Document history

Update change type walkthroughs

Management | Managed landing zone | Application account | Confirm offboarding and Management | Managed landing zone | Management account | Offboard application account  Note added: After confirming the offboarding you have 48 hours to run the offboarding change type. If not run in 48 hours, the confirmation is dropped and the process must be restarted.

February 20, 2025

Update change type walkthrough

Management | Custom Stack | Stack from CloudFormation Template | Remediate drift  The list of resources supported for this CT was added.

February 20, 2025

New change type

Management | Host security | Trend Micro DSM | Update agent status (review required).

February 20, 2025

New change type

Management | Host security | Trend Micro | Add User (review required).

February 20, 2025

Updated change type: Deployment | Standalone resources | EC2 instance | Create for WIGS (Review Required)

A note was added that, in order to use the AWS Marketplace AMI you must subscribe to the AMI from that account, and then agree to the terms of the AMI. AMS can not perform these actions for you because as a buyer you perform these actions yourself.

January 23, 2025

New change type: Management | Monitoring and notification | SNS | Update (Review Required)

Change type for requesting that AMS update an SNS topic in your account for you. Use this when you need extra help or communications about the SNS topic to update.

January 23, 2025

New change type: Management | Advanced stack components | EBS snapshot | Delete (Review Required)

Change type for requesting that AMS delete EBS snapshots for you. Use this when you need extra help or communications about the snapshots to delete.

January 23, 2025

New change type: Deployment | Advanced stack components | S3 access point | Create

Change type for creating an S3 access point.

January 23, 2025

New change type parameter

Deployment | Advanced stack components | S3 storage | Create and Management | Advanced stack components | S3 storage | Update  Change types for creating and updating S3 storage, new parameter for tags.

January 23, 2025

Updated change type: Deployment | Advanced stack components | RDS database stack | Create DB subnet group

"pattern" is removed from the Keys and Tags sections of the CT schema.

December 19, 2024

Updated change type: Deployment | AMS Resource Scheduler | Solution | Deploy

Parameters MemorySize and SchedulerFrequency added to the CT schemas. Default values are 512MB and 10 mins, respectively.

December 19, 2024

Updated change type: Management | Advanced stack components | Target group | Detach instances

A new version of this change type is now available.

November 21, 2024

Updated change type: Management | Advanced stack components | S3 storage | Update

A new version of this change type is now available.

November 21, 2024

Updated change type: Deployment | Advanced stack components | S3 storage | Create

A new version of this change type is now available.

November 21, 2024

Updated change type

The ExpectedExecutionDurationInMinutes was updated from 60 to 240 for the following 35 change types:

November 21, 2024

Updated change type

Change Type description is updated to reflect that this CT is used to update read-only access.

October 24, 2024

Updated change type

Change Type description is updated to reflect that this CT is used to update stack admin access.

October 24, 2024

Updated change type

The restriction to delete snapshots creates less than 60 days ago is changed to less than 30 days ago. Added an optional parameter for S3 URI of a bucket that belongs to the same AWS account. The invalid snapshots report is uploaded to this bucket.

October 24, 2024

New change type

New change type to create a custom RDS parameter group and optionally attach it to an existing RDS instance.

August 30, 2024

Updated change type

Updated the change type description.

August 9, 2024

Update change type

Version two of this change type is now available.

May 22, 2024

New change type

New change type to add an event notification to the specified S3 bucket through direct API calls.

May 22, 2024

Deprecated change type

Deployment | Advanced stack components | AWS Identity and Access Management (IAM) | Create Entity or Policy (Read Permissions)

April 8, 2024

Management | Managed account | Automated IAM provisioning with read-write permissions | Update custom deny list (review required).

New CT.

Management | Managed landing zone | Management account | Offboard application account.

Updated CT.

Management | Managed Account | DNS | Migrate to Route 53.

New CT.

Management | Advanced Stack Components | EBS Volume | Delete.

Updated CT.

Deployment | Managed landing zone | Networking account | Add static route.

Updated Additional Information section.

Deployment | Advanced Stack Components | Identity and Access Management (IAM) | Create Service-Linked role.

Added CustomSuffix input parameter.

Deployment | Managed Landing Zone | Management Account | Create Custom SCP (review required).

Added a note in the Tips section.

Management | Advanced Stack Components | Route 53 Resolver | Disassociate resolver rules from VPC.

New CT.

Management | Patching | Patch window | Update.

Updated CT.

Management | Advanced Stack Components | RDS database stack | Update deletion protection.

Updated CT.

Management | Advanced Stack Components | RDS database stack | Update enhanced monitoring.

New CT.

Deployment | Directory Service | DNS | Create Group Managed Service Account.

Updated CT.

Management | AWS Backup | Backup plan | Update.

Updated CT.

Management | Advanced Stack Components | RDS database stack | Update master password.

Updated CT.

Deployment | Advanced Stack Components | ACM | Create private certificate.

Updated CT.

