AMS Advanced features

AMS Advanced offers the following features for supported AWS services:

Logging, Monitoring, Guardrails, and Event Management

AMS Advanced configures and monitors your managed environment for logging activity and defines alerts based on a variety of health checks. Alerts are investigated by AMS for applicable AWS services, and those that negatively impact your usage of those services result in the creation of incidents. AMS Advanced is designed to aggregate and store all logs generated as a result of all operations in CloudWatch, CloudTrail, and system logs in S3. Upon request, you can ask for additional alerts to be put in place. In addition to AMS' preventative controls, AMS Advanced deploys configuration guardrails and detective controls to provide ongoing protection from misconfigurations that could reduce the operational and security integrity of the managed accounts, and to enforce your own controls such as tagging and compliance. When a violation of a monitored control is detected, an alarm is generated that results in notification, modification, or termination of resources based on pre-defined AMS defaults that you can modify.
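As an added illustration of the detective-control pattern described above (this is example code, not AMS's own guardrail implementation), the following models a small guardrail evaluation: constructed resource records are checked against a required-tag rule, a public-SSH-ingress rule, and an approved-AMI rule, and each finding is mapped to a default response (notify, modify, terminate) that an account owner can override. The control ids, tag names, AMI ids and resource records are all constructed for this example.

```python
"""Added example (not AMS code): a simplified detective control that maps
guardrail findings to a default response action, with per-account overrides.
All control ids, tag names, AMI ids and resource records are constructed."""

REQUIRED_TAGS = {"Owner", "CostCenter", "Environment"}
APPROVED_AMIS = {"ami-approved-1"}          # constructed allow-list

# Constructed default responses keyed by control id; an account owner can
# override any of them (see evaluate_guardrails).
DEFAULT_RESPONSES = {
    "missing-required-tags": "notify",
    "public-ssh-ingress": "modify",       # e.g. revoke the offending rule
    "unapproved-ami": "terminate",
}

# Constructed sample of resources as a configuration snapshot might report them.
RESOURCES = [
    {"id": "i-0aaa", "tags": {"Owner": "team-a", "CostCenter": "42", "Environment": "prod"},
     "ami": "ami-approved-1", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "i-0bbb", "tags": {"Owner": "team-b"},
     "ami": "ami-approved-1", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "i-0ccc", "tags": {"Owner": "team-c", "CostCenter": "7", "Environment": "dev"},
     "ami": "ami-unknown-9", "ingress": []},
]


def check_resource(resource, approved_amis=APPROVED_AMIS):
    """Return the list of control ids this resource violates, in a fixed order."""
    findings = []
    if REQUIRED_TAGS - set(resource["tags"]):
        findings.append("missing-required-tags")
    if any(r["port"] == 22 and r["cidr"] == "0.0.0.0/0" for r in resource["ingress"]):
        findings.append("public-ssh-ingress")
    if resource["ami"] not in approved_amis:
        findings.append("unapproved-ami")
    return findings


def evaluate_guardrails(resources, overrides=None):
    """Turn every finding into an alarm record carrying the response action.

    Account-level overrides take precedence over DEFAULT_RESPONSES, mirroring
    defaults that the account owner is allowed to modify.
    """
    responses = {**DEFAULT_RESPONSES, **(overrides or {})}
    alarms = []
    for res in resources:
        for control in check_resource(res):
            alarms.append({"resource": res["id"], "control": control,
                           "action": responses[control]})
    return alarms


if __name__ == "__main__":
    for alarm in evaluate_guardrails(RESOURCES):
        print(alarm)
    # An account that prefers to be notified rather than have instances
    # terminated for an unapproved AMI:
    for alarm in evaluate_guardrails(RESOURCES, {"unapproved-ami": "notify"}):
        print(alarm)
```

The point of the override table is the last sentence of the section: the action taken on a violation is a default, and the tenant decides whether an unapproved image should be terminated or merely reported.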

Continuity management (Backup and Restore)

AMS Advanced provides backups of resources on a scheduled interval determined by you. Restore actions from specific snapshots can be performed by AMS Advanced upon your RFC. Data changes that occur between snapshot intervals are your responsibility to back up. You can submit an RFC for backup or snapshot requests outside of scheduled intervals. In the case of Availability Zone (AZ) unavailability in an AWS Region, with your permission, AMS Advanced is designed to restore the managed environment by recreating new stack(s) based on templates and available EBS snapshots of the impacted stacks.

Security and access management

AMS Advanced provides security management services such as configuring anti-virus and anti-malware protection. AMS Advanced also configures default AWS security capabilities that are approved by you during onboarding, to monitor and respond to security issues. You manage your users through an approved directory service provided by you. 

AMS Advanced includes management of your endpoint security (EPS). Security groups are defined per stack template and are modified at launch depending on the visibility of the application (public or private).

Access to systems is requested through change management requests for change (RFCs). Access management provides access to distinct resources, such as Amazon EC2 instances, the AWS Management Console, and APIs. After establishing a one-way trust with an AMS Microsoft Active Directory deployment during onboarding and federating to AWS, you can use your existing corporate credentials for all interactions.  

Patch management

AMS Advanced is designed to apply and install updates to EC2 instances for supported operating systems (OSs) and software pre-installed with supported operating systems.

AMS Advanced manages two models for patching:

  • AMS standard patch for traditional account-based patching, and 
  • AMS Patch Orchestrator, for tag-based patching.

In AMS standard patch, a monthly maintenance window is chosen by you for AMS to perform most patching activities. AMS Advanced applies critical security updates outside of the selected maintenance window (with appropriate customer notifications) and important updates during the selected maintenance window. AMS Advanced additionally applies updates to infrastructure management tools during the selected maintenance window. AMS Advanced notifies you in advance with the details of the upcoming updates. You can exclude stacks from patch management or reject updates, if you want.

With AMS Patch Orchestrator, a default maintenance window per account is defined by you for AMS to perform patching activities. You can schedule additional custom maintenance windows for AMS to patch a specific set of instances that you define with tags. AMS Advanced applies all available updates, but you can filter or reject updates by creating a custom patch baseline.

For both models, if you approve or reject an update provided under patch management but later change your mind, you are responsible for initiating the update via an RFC. AMS Advanced tracks the patch status of resources and highlights systems that aren't current in the monthly business review. Patch management is limited to stacks in the managed environment, including all AMS managed applications and supported AWS services with patching capabilities (for example, RDS). To support all types of infrastructure configurations when an update is released, AMS a) updates the EC2 instance and b) provides an updated AMS AMI for you to use. It is your responsibility to install, configure, patch, and monitor any additional applications not specifically covered above.
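The difference between "apply all available updates" and "filter or reject via a custom patch baseline" is easiest to see with a worked selection. The following is an added example, not AMS or AWS Systems Manager code: it models a baseline as approval rules (classification and severity filter plus a soak period in days) and an explicit reject list, which is loosely how a patch baseline is shaped, and runs a default "approve everything" baseline next to a custom one over a constructed list of updates. The update ids, dates, rule field names and TODAY are all constructed for this example.

```python
"""Added example (not AMS code): how a custom patch baseline narrows the set
of updates applied, compared with a default that approves everything.  The
rule shape (classification/severity filter, approve-after-days, reject list)
is a simplified model and the update records are constructed."""
from datetime import date, timedelta

TODAY = date(2024, 3, 25)  # constructed evaluation date

# Constructed sample of updates reported as available on an instance.
AVAILABLE_UPDATES = [
    {"id": "KB5001", "classification": "SecurityUpdates", "severity": "Critical",
     "released": date(2024, 3, 1)},
    {"id": "KB5002", "classification": "SecurityUpdates", "severity": "Important",
     "released": date(2024, 3, 20)},
    {"id": "KB5003", "classification": "FeaturePack", "severity": "Low",
     "released": date(2024, 2, 1)},
    {"id": "KB5004", "classification": "SecurityUpdates", "severity": "Critical",
     "released": date(2024, 3, 10)},
]

# Default behaviour: every available update is approved immediately.
DEFAULT_BASELINE = {
    "approval_rules": [{"classifications": "*", "severities": "*", "approve_after_days": 0}],
    "rejected_patches": set(),
}

# Constructed custom baseline: only Critical/Important security updates, after a
# seven-day soak period, and one update explicitly blocked.
CUSTOM_BASELINE = {
    "approval_rules": [
        {"classifications": {"SecurityUpdates"},
         "severities": {"Critical", "Important"},
         "approve_after_days": 7},
    ],
    "rejected_patches": {"KB5004"},
}


def _permits(allowed, value):
    """'*' means any value; otherwise the value must be in the allowed set."""
    return allowed == "*" or value in allowed


def patch_matches_rule(patch, rule, today):
    """A rule approves a patch when classification and severity match and the
    patch has aged past the rule's approve_after_days soak period."""
    if not _permits(rule["classifications"], patch["classification"]):
        return False
    if not _permits(rule["severities"], patch["severity"]):
        return False
    return patch["released"] + timedelta(days=rule["approve_after_days"]) <= today


def select_patches(available, baseline, today):
    """Return (approved, rejected, pending) lists of update ids.

    An explicit reject wins over any approval rule; updates matched by no rule
    (or not yet past their soak period) are reported as pending rather than
    silently dropped, so they show up in patch-status tracking.
    """
    approved, rejected, pending = [], [], []
    for patch in available:
        if patch["id"] in baseline["rejected_patches"]:
            rejected.append(patch["id"])
        elif any(patch_matches_rule(patch, r, today) for r in baseline["approval_rules"]):
            approved.append(patch["id"])
        else:
            pending.append(patch["id"])
    return approved, rejected, pending


if __name__ == "__main__":
    print("default:", select_patches(AVAILABLE_UPDATES, DEFAULT_BASELINE, TODAY))
    print("custom: ", select_patches(AVAILABLE_UPDATES, CUSTOM_BASELINE, TODAY))
```

Under the default baseline all four updates are approved; under the custom one only KB5001 is approved on TODAY, KB5004 is blocked by the reject list, and KB5002 (still inside its soak period) and KB5003 (wrong classification) remain pending. Whatever is left pending or rejected is, per the section above, yours to initiate later via an RFC if you change your mind.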

Change management

AMS Advanced offers Change Management, which is the mechanism for you to get access to, or affect any changes in, your managed environment. You create a request for change (RFC) using the AMS Advanced interface. AMS Advanced creates RFCs to access your resources or make changes, when needed. All RFCs follow a defined change management process. Access to your resources within a managed production environment is authorized through RFCs, while access to your resources in a managed non-production environment is authorized through RFC and, optionally, through a specialized customer-developer IAM role ("Developer Mode"), upon request. AMS approves and executes RFCs that can be executed using the features or functionalities of AWS services. You can designate a start time for the requested change to be performed through the RFC process. You can also use change management to configure AWS Service offerings in your managed environment. 

All actions on your AMS Advanced resources are coordinated by the AMS change management service and logged in AWS CloudTrail, which records API calls. The AMS system manages requests for change (RFCs), scheduling to prevent overlapping activities, and change approvals. RFCs are classified, and those known to have low risk or impact are run by automated scripts. 

In a multi-account landing zone environment, the degree of change management can differ depending on what AMS mode you are using (modes do not apply to AMS single-account landing zone environments). For more information, see AMS Modes.

  • AMS Managed – Standard Mode
  • AMS Managed – Self Service Provisioning (SSP) Mode
  • AMS Managed – Developer Mode
  • AMS Customer Managed Mode

Automated and self-service provisioning management

You can provision AWS resources on AMS Advanced in several ways:

  • Submit provisioning and configuration change types
  • Deploy AMS-provided security-hardened AMIs inclusive of your application
  • Deploy full stacks using CloudFormation templates
  • Deploy through your integrated IT service management (ITSM)
  • Deploy through AWS Service Catalog
  • Configure AWS services directly using self-service provisioning for select AWS services (see Supported AWS services).

To provide self-service provisioning capabilities, AMS Advanced has created elevated IAM roles with permission boundaries to limit unintended changes from direct AWS service access. Roles do not prevent all changes, and you are responsible for adhering to your internal controls and compliance requirements, and for validating that all AWS services being used meet the required certifications. We call this the self-service provisioning mode.

For resources that you provision through self-service, AMS Advanced is designed to provide incident management, detective controls and guardrails, reporting, designated resources (Cloud Service Delivery Manager and Cloud Architect), security and access, and technical support via service requests. Additionally, where applicable, you assume responsibility for continuity management, patch management, infrastructure monitoring, and change management for resources provisioned or configured outside of the AMS Advanced change management system.
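The sentence "roles do not prevent all changes" follows from how a permissions boundary works: a boundary never grants anything, it only caps what the role's own policy can grant, and an explicit Deny in either document wins. The following added example (not AMS code and not the boundary AMS actually deploys) models that evaluation over two constructed policy documents in standard IAM JSON shape. It deliberately leaves out Condition blocks, resource-based policies and SCPs; action matching is case-insensitive with `*` and `?` wildcards, as in IAM.

```python
"""Added example (not AMS code): a simplified IAM evaluation showing how a
permissions boundary limits an elevated role.  Modelled rules: an explicit
Deny anywhere wins; otherwise an action is allowed only if BOTH the identity
policy AND the boundary allow it.  Conditions, resource policies and SCPs are
omitted.  The policy documents below are constructed for this example."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and support '*' and '?' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        action_hit = any(_action_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny short-circuits everything
            decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policy, boundary):
    """Effective permission = identity policy AND boundary; explicit Deny wins."""
    ident = evaluate(identity_policy, action, resource)
    bound = evaluate(boundary, action, resource)
    if "Deny" in (ident, bound):
        return False
    return ident == "Allow" and bound == "Allow"


# Constructed: a broad role policy, and a boundary that confines it to a few
# services and blocks destructive networking calls.
ELEVATED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudwatch:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:DeleteVpc", "ec2:DeleteSubnet"], "Resource": "*"},
    ],
}
# Constructed: a narrow role policy, to show that the boundary grants nothing
# by itself even where it would allow the action.
NARROW_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}


if __name__ == "__main__":
    for action in ("ec2:RunInstances", "iam:CreateUser", "ec2:DeleteVpc"):
        print(action, is_allowed(action, "*", ELEVATED_ROLE_POLICY, PERMISSIONS_BOUNDARY))
    print("narrow ec2:RunInstances",
          is_allowed("ec2:RunInstances", "*", NARROW_ROLE_POLICY, PERMISSIONS_BOUNDARY))
```

With the elevated role, ec2:RunInstances passes because both documents allow it, iam:CreateUser fails because the boundary is silent on IAM, and ec2:DeleteVpc fails on the boundary's explicit Deny. With the narrow role, ec2:RunInstances also fails even though the boundary would allow it, which is the "boundary caps, never grants" property. What the boundary cannot do is stop a change that falls inside the allowed services, which is why the section still puts internal controls and compliance validation on you.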

Incident management

AMS Advanced notifies you of incidents detected by AMS. AMS responds to both customer-submitted and AMS-generated incidents and resolves incidents based on the incident priority. Unless otherwise instructed by you, incidents that are determined by AMS to be a risk to the security of your managed environment, and incidents relating to the availability of AMS and other AWS services, are actioned without waiting for your authorization. AMS Advanced takes action on all other incidents once your authorization is received. Recurring incidents are addressed by the problem management process.

Problem management

AMS Advanced is designed to perform trend analysis to identify and investigate problems and to identify the root cause. Problems are remediated either with a workaround or a permanent solution that prevents recurrence of similar future service impact. A post incident report (PIR) may be requested for any "High" incident, upon resolution. The PIR captures the root cause and preventative actions taken, including implementation of preventative measures.  

Reporting

AMS Advanced is designed to provide you with a monthly service report that summarizes key performance metrics of AMS, including an executive summary and insights, operational metrics, managed resources, AMS Advanced service level agreement (SLA) adherence, and financial metrics around spending, savings, and cost optimization. Reports are delivered by the AMS Advanced cloud service delivery manager (CSDM) assigned to you. 

Service request management

You can request information about your managed environment, AMS Advanced, or AWS service offerings by submitting service requests using the AMS interface. Service request types also include "How to" questions about AWS services and features, troubleshooting API issues, and technical support cases.

Service Desk

AMS staffs engineering operations with full-time Amazon employees to fulfill non-automated requests, including incident management, service request management, and change management. The Service Desk operates 24x7, 365 days a year.

Designated resources

Each customer is assigned a Cloud Service Delivery Manager (CSDM) and a Cloud Architect (CA). 

  • CSDMs can be contacted directly. They perform service reviews and deliver reporting and insights through all phases of the implementation, migration and operational life cycle. CSDMs conduct monthly business reviews and detail items such as financial spend, cost-saving recommendations, service utilization, and risk reporting. They dive deep into operational performance statistics and provide recommendations on areas for improvement.
  • CAs can be contacted directly and provide technical expertise to help you optimize your use of the AWS cloud. Example CA activities include selecting workloads for migration, assisting with onboarding additional accounts and workloads, acting as the technical lead in operational activities such as game days, disaster recovery testing, and problem management, and giving technical advice to get the most out of AMS and AWS. CAs drive technical discussions at all levels of your organization and assist with incident management, making trade-offs, establishing best practices, and technical risk mitigation.

Developer mode

This feature enables you to iterate infrastructure designs and deployments in an efficient timeframe within AMS-configured accounts [1] by allowing direct access to AWS service APIs and the AWS console in addition to access to the AMS change management process. Resources provisioned or configured with developer mode permissions outside of the change management process are your responsibility to manage (See "Automated and Self-Service Provisioning Management"). Resources provisioned through the AMS change management process are supported like other change management-provisioned workloads on AMS.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.