AMS responsibility matrix (RACI)
Note
To fulfill its obligations in a timely manner, AWS Managed Services (AMS) may require inputs from you to decide on an appropriate course of action. AMS contacts the designated customer contact for all such clarifications and inputs and expects a response within 24 business hours. If there is no reply within 24 business hours, AMS may choose an action on your behalf.
The AMS responsible, accountable, consulted, and informed, or RACI, matrix assigns primary responsibility either to the customer or AMS for a variety of activities.
AMS manages your AWS infrastructure. The following table provides an overview of the responsibilities of the customer and of AMS for activities in the lifecycle of an application running within an AMS managed environment.
AMS is not responsible for any of the following activities for Customer Managed accounts or the infrastructure running within them; therefore this RACI does not apply to those accounts.
R stands for responsible: the party that does the work to achieve the task.
C stands for consulted: a party whose opinions are sought, typically as subject matter experts, and with whom there is bilateral communication.
I stands for informed: a party that is kept informed of progress, often only on completion of the task or deliverable.
Self-service Provisioning refers to resources that are provisioned by the customer with self-service through the AWS API or Console, including Developer Mode and Self-Service Provisioned Services.
Note
Some sections contain 'R' for both AMS and Customers. This is because, in the AWS Shared Responsibility model, both AMS and the customers take joint ownership to respond to infrastructure and application issues.
To provide self-service provisioning capabilities, AMS has created elevated IAM roles with permission boundaries that limit unintended changes made through direct AWS service access. These roles do not prevent all changes; you remain responsible for adhering to your internal controls and compliance requirements, and for validating that all AWS services you use meet the required certifications. We call this the Self-Service Provisioning mode. For details on AWS compliance requirements, see AWS Compliance. For resources that you provision through self-service, AMS provides incident management, detective controls and guardrails, reporting, designated resources (Cloud Service Delivery Manager and Cloud Architect), security and access management, and technical support through service requests. Additionally, where applicable, you assume responsibility for continuity management, patch management, infrastructure monitoring, and change management for resources provisioned or configured outside of the AMS change management system.
The first two value columns apply to resources managed through the AMS change management process. The last two columns give the assignment for resources provisioned through Self-Service Provisioning, for the activities where the matrix distinguishes it.

| Activity | Customer | AWS Managed Services (AMS) | Customer (Self-Service Provisioning) | AMS (Self-Service Provisioning) |
|---|---|---|---|---|
| Application lifecycle | | | | |
| Application development | R | I | | |
| Application infrastructure requirements analysis and design | R | C | | |
| Design and optimization for non-standard AMS stacks | R | C | | |
| Design and optimization of AMS standard stack | I | R | | |
| Application deployment | R | C | | |
| AWS Infrastructure deployment | C | R | | |
| Application monitoring | R | I | | |
| Application testing/optimization | R | I | | |
| AWS infrastructure optimization guidance | I | R | | |
| AWS infrastructure monitoring | I | R | | |
| Troubleshoot and resolve application issues | R | C | | |
| Troubleshoot and resolve AWS network issues | C | R | | |
| Troubleshoot and resolve operating system and infrastructure issues | C | R | R | C |
| Application and ITSM Integration | | | | |
| Application integration with AWS Service Offerings | R | C | | |
| ITSM integration with the AWS Managed Services Interface | R | C | | |
| Networking | | | | |
| Managed Environment VPC and VPC set-up and configuration | C | R | | |
| Allocate private address space for VPCs (e.g. /16) | R | C | | |
| Configure & Operate non-AWS Managed Services, Customer managed Firewalls/Proxy/Bastions/HOSTs | R | C | | |
| Configure & Operate AWS Security Groups/NAT/Customer Bastions/NACL inside the Managed Environment | I | R | | |
| Networking (e.g. DirectConnect) configuration and implementation within customer network | R | C | | |
| Networking configuration and implementation within the Managed Environment | C | R | | |
| Managed environment configuration | | | | |
| Define default Auto Scaling settings for baseline Stack templates | I | R | | |
| Recommend RI optimization | C | R | | |
| Purchase RI and PIOP capacity | R | C | | |
| Remove capacity when capacity is over provisioned (when supported by customer application) | C | R | | |
| Create/update AWS customer specific information for AWS Managed Services | C | R | | |
| S3 configuration | C | R | R | C |
| Glacier configuration | C | R | | |
| Define archival policy | R | C | | |
| Archival policy configuration | C | R | | |