Deployment | Advanced Stack Components | EC2 stack | Create (with additional volumes).

Updated Tips section.

Deployment | Advanced Stack Components | Database Migration Service (DMS) | Create Source Endpoint.

Updated Tips section.

Management | Advanced Stack Components | Route 53 Resolver | Associate VPC with Resolver Rule.

New CT

Management | Advanced Stack Components | KMS key | Update.

New CT

Management | Advanced Stack Components | Security group | Associate.

New CT

Management | Advanced Stack Components | Security group | Disassociate.

New CT

Management | Advanced Stack Components | S3 storage | Update policy (review required).

New CT

Management | Advanced Stack Components | RDS database stack | Rotate DB certificate.

New CT

Management | Advanced Stack Components | Tag | Update (review required).

New CT

Management | Advanced stack components | KMS key | Share (review required).

New CT

Management | Advanced stack components | KMS key | Update (review required).

New version

Management | Directory Service | Directory | Create AD trust.

Deployment | Advanced stack components | Identity and Access Management (IAM) | Create access key.

Version 2.

Deployment | Advanced stack components | Redshift | Create (cluster subnet group).

New required parameterSubnetGroupDescription.

Deployment | Advanced stack components | EC2 Stack | Create.

Deployment | Ingestion | Stack from migration partner migrated instance | Create.

New optional parameter EnforceIMDSv2.

Management | Managed account | Stack access duration | Override (review required).

Deployment | Advanced Stack Components | Identity and Access Management (IAM) | Create entity or policy (read-write permissions).

Management | Advanced Stack Components | Identity and Access Management (IAM) | Update entity or policy (read-write permissions).

Management | Advanced Stack Components | Identity and Access Management (IAM) | Delete entity or policy (read-write permissions).

Management | Managed account | Automated IAM provisioning with read-write permissions | Enable (review required)

Deployment | Managed landing zone | Management account | Create stacksets stack, ct-16pknsfa8lul7.

Management | Managed landing zone | Management account | Delete stacksets stack, ct-1yqy4frl5s8y8.

Management | Managed landing zone | Management account | Update stacksets stack, ct-1v9g9n30woc8h.

Management | Access | Stack admin access | Grant, ct-1dmlg9g1l91h6.

Version 3.0 adds support for a custom maximum stack access time. Submit an RFC with the Management | Other | Other | Update (review required) (ct-0xdawir96cy7k) change type in the SALZ account or MALZ Shared Services account to customize this value.

Management | Access | Stack admin access | Update, ct-0ikpop8zqhkxg.

Version 3.0 adds support for a custom maximum stack access time. Submit an RFC with the Management | Other | Other | Update (review required) (ct-0xdawir96cy7k) change type in the SALZ account or MALZ Shared Services account to customize this value.

Management | Access | Stack read-only access | Grant, ct-199h35t7uz6jl.

Version 3.0 adds support for a custom maximum stack access time. Submit an RFC with the Management | Other | Other | Update (review required) (ct-0xdawir96cy7k) change type in the SALZ account or MALZ Shared Services account to customize this value.

Management | Access | Stack read-only access | Update, ct-3kh1wiizlne1i.

Version 3.0 adds support for a custom maximum stack access time. Submit an RFC with the Management | Other | Other | Update (review required) (ct-0xdawir96cy7k) change type in the SALZ account or MALZ Shared Services account to customize this value.

Management | Access | Stack admin access | Grant, ct-1dmlg9g1l91h6.

Version 3.0 is the default version, adding support for multiple usernames and access times up to 12 hours (previously 8).

Management | Access | Stack admin access | Update, ct-0ikpop8zqhkxg.

Version 3.0 is the default version, adding support for multiple usernames and access times up to 12 hours (previously 8).

Management | Access | Stack read-only access | Grant, ct-199h35t7uz6jl.

Version 3.0 is the default version, adding support for multiple usernames and access times up to 12 hours (previously 8).

Management | Access | Stack read-only access | Update, ct-3kh1wiizlne1i.

Version 3.0 is the default version, adding support for multiple usernames and access times up to 12 hours (previously 8).

Management | Advanced stack components | Bastions | Update bastion instance size (review required), ct-0tmpmp1wpgkr9.

Management | Advanced stack components | Bastions | Update bastion instance or session counts (review required) ct-1962s5oczal9z.

Management | Advanced stack components | Bastions | Add CIDR Ingress (review required) ct-36zubwzxp44a4.

Management | Advanced stack components | EC2 instance stack | Associate private ip addresses (review required), ct-1pvlhug439gl2.

Management | Advanced stack components | EC2 instance stack | Update instance detailed monitoring, ct-0tmpmp1wpgkr9.

Deployment | Advanced stack components | VPC | Add static route (review required), ct-06bwg93ukgg8t.

Management | Advanced stack components | AMI | Deregister (multiple), ct-26vhhlj9jmlpf

Version 2.0 supports deregistering multiple AMIs in one request.

