Change management in Developer mode - AMS Advanced User Guide

Change management in Developer mode

Change management is the process the AMS Advanced service uses to implement requests for change. A request for change (RFC) is a request created by either you or AMS Advanced through the AMS Advanced interface to make a change to your managed environment and includes a change type (CT) ID for a particular operation. For more information, see Change management modes.

Change management is not enforced in AMS Advanced accounts where Developer mode permissions are granted. Users who have been granted Developer mode permission through the IAM role (AWSManagedServicesDevelopmentRole for MALZ, customer_developer_role for SALZ) can use native AWS API access to provision and change resources in their AMS Advanced accounts. Users who do not have that role in these accounts must use the AMS Advanced change management process to make changes.

Important

Resources that you create using Developer mode can be managed by AMS Advanced only if they were created through the AMS Advanced change management process. Requests for change submitted to AMS Advanced for resources created outside of that process are rejected, because those resources must be handled by you.

Self-service provisioning services API restrictions

All AMS Advanced self-provisioned services are supported with Developer mode. Access to self-provisioned services is subject to the limitations outlined in the respective user guide sections for each. If a self-provisioned service is not available with your Developer mode role, you can request an updated role through the Developer mode change type.

The following services do not provide full access to service APIs:

Self-Provisioned Services Restricted in Developer mode
Service Notes

Amazon API Gateway

All API Gateway API calls are allowed except SetWebACL.

Application Auto Scaling

Can only register or deregister scalable targets, and put or delete a scaling policy.

AWS CloudFormation

Can't access or modify CloudFormation stacks that have a name prefixed with mc-.

AWS CloudTrail

Can't access or modify CloudTrail resources that have a name prefixed with ams- and/or mc-.

Amazon Cognito (User Pools)

Can't associate software tokens.

Can't create user pools, user import jobs, resource servers, or identity providers.

AWS Directory Service

Only the following AWS Directory Service actions, which the Connect and WorkSpaces services require, are allowed. All other Directory Service actions are denied by the Developer mode permissions boundary policy:

  • ds:AuthorizeApplication

  • ds:CreateAlias

  • ds:CreateIdentityPoolDirectory

  • ds:DeleteDirectory

  • ds:DescribeDirectories

  • ds:GetAuthorizedApplicationDetails

  • ds:ListAuthorizedApplications

  • ds:UnauthorizeApplication

In single-account landing zone accounts, the boundary policy explicitly denies access to the AMS Advanced managed directory used by AMS Advanced for maintaining access to dev-mode enabled accounts.
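The Directory Service allow-list above and the name-prefix rules elsewhere in this table are both enforced through the permissions boundary attached to the Developer mode role, not through the role's own identity policy. The toy evaluator below, an added example rather than AMS code, shows how that works: a request succeeds only if the identity policy and the boundary both allow it, an explicit Deny in either wins outright, and an action the boundary never grants is blocked even when the identity policy says Allow. The boundary document is a constructed illustration modelling three rules from this page (the Directory Service allow-list, the mc- CloudFormation stack restriction, and a broad pass-through for everything else); it is not the real AMS Advanced boundary, and the account ID is a placeholder.

```python
"""Toy IAM policy evaluator illustrating how a permissions boundary limits a
Developer mode role.  Added example, not AMS code: the boundary document is a
CONSTRUCTED illustration of rules described on this page, not the real
AMS Advanced boundary policy."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' one.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Evaluate one policy document for (action, resource).

    Returns "Deny" (explicit deny, wins immediately), "Allow" (an Allow
    statement matched and nothing denied) or "Implicit" (no statement
    matched, which IAM treats as a deny).
    """
    action = action.lower()          # action names are case-insensitive
    decision = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        if "Action" in stmt:
            acts = [a.lower() for a in _as_list(stmt["Action"])]
            action_hit = _matches(acts, action)
        else:  # NotAction: matches every action except the listed ones
            not_acts = [a.lower() for a in _as_list(stmt["NotAction"])]
            action_hit = not _matches(not_acts, action)
        resource_hit = _matches(_as_list(stmt.get("Resource", "*")), resource)
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(identity_policy: dict, boundary: dict, action: str, resource: str) -> bool:
    """Effective permission = identity policy AND boundary, both returning Allow."""
    return (evaluate(identity_policy, action, resource) == "Allow"
            and evaluate(boundary, action, resource) == "Allow")


# Constructed identity policy: the dev role itself is granted everything.
DEV_IDENTITY_POLICY = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed boundary modelling three rules from this page.
DEV_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        # 1. Everything except Directory Service passes through the boundary.
        {"Effect": "Allow", "NotAction": "ds:*", "Resource": "*"},
        # 2. Directory Service: only the allow-listed actions are granted, so
        #    any other ds:* call is an implicit deny inside the boundary.
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ds:AuthorizeApplication", "ds:CreateAlias",
            "ds:CreateIdentityPoolDirectory", "ds:DeleteDirectory",
            "ds:DescribeDirectories", "ds:GetAuthorizedApplicationDetails",
            "ds:ListAuthorizedApplications", "ds:UnauthorizeApplication"]},
        # 3. AMS-reserved CloudFormation stacks (name prefix mc-): explicit deny.
        {"Effect": "Deny", "Action": "cloudformation:*",
         "Resource": "arn:aws:cloudformation:*:*:stack/mc-*"},
    ],
}

ACCOUNT = "123456789012"   # placeholder account ID


def check(action: str, resource: str) -> bool:
    """Evaluate a request for the constructed dev role under the constructed boundary."""
    return is_allowed(DEV_IDENTITY_POLICY, DEV_BOUNDARY, action, resource)


if __name__ == "__main__":
    samples = [
        ("ec2:RunInstances", f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*"),
        ("cloudformation:UpdateStack", f"arn:aws:cloudformation:us-east-1:{ACCOUNT}:stack/app-web/1"),
        ("cloudformation:UpdateStack", f"arn:aws:cloudformation:us-east-1:{ACCOUNT}:stack/mc-sentinel/1"),
        ("ds:DescribeDirectories", f"arn:aws:ds:us-east-1:{ACCOUNT}:directory/d-1"),
        ("ds:CreateDirectory", f"arn:aws:ds:us-east-1:{ACCOUNT}:directory/d-1"),
    ]
    for action, resource in samples:
        print(f"{'ALLOW' if check(action, resource) else 'DENY ':5} {action} {resource}")
```

The practical consequence for a Developer mode user is that widening the role's own identity policy never helps: the boundary caps what the role can ever do, so a call against an AMS-reserved resource fails with AccessDenied regardless of what you attach to the role. The real check against a live account is IAM's SimulatePrincipalPolicy API, which applies the same evaluation using the actual boundary.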

Amazon Elastic Compute Cloud

Can't call Amazon EC2 API actions whose names contain any of the strings DhcpOptions, Gateway, Subnet, VPC, or VPN.

Can't access or modify Amazon EC2 resources that have a tag prefixed with AMS, mc, ManagementHostASG, and/or sentinel.

Amazon EC2 (Reports)

Only view access is granted (cannot modify). Note: Amazon EC2 Reports is moving. The Reports menu item will be removed from the Amazon EC2 console navigation menu. To view your Amazon EC2 usage reports after it has been removed, use the AWS Billing and Cost Management console.

AWS Identity and Access Management (IAM)

Can't delete existing permission boundaries, or modify IAM user password policies.

Can't create or modify IAM resources unless you are using the correct IAM role (AWSManagedServicesDevelopmentRole for MALZ, customer_developer_role for SALZ).

Can't modify IAM resources that are prefixed with: ams, mc, customer_deny_policy, and/or sentinel.

When creating a new IAM resource (role, user, or group), the permissions boundary (MALZ: AWSManagedServicesDevelopmentRolePermissionsBoundary, SALZ: ams-app-infra-permissions-boundary) must be attached.
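Putting the IAM rules above together, a role created under Developer mode must be created while using the Developer mode role, must avoid the reserved name prefixes, and must carry the landing-zone-specific permissions boundary. The script below is an added example (not AMS code) that builds the create_role request with the boundary always set and rejects reserved names before the call is made; the account ID, role name, trust policy and inline policy are placeholders, and the case-insensitive prefix comparison is an assumption, since the page does not state how the prefix match is evaluated.

```python
"""Create an IAM role in a Developer mode account with the mandatory
permissions boundary attached.  Added example, not AMS code.  Assumptions:
the account ID, role name and trust policy are placeholders; the prefix
check is case-insensitive (the page does not say whether it is).  The
boundary policy names and the reserved prefixes are the ones this page lists."""
import json

# Boundary that must be attached to every role, user or group you create.
BOUNDARY_POLICY_NAME = {
    "MALZ": "AWSManagedServicesDevelopmentRolePermissionsBoundary",
    "SALZ": "ams-app-infra-permissions-boundary",
}
# Role you must be using for the request to succeed at all.
DEVELOPER_ROLE_NAME = {
    "MALZ": "AWSManagedServicesDevelopmentRole",
    "SALZ": "customer_developer_role",
}
# IAM resources with these name prefixes are AMS-owned and can't be modified.
RESERVED_IAM_PREFIXES = ("ams", "mc", "customer_deny_policy", "sentinel")


def boundary_arn(landing_zone: str, account_id: str) -> str:
    """ARN of the customer-managed boundary policy for this landing zone."""
    return f"arn:aws:iam::{account_id}:policy/{BOUNDARY_POLICY_NAME[landing_zone]}"


def is_reserved_name(name: str) -> bool:
    """True if the name collides with an AMS-reserved prefix (assumed case-insensitive)."""
    return name.lower().startswith(tuple(p.lower() for p in RESERVED_IAM_PREFIXES))


def lambda_trust_policy() -> dict:
    """Trust policy letting Lambda assume the role (placeholder principal)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "lambda.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def build_create_role_request(role_name, landing_zone, account_id, trust_policy) -> dict:
    """Keyword arguments for iam.create_role, with the boundary always set.
    Rejects reserved names up front instead of waiting for an AccessDenied."""
    if landing_zone not in BOUNDARY_POLICY_NAME:
        raise ValueError(f"unknown landing zone {landing_zone!r}; use MALZ or SALZ")
    if is_reserved_name(role_name):
        raise ValueError(f"{role_name!r} uses an AMS-reserved prefix")
    return {
        "RoleName": role_name,
        "AssumeRolePolicyDocument": json.dumps(trust_policy),
        "PermissionsBoundary": boundary_arn(landing_zone, account_id),
        "Description": f"Created under Developer mode ({DEVELOPER_ROLE_NAME[landing_zone]})",
    }


def create_role(request: dict, inline_policy: dict, policy_name: str = "app-inline") -> str:
    """Create the role and attach an inline policy.  boto3 is imported lazily so
    the request builder above stays usable (and testable) without AWS access."""
    import boto3  # requires the Developer mode role's credentials in the environment
    iam = boto3.client("iam")
    role_arn = iam.create_role(**request)["Role"]["Arn"]
    iam.put_role_policy(RoleName=request["RoleName"], PolicyName=policy_name,
                        PolicyDocument=json.dumps(inline_policy))
    return role_arn


if __name__ == "__main__":
    req = build_create_role_request("app-web-role", "SALZ", "123456789012", lambda_trust_policy())
    print(json.dumps(req, indent=2))
    # Uncomment when running with the Developer mode role's credentials:
    # print(create_role(req, {"Version": "2012-10-17", "Statement": [
    #     {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-web-assets/*"}]}))
```

Omitting PermissionsBoundary from the request is the most common way this call fails in a Developer mode account; the boundary name is the only thing that differs between MALZ and SALZ, so keeping it in one lookup table avoids copying the wrong ARN between landing zones.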

AWS Key Management Service (AWS KMS)

Can't access or modify AMS Advanced-managed KMS keys.

AWS Lambda

Can't access or modify AWS Lambda functions that are prefixed with AMS.

CloudWatch Logs

Can't access CloudWatch log streams that have a name prefixed with: mc, aws, lambda, and/or AMS.

Amazon Relational Database Service (Amazon RDS)

Can't access or modify Amazon Relational Database Service (Amazon RDS) databases (DBs) that have a name prefixed with: mc-.

AWS Resource Groups

Can only access Get, List, and Search Resource Group API actions.

Amazon Route 53

Can't access or modify Route 53 AMS Advanced-maintained resources.

Amazon S3

Can't access Amazon S3 buckets that have a name prefixed with: ams-*, ams, ms-a, or mc-a.

AWS Security Token Service

The only security token service API allowed is DecodeAuthorizationMessage.

Amazon SNS

Can't access SNS topics that have a name prefixed with: AMS-, Energon-Topic, or MMS-Topic.

AWS Systems Manager (SSM)

Can't modify SSM parameters that are prefixed with ams, mc, or svc.

Can't use the SSM API SendCommand against Amazon EC2 instances that have a tag prefixed with ams or mc.

AWS Tagging

You only have access to AWS Tagging API actions that are prefixed with Get.

AWS Lake Formation

The following AWS Lake Formation API actions are denied:

  • lakeformation:DescribeResource

  • lakeformation:GetDataLakeSettings

  • lakeformation:DeregisterResource

  • lakeformation:RegisterResource

  • lakeformation:UpdateResource

  • lakeformation:PutDataLakeSettings

Amazon Elastic Inference

You can only call the Elastic Inference API action elastic-inference:Connect. This permission is included in the customer_sagemaker_admin_policy that is attached to the customer_sagemaker_admin_role. This action gives you access to the Elastic Inference accelerator.

AWS Shield

No access to any of this service's APIs or its console.

Amazon Simple Workflow Service

No access to any of this service's APIs or its console.