Account-Level onboarding - AMS Accelerate Operations Plan

Account-Level onboarding

The Account-level onboarding stage starts by accepting the terms and conditions and selecting the AWS Regions, add-ons, and Service Level Agreement (SLA) you need for the account. Your CSDM guides you through the acceptance process.

After you have accepted the AMS Terms and Conditions, you need to grant access to the account for the AMS team and tools. You first grant access to your Cloud Architect by creating an IAM role for AMS to use; to learn how, see Creating an IAM role for AMS to use, in this section. Your Cloud Architect then creates additional roles so the AMS team and tools can access your account. For more details, see Access management in AMS Accelerate.

Your Cloud Architect also looks for possible configurations in the account, like Service Control Policies (SCPs), and security findings that might prevent AMS from deploying the tools and resources AMS needs to provide its service. Your Cloud Architect works with you to help you remediate findings and remove the blockers to the deployment of AMS tools and resources.

The AMS team then starts deploying the tools and AWS resources that provide the different services of AMS Accelerate. After the deployment is complete, AMS has built the AWS Managed Services account and notifies you that the service is active, which is the last prerequisite for the billing start date.

The Account-level onboarding stage enables you to continue with the rest of the onboarding process and the following tasks:

The next two sections describe onboarding your EC2 instances and configuring Monitoring, Backup, Config Remediation, and Patch according to your preferences. Patch applies only if you use AMS Patch Orchestrator, an add-on that you must specifically request.

Creating an IAM role for AMS to use

For AMS Accelerate, this is a sub-section of the account-level onboarding steps.

  1. Your AMS Cloud Architect provides you with a JSON or YAML file that contains the IAM role AMS uses for creating infrastructure.

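    Alternatively, you can create the file yourself from the following template. It creates the role aws_managedservices_onboarding_role, attaches the AdministratorAccess managed policy to it, and sets a trust policy that allows account 328792436863 to assume the role: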

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "AMS Onboarding Role stack (for Prod)",
      "Parameters": {},
      "Conditions": {},
      "Resources": {
        "OnboardingRole": {
          "Type": "AWS::IAM::Role",
          "Properties": {
            "RoleName": "aws_managedservices_onboarding_role",
            "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
            "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [{
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": { "AWS": ["328792436863"] }
              }]
            }
          }
        }
      }
    }

  2. Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  3. Choose Create Stack. You see the following page.

  4. Choose Upload a template file, upload the JSON or YAML file of the IAM role, and then choose Next. You see the following page.

  5. Enter ams-onboarding-role into the Stack name section, then continue scrolling down and choosing Next until you reach this page.

  6. Make sure the check box is selected and then select Create Stack.

  7. Make sure the stack was created successfully.

Work with your Cloud Architect (CA) to complete the account-level onboarding steps. After AMS Accelerate completes the account-level onboarding, you're ready to onboard your instances.
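Because the role carries AdministratorAccess, it is worth confirming that the file you are about to upload matches the template shown above before you create the stack. The following check is an added example, not AMS tooling: the function names are hypothetical, the expected values are copied from the template on this page, and it assumes the JSON form of the file (not YAML).

```python
import json
import sys

# Expected values copied from the template shown on this page.
EXPECTED_ROLE_NAME = "aws_managedservices_onboarding_role"
EXPECTED_ACCOUNTS = {"328792436863"}
EXPECTED_POLICIES = ["arn:aws:iam::aws:policy/AdministratorAccess"]


def as_list(value):
    """IAM policy fields may hold one value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def account_id(principal):
    """Reduce 'arn:aws:iam::<account>:root' to the account ID; pass bare IDs through."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 5 and parts[0] == "arn" else principal


def check_onboarding_template(template_text):
    """Return a list of findings; an empty list means the template matches."""
    findings = []
    resources = json.loads(template_text).get("Resources", {})
    roles = {k: v for k, v in resources.items() if v.get("Type") == "AWS::IAM::Role"}
    if len(resources) != 1 or len(roles) != 1:
        findings.append("expected exactly one resource, an AWS::IAM::Role")
    for logical_id, role in roles.items():
        props = role.get("Properties", {})
        if props.get("RoleName") != EXPECTED_ROLE_NAME:
            findings.append(f"{logical_id}: unexpected RoleName {props.get('RoleName')!r}")
        if props.get("ManagedPolicyArns") != EXPECTED_POLICIES:
            findings.append(f"{logical_id}: unexpected ManagedPolicyArns")
        for stmt in as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal")
            if not isinstance(principal, dict) or set(principal) != {"AWS"}:
                findings.append(f"{logical_id}: trust principal is not an AWS account: {principal!r}")
                continue
            for p in as_list(principal["AWS"]):
                if account_id(str(p)) not in EXPECTED_ACCOUNTS:
                    findings.append(f"{logical_id}: unexpected trusted principal {p!r}")
    return findings


if __name__ == "__main__" and len(sys.argv) == 2:
    for finding in check_onboarding_template(open(sys.argv[1]).read()):
        print("FINDING:", finding)
```

Run it with the path to the template file as the only argument; no output means the role name, attached policy, and trusted account all match the template on this page.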