Service description - AMS Accelerate User Guide

Service description

AMS Accelerate is a service for managing operations of your AWS infrastructure.

AMS Accelerate features

AMS Accelerate offers the following features:

Incident management

AMS Accelerate proactively detects and responds to incidents and assists your team in resolving issues. You can reach out to AMS Accelerate operations engineers 24x7 using AWS Support Center, with response time SLAs depending on the level of response you selected for your account.

Monitoring

Accounts enrolled in AMS Accelerate are configured with a baseline deployment of CloudWatch events and alarms that have been optimized to reduce noise and to identify a possible upcoming incident. After receiving the alerts, the AMS team uses automated remediations, people, and processes to bring the resources back to a healthy state, and engages with your teams when appropriate to share what was learned about the behavior and how to prevent it. If remediation fails, AMS starts the incident management process. You can change the baselines by updating the default configuration file.

Security management

In addition, AMS Accelerate leverages Amazon GuardDuty to identify potentially unauthorized or malicious activity in your AWS environment. GuardDuty findings are monitored 24x7 by AMS. AMS collaborates with you to understand the impact of the findings and remediations based on best practice recommendations. AMS also supports Amazon Macie to protect your sensitive data such as personal health information (PHI), personally identifiable information (PII), and financial data.

Patch management

For an AWS account with the patch add-on, AWS Managed Services applies and installs vendor updates to EC2 instances for supported operating systems during your chosen maintenance windows. AMS creates a snapshot of the instance prior to patching, monitors the patch installation, and notifies you of the outcome. If the patch fails, AMS investigates the failure, tries to remediate it, or restores the instance as needed. AMS provides reports of patch compliance coverage and advises you of the recommended course of action for your business.

Backup management

AWS Managed Services creates, monitors, and stores snapshots for AWS services supported by AWS Backup. You define the backup schedules, frequency, and retention period by creating AWS Backup plans while onboarding accounts and applications. You associate the plans to resources. AMS tracks all backup jobs, and, when a backup job fails, alerts our team to run a remediation. AMS leverages your snapshots to perform restoration actions during incidents, if needed. AMS provides you with a backup coverage report and a backup status report.

Designated experts

AMS Accelerate also designates a Cloud Service Delivery Manager (CSDM) and a Cloud Architect (CA) to partner with your organization and drive operational and security excellence. Your CSDM and CA provide you guidance during and after configuration and onboarding AMS Accelerate, deliver a monthly report of your operational metrics, and work with you to identify potential cost savings using tools such as AWS Cost Explorer, Cost and Usage Reports, and Trusted Advisor.

Operations tools

AMS Accelerate can provide ongoing operations for your workload's infrastructure in AWS. Our patch, backup, monitoring, and incident management services depend on having resources tagged, and the AWS Systems Manager (SSM) and CloudWatch agents installed and configured on your EC2 instances with an IAM instance profile that authorizes them to interact with the SSM and CloudWatch services. AMS Accelerate provides tools like Resource Tagger to help you tag your resources based on rules, and automated instance configuration to install the required agents in your EC2 instances. If you're following immutable infrastructure practices, you can complete the prerequisites directly in the console or infrastructure-as-code templates.

All AMS Accelerate customers start with incident management, monitoring, security monitoring, log recording, prerequisite tools, backup management, and reporting capabilities. You can add the AMS Patch add-on at an additional price.

Logging and Reporting

AWS Managed Services aggregates and stores logs generated as a result of operations in CloudWatch, CloudTrail, and VPC Flow Logs. Logging from AMS helps in faster incident resolution and system audits. AMS Accelerate also provides you with a monthly service report that summarizes key performance metrics of AMS, including an executive summary and insights, operational metrics, managed resources, AMS service level agreement (SLA) adherence, and financial metrics around spending, savings, and cost optimization. Reports are delivered by the AMS cloud service delivery manager (CSDM) designated to you.

Supported configurations

AMS Accelerate supports the following configurations:

  • Language: English.

  • Regions: See the AWS Regions supported by AWS Managed Services in the AWS Regional Services webpage.

  • Operating system architecture (x86-64 or ARM64): any supported by both SSM and CloudWatch.

  • Supported operating systems:

    • Amazon Linux 2

    • CentOS 7.x

    • Oracle Linux 7.5 and later minor versions

    • Red Hat Enterprise Linux (RHEL) 8.x, 7.x

    • SUSE Linux Enterprise Server 15 SP0, SP1 and SAP specific versions, SUSE Linux Enterprise Server 12 SP4, SP5 and SAP specific versions.

    • Microsoft Windows Server 2019, 2016, 2012 R2, 2012

  • Supported End of Support (EOS) operating systems:

    • Amazon Linux (expected AMS support end date July 1, 2023)

    • CentOS 6.5-6.10 (expected AMS support end date Feb 1, 2023)

    • Red Hat Enterprise Linux (RHEL) 6.5-6.10 (expected AMS support end date Feb 1, 2023)

    Note

    End of Support (EOS) operating systems are outside of the general support period of the operating system manufacturer and have increased security risk. EOS operating systems are considered supported configurations only if AMS-required agents support the operating system and

    1. you have extended support with the operating system vendor that allows you to receive updates, or

    2. any instances using an EOS OS follow the security controls as specified by AMS in the Accelerate User Guide, or

    3. you comply with any other compensating security controls required by AMS.

