AWS Managed Services - AMS Accelerate in AWS GovCloud (US)
AMS Accelerate is a service for configuring and managing your AWS infrastructure. For more information, see the service description.
How AMS Accelerate differs for AWS GovCloud (US)
Some services available in other AWS Regions are not available or have limitations in AWS GovCloud (US) Regions.
- Not supported in AWS GovCloud (US) Regions:
- Different in AWS GovCloud (US) Regions:
  - Outbound service notifications are not sent to AWS account primary email addresses. Reports go to smaller, more targeted distribution lists.
  - Accelerate Compliance and conformance is limited by the AWS Config managed rules available in your AWS Region.
- Differences in other AWS services. Some examples:
  - Not all AWS Config managed rules are available in all AWS GovCloud (US) Regions. The AWS Config Developer Guide lists all managed rules and the Regions in which each rule is available.
  - GuardDuty: For information about the differences in AWS GovCloud (US) Regions, see Amazon GuardDuty in AWS GovCloud (US).
AMS Accelerate account discovery
AwsAccountDiscoveryCli is a command line interface run in AWS CloudShell that's used to discover AWS resources in a specified account. You can use AWS CloudShell from your browser at no additional cost.
Important
The AwsAccountDiscoveryCli performs read-only calls and doesn't transmit data to AMS Accelerate during collection. Data is stored locally on the machine that runs the commands. It's a best practice to review the collected data with your security team to determine whether or not you can share it with AMS for further analysis. Then, work with your AMS account team to determine the process for sharing your approved data with AWS Managed Services.
Use the AwsAccountDiscoveryCli with AWS CloudShell:
(Prerequisites) You must have access to the commercial AWS account associated with your GovCloud account.
Use commercial account credentials to authenticate with an AWS CodeArtifact repository. Download and install the package on an Amazon EC2 instance or a local machine (Mac or Linux), then switch the profile to GovCloud to perform the discovery.
Configure the AWS Command Line Interface (AWS CLI) to communicate with the commercial AWS account.
Run the following commands to create a virtual environment, connect to the CodeArtifact endpoint, and install the CLI on a local machine. The example assumes that you start from your home directory in a Linux environment. Copy the commands as they are. Don't replace the domain-owner 354220221581 or the region us-west-2: they identify the CodeArtifact domain that hosts the package, not your own account or Region.
python3 -m venv awsdiscovery
source ~/awsdiscovery/bin/activate
pip install pip --upgrade
aws codeartifact login --tool pip \
  --repository AwsAccountDiscoveryCli \
  --domain aws-account-discovery-cli \
  --domain-owner 354220221581 \
  --region us-west-2
pip install awsaccountdiscoverycli
Export the GovCloud user credentials into your local shell session (for example, as the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and, for temporary credentials, AWS_SESSION_TOKEN environment variables) so that the following commands target the GovCloud account rather than the commercial account you used for the CodeArtifact login.
To verify that the local AWS session is talking to the GovCloud account, run the following command and confirm that the returned Account is your GovCloud account ID and that the Arn begins with arn:aws-us-gov: (the AWS GovCloud (US) partition):
aws sts get-caller-identity --region us-gov-west-1
To verify that the installation completed successfully, run the following command:
awsdiscover --version
To start the collection for the current account, run the following commands:
export AWS_DEFAULT_REGION=us-gov-west-1
awsdiscover -p aws-us-gov
Note
The discovery process takes longer on large accounts.
After the process is finished, run the following command to compress the output folder so that you can download the report. The path below is the home directory in AWS CloudShell; adjust it if you ran the collection on an EC2 instance or a local machine.
tar -czvf DiscoveryReports.tar.gz /home/cloudshell-user/AwsAccountDiscoveryReports/
In AWS CloudShell, choose Actions in the top right corner, then choose Download file.
For Individual file path, specify the following path and then choose Download:
/home/cloudshell-user/DiscoveryReports.tar.gz
After you extract the archive on your desktop, verify that the output file Final_Report_xxxxxxx.xlsx is present under the AwsAccountDiscoveryReports folder.
Important
If the account you want to discover is part of AWS Organizations, then AwsAccountDiscoveryCli must be called from the Organizations management account or by a member account that's a delegated administrator for an AWS service to collect organization-level information. Otherwise, organization-level information isn't collected. For more information, see AWS Organizations terminology and concepts.
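As an added example (not part of the AMS Accelerate documentation or of the AwsAccountDiscoveryCli package), the following POSIX shell script wraps the procedure above with a pre-flight check: it refuses to start discovery unless AWS_DEFAULT_REGION is an AWS GovCloud (US) Region and the identity returned by aws sts get-caller-identity carries an ARN in the aws-us-gov partition. That catches the common mistake of still holding the commercial credentials used for the CodeArtifact login when the collection starts. It assumes that aws and awsdiscover are on PATH when run_discovery is invoked; the sample identity documents, and the account ID in them, are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the AMS Accelerate documentation or the
# AwsAccountDiscoveryCli package: a pre-flight guard that refuses to start
# discovery unless the active credentials resolve to the aws-us-gov partition.
# Assumptions: `aws` (AWS CLI) and `awsdiscover` are on PATH when
# run_discovery is invoked for real; the sample identity documents below are
# constructed and the account ID in them is a placeholder, not a real account.

# Extract the Arn field from a get-caller-identity JSON document
# (works on both the pretty-printed and the single-line form).
identity_arn() {
    printf '%s\n' "$1" | sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Extract the 12-digit Account field so the operator can confirm the target.
caller_account() {
    printf '%s\n' "$1" | sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p'
}

# Return 0 only when the caller's ARN is in the AWS GovCloud (US) partition.
# A commercial ARN (arn:aws:...) or a missing Arn field fails the check.
caller_is_govcloud() {
    arn=$(identity_arn "$1")
    [ -n "$arn" ] || return 1
    case "$arn" in
        arn:aws-us-gov:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only for the two AWS GovCloud (US) Regions.
region_is_govcloud() {
    case "$1" in
        us-gov-west-1|us-gov-east-1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pre-flight, then start the collection the same way the procedure does.
# Fails closed: a non-GovCloud region or commercial credentials stop the run
# before awsdiscover makes any API call against the wrong account.
run_discovery() {
    region="${AWS_DEFAULT_REGION:-us-gov-west-1}"
    if ! region_is_govcloud "$region"; then
        echo "refusing to run: $region is not an AWS GovCloud (US) Region" >&2
        return 1
    fi
    identity=$(aws sts get-caller-identity --region "$region" --output json) || return 1
    if ! caller_is_govcloud "$identity"; then
        echo "refusing to run: credentials are not in the aws-us-gov partition" >&2
        return 1
    fi
    echo "starting discovery for account $(caller_account "$identity") in $region"
    AWS_DEFAULT_REGION="$region" awsdiscover -p aws-us-gov
}

# Constructed sample responses for offline checking (placeholder account ID).
# SAMPLE_GOV mimics the CLI's default pretty-printed output; SAMPLE_COMMERCIAL
# is the same document on one line, as --output json may also be consumed.
SAMPLE_GOV='{
    "UserId": "AIDAEXAMPLEGOV",
    "Account": "123456789012",
    "Arn": "arn:aws-us-gov:iam::123456789012:user/discovery"
}'
SAMPLE_COMMERCIAL='{"UserId": "AIDAEXAMPLECOM", "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:user/discovery"}'
```

Source the file and call run_discovery instead of invoking awsdiscover directly. The check is purely local: it only parses the identity document that the verification step of the procedure already returns, and it makes no calls beyond the one get-caller-identity request.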
Documentation for AMS Accelerate
For information, see the AMS Accelerate documentation.
Export-controlled content
For AWS Services architected within the AWS GovCloud (US) Regions, the following list explains how certain components of data may leave the AWS GovCloud (US) Regions in the normal course of the service offerings. The list can be used as a guide to help meet applicable customer compliance obligations. Data not included in the following list remains within the AWS GovCloud (US) Regions.
- Resource names
- Tags
- Communications between customers and AMS Accelerate, such as service requests and incident reports.