Accessing your logs - AMS Advanced User Guide

Accessing your logs


Provides five default IAM roles, each of which allow access to all logs within your account (all are prefaced with AWSManagedServices):

  • AdminRole

  • CaseRole

  • ChangeManagementRole

  • ReadOnlyRole

  • SecurityOpsRole

Access to these roles is configured via federation, with each role being mapped to a group within your Active Directory domain.

To learn more about these roles, see IAM User Role.


The default Customer_ReadOnly_Role for AMS single-account landing zone allows your access to all logs within your account. Access to the logs is controlled using AWS Identity and Access Management (IAM) roles mapped to Active Directory groups.