Service description - AMS Accelerate Operations Plan

Service description

AMS Accelerate is a service for managing operations of your AWS infrastructure.

AMS Accelerate features

AMS Accelerate offers the following features:

Incident management

AMS Accelerate proactively detects and responds to incidents and assists your team in resolving issues. You can reach out to AMS Accelerate operations engineers 24x7 using AWS Support Center, with response time SLAs depending on the level of response you selected for your account.

Monitoring

Accounts enrolled in AMS Accelerate are configured with a baseline deployment of CloudWatch events and alarms that have been tuned to reduce noise and to identify a possible upcoming incident. After receiving the alerts, the AMS team uses automated remediations, people, and processes to bring the resources back to a healthy state and, when appropriate, engages with your teams to share what was learned about the behavior and how to prevent it. If remediation fails, AMS starts the incident management process. You can change the baselines by updating the default configuration file.

Security management

AWS Managed Services protects your information assets and helps keep your AWS infrastructure secure by using multiple controls. AMS deploys a collection of AWS Config rules aligned with the National Institute of Standards and Technology Cloud Security Framework (NIST CSF) and the Center for Internet Security (CIS) AWS Foundations security frameworks. These rules continuously check that your existing and new resources conform to those security frameworks.

In addition, AMS leverages Amazon GuardDuty to identify potentially unauthorized or malicious activity in your AWS environment. GuardDuty findings are monitored 24x7 by AMS. AMS collaborates with you to understand the impact of the findings and the remediations recommended by best practices. AMS also supports Amazon Macie to protect your sensitive data such as personal health information (PHI), personally identifiable information (PII), and financial data.

Patch management

For an AWS account with the patch add-on, AWS Managed Services applies and installs vendor updates to EC2 instances for supported operating systems during your chosen maintenance windows. AMS creates a snapshot of the instance prior to patching, monitors the patch installation, and notifies you of the outcome. If the patch fails, AMS investigates the failure, tries to remediate it, or restores the instance as needed. AMS provides reports of patch compliance coverage and advises you of the recommended course of action for your business.

Backup management

AWS Managed Services creates, monitors, and stores snapshots for AWS services supported by AWS Backup. You define the backup schedules, frequency, and retention period by creating AWS Backup plans while onboarding accounts and applications. You associate the plans to resources. AMS tracks all backup jobs, and, when a backup job fails, alerts our team to run a remediation. AMS leverages your snapshots to perform restoration actions during incidents, if needed. AMS provides you with a backup coverage report and a backup status report.

Designated experts

AMS Accelerate also designates a Cloud Service Delivery Manager (CSDM) and a Cloud Architect (CA) to partner with your organization and drive operational and security excellence. Your CSDM and CA provide you guidance during and after the configuration and onboarding of AMS Accelerate, deliver a monthly report of your operational metrics, and work with you to identify potential cost savings using tools such as AWS Cost Explorer, Cost and Usage Reports, and Trusted Advisor.

Operations tools

AMS Accelerate can provide ongoing operations for your workload's infrastructure in AWS. Our patch, backup, monitoring, and incident management services depend on having resources tagged, and on the AWS Systems Manager (SSM) and CloudWatch agents being installed and configured on your EC2 instances with an IAM instance profile that authorizes them to interact with the SSM and CloudWatch services. AMS Accelerate provides tools like Resource Tagger to help you tag your resources based on rules, and automated instance configuration to install the required agents on your EC2 instances. If you're following immutable infrastructure practices, you can complete the prerequisites directly in the console or in infrastructure-as-code templates.

All AMS Accelerate customers start with incident management, monitoring, security monitoring, log recording, prerequisite tools, backup management, and reporting capabilities. You can add AMS Patch add-on at an additional price.

Logging and Reporting

AWS Managed Services aggregates and stores logs generated as a result of operations in CloudWatch, CloudTrail, and VPC Flow Logs. Logging from AMS helps with faster incident resolution and system audits. AMS Accelerate also provides you with a monthly service report that summarizes key performance metrics of AMS, including an executive summary and insights, operational metrics, managed resources, AMS service level agreement (SLA) adherence, and financial metrics around spending, savings, and cost optimization. Reports are delivered by the AMS cloud service delivery manager (CSDM) designated to you.

Supported configurations

These are the configurations AMS Accelerate supports:

  • Supported language: English.

  • Supported AWS Regions: See the AWS Regions supported by AWS Managed Services on the AWS Regional Services webpage.

