Once the tools account is created, AMS provides you with an account ID. Your next step is to configure access to the new account. Follow these steps.
Update the appropriate Active Directory groups with the appropriate account IDs.
New AMS-created accounts are provisioned with the ReadOnly role policy as well as a role to allow users to file RFCs.
The Tools account also has an additional IAM role and user available:
IAM role: AWSManagedServicesMigrationRole
IAM user: customer_cloud_endure_user
Request policies and roles to allow service integration team members to set up the next level of tools.
Navigate to the AMS console and file the following RFCs:
Create KMS key. Use either Create KMS Key (auto) or Create KMS Key (review required).
Because you use KMS to encrypt ingested resources, using a single KMS key that is shared with the rest of the Multi-Account Landing Zone application accounts provides security for ingested images while still allowing them to be decrypted in the destination account.
Share the KMS key.
Use the Management | Other | Other | Create (ct-1e1xtak34nx76) change type to request that the new KMS key be shared with your application accounts where ingested AMIs will reside.
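Once the share request has been completed, you can confirm that every application account can actually use the key. The following check is an added example, not part of the AMS documentation or AMS tooling. It assumes the share appears in the key policy as Allow statements naming the application accounts as principals; the required-action set, the helper names and the account IDs are constructed for illustration.

```python
import fnmatch

# Assumed minimum actions an application account needs to use an AMI encrypted
# with the shared key; adjust the set to your own requirements.
REQUIRED = {"kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant",
            "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # "arn:aws:iam::444455556666:root" or a bare account ID -> account ID
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def audit_key_policy(policy, app_accounts):
    """Return (missing, findings): required actions each application account
    lacks, and Allow statements open to any principal with no condition."""
    granted = {acct: set() for acct in app_accounts}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "*" in aws and "Condition" not in stmt:
            findings.append(f"{stmt.get('Sid', '?')}: wildcard principal, no condition")
        for acct in granted.keys() & {_account_of(p) for p in aws}:
            granted[acct] |= {r for r in REQUIRED
                              if any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)}
    missing = {a: sorted(REQUIRED - g) for a, g in granted.items() if REQUIRED - g}
    return missing, findings

def _stmt(sid, account, actions):
    return {"Sid": sid, "Effect": "Allow", "Resource": "*", "Action": actions,
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"}}

# Constructed sample: 111122223333 stands in for the Tools account, the other
# two IDs for application accounts that will hold ingested AMIs.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("ToolsAccountAdmin", "111122223333", "kms:*"),
    _stmt("AppAccountA", "444455556666", ["kms:Decrypt", "kms:DescribeKey",
          "kms:CreateGrant", "kms:ReEncrypt*", "kms:GenerateDataKey*"]),
    _stmt("AppAccountB", "777788889999", ["kms:Decrypt", "kms:DescribeKey"]),
]}

if __name__ == "__main__":
    print(audit_key_policy(SAMPLE_POLICY, ["444455556666", "777788889999"]))
```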
Example graphic of a final account setup:
