The AWS Managed Services (AMS) Advanced operational plan includes preventative controls through a change management system within an AWS managed landing zone. It provides a full operational solution and trades some flexibility for increased operational rigor to protect your critical business applications.
Service desk
AMS offers unlimited incidents and service request interactions with responses within 15 minutes and incident restorations within 4 hours, depending on the Service Level Agreements (SLAs). You have 24/7 access to our team of cloud experts through web case, phone, or chat.
AMS helps protect your organization's information, as well as its infrastructure, with our incident response and resolution capabilities. AMS proactively detects security and availability issues, and it offers unlimited incident response across AWS. Our team of cloud experts is here to investigate, remediate, and restore your infrastructure.
Create unlimited service requests for information on how to use AMS, troubleshoot operational issues that are not an incident, and receive guidance on operational integration for your workloads. Contact our team of cloud experts through web case, phone, or chat.
AWS Incident Detection and Response is an add-on to Enterprise Support that offers 24/7 proactive monitoring and incident management for subscribed or onboarded workloads. AWS Incident Detection and Response is available at no additional charge in eligible AWS Regions for AMS direct customers with AWS Enterprise Support.
Operational monitoring
AMS monitors the logs and metrics of your AWS resources 24/7 to detect performance and availability issues. After receiving an alert, AMS combines automated remediations, cloud experts, and processes to bring the resources back to a healthy state. It engages with your teams to convert insights into learnings on how to prevent this behavior in the future.
AMS monitors the performance and the availability of AWS services, Regions, and accounts using AWS Health. We work with you to prepare for planned activities and to respond to events in progress.
Backup management
AMS helps you back up critical information on a regular basis and assists with a timely recovery using a proven methodology. You define the backup schedules, frequency, and retention period while AMS initiates and monitors all backup jobs.
Cost optimization
Your AMS Cloud Service Delivery Manager (CSDM) provides monthly recommendations to optimize your AWS usage and cost. Our team of cloud experts will make the changes to your infrastructure based on the recommendations to ensure that you get the most out of your AWS investment.
Logging
AMS aggregates and stores all logs generated as a result of all operations in Amazon CloudWatch, AWS CloudTrail, and system logs. Consistent log handling prevents tampering and makes it faster and easier for us and customers to audit, detect, and resolve issues.
Reporting
AMS provides customers with a monthly service report that summarizes key AMS performance metrics. This report includes an executive summary and insights, operational metrics, AMS SLA adherence, and financial metrics around spend, savings, and cost optimization. Reports are delivered by an AMS CSDM designated to the customer.
Service delivery
AMS offers two tiers of service levels, Plus and Premium, to meet the operational requirements for different types of workloads. The Plus service level is targeted at non-production and non-critical workloads, and the higher service levels of the Premium tier are targeted at the needs of business-critical applications. Credits are provided for non-conformance to SLAs for each tier, and customers have the flexibility to choose between the tiers per account on a monthly basis.
AMS designates a CSDM who provides visibility, recommendations, an escalation channel, and reporting through all phases of the operations lifecycle, including onboarding and migration. CSDMs conduct monthly business reviews and provide insights like financial spending, cost-saving recommendations, service utilization, and risk reporting.
AMS designates a Cloud Architect (CA) who provides technical expertise to navigate the operational challenges of cloud computing. They help identify candidate workloads from the application pipeline, onboard accounts, lead game days, perform disaster recovery testing, and provide problem management and architectural guidance.
Planned event management engagements are conducted with customers in preparation for launch, including game days, workshops, security, operational readiness, and technical reviews.
Patching
AMS applies and installs updates to Amazon Elastic Compute Cloud (Amazon EC2) instances for supported operating systems during your chosen maintenance windows. AMS creates a snapshot of the instance before patching, monitors the patch installation, and notifies you of the outcome. In case of patching failures, AMS investigates the failure and tries to remediate it or rolls back the instance if needed.
AMS produces updated Amazon Machine Images (AMIs) every month for each of our supported operating systems. They are based on updated AMIs that are modified for AMS and are hardened following Center for Internet Security (CIS) guidelines.
Landing zone and account operations
AMS provides a standard security-tested and conformant architecture to start your cloud journey. Our managed landing zone is preconfigured with the infrastructure to facilitate authentication, security, networking, and logging. Therefore, you can quickly migrate your AWS workloads while we handle ongoing landing zone management.
Provisioning and change management
The AMS change system protects your workloads by preventing the execution of risky changes to your AWS infrastructure or unauthorized access. Customers request changes from a library of automated changes previously vetted by our security and operations teams or request manual changes that will be reviewed and executed by our operations team if they are deemed safe.
You can provision resources in several ways, including AWS Managed Services Change Management, security-hardened AMIs, CloudFormation templates, AWS Service Catalog, IT service management (ITSM) integration, and self-service provisioning.
Create and record unlimited changes through a secure and controlled mechanism in the AMS environment, with automated and manual changes that can be scheduled at your convenience. Change control allows you to restrict access and ensure that only authorized changes are made in your environment.
Access management
AMS provides a Microsoft Active Directory (AD) based access model for Amazon EC2 instances that is secure and integrates with the customer's AD. AMS operates the AD while giving the customer control of their authentication model. We handle the creation, coordination, and management of the AD while customers focus on user administration.
The AMS security team reviews customer-proposed IAM roles and security groups, evaluating proposed policies against a known standard, to ensure properly scoped-down roles across AMS managed accounts. The AMS security team regularly interacts with the customers' security team to ensure that access controls meet the customers' expectations.
Security management
AMS protects your resources with AWS security tools optimized to reduce noise and identify indications of an upcoming security incident. AMS uses Amazon GuardDuty to identify potentially unauthorized or malicious activity in your AWS environment. AMS uses Amazon Macie to protect your sensitive data, such as personal health information (PHI), personally identifiable information (PII), and financial data.
All access to Amazon EC2 instances inside AMS managed accounts, for both customers and AMS, is gated by the use of bastions. AMS maintains both Linux and Windows RDP bastions for instances that are accessible over customers' private connection (VPN or DX). In addition to being protected by a firewall that prevents inbound traffic, bastions are regularly reprovisioned on a fixed schedule.
AMS Managed Firewall extends AWS networking and security capabilities with a fully managed firewall appliance, combining industry-leading firewall technology with day-to-day infrastructure management, security incident response, and event remediation capabilities within a compliant operating environment. The Managed Firewall creates a single, highly available connection point to the internet, reduces the attack surface for data breaches, blocks egressing of sensitive data from customer accounts, and meets the compliance requirements for regulated industries.
ITSM integration
AMS provides bidirectional integration with the customer's ITSM solution, including a productized connector with ServiceNow, to enable the creation, update, and sync of incidents, service requests, and change requests.