| Selecting customer maintenance window | R | I | | |
| AWS RDS Management | | | | |
| Monitor source/replica/RO replication health | I | R | | |
| Identify RCA of source failover | I | R | | |
| Automated snapshot (backup) configuration | C | R | R | C |
| Coordinate and schedule DB engine patch management | C | R | R | C |
| Recommend DB storage and PIOP capacity | C | R | R | C |
| Recommend instance sizing for running databases | C | R | R | C |
| Recommend RI optimization for Managed Environment | C | R | R | C |
| RDS performance monitoring (CloudWatch) | C | R | R | C |
| RDS event subscription configuration (SNS) | C | R | R | C |
| RDS security group configuration | C | R | R | C |
| RDS engine parameter/option configuration | R | C | | |
| DB table design | R | I | | |
| DB indexing | R | I | | |
| DB log analysis | R | I | | |
| AMS Change Management | | | | |
| Creating customer RFCs (e.g. access to resources, creating/updating/deleting managed stacks, deploying/updating applications, changes to configuration of AWS Service Offerings) | R | I | | |
| Approving Customer RFCs | I | R | | |
| Creating AWS Managed Services RFCs (e.g. access to resources, creating resources on customer's behalf, applying updates to OS as part of Patch Management) | I | R | | |
| Approving non-automated RFCs | R | I | | |
| Submitting request for new Change Types | R | C | | |
| Creating new Change Types | I | R | | |
| Maintenance of application change calendar | R | C | | |
| Notice of upcoming Maintenance Window | I | R | | |
| AWS Service Catalog | | | | |
| Create portfolios and products | R | I | | |
| Distribute products to end users | R | I | | |
| Create tags and tag option library | R | C | | |
| Sharing portfolios and products with end users | R | I | | |
| Revise / update portfolios and products | R | I | | |
| Create and assign constraints to portfolios and products | R | C | | |
| Associate Service Actions to products | R | C | | |
| Update provisioned resources with new version of product | R | I | | |
| Provisioning | | | | |
| Customer specific additions to AWS Managed Services baseline AMI | R | C | | |
| Configure additional approved Change Types used to provision Stack templates | C | R | | |
| Launch managed Stacks and associated AWS resources submitted through AMS change management process or AWS Service Catalog | I | R | R | I |
| Install/Update custom and 3rd party applications on Instances provisioned through AMS change management process or AWS Service Catalog | R | I | | |
| Provisioning - Stack Architecture | | | | |
| Providing OS licenses (including usage fees for the applicable AWS services, e.g. EC2 and RDS) | I | R | R | I |
| Define baseline infrastructure templates (Stacks) for application deployment through AMS change management system | I | R | R | I |
| Creating baseline approved AMIs⁸ | I | R | | |
| Evaluate customer application inventory and determine fit with available infrastructure templates (Stacks) | R | C | | |
| Define unique Stacks that are in addition to the baseline template offerings | R | C | | |
| Logging, Monitoring and Event Management | | | | |
| Recording AWS infrastructure change logs | I | R | | |
| Recording all application change logs | R | C | | |
| Installation and configuration of agents and scripts for patching, security, monitoring, etc. of AWS infrastructure provisioned through the AMS change management process | I | R | R | C |
| Define customer specific monitoring and incident requirements | R | C | | |
| Configuring alerts for Managed Environment | I | R | | |
| Monitoring all AMS configured alerts | I | R | R | C |
| Investigating infrastructure Alerts for Incident notification | I | R | R | C |
| Investigating application alarms | R | C | | |
| Incident Management | | | | |
| Proactively notify Incidents on AWS infrastructure based on monitoring | I | R | R | C |
| Handle application performance issues and outages | R | I | | |
| Categorize Incident priority | I | R | | |
| Provide Incident response | I | R | | |
| Provide Incident resolution / infrastructure restore (Note: SLAs do not apply to instance-based resources provisioned outside AMS change management, including those provisioned using self-service provisioning and developer mode) | C | R | | |
| Problem Management | | | | |
| Identify Problems in Managed Environment | C | R | | |
| Perform RCA for Problems in Managed Environment | C | R | | |
| Remediation of Problems in Managed Environment | C | R | | |
| Identify and remediate application problems | R | I | | |
| Security Management | | | | |
| Customer infrastructure security and/or establishing baseline for security compliance process as determined and agreed to during customer onboarding | C | R | R | C |
| Maintaining valid licenses for Managed EPS | R | C | | |
| Configure Managed EPS | I | R | R | C |
| Update Managed EPS | I | R | R | C |
| Monitoring malware on instances provisioned through the AMS CM process | I | R | R | C |
| Maintaining and updating virus signatures | I | R | R | C |
| Remediating instances infected with malware | C | R | R | C |
| Security event management | C | R | | |
| Security - Access Management | | | | |
| Manage the lifecycle of users, and their permissions for local directory services, which are used to access AWS Managed Services | R | I | | |
