cluster Assist

Dedicated alarming, monitoring, cluster patching, backup, and incident remediation for your SAP clusters. This catalog item allows you to offload some of the ongoing operational work from your SAP operations team so that they can focus on capacity management and performance tuning.

Customer or partner SAP teams assisted with some of the underlying operations work. Still requires the customer to provide other SAP capabilities such as capacity management, performance tuning, DBA, and SAP basis administration.

AMS Accelerate | SQL Server on EC2 Operations

AMS collaborates with you to onboard, implement, and manage the ongoing operations of your SQL Server databases deployed on EC2 instances.

Our engineers leverage our operational best practices and automation to free up your database teams by performing tasks such as backup and patching, extending AMS operational support to SQL Server patching to include cluster-aware rolling updates, backup and restore services aligned with our ransomware defense strategy, and monitoring adherence to customer-provided backup and patching controls.

SQL Server customers assisted with offloading patching and backup database operations to improve the resilience and security posture of their workloads, in addition to optimizing license costs by bringing their own licenses (BYOL) to EC2.
AMS Advanced | Amazon EKS Cluster Maintenance

AMS frees your container developers by handling the ongoing maintenance and health of your Amazon Elastic Kubernetes Service (Amazon EKS) deployments. AMS performs the end-to-end procedures necessary to update a cluster addressing the components of control plane, add-ons, and nodes. AMS performs the updating to managed node types as well as a curated set of Amazon EKS and Kubernetes add-ons.

Customer teams assisted with the underlying operations work of updating Amazon EKS clusters.
AMS Advanced | Priority RFC Execution

Designated AMS operations engineer capacity to prioritize the execution of your requests for change (RFC). All submissions receive a higher level of response and priority order can be adjusted by interacting directly with engineers through an Amazon Chime meeting room.

Customers receive a response SLO of 8 hours for RFCs.
AMS Advanced and AMS Accelerate | Legacy OS Upgrade

Avoid an instance migration by upgrading instances to a supported operating system version. We can perform an in-place upgrade on your selected instances leveraging automation and the upgrade capabilities of the software vendors (for example, Microsoft Windows 2008 R2 to Microsoft Windows 2012 R2). This approach is ideal for legacy applications that cannot be easily re-installed on a new instance and provides additional protection from known and unmitigated security threats on older OS versions.

The following operating systems are supported for in-place upgrades:

  • Microsoft Windows 2012 R2 to Microsoft Windows 2016 and above

  • Microsoft Windows 2016 to Microsoft Windows 2022 and above

  • Red Hat Enterprise Linux 7 to Red Hat Enterprise Linux 8

  • Red Hat Enterprise Linux 8 to Red Hat Enterprise Linux 9

  • Oracle Linux 7 to Oracle Linux 8

This solution is provided for applications that can no longer be re-installed on a new instance (for example, lost source code, ISV out of business, and so on). You can roll failed upgrades back to their original state. From an operational perspective, rolling back is preferred because it puts the instance in a more supportable state with the latest security patches.

Requesting AMS Operations On Demand

AWS Managed Services (AMS) Operations on Demand (OOD) is available for all AWS accounts that have been onboarded to AMS. To take advantage of Operations on Demand, request additional information from your cloud service delivery manager (CSDM), Solutions Architect (SA), account manager, or Cloud Architect (CA). Available OOD offerings are listed in the preceding Operations on Demand catalog of offerings table. After the engagement scoping is completed, submit a service request to AMS Operations to initiate an engagement for OOD.

Each OOD service request must contain the following detailed information pertaining to the engagement:

  • The specific OOD offerings requested, and for each specific OOD offering:

    • The number of blocks (one block is equal to 20 hours of operational resource time in a given calendar month, to be charged at AWS’s then-current standard rate for the applicable Operations on Demand offering) to allocate to the specific OOD offering.

    • The account ID for each AWS Managed Services account for which the specific OOD offering is being requested.

OOD service requests must be submitted by you through either:

  • The AWS Managed Services account that receives the applicable Operations on Demand offerings, or

  • An AWS Managed Services account that is an AWS Organizations Management account in all features mode, on behalf of any of its member accounts that are AWS Managed Services accounts.

After the OOD service request is received, AMS Operations reviews and updates the accounts with their approval, partial approval, or denial.

Once the OOD offerings service request is approved, AMS and you coordinate to begin the engagement. No OOD offerings are initiated until the service request is approved and an engagement start date is agreed on.

AMS uses a monthly subscription allocation of OOD blocks. We allocate the approved number of blocks monthly, starting from the engagement start date, until you request to opt out through a new service request. OOD blocks are valid for a calendar month. Unused blocks, or block portions, are not rolled over or carried forward to future months.

You are billed a minimum of one OOD block each month, regardless of the number of hours actually used. Any additional allocated OOD block in which no hours were used is not billed.

Making changes to Operations on Demand offerings

To request changes to ongoing engagements for Operations on Demand (OOD) offerings, submit a service request containing the following information:

  • The modification(s) being requested, and

  • The requested date for the modifications to become effective.

After receiving the OOD service request, AMS Operations reviews the request and either updates with their approval or requests that the assigned CSDM work with you to determine the scope and implications of the modification. If the modification is determined to require a scoping effort with the CSDM, you are required to submit a second OOD service request to initiate the modified engagement following the completion of the scoping exercise.

Once approved, the most recently modified block allocation becomes and continues to stay active, superseding any prior block allocations, unless agreed otherwise by AWS and you.