Request ReadOnly access - AMS Advanced Change Management User Guide

Request ReadOnly access

How to request ReadOnly access to a stand-alone EC2 stack instance or to instances that are part of an EC2 Auto Scaling group (ASG) stack using the AMS console or the AMS API/CLI.

For a walkthrough on requesting Admin access, see Admin Access: requesting.

Classification: Management | Access | Stack read-only access | Grant

Change type ID: ct-199h35t7uz6jl

Version: 2.0

The only AMS-managed resources that you can request access to are EC2 standalone instances and instances that are part of ASG stacks. S3 buckets you can add and remove objects from using the S3 console or API. All other resource changes you accomplish through an RFC to AMS.


You can submit an update to your access request before it expires. For details, see Accessing, Read Only, Update.

To log into an instance that is part of an EC2 Auto Scaling group (ASG), you request access to the ASG stack, which gives you access to all associated instances.

Required data:

  • Subject: This value displays on the RFC dashboard.

  • DomainFQDN: Provide the Fully Qualified Domain Name (FQDM) of your AMS-trusted domain. If you’re unsure what it is, you can use the AWS Management Console for Directory Services (under Security and Identity) Directory Name tab.

  • StackIds: An array of stack identifiers that you want to access. You can find stack IDs by looking on the Stacks dashboard of the AMS console or by running the ListStackSummaries operation of the SKMS API (list-stack-summaries in the CLI).

  • Username: The Active Directory user name of the person who wants access.

  • VpcId: The ID of the VPC where the stacks are that you want access to. You can find this by looking on the VPCs dashboard of the AMS console or by running the ListVpcSummaries operation of the SKMS API (list-vpc-summaries in the CLI).

Optional data:

  • TimeRequestedInHours: The amount of time, in hours, requested for access to the instance. Access is ended after this time.

The following shows this change type in the AMS console.

How it works:

  1. Navigate to the Choose change type page: RFCs -> Create RFC.

  2. Choose a change type from the drop-down lists. Optionally, open the Additional configuration area to select a change type version. After your selections are complete, a Change type: details area opens. Choose Next.

  3. Configure the request for change. A Subject is required. Optionally, open the Additional configuration area to add information about the RFC. Choose Next.

  4. Choose the execution parameters. At the top, in the RFC configuration area, enter values for the change type required parameters. These vary by change type. Open the Additional configuration area to add Tags or additional settings. Some change types also provide a Parameters area where only the required settings are visible. In that case, open the Additional configuration area to view optional parameters.

  5. When finished, choose Create. If there are no errors, the RFC successfully created page displays with the submitted RFC details, and the initial Execution output.

  6. Open the Execution parameters area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page.

How it works:

  1. Use either the Inline Create (you issue a create-rfc command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the create-rfc command with the two files as input. Both methods are described here.

  2. Submit the RFC: aws amscm submit-rfc --rfc-id ID command with the returned RFC ID.

    Monitor the RFC: aws amscm get-rfc --rfc-id ID command.

To check the change type version, use this command:

aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID

You can use any CreateRfc parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, --notification "{\"Email\": {\"EmailRecipients\" : [\"\"]}}" to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the AMS Change Management API Reference.


Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this:

aws --profile saml amscm create-rfc --change-type-id "ct-199h35t7uz6jl" --change-type-version "2.0" --title "Stack-RO-Access-QC" --execution-parameters "{\"DomainFQDN\":\"\",\"StackIds\":[\"stack-01234567890abcdef\"],\"TimeRequestedInHours\":1,\"Username\":\"TEST\",\"VpcId\":\"VPC_ID\"}"


  1. Output the execution parameters JSON schema for this change type to a file; this example names it GrantReadOnlyAccessParams.json:

    aws amscm get-change-type-version --change-type-id "ct-199h35t7uz6jl" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > GrantReadOnlyAccessParams.json

    Modify and save the GrantReadOnlyAccessParams file. For example, you can replace the contents with something like this:

    { "DomainFQDN": "", "StackIds": [STACK_ID, STACK_ID], "TimeRequestedInHours": 8, "Username": "USERNAME", "VpcId": "VPC_ID" }

    Note that the TimeRequestedInHours option defaults to one hour. You can request up to eight hours.

  2. Output the RFC template to a file in your current folder; this example names it GrantReadOnlyAccessRfc.json:

    aws amscm create-rfc --generate-cli-skeleton > GrantReadOnlyAccessRfc.json
  3. Modify and save the GrantReadOnlyAccessRfc.json file. For example, you can replace the contents with something like this:

    { "ChangeTypeId": "ct-199h35t7uz6jl", "ChangeTypeVersion": "2.0", "Title": "Request-ReadOnly-Access-to-EC2-RFC" }
  4. Create the RFC, specifying the GrantReadOnlyAccessRfc file and the GrantReadOnlyAcessParams file:

    aws amscm create-rfc --cli-input-json file://GrantReadOnlyAccessRfc.json --execution-parameters file://GrantReadOnlyAccessParams.json

    You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start.

    To log in to the instance through a bastion, follow the next procedure, Instance access examples.