Infrastructure security - AMS Accelerate Operations Plan

Infrastructure security

During onboarding, AMS Accelerate deploys the following AWS Config baseline infrastructure and set of rules that AMS Accelerate uses to monitor your accounts:

  • AWS Config service-linked role: AMS Accelerate deploys the service-linked role named AWSServiceRoleForConfig, which is used by AWS Config to query the status of other AWS services. The AWSServiceRoleForConfig service-linked role trusts the AWS Config service to assume the role. The permissions policy for the AWSServiceRoleForConfig role contains read-only and write-only permissions on AWS Config resources and read-only permissions for resources in other services that AWS Config supports. If you already have a role configured with AWS Config Recorder, AMS Accelerate validates that the existing role has an AWS Config managed-policy attached. If not, AMS Accelerate replaces the role with the service-linked role AWSServiceRoleForConfig.

  • AWS Config recorder and delivery channel: AWS Config uses the configuration recorder to detect changes in your resource configurations and capture these changes as configuration items. AMS Accelerate deploys the configuration recorder in all service AWS Regions, with recording of all resources. AMS Accelerate also creates the config delivery channel, an Amazon S3 bucket, which is used to record changes that occur in your AWS resources; it updates configuration states through the delivery channel. The config recorder and delivery channel are required for AWS Config to work. AMS Accelerate creates the recorder in all AWS Regions, and a delivery channel in a single AWS Region. If you already have a recorder and delivery channel in an AWS Region, AMS Accelerate does not delete the existing AWS Config resources, instead AMS Accelerate utilizes your existing recorder and delivery channel after validating that they are properly configured.

  • Conformance packs: A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity within an account. AMS Accelerate combines the NIST-CSF and Centers for Internet Security (CIS) conformance pack into an AMS Accelerate conformance pack with a unique set of AWS Config Rules to your accounts as baseline security checks.

  • AWS Config aggregator authorization: An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple accounts and multiple Regions. AMS Accelerate onboards your account to a config aggregator from which AMS Accelerate aggregates your account's resource configuration information and config compliance data and generates the compliance report. If there are existing aggregators configured in the AMS-owned account, AMS Accelerate deploys an additional aggregator and the existing aggregator is not modified.

    Note

    The Config aggregator is not set up in your accounts; rather, it is set up in AMS-owned accounts and your account(s) are onboarded to it.

To learn more about AWS Config, see:

For information on reports, see AWS Config reporting.