Access in AMS - AMS Advanced User Guide

Access in AMS

Learn how to access resources by using SSH, or remote desktop protocol (RDP), and how to use bastions.

The AWS Managed Services (AMS) access management system is configured during onboarding. Only users with the AMS IAM user role, federated through AMS, can access AMS resources in the account.

In addition to the federated trust, described next, AMS security groups are an important element in private and public application access. For information about AMS security groups and how to change them, see Security groups.

What is Access Management?

Access management is how AMS protects your resources by allowing only authorized and authenticated access. AMS uses a default IAM user role and instance profile, as well as multi-factor authentication, security groups, DNS-friendly bastion names, and more to keep your resources protected.

AMS focuses on three types of access that require management:

  • Console access: Leveraging federation, users in the account’s Active Directory can access the console using single sign-on (SSO). If you have multi-factor authentication configured for these accounts, you can continue to require MFA to gain access to the console.

  • Instance access with RDP or SSH: Leveraging an Active Directory trust, users in the account’s existing Active Directory can request access to an instance, and then successfully authenticate to a bastion and the instance by using their existing corporate credentials. If you have multi-factor authentication configured for those accounts, you can continue to require MFA to request access to an instance. AMS uses an MFA solution of its own to restrict AMS engineer access to instances.

  • Application access: Varies by use case.

Why and When AMS Accesses Your Account

AWS Managed Services (AMS) manages your AWS infrastructure and sometimes, for specific reasons, AMS operators and administrators access your account. These access events are documented in your AWS CloudTrail (CloudTrail) logs.

Why, when, and how AMS accesses your account is explained in the following topics.

AMS Customer account access triggers

AMS customer account access activity is driven by triggers. The triggers today are the AWS tickets created in our issues management system in response to Amazon CloudWatch (CloudWatch) alarms and events, and incident reports or service requests that you submit. Multiple service calls and host-level activities might be performed for each access.

Access justification, the triggers, and the initiator of the trigger are listed in the following table.

Access Triggers
Access Initiator Trigger



Patch issue

Infrastructure deployments


Deployment issue

Internal problem investigation


Problem issue (an issue that has been identified as systemic)

Alert investigation and remediation


AWS Systems Manager operational work items (SSM OpsItems)

Manual RFC execution


Request for Change (RFC) issue. (Non-automated RFCs may require AMS access to your resources)

Incident investigation and remediation


Inbound support case (an incident or service request you submit)

Inbound service request fulfillment


AMS customer account access IAM roles

When triggered, AMS accesses customer accounts using AWS Identity and Access Management (IAM) roles. Like all activity in your account, the roles and their usage are logged in CloudTrail.

The following are the IAM roles that AMS uses to access your account.

  • The role aws_ams_admin is used by AMS for some automated infrastructure deployments.

  • A new role, ams-application-infra-operations, is used for SALZ and MALZ Application/Tools-Application.

Requesting instance access

To access a resource, you must first submit a request for change (RFC) for that access. There are two types of access that you can request: admin (read/write permissions) and read-only (standard user access). Access lasts for eight hours, by default. This information is required:

  • Stack ID, or set of stack IDs, for the instance or instances you want to access.

  • The fully qualified domain name of your AMS-trusted domain.

  • The Active Directory username of the person who wants access.

  • The ID of the VPC where the stacks are that you want access to.

Once you've been granted access, you can update the request as needed.

For examples of how to request access, see Requesting Admin Access or Requesting Read-only Access.

Accessing the AWS Management console and the AMS console

During onboarding, you're provided a login to the AWS Management console (with limited privileges: you can write to the AMS console, and some fields in your customer information page). You can access the AMS console by selecting the Managed Services link in the AWS Management console. Either federated access or shared credentials (user name/password) are prepared as agreed with your IT administration team. For further account or group creation, submit a service request to AMS.

For information about getting access to the AWS Management console, see Working with the AWS Management console.

For some tips on using the AMS console, see Using the AMS console.

Temporary AMS console access

If you haven't yet set up an identity provider (for instance, SAML) to authenticate to AMS, you can get temporary access to the AMS console. Contact your CSDM to have a Deployment | Advanced stack components | Identity and Access Management (IAM) | Create entity or policy change request (ct-3dpd8mdd9jn1r) submitted on your behalf with these values:

  • UserName: A name for the IAM user entity that you're creating

  • AccessType: "Console access"

  • UserPermissions: "Temporary AMS console access for USERNAME (the person that you want to have temporary access)"

  • Email notifications: Your email address, so you can approve the request when AMS requests you to


This RFC for temporary AMS Console access requires a security review and acceptance by both your internal security team and AMS Global Security.

After this request has been completed, and you're able to log in, you're required to approve the RFC that was created, to track the approval and allow the AMS team to close out the work. To approve the RFC, find it in the RFC's list page (there will be a Pending Approval flag next to it), select it to open the RFC details page for that RFC, and then choose Approve. Note that you won't be able to use AMS until the RFC is approved.

When the RFC successfully completes, AMS operations provides you with the new IAM user and a password. Then follow these steps:

  1. Go to the AWS Management console and log in with provided user name and password. You'll be asked to create a new password. You must also, upon login, set up multi-factor authentication (MFA); to learn more about doing that, see Using Multi-Factor Authentication (MFA) in AWS.

  2. In the AWS Management console, change to the provided IAM role (customer_CustomerCode_readonly_user_role).

  3. Open the AMS Managed Services Console.


Temporary access defaults to sixty days; however, you can request a thirty-day extension by contacting your CSDM.