| Operate federated authentication system(s) for customer access to AWS console/APIs | R | C | | |
| Accept and maintain Active Directory (AD) trust from AWS Managed Services AD to customer managed AD | R | C | | |
| During onboarding, create cross-account IAM Admin roles within each managed account | R | C | | |
| Secure the AWS root credential for each account | I | R | | |
| Define IAM resources for Managed Environment | C | R | | |
| Manage privileged credentials for OS access for AMS engineers | I | R | | |
| Manage privileged credentials for OS access provided to customer by AMS | R | I | | |
| Security Incident Response - Prepare | | | | |
| Communications | | | | |
| Provide customer security contact details for AMS to use during security event notifications and security escalations | R | I | | |
| Store and manage the supplied customer security contact details to use during security events and security escalations | CI | R | | |
| Training | | | | |
| Provide customer with documentation to support AMS during incident response process | I | R | | |
| Practice shared responsibility during incident response processes through security gamedays | RI | RC | | |
| Resource management | | | | |
| Configure supported security management AWS services for alerting, alert correlation, noise reduction and additional rules | I | R | | |
| Maintain asset (AWS resources) inventory, and know the asset value and criticality of assets. This information is helpful during incident containment strategy | R | CI | | |
| Employ AWS tags to identify resources and workloads | R | CI | | |
| Define and configure log retention and archival | CI | R | | |
| Secure baselining of AWS account, configurations, policies and access management | CI | RC | | |
| Security Incident Response - Detect | | | | |
| Logging, indicators and monitoring | | | | |
| Configure logging and monitoring to enable event management for instances and accounts | CI | R | | |
| Monitor supported AWS services for security alerts | I | R | | |
| Deploy and manage endpoint security tools | CI | R | | |
| Monitor for malware on instances using AMS supported endpoint security tool | I | R | | |
| Notify customer of detected events through outbound messaging | I | R | | |
| Route notification and any subsequent updates to the decision makers for specific accounts and workloads to improve incident response time | R | CI | | |
| Define, deploy, and maintain AMS standard detection services (for example, Amazon GuardDuty and AWS Config) | CI | R | | |
| Record AWS infrastructure change logs | I | RC | | |
| Enable and configure logging and monitoring to enable event management for the application | R | C | | |
| Implement and maintain an allow-list, deny-list, and custom detections on supported AWS security services (for example, Amazon GuardDuty) | RCI | R | | |
| Security event reporting | | | | |
| Notify AMS of a suspicious activity or an active security investigation | R | CI | | |
| Notify detected security events and incidents to the customer | I | R | | |
| Notify planned event that might trigger Security Incident Response process | R | CI | | |
| Security Incident Response - Analyze | | | | |
| Investigation and analysis | | | | |
| Perform initial response for supported security alert generated by a supported detection source | I | RC | | |
| Assess false/true positives using the available data | RI | RC | | |
| Generate a snapshot of affected instances to be shared with the customer if needed | I | R | | |
| Perform forensics tasks such as chain of custody, file system analysis, memory forensics, and binary analysis | R | CI | | |
| Collect application logs to aid investigation | R | I | | |
| Collect data and logs to aid investigation on security alerts | RCI | RC | | |
| Engage SMEs within AWS services on security investigations | CI | R | | |
| Engage third-party vendors during investigation (for example, for EPS anti-malware investigation and engaging with TrendMicro support team) | RCI | I | | |
| Share investigation logs from supported AWS services to customers during an investigation | I | R | | |
| Communication | | | | |
| Send alerts and notifications from AMS detection sources for managed resources | I | R | | |
| Manage alerts and notifications for application security events | R | I | | |
| Engage customer security point of contact during a security incident investigation | R | I | | |
| Security Incident Response - Contain | | | | |
| Containment strategy and execution | | | | |
| Decide on the execution of the agreed containment strategy and agree with the consequences that might affect the availability of services during the containment window | R | CI | | |
| Make a backup of affected systems for further analysis | CI | R | | |
| Contain applications and workloads (through application specific configuration or response activity) | R | CI | | |
| Define the containment strategy based on the security incident and the affected resource | CI | R | | |
| Enable encryption and secure storage of point in time backups of affected systems | CI | R | | |
| Execute supported containment actions for AWS resources including EC2 instances, network, and IAM | CI | R | | |