Management | Advanced stack components | Security group | Authorize ingress rule, ct-3j2zstluz6dxq.

Updated to version 3.0.

Management | Advanced stack components | Security group | Revoke ingress rule, ct-1vjbacfr4ufdv.

Updated to version 3.0.

Deployment | AMS Resource Scheduler | Solution | Deploy, ct-0ywnhc8e5k9z5.

Version 2 requires the Action (deploy or update) parameter.

Management | AMS Resource Scheduler | Solution | Update, ct-2c7ve50jost1v.

Version 2 requires the Action (deploy or update) parameter.

Deployment | Advanced stack components | Auto Scaling group | Create, ct-2tylseo8rxfsc.

New optional parameter EnforceIMDSv2.

Deployment | Standard stacks | High availability two-tier stack | Create, ct-06mjngx5flwto.

New optional parameter EnforceIMDSv2.

Management | Directory Service | Directory | Share Directory, ct-369odosk0pd9w.

Management | Directory Service | Directory | Unshare Directory, ct-2xd2anlb5hbzo.

Management | Host security | Trend Micro DSM | Add login (read-only) , ct-0wspy4o646g9p.

Version 2 has new parameters and examples. It does not require a review.

Management | Advanced stack components | AMI | Deregister, ct-26vhhlj9jmlpf.

Version 2 supports deleting or deregistering multiple AMIs.

Deployment | Directory Service | DNS | Create conditional forwarder, ct-3nba0wtdugnan.

Conditional forwarder now supports up to 5 IP addresses.

Management | Directory Service | DNS | Update conditional forwarder, ct-2fqmbyud166z9.

Conditional forwarder now supports up to 5 IP addresses.

Management | Advanced stack components | EC2 instance stack | Change hostname (Linux), ct-2781aqd6f6svs.

Version 2 does not require a review.

Deployment | Advanced stack components | Auto Scaling group | Create, ct-2tylseo8rxfsc.

Version 3 has new parameter descriptions.

Management | Managed landing zone | Application account | Confirm offboarding, ct-2wlfo2jxj2rkj.

Added tips.

Management | Advanced stack components | DNS (private) | Update, ct-1d55pi44ff21u and Deployment | Advanced stack components | DNS (private) | Create, ct-0c38gftq56zj6.

Added tips about 500 limit on RRs.

Deployment | Advanced stack components | VPCEndpoint (Interface) | Create, ct-3oafsdbzjtuqp.

Deployment | Advanced stack components | S3 storage | Update encryption, ct-128svy9nn2yj8.

Deployment | Advanced stack components | S3 storage | Update versioning, ct-2hh93eyzmwbkd.

Deployment | Advanced stack components | RDS database stack | Update instance type, ct-13swbwdxg106z.

Deployment | Advanced stack components | RDS database stack | Update MultiAZ setting, ct-36jq7gvwyty8h.

Deployment | Advanced stack components | RDS database stack | Update storage, ct-0loed9dzig1ze.

Deployment | Advanced stack components | RDS snapshot | Copy, ct-1c0jrxd3su5oe.

Added support for multi-region (MRK) KMS keys.

Management | Advanced stack components | EC2 instance stack | Replace instance profile, ct-37kcp2v1mriu6.

Updated to version 2.0 with new parameters.

Deployment | Advanced stack components | EC2 stack | Create (with additional volumes), ct-1aqsjf86w6vxg.

Added support for specifying core count and threads per core.

Deployment | Advanced stack components | KMS key | Create, ct-1d84keiri1jhg.

Added guidance for deleting a key, and a warning that deletion does not occur automatically.

Deployment | Advanced stack components | Tag | Create, ct-3cx7we852p3af.

Updated parameters, description, and console screenshot.

Management | Advanced stack components | Tag | Update, ct-0xqwmtn1hfh8u.

Updated parameters, description, and console screenshot.

Management | Advanced stack components | Tag | Delete, ct-2zebb2czoxpjd.

Updated parameters, description, and console screenshot.

Management | Standalone resources | EC2 instance | Terminate, ct-3dfubbpesm2v9.

Updated parameters, description, and console screenshot.

Management | Advanced stack components | EC2 instance stack | Update DeleteOnTermination (review required), ct-2aaaqid7asjy6.

Updated description of the DeleteOnTermination parameter.

Management | Advanced stack components | KMS key | Update, ct-3ovo7px2vsa6n.

Updated the description of the KeyRotation parameter.

Management | Advanced stack components | RDS database stack | Update master user password, ct-2052miu12d8fn.

Updated examples and tips with additional guidance for using SSM Parameter Store or AWS Secrets Manager

Management | Advanced stack components | Target group | Detach instances, ct-37bq2l9c8fzxv.

Updated description of InstancesIds parameter.

Added support for GP3 storage, and choice of SQL character sets to:

Added support for multi-Region KMS keys (MRK) to:

Deployment | Advanced stack components | OpenSearch | Create domain, ct-0azen3a9anxzj is removed and replaced with Deployment | Advanced stack components | OpenSearch | Create domain, ct-281et7bs9ep4s.

