AMS uses AWS Identity and Access Management (IAM) to manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access. AMS provides a default IAM user role and a default Amazon EC2 instance profile (which includes a statement allowing the resource access to the default IAM user role).
Requesting a new IAM user role or instance profile
AMS uses an IAM role to set user permissions through your federation service and an IAM instance profile as a container for that IAM role.
You can request a custom IAM role or instance profile with an AMS service request or with the Management | Other | Other | Create change type (CT). See the descriptions of each in this section.
Note
AMS has an IAM policy, customer_deny_policy, that blocks dangerous namespaces and actions. This policy is attached to all AMS customer roles by default and is rarely a problem for users. Your IAM user and role requests don't include this policy, but AMS automatically includes the customer_deny_policy in requests for IAM roles, which helps AMS deploy new IAM instance profiles more quickly. You can request that the customer_deny_policy be excluded. However, such a request goes through a rigorous security review and is likely to be declined for security reasons.
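To make the effect of a default-attached deny policy concrete, the following is an added example (not AMS code, and not the contents of the real customer_deny_policy, which this page does not reproduce): a minimal evaluator of the IAM decision rules for identity-based policies, run against a constructed role permission set and a constructed deny policy. It shows that an explicit Deny overrides any Allow, that everyday actions are unaffected, and that an action nobody allows is still denied by default; the policy contents and action lists are assumptions for illustration.

```python
import fnmatch

# Constructed role permissions (what a requested AMS customer role might carry).
ROLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudtrail:*", "iam:PassRole"],
         "Resource": "*"},
    ],
}

# Hypothetical deny policy standing in for customer_deny_policy: it blocks a few
# dangerous namespaces and actions regardless of what the role otherwise allows.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                                      "iam:CreateUser", "iam:DeleteRole", "config:*"],
         "Resource": "*"},
    ],
}

def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def evaluate(action, *policies):
    """Simplified IAM evaluation for identity-based policies on Resource "*":
    an explicit Deny in any policy wins, otherwise any Allow grants access,
    otherwise the implicit default is Deny. Conditions and ARNs are ignored."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_matches(p, action) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"

def check_role(actions, with_deny_policy=True):
    """Return {action: decision} for the role with or without the deny policy attached."""
    policies = (ROLE_PERMISSIONS, DENY_POLICY) if with_deny_policy else (ROLE_PERMISSIONS,)
    return {a: evaluate(a, *policies) for a in actions}

if __name__ == "__main__":
    sample = ["ec2:DescribeInstances", "iam:PassRole", "cloudtrail:LookupEvents",
              "cloudtrail:StopLogging", "iam:CreateUser", "lambda:InvokeFunction"]
    for action, decision in check_role(sample).items():
        print(f"{action:26} -> {decision}")
```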