  • Supported AWS operating systems:

    • Amazon Linux 2 and Amazon Linux

    • CentOS 7.x, CentOS 6.5-6.10

    • Oracle Linux 7.5 and later minor versions

    • Red Hat Enterprise Linux (RHEL) 8.x, 7.x, 6.5-6.10

    • SUSE Linux Enterprise Server 15 SP0, SP1 and SAP specific versions, SUSE Linux Enterprise Server 12 SP4, SP5 and SAP specific versions.

    • Microsoft Windows Server 2019, 2016, 2012 R2, 2012

    Note

    Operating systems (OSs) that are outside of the general support period of the operating system manufacturer ("end of support" (EOS)) carry an increased security risk and are considered a supported configuration only if 1) you have extended support with the OS vendor that allows you to receive updates, 2) any instances using an EOS OS follow the security controls specified by AMS in the user guide, or 3) you comply with any other compensating security controls required by AMS.

Supported services

AWS Managed Services provides operational management support services for the following AWS services. Each AWS service is distinct and as a result, AMS's level of operational management support varies depending on the nature and characteristics of the underlying AWS service. If you request that AWS Managed Services provide services for any software or service that is not expressly identified as supported in the following list, any AWS Managed Services provided for such customer-requested configurations will be treated as a "Beta Service" under the Service Terms.

  • Incidents: All AWS services

  • Service request: All AWS services

  • Patching: EC2

  • Backups and Restoration: EC2, RDS, EBS, Storage Gateway, DynamoDB, Aurora, EFS

  • Monitoring: EC2, RDS, Aurora, Redshift, Elasticsearch, NAT gateway (a Network Address Translation (NAT) service), Elastic Load Balancer, Application Load Balancer, Personal Health Dashboard. To learn more about what AMS Accelerate monitors as part of a service, see Alerts from baseline monitoring in AMS.

  • Security controls: AWS Account, GuardDuty, Macie, API Gateway, Certificate Manager (ACM), Config, CloudTrail, CloudWatch, CodeBuild, Database Migration Service, DynamoDB, EC2, Elastic Block Store (EBS), Elastic File System (EFS), Elastic Load Balancing, ElastiCache, Elasticsearch, EMR, Identity and Access Management (IAM), Key Management Service (KMS), Lambda, Redshift, Relational Database Service (RDS), S3, SageMaker, Secrets Manager, Simple Notification Service (SNS), Systems Manager Agent (SSM), VPC (Security group, Volume, Elastic IP, VPN connection, Internet gateways), VPC Flow Logs.

Roles and responsibilities

AMS Accelerate manages your AWS infrastructure. The following table provides an overview of the roles and responsibilities for you and AMS Accelerate for activities in the lifecycle of an application running within the managed environment.

  • R stands for Responsible: the party that does the work to achieve the task.

  • C stands for Consulted: a party whose opinions are sought, typically as subject matter experts, and with whom there is bilateral communication.

  • I stands for Informed: a party who is kept informed of progress, often only on completion of the task.