This update included a change to the OpenSearch | Create domain schema.

Management | Managed landing zone | Networking account | Remove TGW static route, ct-0rmgrnr9w8mzh.

Deployment | AMS Resource Scheduler | Solution | Deploy, ct-2c7ve50jost1v.

Management | Advanced stack components | DNS (private) | Create, ct-0c38gftq56zj6.

Management | Advanced stack components | DNS (private) | Update, ct-1d55pi44ff21u.

Management | Advanced stack components | DNS (public) | Create, ct-0vzsr2nyraedl.

Management | Advanced stack components | DNS (public) | Update, ct-1hzofpphabs3i.

Parameters and CLI examples have changed for version 2.0.

Deployment | Advanced stack components | RDS database stack | Create (for Aurora), ct-2jvzjwunghrhy.

Deployment | Advanced stack components | RDS database stack | Create from backup (for Aurora), ct-2wllq61djysxz.

Management | Advanced stack components | RDS database stack | Update (for Aurora), ct-2dphvdy1krpj6.

Updated descriptions, added min/max parameters serverless scaling, and added InstanceType values.

Management | Advanced stack components | EC2 instance stack | Resize, ct-15mazjj88xc69.

Updated description, parameters, and CLI examples for version 2.0.

Management | AMS Resource Scheduler | Solution | Update, ct-2c7ve50jost1v.

Management| AMS Resource Scheduler | Solution | Deploy, ct-0ywnhc8e5k9z5.

Removed SALZ restriction and added Action parameter.

Deployment | Advanced stack components | Identity and Access Management (IAM) | Create access key, ct-2hhqzgxvkcig8.

Management | Advanced stack components | Identity and Access Management (IAM) | Deleate or deactivate access key, ct-37qquo9wbpa8x.

Deployment | Advanced stack components | Application Load Balancer | Create, ct-111r1yayblnw4.

Added parameter TargetGroup to optionally specify a load balancer TargetGroup.

Management | Managed landing zone | Application account | Confirm Offboarding, ct-2wlfo2jxj2rkj.

Added a tip not to use this for Customer Managed application accounts.

Management | Managed landing zone | Management account | Offboard application account, ct-0vdiy51oyrhhm.

Added a tip: when applied to Customer Managed application accounts, there is no confirmation step.

Deployment | Advanced stack components | KMS alias | Create, ct-2svg4k2fqi4ak.

Updated the AliasName pattern to reject names with prohibited prefixes.

The What Are AMS Change Types? file now has a link to a zip file with a current comma-separated value (CSV) file of change types.

Management | Advanced stack components | EBS snapshot | Archive, ct-059ewa92tc2i1.

Management | Advanced stack components | Identity and Access Management (IAM) | Update max session duration, ct-1fzddqrr20c2i.

Deployment | Advanced stack components | RDS snapshot | Create (Cluster), ct-2zqwr34epwzx1.

Management | Standalone resources | RDS instance | Terminate, ct-3glr80c15rp7z.

Management | Advanced stack components | RDS snapshot | Delete, ct-0idxb0xsg1ui6.

Deployment | Managed landing zone | Networking account | Create transit gateway route table, ct-3dscwaeyi6cup.

Management | Advanced stack components | S3 storage | Manage lifecycle configuration, ct-1ax768xtu8c9q.

Deployment | Advanced stack components | EC2 stack | Create, ct-14027q0sjyt1h.

Added a tip not to select instance types that are too small.

Management | Advanced stack components | Application Load Balancer | Update, ct-1a1zzgi2nb83d.

Updated the description of the LoadBalancerSubnetIds parameter.

Deployment | Patching | SSM patch window | Create, ct-0el2j07llrxs7.

Replaced references to Route 53 hosted zones with SSM window creation.

Management | AWS service | Self-provisioned service | Add, ct-1w8z66n899dct.

List of service names updated to include AWS Private Certificate Authority (PCA)

Management | AWS service | Self-provisioned service | Add (review required), ct-3qe6io8t6jtny.

List of service names updated to include AWS Private Certificate Authority (PCA)

Management | Patching | On demand patching | Run, ct-3oy53m1qzl2s5.

Added a note regarding the StartInactiveInstances parameter. Inactive instances return to their inactive state after patching.

Management | Advanced stack components | Tag | Bulk update, ct-3047c34zuvswh.

Added Supported Resources section and a link to Tag bulk update notes.

Management | Advanced stack components | Tag | Bulk update (review required), ct-0k4b96aatyqgl.

Added Supported Resources section and a link to Tag bulk update notes.

Deployment | Advanced stack components | RDS snapshot | Copy (for Aurora), ct-19fdy7np55xiu.

Management | Advanced stack components | RDS database stack | Start Aurora Cluster, ct-02ocqy2i0jx3t.

Management | Advanced stack components | RDS database stack | Stop Aurora Cluster, ct-37vqa0oggka3q.