    In the event AMS is no longer able to support an EOS OS, AMS issues a Critical Recommendation to upgrade the operating system.

    AMS-required agents may include but are not limited to: AWS Systems Manager, Amazon CloudWatch, Endpoint Security (EPS) agent, and Active Directory (AD) Bridge (Linux only).

Supported services

AWS Managed Services provides operational management support services for the following AWS services. Each AWS service is distinct and as a result, AMS's level of operational management support varies depending on the nature and characteristics of the underlying AWS service. If you request that AWS Managed Services provide services for any software or service that is not expressly identified as supported in the following list, any AWS Managed Services provided for such customer-requested configurations will be treated as a "Beta Service" under the Service Terms.

  • Incidents: All AWS services

  • Service request: All AWS services

  • Patching: EC2

  • Backups and Restoration: Amazon EC2, Relational Database Service (Amazon RDS), EBS, Storage Gateway, DynamoDB, Aurora, EFS

  • Services monitored by CloudWatch alarms: Amazon EC2, Relational Database Service (Amazon RDS), Aurora, Redshift, Elasticsearch, NAT gateway (a Network Address Translation (NAT) service), Site-to-Site VPN, Elastic Load Balancer, Application Load Balancer, Personal Health Dashboard. To learn more about what AMS Accelerate is monitoring as part of a service, see Alerts from baseline monitoring in AMS.

  • Services monitored by security Config Rules: AWS Account, GuardDuty, Macie, API Gateway, Certificate Manager (ACM), Config, CloudTrail, CloudWatch, CodeBuild, Database Migration Service, DynamoDB, Amazon EC2, Elastic Block Store (Amazon EBS), Elastic File System (Amazon EFS), Elastic Load Balancing, ElastiCache, Elasticsearch, Amazon EMR, Identity and Access Management (IAM), Key Management Service (KMS), Lambda, Redshift, Relational Database Service (Amazon RDS), Amazon S3, SageMaker, Secrets Manager, Simple Notification Service (Amazon SNS), Systems Manager Agent (SSM), VPC (Security group, Volume, Elastic IP, VPN connection, Internet gateways), VPC Flow Logs. For more details, see Compliance and conformance and Data protection. You can find additional AMS security information in our private Security Guide that can be accessed through AWS Artifact, on the Reports tab, for Managed Services.

Roles and responsibilities

AMS Accelerate manages your AWS infrastructure. The following table provides an overview of the roles and responsibilities for you and AMS Accelerate for activities in the lifecycle of an application running within the managed environment.

  • R stands for Responsible party that does the work to achieve the task.

  • C stands for Consulted; a party whose opinions are sought, typically as subject matter experts; and with whom there is bilateral communication.

  • I stands for Informed; a party who is informed on progress, often only on completion of the task.