| Security Incident Response - Eradicate | | | | |
| Eradication strategy and execution | | | | |
| Define eradication options based on the security incident and the affected resource on customer application workloads | R | CI | | |
| Decide on the agreed eradication strategy, timing of eradication execution, and the consequences | R | CI | | |
| Define eradication steps based on the security incident and the affected resource on AMS managed workloads | CI | R | | |
| Eradicate and harden AWS resources including EC2 instances, network, and IAM | CI | R | | |
| Eradicate and harden applications and workloads (through application specific configuration or response activity) | R | I | | |
| Security Incident Response - Recover | | | | |
| Recovery preparation and execution | | | | |
| Configure backup plans and targets as requested by the customer | R | I | | |
| Review backup plans to restore AMS managed workloads | CI | R | | |
| Perform backup restoration activities for resources of supported AWS services | I | R | | |
| Backup customer application, APP configuration, and deployment settings, and review backup plans to restore customer applications and workloads post-incident | R | I | | |
| Restore applications and customer workloads (through application specific restoration steps) | R | I | | |
| Security Incident Response - Post Incident Report | | | | |
| Post incident reporting | | | | |
| Share appropriate lessons learned and action items with customer post incident as required | I | R | | |
| Patch Management⁹ | | | | |
| Monitor for applicable updates to supported OS and software preinstalled with supported OS for EC2 instances | I | R | R | C |
| Notify customer of upcoming updates (applies to AMS Standard Patch only) | I | R | | |
| Exclude certain updates and/or certain Stacks from patching activities | R | I | | |
| Define default and custom maintenance window schedules and other parameters (e.g. maintenance window duration) to apply patches (applies to AMS Patch Orchestrator only) | R | I | | |
| Define custom Patch Baselines to filter and exclude specific patches (applies to AMS Patch Orchestrator only) | R | I | | |
| Tag instances to associate them with custom maintenance windows and Patch Baselines (applies to AMS Patch Orchestrator only) | R | I | | |
| Track the patch status of resources and highlight systems that aren't current in the monthly business review | C | R | | |
| Patch the Windows operating system, and Microsoft packages installed on the operating system which are governed by Windows Update | I | R | R | - |
| Patch installed applications, software, or application dependencies not managed by Windows Update | R | I | R | - |
| Patch the Linux operating system and any package that is enabled for management by the operating system's native package manager (for example Yum, Apt, Zypper) | I | R | R | - |
| Patch installed applications, software, or application dependencies not managed by the Linux operating system's native package manager | R | I | R | - |
| Continuity Management | | | | |
| Specify backup schedules | R | I | | |
| Execute backups per schedule | I | R | R | C |
| Validate backups | R | I | | |
| Request backup restoration activities | R | I | | |
| Execute backup restoration activities | I | R | R | C |
| Restore affected Stacks and VPCs | I | R | R | C |
| Restore affected custom/3rd party application | R | C | | |
| Reporting | | | | |
| Prepare and deliver monthly service report | I | R | | |
| Prepare and deliver monthly service report (AMS on AWS Outposts) | R | I | | |
| Configure and retrieve API audit history on demand (CloudTrail) | I | R | R | I |
| Provide access to incident history through AWS Managed Services Interface | I | R | | |
| Provide access to change history through AWS Managed Services Interface | I | R | N/A | N/A |
| Service Request Management | | | | |
| Request information using service requests | R | I | | |
| Reply to service requests | I | R | | |
| Managed Firewall | | | | |
| Request the deployment of AMS-Managed Firewall | R | I | | |
| Design and optimization of AMS-Managed Firewall architecture | I | R | | |
| Deployment of AWS Infrastructure and AMS-Managed Firewall appliance | I | R | | |
| Providing Firewall licenses (including usage fees for the applicable AWS services, e.g. EC2) | R | I | | |
| Define default domain allow-list | I | R | | |
| Request to add, modify, and delete custom allow-lists and security policies | R | I | | |
| Configuring alerts for AMS-Managed Firewall | I | R | | |
| Monitoring all AMS-Managed Firewall configured alerts | I | R | | |
| Execute Backups of firewall configuration | I | R | | |
| Request backup restoration activities | R | I | | |
| Update provisioned resources with new version of product | I | R | | |
| Recording AMS-Managed Firewall logs | I | R | | |
| Forward logs from AMS-Managed Firewall to CloudWatch | I | R | | |
| Request configuration changes in the AMS-Managed Firewall | R | I | | |
| Approve configuration changes in the AMS-Managed Firewall | I | R | | |
| Execute configuration changes in the AMS-Managed Firewall | I | R | | |

⁸ AMS provides AMIs for Amazon EC2 only.
⁹ AMS is responsible for End of Life OSes only when the customer signs an extended support agreement with the OS vendor.