Management | AWS service | Self-provisioned service | Add, ct-1w8z66n899dct.

The AWS Codepipeline service was removed from the possible services you could add with this CT.

Deployment | Advanced stack components | AMI | Copy, ct-046aizcwg5idf.

The Region parameter was updated to add: "This must be the account onboarded Region."

Management | Directory Service | DNS | Add A record, ct-2w3rbmnny1qpo

Management | Directory Service | DNS | Add CNAME record, ct-2murl5xzbxoxf

Management | Directory Service | DNS | Remove record, ct-1icrtx8ydvdwe

Improved examples.

ct-2w3rbmnny1qpo

ct-2murl5xzbxoxf

ct-1icrtx8ydvdwe

Deployment | Advanced stack components | RDS database stack | Create from snapshot, ct-20san5sgtwd9e.

Added a note: "You can't restore a DB instance from a DB snapshot that is both shared and encrypted. Instead, you can make a copy of the DB snapshot and restore the DB instance from the copy. To copy the shared snapshot, please use the following CT: RDS Snapshot | Copy".

Deployment/Advanced stack components/Tag/Create, ct-3cx7we852p3af.

Management/Advanced stack components/Tag/Delete, ct-2zebb2czoxpjd.

Management/Advanced stack components/Tag/Update, ct-0xqwmtn1hfh8u.

For all three, the ResourceArns parameter description was updated.

ct-3cx7we852p3af

ct-2zebb2czoxpjd

ct-0xqwmtn1hfh8u

Management | Directory Service | DNS | Add A record, ct-2w3rbmnny1qpo.

Management | Directory Service | DNS | Add CNAME record, ct-2murl5xzbxoxf.

Added a note: "For multi-account landing zone (MALZ), use this change type in the shared services account."

ct-2w3rbmnny1qpo

ct-2murl5xzbxoxf

Updated content

Updated Tips section with information on "Linux Preparation for AMI Create," "Windows Preparation for AMI Create," and "UserData for AMI Create."

AMI | Create.

New content

Example walkthroughs for each change type have been moved here from the retired AMS Advanced Change Management Guide.

All change types with execution mode=manual are now appended with "(review required)" to the Operation name. All change types with execution mode=automated are now appended with nothing (any cases of "(auto)" or "(no review required)" are removed).

Change Types by Classification.

Management | Managed account | Direct Change mode | Enable, CT ID: ct-3rd4781c2nnhp.

Change types that included "Master account" in their classification have all been updated to "Management account."

Removed the space in pattern for parameter: IpProtocol.

Management | Advanced stack components | EC2 instance stack | Change time zone (ct-3g9dbtun44mal)

ct-3g9dbtun44mal

Management | Advanced stack components | RDS database stack | Update deletion protection

ct-2syhk4sr7cvyw

Deployment | Advanced stack components | Identity and Access Management (IAM) | Create service-specific credentials

ct-2ni31oyto1i5k

Management | Advanced stack components | Identity and Access Management (IAM) | Reset service-specific credentials

ct-22cbvc1yujhec

Deployment| Managed landing zone | Management Account | Create custom SCP (review required) (ct-33ste5yc7hprs) and

Deployment| Managed landing zone | Networking account | Create application route table (review required) (ct-1urj94c3hdfu5)

Change classification to include "(review required)" appended to the Operation name.

ct-33ste5yc7hprs and ct-1urj94c3hdfu5

Deployment | Advanced stack components | Database Migration Service (DMS) | Start replication task (ct-1yq7hhqse71yg)

Updated to indicate the DocumentName and Region are required parameters; previously, they were erroneously listed as optional.

ct-1yq7hhqse71yg

Deployment | AWS Backup | Backup plan | Create (ct-2hyozbpa0sx0m)

Added note to warn that not all resources types supported by AWS Backup are enabled by default. Find which services are in Getting Started 1: Service Opt-In. If changes need to be made, open an RFC using CT ct-1e1xtak34nx76.

ct-2hyozbpa0sx0m

Deployment | Advanced stack components | Identity and Access Management (IAM) | Create EC2 instance profile (ct-117rmp64d5mvb) and Deployment | Advanced stack components | Identity and Access Management (IAM) | Create Lambda execution role (ct-1k3oui719dcju)

New Version: 2.0. Updated to make JSON copy-paste easier.

ct-117rmp64d5mvb and ct-1k3oui719dcju

Deployment | Advanced stack components | RDS database stack | Create (ct-2z60dyvto9g6c)

Added a new value for the RDSDBEngine parameter: mariadb.

ct-2z60dyvto9g6c

Deployment | Advanced stack components | RDS database stack | Update (ct-12w49boaiwtzp)

Extended the expected duration time to 360 minutes from 60 minutes.

ct-12w49boaiwtzp

Added an important note about limitations on the resources that can be remediated.

