

# Application onboarding
<a name="intro-aog"></a>

Welcome to the AWS Managed Services (AMS) operations plan. This document describes the methods you can use to onboard your applications to AMS once initial networking and access management have been set up, and the issues you should consider when choosing among those methods.

This document is intended for system integrators and application developers who are defining the application onboarding processes for new AMS customers.

## What is application onboarding?
<a name="what-is-app-ob"></a>

AMS application onboarding refers to the deployment of resources and applications, as needed, into your AMS infrastructure. Architecting applications and infrastructure on the AMS platform is very similar to doing so on native AWS. Following AWS application and infrastructure design best practices while considering the capabilities that are provided by AMS will yield capable and operable applications hosted in the AMS environment.

**Note**  
AMS is available in the following AWS Regions:
+ US East (N. Virginia)
+ US West (N. California)
+ US West (Oregon)
+ US East (Ohio)
+ Canada (Central)
+ South America (São Paulo)
+ EU (Ireland)
+ EU (Frankfurt)
+ EU (London)
+ EU (Paris)
+ Asia Pacific (Mumbai)
+ Asia Pacific (Seoul)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Asia Pacific (Tokyo)

New Regions are added frequently. To learn more, see [AWS Regions and Availability Zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html).

# What we do, what we do not do
<a name="ams-do-not-do"></a>

AMS gives you a standardized approach to deploying AWS infrastructure and provides the necessary ongoing operational management. For a full description of roles, responsibilities, and supported services, see [Service Description](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html).

**Note**  
To request that AMS provide an additional AWS service, file a service request. For more information, see [Making Service Requests](https://docs.aws.amazon.com/managedservices/latest/userguide/mk-service-requests.html).
+ **What we do**:

  After you complete onboarding, the AMS environment is available to receive requests for change (RFCs), incidents, and service requests. Your interaction with the AMS service revolves around the lifecycle of an application stack. New stacks are ordered from a preconfigured list of templates, launched into specific virtual private cloud (VPC) subnets, modified during their operational life through RFCs, and monitored for events and incidents 24/7.

  Active application stacks are monitored and maintained by AMS, including patching, and require no further action for the life of the stack unless a change is required or the stack is decommissioned. Incidents detected by AMS that affect the health and function of the stack generate a notification and may or may not need your action to resolve or verify. How-to questions and other inquiries can be made by submitting a service request.

  Additionally, AMS allows you to enable compatible AWS services that are not managed by AMS. For information about AWS-AMS compatible services, see [Self-service provisioning mode](https://docs.aws.amazon.com/managedservices/latest/userguide/setting-up-compatible.html).

   
+ **What we DON'T do**:

  While AMS simplifies application deployment by providing a number of manual and automated options, you're responsible for the development, testing, updating, and management of your application. AMS provides troubleshooting assistance for infrastructure issues that impact applications, but AMS can't access or validate your application configurations.

# AMS Amazon Machine Images (AMIs)
<a name="ams-amis"></a>

AMS produces updated Amazon Machine Images (AMIs) every month for AMS supported operating systems. AMS also produces security enhanced AMIs based on the CIS Level 1 benchmark for a subset of [AMS's supported operating systems](https://docs.aws.amazon.com/managedservices/latest/userguide/supported-configs.html). To find out which operating systems have a security enhanced image available, see the AMS Security User Guide, which is available through AWS Artifact on the **Reports** page (find the **Reports** option in the left navigation pane), filtered for AWS Managed Services. To access AWS Artifact, contact your CSDM for instructions or see [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started).

To receive alerts when new AMS AMIs are released, you can subscribe to an Amazon Simple Notification Service (Amazon SNS) notification topic called "AMS AMI". For details, see [AMS AMI notifications with SNS](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-ami-notifications.html).

The AMS AMI naming convention is `customer-ams-<operating system>-<release date>-<version>` (for example, `customer-ams-rhel6-2018.11-3`).

Only use AMS AMIs whose names start with `customer`. The name prefix by itself is not proof of origin, because any account can give an AMI such a name; when you query for AMIs, filter on the AMS AMI owner account as well as on the name.

AMS recommends always using the most recent AMI. You can find the most recent AMIs by either:
+ Looking in the AMS console, on the **AMIs** page.
+ Viewing the latest AMS AMI CSV file, available from your CSDM or through this ZIP file: [AMS 11.2024 AMI contents and CSV file in a ZIP](https://docs.aws.amazon.com/managedservices/latest/userguide/samples/AMIs.csv-and-notes.11.2024.zip).

  For past AMI ZIP files, see the [Doc History](https://docs.aws.amazon.com/managedservices/latest/userguide/doc-history-ug.html).
+ Running this AMS `SKMS` command (AMS SKMS SDK required):

  ```
  aws amsskms list-amis --vpc-id VPC_ID --query "Amis.sort_by(@,&Name)[? starts_with(Name,'customer')].[Name,AmiId,CreationTime]" --output table
  ```
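The naming convention and the "always use the most recent AMI" guidance above can be turned into a small, repeatable check. The following Python is an added example and is not code from the AMS documentation or from AMS tooling: it parses `customer-ams-<operating system>-<release date>-<version>` names and returns the newest AMI per operating system, considering only images owned by the AMS AMI owner account (027415890775, the account the offboarding script on this page queries). It assumes the release date is `YYYY.MM` and the version is an integer, as in the page's example; the image records are constructed for the example, not real AMIs.

```python
"""
Added example (not from the AMS documentation): select the newest AMS AMI per
operating system from describe-images style records, using the AMS naming
convention customer-ams-<operating system>-<release date>-<version>.

Assumptions not stated on the page: release date is YYYY.MM and version is an
integer, matching the page's example customer-ams-rhel6-2018.11-3.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# AMS AMI owner account, as used by the page's offboarding script.
AMS_AMI_OWNER = "027415890775"

# The OS segment may itself contain hyphens (e.g. amazon-linux-2), so the
# date and version are anchored at the end of the name.
AMI_NAME_RE = re.compile(
    r"^customer-ams-(?P<os>.+)-(?P<date>\d{4}\.\d{2})-(?P<version>\d+)$"
)


def parse_ami_name(name: str) -> Optional[dict]:
    """Return {'os', 'date', 'version'} for a well-formed AMS AMI name, else None."""
    m = AMI_NAME_RE.match(name)
    if not m:
        return None
    year, month = m.group("date").split(".")
    return {
        "os": m.group("os"),
        "date": (int(year), int(month)),
        "version": int(m.group("version")),
    }


def latest_ams_amis(images: List[dict], owner: str = AMS_AMI_OWNER) -> Dict[str, dict]:
    """
    Map each operating system to its newest AMS AMI.

    Only images owned by `owner` whose Name parses as an AMS name are considered.
    The owner check is what anchors trust: any account can name an AMI
    'customer-ams-...', so the prefix alone must not be relied on.
    Ordering is release date, then version, then CreationTime as a tie-breaker.
    """
    best: Dict[str, dict] = {}
    for img in images:
        if img.get("OwnerId") != owner:
            continue  # not shared by AMS: ignore regardless of name
        parsed = parse_ami_name(img.get("Name", ""))
        if parsed is None:
            continue  # AMS-owned but not a customer image
        created = datetime.strptime(img["CreationTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
        key = (parsed["date"], parsed["version"], created)
        os_name = parsed["os"]
        if os_name not in best or key > best[os_name]["_key"]:
            best[os_name] = {"ImageId": img["ImageId"], "Name": img["Name"], "_key": key}
    return {k: {"ImageId": v["ImageId"], "Name": v["Name"]} for k, v in best.items()}


# Constructed sample records in the shape of `aws ec2 describe-images` output
# (the AMI IDs are placeholders, not real images).
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "OwnerId": "027415890775",
     "Name": "customer-ams-rhel6-2018.11-3", "CreationTime": "2018-11-20T10:00:00.000Z"},
    {"ImageId": "ami-0000000000000002", "OwnerId": "027415890775",
     "Name": "customer-ams-rhel6-2018.10-5", "CreationTime": "2018-10-18T10:00:00.000Z"},
    {"ImageId": "ami-0000000000000003", "OwnerId": "027415890775",
     "Name": "customer-ams-amazon-linux-2-2018.11-1", "CreationTime": "2018-11-21T10:00:00.000Z"},
    {"ImageId": "ami-0000000000000004", "OwnerId": "027415890775",
     "Name": "customer-ams-amazon-linux-2-2018.11-2", "CreationTime": "2018-11-28T10:00:00.000Z"},
    # Same name pattern, different owner: must be ignored.
    {"ImageId": "ami-0000000000000005", "OwnerId": "111111111111",
     "Name": "customer-ams-rhel6-2019.01-1", "CreationTime": "2019-01-05T10:00:00.000Z"},
    # AMS-owned but not a customer image: ignored by the name check.
    {"ImageId": "ami-0000000000000006", "OwnerId": "027415890775",
     "Name": "ams-internal-rhel6-2019.01-1", "CreationTime": "2019-01-05T10:00:00.000Z"},
]

if __name__ == "__main__":
    for os_name, ami in sorted(latest_ams_amis(SAMPLE_IMAGES).items()):
        print(f"{os_name:20s} {ami['Name']:40s} {ami['ImageId']}")
```

In practice, feed it the `Images` array from `aws ec2 describe-images --owners 027415890775 --executable-users self --output json` for the Region you deploy into; the owner filter, not the name prefix, is what establishes that an image came from AMS.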

**AMS AMI content added to base AWS AMIs, by operating system (OS)**
+ Linux AMIs:
  + [AWS CLI Tools](https://aws.amazon.com/cli/)
  + [NTP](http://www.ntp.org/documentation.html)
  + [Trend Micro Endpoint Protection Service Agent](https://www.trendmicro.com/en_us/business.html)
  + [Code Deploy](https://github.com/aws/aws-codedeploy-agent)
  + [PBIS Enterprise / Beyond Trust AD Bridge](https://www.beyondtrust.com/products/active-directory-bridge)

    **Note**  
    As of June 2022, BeyondTrust no longer supports PBIS Open. You can't use PBIS Open on AMIs that AMS supports after June 2022. If AMS supported your AMI before June 2022, you can continue to use PBIS Open at your own discretion.
  + [SSM Agent](https://github.com/aws/amazon-ssm-agent)
  + Yum Upgrade for critical patches
  + AMS custom scripts / management software (controlling boot, AD join, monitoring, security, and logging)
+ Windows Server AMIs:
  + [Microsoft .NET Framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653)
  + [PowerShell 5.1](https://docs.microsoft.com/en-us/skypeforbusiness/set-up-your-computer-for-windows-powershell/download-and-install-windows-powershell-5-1)
  + [AWS Tools for Windows PowerShell](https://aws.amazon.com/powershell/)
  + AMS PowerShell Modules controlling boot, AD join, monitoring, security, and logging
  + [Trend Micro Endpoint Protection Service Agent](https://www.trendmicro.com/en_us/business.html)
  + [SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html)
  + [CloudWatch Agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Install-CloudWatch-Agent.html)
  + EC2Config service (through Windows Server 2012 R2)
  + EC2Launch (Windows Server 2016 and Windows Server 2019)
  + EC2LaunchV2 (Windows Server 2022 and later)

**Linux-based AMIs**:
+ Amazon Linux 2023 (Latest Minor Release) (Minimal AMI not supported)
+ Amazon Linux 2 (Latest Minor Release)
+ Amazon Linux 2 (ARM64)
+ Red Hat Enterprise 8 (Latest Minor Release)
+ Red Hat Enterprise 9 (Latest Minor Release)
+ SUSE Linux Enterprise Server 15 SP6
+ Ubuntu Linux 20.04
+ Ubuntu Linux 22.04
+ Ubuntu Linux 24.04
+ Amazon Linux: For product overview, pricing information, usage information, and support information, see [Amazon Linux 2](https://aws.amazon.com/amazon-linux-2/).

  For more information, see [Amazon Linux 2 FAQs](https://aws.amazon.com/amazon-linux-2/faqs/).
+ SUSE Linux Enterprise Server for SAP applications 15 SP6:
  + Run the following steps once per account:

    1. Navigate to the **AWS Marketplace**.

    1. Search for the SUSE 15 SAP product.

    1. Choose **Continue to subscribe**.

    1. Choose **Accept terms**.
  + Complete the following steps **every time** you need to launch a new **SUSE Linux Enterprise Server for SAP Applications 15 SP6** instance:

    1. Note the AMI ID for the subscribed **SUSE Linux Enterprise Server for SAP Applications 15** AMI.

    1. Create a Deployment | Advanced stack components | EC2 stack | Create (change type ct-14027q0sjyt1h) RFC. Replace *InstanceAmiId* with the AWS Marketplace AMI ID that you subscribed to.

**Windows-based AMIs**:

Microsoft Windows Server (2016, 2019, 2022, and 2025), based on latest Windows AMIs.

For examples of creating AMIs, see [Create AMI](https://docs.aws.amazon.com/managedservices/latest/ctref/ex-ami-create-col.html).

**Offboarding AMS AMIs**:

AMS does not unshare any AMIs from you during offboarding to avoid impact for any of your depedencies. If you want to remove AMS AMIs from your account, you can use the `cancel-image-launch-permission` API to hide specific AMIs. For example, you can use the script below to hide all of the AMS AMIs that were shared with your account earlier:

```
for ami in $(aws ec2 describe-images --executable-users self --owners 027415890775 --query 'Images[].ImageId' --output text) ; 
    do
    aws ec2 cancel-image-launch-permission --image-id $ami ; 
    done
```

You must have the AWS CLI v2 installed for the script to execute without any errors. For AWS CLI installation steps, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). For details on the `cancel-image-launch-permission` command, see [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/cancel-image-launch-permission.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/cancel-image-launch-permission.html).

# Security enhanced AMIs
<a name="ams-amis-security-enhanced"></a>

AMS provides security enhanced images (AMIs) based on CIS Level 1 benchmark for a subset of AMS's supported operating systems. To find which operating systems have a security enhanced image available, see the *AWS Managed Services (AMS) Customer Security Guide*. To access this guide, open AWS Artifact, select **Reports** in the left navigation pane, and then filter for AWS Managed Services. For instructions on how to access AWS Artifact, contact your CSDM or see [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started) for more information.

# AMS key terms
<a name="key-terms"></a>
+ *AMS Advanced*: The services described in the "Service Description" section of the AMS Advanced Documentation. See [Service Description](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html).
+ *AMS Advanced Accounts*: AWS accounts that at all times meet all requirements in the AMS Advanced Onboarding Requirements. For information on AMS Advanced benefits, case studies, and to contact a sales person, see [AWS Managed Services](https://aws.amazon.com/managed-services/).
+ *AMS Accelerate Accounts*: AWS accounts that at all times meet all requirements in the AMS Accelerate Onboarding Requirements. See [Getting Started with AMS Accelerate](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/getting-started-acc.html).
+ *AWS Managed Services*: AMS and/or AMS Accelerate.
+ *AWS Managed Services accounts*: The AMS accounts and/or the AMS Accelerate accounts.
+ <a name="CritRec"></a>*Critical Recommendation*: A recommendation issued by AWS through a service request informing you that your action is required to protect against potential risks or disruptions to your resources or the AWS services. If you decide not to follow a Critical Recommendation by the specified date, you are solely responsible for any harm resulting from your decision.
+ *Customer-Requested Configuration*: Any software, services or other configurations that are not identified in:
  + Accelerate: [Supported Configurations](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sd.html#supported-configs) or [AMS Accelerate; Service Description](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sd.html).
  + AMS Advanced: [Supported Configurations](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html#supported-configs) or [AMS Advanced; Service Description](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html).
+ *Incident communication*: AMS communicates an Incident to you or you request an Incident with AMS via an Incident created in Support Center for AMS Accelerate and in the AMS Console for AMS. The AMS Accelerate Console provides a summary of Incidents and Service Requests on the Dashboard and links to Support Center for details.
+ *Managed Environment*: The AMS Advanced accounts and/or the AMS Accelerate accounts operated by AMS.

  For AMS Advanced, these include multi-account landing zone (MALZ) and single-account landing zone (SALZ) accounts.
+ *Billing start date*: The next business day after AWS receives the information requested in the AWS Managed Services Onboarding Email. The AWS Managed Services Onboarding Email is the email sent by AWS to you to collect the information needed to activate AWS Managed Services on your accounts.

   For accounts subsequently enrolled by you, the billing start date is the next day after AWS Managed Services sends an AWS Managed Services Activation Notification for the enrolled account. An AWS Managed Services Activation Notification occurs when:

  1. You grant access to a compatible AWS account and hand it over to AWS Managed Services.

  1. AWS Managed Services designs and builds the AWS Managed Services Account.
+ *Service Termination*: You can terminate the AWS Managed Services for all AWS Managed Services accounts, or for a specified AWS Managed Services account for any reason by providing AWS at least 30 days notice through a service request. On the Service Termination Date, either: 

  1. AWS hands over the controls of all AWS Managed Services accounts or the specified AWS Managed Services accounts as applicable, to you, or 

  1. The parties remove the AWS Identity and Access Management roles that give AWS access from all AWS Managed Services accounts or the specified AWS Managed Services accounts, as applicable. 
+ *Service termination date*: The service termination date is the last day of the calendar month following the end of the 30 days requisite termination notice period. If the end of the requisite termination notice period falls after the 20th day of the calendar month, then the service termination date is the last day of the following calendar month. The following are example scenarios for termination dates. 
  + If the termination notice is provided on April 12, then the 30 days notice ends on May 12. The service termination date is May 31.
  + If a termination notice is provided on April 29, then the 30 days notice ends on May 29. The service termination date is June 30.
+ *Provision of AWS Managed Services*: AWS makes available to you and you can access and use AWS Managed Services for each AWS Managed Services account from the service commencement date.
+ *Termination for specified AWS Managed Services accounts*: You can terminate the AWS Managed Services for a specified AWS Managed Services account for any reason by providing AWS notice through a service request ("AMS Account Termination Request").

**Incident management terms**:
+ *Event*: A change in your AMS environment.
+ *Alert*: Whenever an event from a supported AWS service exceeds a threshold and triggers an alarm, an alert is created and notice is sent to your contacts list. Additionally, an incident is created in your Incident list.
+ *Incident*: An unplanned interruption or performance degradation of your AMS environment or AWS Managed Services that results in an impact as reported by AWS Managed Services or you.
+ *Problem*: A shared underlying root cause of one or more incidents.
+ *Incident Resolution* or *Resolve an Incident*: 
  + AMS has restored all unavailable AMS services or resources pertaining to that incident to an available state, or
  + AMS has determined that unavailable stacks or resources cannot be restored to an available state, or 
  + AMS has initiated an infrastructure restore authorized by you.
+ *Incident Response Time*: The difference in time between when you create an incident, and when AMS provides an initial response by way of the console, email, service center, or telephone.
+ *Incident Resolution Time*: The difference in time between when either AMS or you creates an incident, and when the incident is resolved.
+ *Incident Priority*: How incidents are prioritized by AMS, or by you, as either Low, Medium, or High.
  + *Low*: A non-critical problem with your AMS service.
  + *Medium*: An AWS service within your managed environment is available but is not performing as intended (per the applicable service description).
  + *High*: Either (1) the AMS Console, or one or more AMS APIs within your managed environment are unavailable; or (2) one or more AMS stacks or resources within your managed environment are unavailable and the unavailability prevents your application from performing its function.

  AMS may re-categorize incidents in accordance with the above guidelines.
+ *Infrastructure Restore*: Re-deploying existing stacks, based on templates of impacted stacks, and initiating a data restore based on the last known restore point, unless otherwise specified by you, when incident resolution is not possible.

**Infrastructure terms**:
+ *Managed production environment*: A customer account where the customer’s production applications reside.
+ *Managed non-production environment*: A customer account that only contains non-production applications, such as applications for development and testing.
+ *AMS stack*: A group of one or more AWS resources that are managed by AMS as a single unit.
+ *Immutable infrastructure*: An infrastructure maintenance model typical for Amazon EC2 Auto Scaling groups (ASGs) where updated infrastructure components (in AWS, the AMI) are replaced for every deployment, rather than being updated in place. The advantage of immutable infrastructure is that all components stay in sync, since they are always generated from the same base. Immutability is independent of any tool or workflow for building the AMI.
+ *Mutable infrastructure*: An infrastructure maintenance model typical for stacks that are not Amazon EC2 Auto Scaling groups and contain a single instance or just a few instances. This model most closely represents traditional, hardware-based, system deployment where a system is deployed at the beginning of its life cycle and then updates are layered onto that system over time. Any updates to the system are applied to the instances individually, and may incur system downtime (depending on the stack configuration) due to application or system restarts.
+ *Security groups*: Virtual firewalls for your instance to control inbound and outbound traffic. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could have a different set of security groups assigned to it.
+ *Service Level Agreements (SLAs)*: Part of AMS contracts with you that define the level of expected service.
+ SLA *Unavailable* and *Unavailability*:
  + An API request submitted by you that results in an error.
  + A Console request submitted by you that results in a 5xx HTTP response (the server is incapable of performing the request).
  + Any of the AWS service offerings that constitute stacks or resources in your AMS-managed infrastructure are in a state of "Service Disruption" as shown in the [Service Health Dashboard](https://status.aws.amazon.com/).
  + Unavailability resulting directly or indirectly from an AMS exclusion is not considered in determining eligibility for service credits. Services are considered available unless they meet the criteria for being unavailable.
+ *Service Level Objectives (SLOs)*: Part of AMS contracts with you that define specific service goals for AMS services.

**Patching terms**:
+ *Mandatory patches*: Critical security updates to address issues that could compromise the security state of your environment or account. A "Critical Security update" is a security update rated as "Critical" by the vendor of an AMS-supported operating system. 
+ *Patches announced versus released*: Patches are generally announced and released on a schedule. Emergent patches are announced when the need for the patch has been discovered and, usually soon after, the patch is released.
+ *Patch add-on*: Tag-based patching for AMS instances that leverages AWS Systems Manager (SSM) functionality so you can tag instances and have those instances patched using a baseline and a window that you configure.
+ *Patch methods*:
  + *In-place patching*: Patching that is done by changing existing instances.
  + *AMI replacement patching*: Patching that is done by changing the AMI reference parameter of an existing EC2 Auto Scaling group launch configuration.
+ *Patch provider* (OS vendors, third party): Patches are provided by the vendor or governing body of the application.
+ *Patch Types*:
  + *Critical Security Update (CSU)*: A security update rated as "Critical" by the vendor of a supported operating system.
  + *Important Update (IU)*: A security update rated as "Important" or a non-security update rated as "Critical" by the vendor of a supported operating system.
  + *Other Update (OU)*: An update by the vendor of a supported operating system that is not a CSU or an IU.
+ *Supported patches*: AMS supports operating system level patches. Upgrades are released by the vendor to fix security vulnerabilities or other bugs, or to improve performance. For a list of currently supported OSs, see [Supported Configurations](https://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sd.html#supported-configs).

**Security terms**:
+ *Detective Controls*: A library of AMS-created or enabled monitors that provide ongoing oversight of customer managed environments and workloads for configurations that do not align with security, operational, or customer controls, and take action by notifying owners, proactively modifying, or terminating resources.

**Service Request terms**:
+ *Service request*: A request by you for an action that you want AMS to take on your behalf.
+ *Alert notification*: A notice posted by AMS to your **Service requests** list page when an AMS alert is triggered. The contact configured for your account is also notified by the configured method (for example, email). If you have contact tags on your instances/resources, and have provided consent to your cloud service delivery manager (CSDM) for tag-based notifications, the contact information (key value) in the tag is also notified for automated AMS alerts.
+ *Service notification*: A notice from AMS that is posted to your **Service request** list page.

<a name="misc-terms"></a>**Miscellaneous terms**:
+ *AWS Managed Services Interface*: For AMS: The AWS Managed Services Advanced Console, AMS CM API, and Support API. For AMS Accelerate: The Support Console and Support API.
+ *Customer satisfaction (CSAT)*: AMS CSAT is informed with deep analytics including Case Correspondence Ratings on every case or correspondence when given, quarterly surveys, and so forth.
+ *DevOps*: DevOps is a development methodology that strongly advocates automation and monitoring at all steps. DevOps aims at shorter development cycles, increased deployment frequency, and more dependable releases by bringing together the traditionally-separate functions of development and operations over a foundation of automation. When developers can manage operations, and operations informs development, issues and problems are more quickly discovered and solved, and business objectives are more readily achieved.
+ *ITIL*: Information Technology Infrastructure Library (called ITIL) is an ITSM framework designed to standardize the lifecycle of IT services. ITIL is arranged in five stages that cover the IT service lifecycle: service strategy, service design, service transition, service operation, and continual service improvement.
+ *IT service management (ITSM)*: A set of practices that align IT services with the needs of your business.
+ *Managed Monitoring Services (MMS)*: AMS operates its own monitoring system, Managed Monitoring Service (MMS), that consumes AWS Health events and aggregates Amazon CloudWatch data, and data from other AWS services, notifying AMS operators (online 24x7) of any alarms created through an Amazon Simple Notification Service (Amazon SNS) topic.
+ *Namespace*: When you create IAM policies or work with Amazon Resource Names (ARNs), you identify an AWS service by using a namespace. You use namespaces when identifying actions and resources. 

# What is my operating model?
<a name="op-model-aog"></a>

As an AMS customer, your organization has decided to separate application and infrastructure operations and use AMS for infrastructure operations. AMS will work with your application design and development team along with your infrastructure design team to ensure that your infrastructure operations run smoothly. The following graphic illustrates this concept:

![\[Diagram showing service design and operation phases with roles for application and infrastructure layers.\]](http://docs.aws.amazon.com/managedservices/latest/appguide/images/Sent-design-ops.png)


AMS takes responsibility for your AWS infrastructure operations while your teams are responsible for your application operations. As the application and infrastructure design teams, you must understand who will be operating the application once it has been deployed to production in the AMS infrastructure. This guide covers common approaches to infrastructure design as it relates to application deployment and maintenance.