Self-Service Provisioning mode - AMS Advanced User Guide

Self-Service Provisioning mode

AWS Managed Services (AMS) Self-Service Provisioning (SSP) mode provides full access to native AWS service and API Capabilities in AMS managed accounts. You access services through standardized, scoped down, IAM roles. AMS provides service requests and incident management. Alerting, monitoring, logging, patch, back up, and change management are your responsibility. In many cases, Self-Service Provisioning services (SSPS) are self-managed, or serverless, and don’t require management of certain operational tasks like patching. You benefit from using these services within the environment boundary defined by AMS guardrails and any IAM changes (including service linked roles, service roles, cross-account roles, or policy updates) need to be approved by AMS Operations to maintain the baseline security of the platform. You can leverage CloudFormation templates to automate deployment of these services but this is not supported for all SSP services currently.


Use SSP mode in your AWS Managed Services (AMS) accounts to access and employ AWS services, with restrictions as noted.

There are some AWS services that you can use without AMS management, in your AMS account. The Self-Service Provisioning mode services, or SSPS for short, how to add them into your AMS account and FAQs for each, are described here.

Self-service provisioning services are offered as is, and you're responsible for managing them. AMS provides no alerts, monitoring, logging, or patching for the resources associated with those services. AMS provides IAM roles that enable you to use the service in your AMS account safely. AMS SLAs do not apply. To add a self-service provisioning service, use the Management | AWS service | Self-provisioned service | Add change type (CT).

Self-service provisioning is one of the AMS modes for multi-account landing zone (MALZ) that you can employ. For more information, see Modes overview.

To provide self-service provisioning capabilities, AMS has created elevated IAM roles with permission boundaries to limit unintended changes from direct AWS service access. The roles do not prevent all changes and you are responsible to adhere to your internal controls and compliance policies, and to validate that all AWS services being used meet the required certifications. We call this the self-service provisioning mode. For details on AWS compliance requirements, see AWS Compliance.

For resources that you provision through self-service, AMS provides incident management, detective controls and guardrails, reporting, designated resources (Cloud Service Delivery Manager and Cloud Architect), security and access, and technical support through service requests. Additionally, where applicable, you assume responsibility for continuity management, patch management, infrastructure monitoring, and change management for resources provisioned or configured outside of the AMS change management system.


To request that AMS provide an additional self-service provisioning service, file a service request.

Currently, these are the self-service provisioning service (SSPS) options, you can choose from those listed.