ct-34sxfo53yuzah

Management | AWS service | Self-provisioned service | Add Self-Service Provisioning service (no review required)

ct-1w8z66n899dct

Deployment | Advanced stack components | Identity and Access Management (IAM) | Create service-linked role

ct-2eof6j3mlcwhf

Management | Advanced stack components | ACM | Delete certificate

ct-1q8q56cmwqj9m

Management | Managed landing zone | Application account | Confirm offboarding

ct-2wlfo2jxj2rkj

Management | Managed landing zone | Application account | Offboard application account

ct-0vdiy51oyrhhm

Deployment | Managed landing zone | Management account | Create Accelerate account

ct-0vdiy51oyrhhm

Management | AMS Resource Scheduler | Schedule | Add (ct-2bxelbn765ive) and Management | AMS Resource Scheduler | Schedule | Update (ct-3u61cd4edns0x)

The SSMMaintenanceWindow can now take a list of AWS Systems Manager existing maintenence windows.

Deployment | Advanced stack components | Identity and Access Managment (IAM) | Create OpenID Connect provider

ct-30ecvfi3tq4k3

Deployment | Advanced stack components | RDS database stack | Create

This update adds performance insights options.

ct-2z60dyvto9g6c

Many CTs had non-standard "Additional Information" sections without links to the corresponding walkthrough, this has been fixed.

Management | Advanced stack components | Application Load Balancer | Add listener certificate

ct-3g6fq83nxg1a7

Management | Advanced stack components | Application Load Balancer | Remove listener certificate

ct-0tpbr6lfa3zng

Management | Advanced stack components | Load Balancer (ELB) stack | Replace listener certificate

ct-0aqx5t0pgfzbg

Management | Advanced stack components | Network Load Balancer | Add listener certificate

ct-35p977vul06df

Management | Advanced stack components | Network Load Balancer | Remove listener certificate

ct-3929xwf222jri

Management | Managed landing zone | Networking account | Disable TGW propagation

ct-2pxyajek47am2

Management | Managed landing zone | Networking account | Enable TGW propagation

ct-1f9hi4bephqa9

Management | Standalone resources | EC2 instance | Terminate

ct-3dfubbpesm2v9

Management | Advanced stack components | EC2 Instance Stack | Gather log4j information (v2.0)

ct-19f40lfm5umy8

This update provides an option to target all instances in the region.

Management | Advanced stack components | Database Migration Service (DMS) | Start replication task and Management | Advanced stack components | Database Migration Service (DMS) | Stop replication task

ct-1yq7hhqse71yg and ct-1vd3y4ygbqmfk

This change updates the task ARN regular expression to the allow tasks containing the a dash ( - ).

Management | Advanced stack components | EC2 instance stack | Change hostname (Linux)

ct-2781aqd6f6svs

Automated, with additional parameters, and moved to version 2.0.

Management | Advanced stack components | EC2 instance stack | Restore volumes

ct-0ffvihqwjvqj1

This update adds two optional parameters, RootVolumeType and VolumeTypes.

A Priority parameter has been added to all execution mode=manual change types (CTs).

For additional information, see RFC scheduling.

The changed CTs are:

Deployment/Monitoring and notification/GuardDuty IP set/Create
Deployment/Monitoring and notification/GuardDuty threat intel set/Create
Management/Monitoring and notification/GuardDuty IP set/Delete
Management/Monitoring and notification/GuardDuty IP set/Update
Management/Monitoring and notification/GuardDuty threat intel set/Delete
Management/Monitoring and notification/GuardDuty threat intel set/Update
Management/Other/Other/Create
Management/Other/Other/Update
Deployment/Managed landing zone/Management account/Create Custom SCP
Deployment/Managed landing zone/Networking account/Create application route table
Deployment/Advanced stack components/Identity and Access Management (IAM)/Create entity or policy
Deployment/Advanced stack components/KMS key/Create (review required)(1.0 and 2.0)
Deployment/Advanced stack components/S3 storage/Create policy
Deployment/Advanced stack components/Security group/Create (review required)
Deployment/Advanced stack components/Tag/Create (review required)
Management/AWS service/Self-provisioned service/Add
Management/Advanced stack components/EC2 instance stack/Change hostname (Linux)(1.0)
Management/Advanced stack components/Identity and Access Management (IAM)/Delete entity or policy
Management/Advanced stack components/Identity and Access Management (IAM)/Update entity or policy
Management/Advanced stack components/KMS key/Delete(1.0 and 2.0)
Management/Advanced stack components/KMS key/Update(1.0 and 2.0)
Management/Advanced stack components/S3 storage/Delete policy
Management/Advanced stack components/S3 storage/Update policy
Management/Advanced stack components/Security group/Delete
Management/Advanced stack components/Security group/Update
Management/Advanced stack components/Tag/Bulk update (review required)
Management/Advanced stack components/Tag/Delete (review required)
Management/Advanced stack components/Tag/Update (review required)
Management/Managed account/Developer mode/Enable
Management/Standard stacks/Stack/Remediate drift
Management/Applications/IAM instance profile/Create
Management/Host security/Malware full system scan/Disable

