AMS Accelerate operator console access - AMS Accelerate Operations Plan

Various AMS Accelerate personnel, such as operations engineers and cloud architects (CAs), occasionally require access to your accounts to respond to service requests or reported incidents. AMS Accelerate access is governed by an internal AMS Accelerate access service that enforces controls on access. These controls include a business justification (currently supported business justifications are service requests, OpsItems, and support cases). Access defaults to read-only, and access is tracked and recorded. Access roles are controlled by internal group membership, which is controlled by AMS Accelerate Operations management and periodically reviewed. The following IAM roles are used:

  • ams-access-admin: The AMS Accelerate admin role has full permissions to operate in your account without restrictions. AMS Accelerate feature services (with a scoped-down session policy) and only a few select individuals can assume the admin role.

  • ams-access-operations: The AMS Accelerate operations role has full permissions to operate in your account with the exception of IAM write permissions. Individuals with certain group membership can assume this role.

  • ams-access-read-only: The AMS Accelerate read-only role has read-only permissions in your account and is available to AMS Accelerate Operations and AMS Accelerate cloud architects (CAs).

AMS Accelerate personnel can assume one of the previously mentioned AMS Accelerate IAM roles deployed in your account:

  • Through direct federation into the AWS Management Console to perform manual, browser-based work, such as accessing a host on an Amazon EC2 instance through SSM Session Manager or applying SSM documents from the SSM console or OpsCenter.

  • By obtaining session credentials, with a scoped-down session policy, to programmatically (with AWS APIs) interact with the account and the resources within it, such as applying AWS SSM documents or deploying AWS resources.
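
One way to check the role boundaries described above against your own account's activity (an added example, not AMS or AWS code): it assumes AWS CloudTrail is enabled in the account, reads the standard CloudTrail record fields `userIdentity`, `eventSource`, `eventName` and `readOnly`, and runs on constructed sample records.

```python
from collections import defaultdict

# Role names as listed on this page.
AMS_ROLES = {"ams-access-admin", "ams-access-operations", "ams-access-read-only"}

def _ev(time, role, source, name, read_only):
    """Build a constructed CloudTrail-shaped record (sample data, not a real log)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "readOnly": read_only,
            "userIdentity": {"type": "AssumedRole", "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": role}}}}

SAMPLE_EVENTS = [  # constructed; times and the non-AMS role name are made up
    _ev("2024-01-01T10:00:00Z", "ams-access-read-only", "ec2.amazonaws.com", "DescribeInstances", True),
    _ev("2024-01-01T10:05:00Z", "ams-access-operations", "ssm.amazonaws.com", "SendCommand", False),
    _ev("2024-01-01T10:06:00Z", "ams-access-operations", "iam.amazonaws.com", "AttachRolePolicy", False),
    _ev("2024-01-01T10:07:00Z", "ams-access-read-only", "s3.amazonaws.com", "PutBucketPolicy", False),
    _ev("2024-01-01T10:08:00Z", "ams-access-admin", "iam.amazonaws.com", "CreateRole", False),
    _ev("2024-01-01T10:09:00Z", "example-app-role", "s3.amazonaws.com", "PutBucketPolicy", False),
]

def ams_role(event):
    """Return the AMS access role that issued the session, or None for other callers."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    name = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
    return name if name in AMS_ROLES else None

def audit(events):
    """Count reads/writes per AMS role and flag calls outside the documented role scope."""
    summary = defaultdict(lambda: {"read": 0, "write": 0})
    findings = []
    for ev in events:
        role = ams_role(ev)
        if role is None:
            continue
        # A record without readOnly is treated as a write, the conservative choice.
        is_write = not ev.get("readOnly", False)
        summary[role]["write" if is_write else "read"] += 1
        if is_write and role == "ams-access-read-only":
            findings.append((ev["eventTime"], role, ev["eventName"], "write from read-only role"))
        elif is_write and role == "ams-access-operations" and ev["eventSource"] == "iam.amazonaws.com":
            findings.append((ev["eventTime"], role, ev["eventName"], "IAM write from operations role"))
    return dict(summary), findings

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_EVENTS)
    print(counts)
    for finding in flagged:
        print(finding)
```

A finding here means a recorded call does not match the permissions this page documents for that role and is worth raising with AMS; use of `ams-access-admin` is counted in the summary so it can be reviewed against the stated business justification.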