Activity | Customer | Accelerate
--- | --- | ---
Application lifecycle | |
Application development | R | I
Application infrastructure requirements, analysis, and design | R | I
Application deployment | R | I
AWS resource deployment | R | I
Application monitoring | R | I
Application testing/optimization | R | I
Troubleshoot and resolve application issues | R | I
Troubleshoot and resolve problems | R | I
AWS infrastructure monitoring | C | R
Incident response for AWS network issues | C | R
Incident response for AWS resource issues | C | R
Managed Account onboarding | |
Grant access to the AWS Managed Account for the AMS team and tools | R | C
Implement changes in the account or environment to allow the deployment of tools in the account. For example, changes in Service Control Policies (SCPs) | R | C
Install SSM agents in EC2 instances | R | C
Install and configure tooling required to provide AMS services. For example, CloudWatch agents, scripts for patching, alarms, logs, and others | I | R
Manage access and identity lifecycle for AMS engineers | I | R
Collect all required inputs to configure AMS services. For example, patch maintenance window duration, schedule, and targets | R | I
Request the configuration of AMS services and provide all required inputs | R | I
Configure AMS services as requested by the customer. For example, patch maintenance windows, resource tagger, and alarm manager | C | R
Manage the lifecycle of users and their permissions, for local directory services, used to access AWS accounts and instances | R | I
Recommend reserved instances optimization | I | R
Patch management | |
Configure maintenance windows and other parameters (for example, maintenance window duration) for patching | R | I
Tag instances to associate them with custom maintenance windows and patch baselines | R | I
Define custom patch baselines to filter and exclude specific patches | R | I
Monitor for applicable updates to supported OS and software preinstalled with supported OS for EC2 instances | I | R
Report on missing updates to supported OS and maintenance window coverage | I | R
Take snapshots of instances before applying updates | I | R
Apply updates to EC2 instances per customer configuration | I | R
Investigate failed updates to EC2 instances | C | R
Update AMIs and stacks for Auto Scaling groups (ASGs) | R | C
Patch development software (.NET, PHP, Perl, Python) | R | I
Patch and monitor middleware applications (for example, BizTalk, JBoss, WebSphere) | R | I
Patch and monitor custom and third-party applications | R | I
Backup | |
Specify backup schedules and target resources | R | I
Perform backups per plan | I | R
Investigate failed backup jobs | I | R
Report on backup job status and backup coverage | I | R
Validate backups | R | I
Request backup restoration for resources of supported AWS services as part of incident management | R | I
Perform backup restoration activities for resources of supported AWS services | I | R
Restore affected custom or third-party applications | R | I
Networking | |
Provisioning and configuration of Managed Account VPCs, IGWs, Direct Connect, and other AWS networking services | R | I
Configure and operate AWS Security Groups/NAT/NACL inside the Managed account | R | I
Networking configuration and implementation within customer network (for example, Direct Connect) | R | I
Networking configuration and implementation within AWS network | R | I
Monitors defined by AMS for network security, including security groups | I | R
Network-level logging configuration and management (VPC flow logs, ELB access logs, and others) | I | R
Logging | |
Record all application change logs | R | I
Record AWS infrastructure change logs | I | R
Enable and aggregate AWS audit trail | I | R
Aggregate logs from AWS resources | I | R
Monitoring and Remediation | |
Configure monitored resources | R | I
Configure alarm manager and alarm thresholds | R | C
Deploy AMS CloudWatch baseline metrics and alarms per customer configuration | I | R
Monitor supported AWS resources using baseline CloudWatch metrics and alarms | I | R
Investigate alerts from AWS resources | C | R
Remediate alerts based on defined configuration, or create an incident | I | R
Define, monitor, and investigate customer-specific monitors | R | I
Investigate alerts from application monitoring | R | C
Security Architecture | |
Review AMS resources and code for security issues and potential threats | I | R
Implement security controls in AMS resources and code to mitigate security risks | I | R
Enable supported AWS services for security management of the account and its AWS resources | I | R
Manage privileged credentials for account and OS access for AMS engineers | I | R
Security Risk Management | |
Monitor supported AWS services for security management, like GuardDuty and Macie | I | R
Define and create AMS-defined Config Rules to detect whether AWS resources comply with Center for Internet Security (CIS) and NIST security best practices | I | R
Monitor AMS-defined Config Rules | I | R
Report conformance status of Config Rules | I | R
Define a list of required Config Rules and remediate them | I | R
Evaluate the impact of remediating AMS-defined Config Rules | R | I
Request remediation of AMS-defined Config Rules in the AWS account | R | I
Track resources exempted from AMS-defined Config Rules | R | I
Remediate supported AMS-defined Config Rules in the AWS account | C | R
Remediate non-supported AMS-defined Config Rules in the AWS account | R | I
Define, monitor, and investigate customer-specific Config Rules | R | I
Security monitoring and response | |
Configure supported security management AWS services for alerting, alert correlation, noise reduction, and additional rules | I | R
Monitor supported AWS services for security alerts | I | R
Install, update, and maintain endpoint security tools | R | I
Monitor for malware on instances using endpoint security | R | I
Incident Management | |
Notify about incidents detected by AMS in AWS resources | I | R
Notify about incidents in AWS resources | R | I
Notify about incidents for AWS resources based on monitoring | I | R
Handle application performance issues and outages | R | I
Categorize incident priority | I | R
Provide incident response | I | R
Provide incident resolution or infrastructure restore for resources with available backups | C | R
Problem Management | |
Correlate incidents to identify problems | I | R
Perform root cause analysis (RCA) for problems | I | R
Remediate problems | I | R
Identify and remediate application problems | R | I
Service Management | |
Request information using service requests | R | I
Reply to service requests | I | R
Provide cost-optimization recommendations | I | R
Prepare and deliver monthly service report | I | R
Change Management | |
Change management processes and tooling for provisioning and updating resources in the managed environment | R | I
Maintenance of application change calendar | R | I
Notice of upcoming maintenance window | R | I
Record changes made by AMS Operations | I | R