Management | Advanced Stack Components | EC2 Instance Stack | Gather log4j information

Single instance scan use v1.0, Multi instance scan use v2.0.

ct-19f40lfm5umy8

Management | Directory service | DNS | Delete conditional forwarder

ct-1icghmq38rnsn

Management | Directory service | DNS | Update conditional forwarder

ct-2fqmbyud166z9

Deployment | Directory service | DNS | Create conditional forwarder

ct-3nba0wtdugnan

Deployment | Directory service | DNS | Create group managed service account

ct-2qhl8j1pjnbgn

Management | Directory service | DNS | Update record permission

ct-1eft8s6vdhz0w

Management | Directory service | DNS | Update cluster permissions

ct-03ytgoevfebjr

Deployment | Advanced stack components | Identity and Access Management (IAM) | Create EC2 instance profile

ct-117rmp64d5mvb

Deployment | Advanced stack components | Identity and Access Management (IAM) | Create Lambda execution role

ct-1k3oui719dcju

Management | Managed landing zone | Management account | Move Account to OU

ct-1vq0f289r36ay

Deployment | AWS Backup | Backup plan | Create

ct-2hyozbpa0sx0m. Additional parameters were for creating backup copies across accounts.

Management | Advanced stack components | EBS snapshot | Delete

ct-30bfiwxjku1nu. The CT description was expanded to mention some cavaets.

Management | Advanced stack components | EC2 instance | Start

ct-03t7kvuwx6rgr. The CT schema was updated so you can start mulitple EC2 instances.

Management | Advanced stack components | EC2 instance | Stop

ct-3mvvt2zkyveqj. The CT schema was updated so you can stop mulitple EC2 instances. There's also a new parameter, ForceStop.

Management | AWS Backup | Recovery point | Delete

ct-1r1vbr8ahr156. The CT schema was updated so you can delete mulitple recovery points.

Deployment | Advanced stack components | Redshift | Create (cluster from snapshot) version 1.0

ct-3jrqmeq7j0wke. A new parameter, NodeType, was added.

Many change type examples were missing, this has been fixed.

Management | Directory Service | Computer object | Remove SPN

ct-1078jhyxq32dp

Deployment | Managed landing zone | Networking account | Disassociate TGW attachment

ct-3jo8yccbin4it

Deployment | Managed landing zone | Networking account | Associate TGW attachment

ct-3nmhh0qr338q6

Deployment | Managed landing zone | Networking account | Add static route

ct-3r2ckznmt0a59

Deployment | Managed landing zone | Management account | Create Developer Mode account (with VPC)

ct-38xcr0q86k9lh

Management | Advanced stack components | Security Group | Delete (no review required)

ct-18r16ldqil6w9

Management | Advanced stack components | Security Group | Disassociate (no review required)

ct-13lk0noacn6ua

Management | Advanced stack components | AMI | Deregister

ct-26vhhlj9jmlpf This CT has a new parameter "DeleteSnapshots" to allow deleting snapshots associated with AMI.

Management | Advanced stack components | AMI | Deregister

ct-2r2bffv9u6q4m A note was added that you cannot use the CT with Aurora MySQL or Aurora PostgreSQL.

Classification (two):

Management | Standard stacks | Stack | Remediate drift (auto)

Management | Custom stack | Stack | Remediate drift (auto)

ct-3kinq0u4l33zf.

Management | AWS Backup | Backup plan | Enable cross account copy (Management account) ct-2yja7ihh30ply.

Management | Advanced stack components | EC2 instance stack | Encrypt instance volumes ct-0hahohe17csnc.

Deployment | Advanced stack components | Database Migration Service (DMS) | Create replication subnet group This CT (ct-2q5azjd8p1ag5) will fail if the 'dms-vpc-role' IAM role doesn't exist in the account. ct-2q5azjd8p1ag5.

Deployment | Advanced stack components | EC2 stack | Create

The note for InstanceType has been updated to this "Any EC2 instance created within AMS environments have pre-configured AMS components and agents like EPS, SSM, Cloudwatch etc., which occupy the resource’s capacity along with the application workload. Therefore AMS does not recommend using the t2.micro/t3.micro and t2.nano/t3.nano instance types as they can impact the performance of the application and AMS tooling running on the instances. For more information, see Choosing the Right EC2 Instance Type for Your Application. ct-14027q0sjyt1h.

Deployment | Advanced stack components | EC2 stack | Create (with additional volumes)

The note for InstanceType has been updated to this "Any EC2 instance created within AMS environments have pre-configured AMS components and agents like EPS, SSM, Cloudwatch etc., which occupy the resource’s capacity along with the application workload. Therefore AMS does not recommend using the t2.micro/t3.micro and t2.nano/t3.nano instance types as they can impact the performance of the application and AMS tooling running on the instances. For more information, see Choosing the Right EC2 Instance Type for Your Application. ct-1aqsjf86w6vxg.