| Activity | Customer | Accelerate |
|---|---|---|
| Application lifecycle | | |
| Application development | R | I |
| Application infrastructure requirements, analysis, and design | R | I |
| Application deployment | R | I |
| AWS resource deployment | R | I |
| Application monitoring | R | I |
| Application testing/optimization | R | I |
| Troubleshoot and resolve application issues | R | I |
| Troubleshoot and resolve problems | R | I |
| AWS infrastructure monitoring | C | R |
| Incident response for AWS network issues | C | R |
| Incident response for AWS resource issues | C | R |
| Managed Account onboarding | | |
| Grant access to the AWS Managed Account for the AMS team and tools | R | C |
| Implement changes in the account or environment to allow the deployment of tools in the account. For example, changes in Service Control Policies (SCPs) | R | C |
| Install SSM agents in EC2 instances | R | C |
| Install and configure tooling required to provide AMS services. For example, CloudWatch agents, scripts for patching, alarms, logs, and others | I | R |
| Manage access and identity lifecycle for AMS engineers | I | R |
| Collect all required inputs to configure AMS services. For example, patch maintenance windows duration, schedule and targets | R | I |
| Request the configuration of AMS services and provide all required inputs | R | I |
| Configure AMS services as requested by the customer. For example, patch maintenance windows, resource tagger, and alarm manager | C | R |
| Manage the lifecycle of users and their permissions, for local directory services, used to access AWS accounts and instances | R | I |
| Recommend reserved instances optimization | I | R |
| Patch management | | |
| Collect all required inputs to configure patch maintenance windows, patch baselines, and targets | R | I |
| Request the configuration of patch maintenance windows and baselines, and provide all required inputs | R | I |
| Configure patch maintenance windows, patch baselines, and targets as requested by the customer | C | R |
| Monitor for applicable updates to supported OS and software preinstalled with supported OS for EC2 instances | I | R |
| Report for missing updates to supported OS and maintenance window coverage | I | R |
| Take snapshots of instances before applying updates | I | R |
| Apply updates to EC2 instances per customer configuration | I | R |
| Investigate failed updates to EC2 instances | C | R |
| Update AMIs and stacks for Auto-Scaling groups (ASGs) | R | C |
| Patch development software (.NET, PHP, Perl, Python) | R | I |
| Patch and monitor middleware applications (for example, BizTalk, JBoss, WebSphere) | R | I |
| Patch and monitor custom and third-party applications | R | I |
| Backup | | |
| Collect all required inputs to configure backup plans and target resources | R | I |
| Request the configuration of Backup plans and provide all required inputs | R | I |
| Configure backup plans and targets as requested by the customer | C | R |
| Specify backup schedules and target resources | R | I |
| Perform backups per plan | I | R |
| Investigate failed backup jobs | I | R |
| Report for backup jobs status and backup coverage | I | R |
| Validate backups | R | I |
| Request backup restoration for resources of supported AWS services as part of incident management | R | I |
| Perform backup restoration activities for resources of supported AWS services | I | R |
| Restore affected custom or third-party applications | R | I |
| Networking | | |
| Provisioning and configuration of Managed Account VPCs, IGWs, Direct Connect, and other AWS networking services | R | I |
| Configure and operate AWS Security Groups/NAT/NACL inside the Managed account | R | I |
| Networking configuration and implementation within customer network (for example DirectConnect) | R | I |
| Networking configuration and implementation within AWS network | R | I |
| Monitor defined by AMS for network security, including security groups | I | R |
| Network-level logging configuration and management (VPC flow logs, ELB access log, and others) | I | R |
| Logging | | |
| Record all application change logs | R | I |
| Record AWS infrastructure change logs | I | R |
| Enable and aggregate AWS audit trail | I | R |
| Aggregate logs from AWS resources | I | R |
| Monitoring and Remediation | | |
| Collect all required inputs to configure alarm manager, resource tagger, and alarm thresholds | R | I |
| Request the configuration of alarm manager and provide all required inputs | R | I |
| Configure alarm manager, resource tagger, and alarm thresholds as requested by the customer | C | R |
| Deploy AMS CloudWatch baseline metrics and alarms per customer configuration | I | R |
| Monitor supported AWS resources using baseline CloudWatch metrics and alarms | I | R |
| Investigate alerts from AWS resources | C | R |
| Remediate alerts based on defined configuration, or create an incident | I | R |
| Define, monitor, and investigate customer-specific monitors | R | I |
| Investigate alerts from application monitoring | R | C |
| Security Architecture | | |
| Review AMS resources and code for security issues and potential threats | I | R |
| Implement security controls in AMS resources and code to mitigate security risks | I | R |
| Enable supported AWS services for security management of the account and its AWS resources | I | R |
| Manage privileged credentials for account and OS access for AMS engineers | I | R |
| Security Risk Management | | |
| Monitor supported AWS services for security management, like GuardDuty and Macie | I | R |
| Define and create AMS-defined Config Rules to detect if AWS resources comply with Center for Internet Security (CIS) and NIST security best practices | I | R |
| Monitor AMS-defined Config Rules | I | R |
| Report conformance status of Config Rules | I | R |
| Define a list of required Config Rules and remediate them | I | R |
| Evaluate the impact of remediating AMS-defined Config Rules | R | I |
| Request remediation of AMS-defined Config Rules in the AWS account | R | I |
| Track resources exempted from AMS-defined Config Rules | R | I |
| Remediate supported AMS-defined Config Rules in the AWS account | C | R |
| Remediate non-supported AMS-defined Config Rules in the AWS account | R | I |
| Define, monitor, and investigate customer-specific Config Rules | R | I |
| Security monitoring and response | | |
| Configure supported security management AWS services for alerting, alerts correlation, noise reduction, and additional rules | I | R |
| Monitor supported AWS services for security alerts | I | R |
| Install, update, and maintain endpoint security tools | R | I |
| Monitor for malware on instances using endpoint security | R | I |
| Incident Management | | |
| Notify about incidents detected by AMS in AWS resources | I | R |
| Notify about incidents in AWS resources | R | I |
| Notify about incidents for AWS resources based on monitoring | I | R |
| Handle application performance issues and outages | R | I |
| Categorize incident priority | I | R |
| Provide incident response | I | R |
| Provide incident resolution or infrastructure restore for resources with available backups | C | R |
| Problem Management | | |
| Correlate incidents to identify problems | I | R |
| Perform root cause analysis (RCA) for problems | I | R |
| Remediate problems | I | R |
| Identify and remediate application problems | R | I |
| Service Management | | |
| Request information using service requests | R | I |
| Reply to service requests | I | R |
| Provide cost-optimization recommendations | I | R |
| Prepare and deliver monthly service report | I | R |
| Change Management | | |
| Change management processes and tooling for provisioning and updating resources in the managed environment | R | I |
| Maintenance of application change calendar | R | I |
| Notice of upcoming maintenance window | R | I |
| Record changes made by AMS Operations | I | R |