Identity and Access Management - AMS Accelerate Operations Plan

Identity and Access Management

AWS Identity and Access Management is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. During AMS Accelerate onboarding, you are responsible for creating cross-account IAM administrator roles within each of your managed accounts.

With AMS Accelerate, you're responsible for managing access to your AWS accounts and their underlying resources, such as access management solutions, access policies, and related processes. This means that you manage your user lifecycle, permissions in directory services, and federated authentication system, to access the AWS console or AWS APIs. In order to help you manage your access solution, AMS Accelerate deploys AWS Config rules that detect common IAM misconfigurations, and then deliver remediation notifications. For more information, see AWS Config Managed Rules.

Authenticating with identities

AMS uses IAM roles, which is a type of IAM identity. An IAM role is very similar to a user, in that it is an identity with permissions policies that determine what the identity can and cannot do in AWS. However, a role doesn't have credentials associated with it and, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. An IAM user can assume a role to temporarily take on different permissions for a specific task.

Access roles are controlled by internal group membership, which is administered and periodically reviewed by Operations Management. AMS uses the following IAM roles:

Role name

Description

Used by (entity): AMS Access Service only

ams-access-management

Deployed manually by you during onboarding. Assumed only by AMS access to deploy or update access roles. Remains in your account after onboarding for any future updates to the access roles.

Used by (entity): AMS Operations

ams-access-operations

This AMS operations role has full privileges to operate in your AMS account, with the exception of IAM write permissions.

ams-access-read-only

This AMS read-only role is limited to read-only permissions in your AMS account.

Used by (entity): AMS Operations and AMS Services

ams-access-admin

This AMS admin role has full permissions to operate in accounts without restrictions. Only AMS internal services (with a scoped-down session policy) and only a very few select AMS individuals can assume the admin role.

customer_ssm_automation_role

Assumed by AWS Systems Manager to execute SSM Automation documents within your account.

ams_ssm_automation_role

Used by (entity): AWS Services

ams-opscenter-eventbridge-role

Assumed by Amazon EventBridge to create AWS System Manager OpsItems as a part of AMS-specific AWS Config Rules remediation workflow.

AMSOSConfigurationCustomerInstanceRole

This IAM role is applied to your Amazon EC2 instances when AMS OS-Configuration service discovers that the required IAM policies are missing. It allows your Amazon EC2 instances to interact with AWS Systems Manager, Amazon CloudWatch, and Amazon EventBridge services. It also has attached the AMS custom-managed policy to enable RDP access to your Windows instances.

mc-patch-glue-service-role

Assumed by AWS Glue ETL workflow to perform data transformation and prepare it for AMS Patch report generator.

Used by (entity): AMS Service

ams-alarm-manager-AWSManagedServicesAlarmManagerDe-<8-digit hash>

Assumed by AMS alarm manager infrastructure within your AMS account to perform AWS Config Rules evaluation for a new AWS AppConfig deployment.

ams-alarm-manager-AWSManagedServicesAlarmManagerRe-<8-digit hash>

Assumed by AMS alarm manager remediation infrastructure within your AMS account to allow the creation or deletion of alarms for remediation.

ams-alarm-manager-AWSManagedServicesAlarmManagerSS-<8-digit hash>

Assumed by AWS Systems Manager to invoke the AMS alarm manager remediation service within your AMS account.

ams-alarm-manager-AWSManagedServicesAlarmManagerTr-<8-digit hash>

Assumed by AMS alarm manager infrastructure within your AWS account to conduct periodic AMS AWS Config Rules evaluation.

ams-alarm-manager-AWSManagedServicesAlarmManagerVa-<8-digit hash>

Assumed by AMS alarm manager infrastructure within your AMS account to ensure that the required alarms exists in the AWS account.

ams-backup-config-rule-st-amsBackupAlertConfigRule-<8-digit hash>

Assumed by AMS backup infrastructure in your AMS account to evaluate the AWS Config Rules 'amsBackupAlertEval' rule.

ams-backup-config-rule-st-amsBackupPlanConfigRuleH-<8-digit hash>

Assumed by AMS backup infrastructure in your AMS account to execute the AWS Config Rules 'amsBackupPlanEval' rule.

ams-backup-iam-role

This role is used to run AWS Backup within your accounts.

ams-detective-controls-co-CustomCDKBucketDeploymen-<8-digit hash>

Auto-generated by AWS Cloud Development Kit (CDK) to manage deployment AWS S3 Bucket (see more in the documentation). Assumed during AWS Config Conformance Pack templates deployment.

ams-log-management-AWSManagedServicesCloudTrailLog-<8-digit hash>

Assumed by AWS CloudTrail to write logs into AMS-specific Amazon CloudWatch Logs groups.

ams-monitoring-AWSManagedServicesLogGroupLimitLamb-<8-digit hash>

Assumed by AMS Logging & Monitoring infrastructure in your AMS account to evaluate Amazon CloudWatch Logs groups limit and compare with the service quotas.

