
AWS Managed Services (AMS) Self-Service Reporting (SSR) and AWS Organizations


AWS Managed Services (AMS) Self-Service Reporting (SSR) collects data from various native AWS services and provides access to reports on major AMS offerings. SSR provides the information that you can use to support operations, configuration management, asset management, security management, and compliance.

After you integrate with AWS Organizations, you can enable Aggregated self-service reporting (SSR). This is an AMS feature that allows Advanced and Accelerate customers to view their existing Self-service reports aggregated at the organization level, cross-account. This gives you visibility into key operational metrics such as patch compliance, backup coverage, and incidents across all AMS-managed accounts within AWS Organizations.

Use the following information to help you integrate AWS Managed Services (AMS) Self-Service Reporting (SSR) with AWS Organizations.

Service-linked roles created when you enable integration

The following service-linked role is automatically created in your organization's management account when you enable trusted access. This role allows AMS to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between AMS and Organizations, or if you remove the member account from the organization.

  • AWSServiceRoleForManagedServices_SelfServiceReporting

Service principals used by the service-linked roles

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by AMS grant access to the following service principals:

  • selfservicereporting.managedservices.amazonaws.com

Enabling trusted access with AMS

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

You can enable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

To enable trusted service access using the Organizations CLI/SDK

Use the following AWS CLI commands or API operations to enable trusted service access:

  • AWS CLI: enable-aws-service-access

    Run the following command to enable AWS Managed Services (AMS) Self-Service Reporting (SSR) as a trusted service with Organizations.

    $ aws organizations enable-aws-service-access \
        --service-principal selfservicereporting.managedservices.amazonaws.com

    This command produces no output when successful.

  • AWS API: EnableAWSServiceAccess


Disabling trusted access with AMS

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

To disable trusted service access using the Organizations CLI/SDK

Use the following AWS CLI commands or API operations to disable trusted service access:

  • AWS CLI: disable-aws-service-access

    Run the following command to disable AWS Managed Services (AMS) Self-Service Reporting (SSR) as a trusted service with Organizations.

    $ aws organizations disable-aws-service-access \
        --service-principal selfservicereporting.managedservices.amazonaws.com

    This command produces no output when successful.

  • AWS API: DisableAWSServiceAccess


Enabling a delegated administrator account for AMS

Delegated administrator accounts can view AMS reports (such as patch and backup) across all the accounts in a single aggregated view in the AMS console.

You can add a delegated administrator using either the AMS console or API, or by using the Organizations RegisterDelegatedAdministrator CLI or SDK operation.

Disabling a delegated administrator for AMS

Only an administrator in the organization management account can configure a delegated administrator for AMS.

You can remove the delegated administrator using either the AMS console or API, or by using the Organizations DeregisterDelegatedAdministrator CLI or SDK operation.
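
Because the enable and disable commands print nothing on success, it helps to confirm the resulting state: whether the SSR service principal currently has trusted access, and whether every delegated administrator registered for it is an account you approved. The script below is an added example, not part of the AWS documentation. It relies on the Organizations CLI commands `list-aws-service-access-for-organization` and `list-delegated-administrators`, which this page does not mention, and the allowlisted account IDs in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit AMS SSR trusted access and its delegated administrators.
SSR_PRINCIPAL="selfservicereporting.managedservices.amazonaws.com"

# stdin: one enabled service principal per line. Succeeds only on an exact match.
ssr_trusted() {
    grep -Fxq "$SSR_PRINCIPAL"
}

# $1: space-separated allowlist of approved account IDs (assumption: you keep one).
# stdin: one delegated-administrator account ID per line.
# Prints every ID that is not approved; returns 1 if any was printed.
unexpected_admins() {
    allow=" $1 "
    rc=0
    while IFS= read -r id; do
        # Skip blanks and the literal None the CLI's text output uses for a null value.
        if [ -z "$id" ] || [ "$id" = "None" ]; then continue; fi
        case "$allow" in
            *" $id "*) ;;
            *) printf '%s\n' "$id"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Live data sources (need AWS credentials with Organizations read access).
live_principals() {
    aws organizations list-aws-service-access-for-organization \
        --query 'EnabledServicePrincipals[].ServicePrincipal' --output text | tr '\t' '\n'
}
live_admins() {
    aws organizations list-delegated-administrators \
        --service-principal "$SSR_PRINCIPAL" \
        --query 'DelegatedAdministrators[].Id' --output text | tr '\t' '\n'
}

# Run as: sh audit.sh --live "111111111111 222222222222"   (constructed account IDs)
if [ "${1:-}" = "--live" ]; then
    if live_principals | ssr_trusted; then
        echo "trusted access: ENABLED for $SSR_PRINCIPAL"
        live_admins | unexpected_admins "${2:-}" | sed 's/^/unapproved delegated admin: /'
    else
        echo "trusted access: not enabled for $SSR_PRINCIPAL"
    fi
fi
```

Without `--live` the script only defines the functions, so the two checks can also be fed saved CLI output for offline review.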