Management | Advanced stack components | Security Group | Associate

There is a new version and support for additional resource types. ct-12lyw7otiyr6f.

Deployment | AMS Resource Scheduler | Solution | Deploy ct-0ywnhc8e5k9z5.

Management | AMS Resource Scheduler | State | Enable ct-2wrvu4kca9xky.

Management | AMS Resource Scheduler | State | Disable ct-14v49adibs4db.

Management | Patching | Patch window | Update ct-2utx36abv83pv.

Management | Advanced stack components | KMS key | Enable rotation ct-2lt0jeydeumpe.

Management | Directory Service | Users and groups | Add group to group ct-1i20abktsm05v.

Management | Directory Service | Users and groups | Add user to group ct-24pi85mjtza8k.

Management | Directory Service | Users and groups | Add group ct-3eutt7grkict4.

Management | Directory Service | Users and groups | Remove user from group ct-2019s9y3nfml4.

Management | Directory Service | DNS | Remove record ct-1icrtx8ydvdwe.

Management | Directory Service | DNS | Add CNAME record ct-2murl5xzbxoxf.

Management | Directory Service | DNS | Add A record ct-2w3rbmnny1qpo.

Management | Advanced stack components | EC2 instance stack | Restore volumes The schema is updated with new parameters and the version is now 3.0. ct-2z60dyvto9g6c.

Deployment | Advanced stack components | DNS (private) | Create

The schema is updated with new parameters: AliasTargetDnsName, AliasTargetHostedZoneId, and AliasTargetEvaluatedTargetHealth to support "A" record to route traffic to AWS resource such as CloudFront distribution or an Amazon S3 bucket, by providing the DNSName and HostedZoneID associated with the AWS resource. ct-0c38gftq56zj6 .

Deployment | Advanced stack components | DNS (public) | Create

The schema is updated with new parameters: AliasTargetDnsName, AliasTargetHostedZoneId, and AliasTargetEvaluatedTargetHealth to support "A" record to route traffic to AWS resource such as CloudFront distribution or an Amazon S3 bucket, by providing the DNSName and HostedZoneID associated with the AWS resource. ct-0vzsr2nyraedl .

Management | Advanced stack components | DNS (private) | Update

The schema is updated with new parameters: AliasTargetDnsName, AliasTargetHostedZoneId, and AliasTargetEvaluatedTargetHealth to support "A" record to route traffic to AWS resource such as CloudFront distribution or an Amazon S3 bucket, by providing the DNSName and HostedZoneID associated with the AWS resource. ct-1d55pi44ff21u.

Management | Advanced stack components | DNS (public) | Update

The schema is updated with new parameters: AliasTargetDnsName, AliasTargetHostedZoneId, and AliasTargetEvaluatedTargetHealth to support "A" record to route traffic to AWS resource such as CloudFront distribution or an Amazon S3 bucket, by providing the DNSName and HostedZoneID associated with the AWS resource. ct-1hzofpphabs3i.

Deployment | Advanced stack components | RDS database stack | Create The RDSDBEngine parameter has a new value available: mariadb. ct-2z60dyvto9g6c.

Deployment | Advanced stack components | Identity and Access Management (IAM) | Create SAML identity provider ct-3hox8uwjgze1f.

Management | Advanced stack components | Identity and Access Management (IAM) | Delete SAML identity provider ct-01zl37gmuk4q2.

Management | Advanced stack components | Identity and Access Management (IAM) | Update SAML identity provider ct-379uwo67vbvng.

Deployment | Advanced stack components | VPNGateway | Create ct-0qbikxr9okwvy.

Management | Advanced stack components | AMI | Create from Auto Scaling group ct-3e3prksxmdhw8.

Management | Advanced stack components | EBS Volume | Attach ct-34jldf2qihaic.

Management | Advanced stack components | EBS Volume | Detach ct-2d55p1d7z6w3d.

Managed firewall, Outbound (Palo Alto): Create allow list ct-309eozh6lpkr8.

Managed firewall, Outbound (Palo Alto): Delete allow list ct-2fzh1wckpl7f5.

Managed firewall, Outbound (Palo Alto): Create security policy ct-281dpwh9tqnan.

Managed firewall, Outbound (Palo Alto): Delete security policy ct-1taxucdyi84iy.

Managed firewall, Outbound (Palo Alto): Update security policy ct-0mss4i7neuj7f.

Management | Managed firewall | Outbound (Palo Alto) | Add URLs and Management | Managed firewall | Outbound (Palo Alto) | Remove URLs. New schemas. ct-2b9q8339bj2sa and ct-2mf36chtp1ejh.

Management | AWS service | Self-provisioned service | Add. New parameter, SAMLProviders. ct-3qe6io8t6jtny.

Management | Advanced stack components | AMI | Encrypt. Note warning not to try to encrypt AMIs that are already encrypted. ct-3u9yd8jznb2zd.