ams-monitoring-AWSManagedServicesRDSMonitoringRDSE-<8-digit hash>

Assumed by AMS Logging & Monitoring infrastructure in your AMS account to forward Amazon RDS events to Amazon CloudWatch Events.

ams-monitoring-AWSManagedServicesRedshiftMonitorin-<8-digit hash>

Assumed by AMS Logging & Monitoring infrastructure in your AMS account to forward Amazon Redshift events (CreateCluster and DeleteCuster) to Amazon CloudWatch Events.

ams-monitoring-infrastruc-AWSManagedServicesMonito-<8-digit hash>

Assumed by AMS Logging & Monitoring infrastructure in your AMS account to publish messages to Amazon Simple Notification Service to validate that the account is reporting all necessary data.

ams-opscenter-role

Assumed by AMS Notification Management system in your AMS account to manage AWS System Manager OpsItems related to alerts in your account.

ams-opsitem-autoexecution-role

Assumed by AMS Notification Management system to handle automated remediation using SSM documents for monitoring alerts related to resources in your account.

ams-patch-infrastructure-amspatchconfigruleroleC1-<8-digit hash>

Assumed by AWS Config to evaluate AMS patch resources and detect drift in its AWS CloudFormation stacks.

ams-patch-infrastructure-amspatchcwruleopsitemams-<8-digit hash>

Assumed by Amazon EventBridge to create AWS System Manager OpsItems for patching failures.

ams-patch-infrastructure-amspatchservicebusamspat-<8-digit hash>

Assumed by Amazon EventBridge to send an event to the AMS Patch orchestrator event bus for AWS Systems Manager Maintenance Windows state change notifications.

ams-patch-reporting-infra-amspatchreportingconfigr-<8-digit hash>

Assumed by AWS Config to evaluate AMS Patch reporting resources and detect drift in its AWS CloudFormation stacks.

ams-resource-tagger-AWSManagedServicesResourceTagg-<8-digit hash>

Assumed by AMS Resource Tagger infrastructure within your AMS account to perform AWS Config Rules evaluation upon new AWS AppConfig deployment.

ams-resource-tagger-AWSManagedServicesResourceTagg-<8-digit hash>

Assumed by AMS Resource Tagger infrastructure within your AMS account to validate that required AWS tags exist for the managed resources.

ams-resource-tagger-AWSManagedServicesResourceTagg-<8-digit hash>

Assumed by AWS Systems Manager to invoke AMS Resource Tagger remediation workflow in your AMS account.

ams-resource-tagger-AWSManagedServicesResourceTagg-<8-digit hash>

Assumed by AMS Resource Tagger remediation infrastructure within your AMS account to create or delete AWS tags for the managed resources.

ams-resource-tagger-AWSManagedServicesResourceTagg-<8-digit hash>

Assumed by AMS Resource Tagger infrastructure within your AWS account to conduct periodic AMS Config Rule evaluation.

ams_os_configuration_event_rule_role-<AWS Region>

Assumed by Amazon EventBridge to forward events from your account to AMS OS-Configuration service EventBus in the correct Region.

mc-patch-reporting-service

Assumed by AMS patch data aggregator and report generator.

To learn more about AWS Cloud Development Kit (CDK) identifiers, including hashes, see UniqueIDs.

AMS Accelerate feature services assume the ams-accelerate-admin role for programmatic access to the account, but with a session policy scoped down for the respective feature service (for example, patch, backup, monitoring, and so forth).

AMS Accelerate follows industry best practices to meet and maintain compliance eligibility. AMS Accelerate access to your account is recorded in CloudTrail and also available for your review through change tracking. For information about queries that you can use to get this information, see Tracking changes in your AMS Accelerate accounts.

Managing access using policies

Various AMS Accelerate support teams such as Operations Engineers, Cloud Architects, and Cloud Service Delivery Managers (CSDMs), sometimes require access to your accounts in order to respond to service requests and incidents. Their access is governed by an internal AMS access service that enforces controls, such as business justification, service requests, operations items, and support cases. The default access is read-only, and all access is tracked and recorded; see also Tracking changes in your AMS Accelerate accounts.

Validation of IAM resources

The AMS Accelerate access system periodically assumes roles in your accounts (at least every 24 hours) and validates that all of our IAM resources are as expected.

In order to ensure uninterrupted access into your accounts, AMS Accelerate has a "canary" that monitors and alarms on the presence and status of the IAM roles, as well as their attached policies, mentioned above. Periodically, the canary assumes the ams-accelerate-read-only role and initiates CloudFormation and IAM API calls against your accounts. The canary evaluates the status of the AMS Accelerate access roles to make sure they are always unmodified and up-to-date. This activity creates CloudTrail logs in the account.

The AWS Security Token Service (AWS STS) session name of the canary is AMS-Access-Roles-Auditor-{uuid4()} as seen in CloudTrail and the following API calls occur:

  • Cloud Formation API Calls: describe_stacks()

  • IAM API Calls:

    • get_role()

    • list_attached_role_policies()

    • list_role_policies()

    • get_policy()

    • get_policy_version()

    • get_role_policy()