

# IAM user role in AMS
<a name="defaults-user-role"></a>

An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and can't do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Currently there is one AMS default user role, `Customer_ReadOnly_Role`, for standard AMS accounts, and an additional role, `customer_managed_ad_user_role`, for AMS accounts with Managed Active Directory.

The role policies grant CloudWatch and Amazon S3 log actions, AMS console access, and AMS change-type access; they restrict most other AWS services to read-only and limit access to the account's S3 console.

Additionally, `Customer_ReadOnly_Role` has mutative permissions for Amazon EC2 Reserved Instances (`ec2:PurchaseReservedInstancesOffering` and `ec2:ModifyReservedInstances`; see AMSReservedInstancesPolicy later on this page). Reserved Instances are a cost-saving option: if you know that you will need a certain number of EC2 instances for a long period, this role lets you call those APIs. Because a purchase is a financial commitment, treat it as a privileged action when deciding who may assume the role. To learn more, see [Amazon EC2 Reserved Instances](https://aws.amazon.com/ec2/pricing/reserved-instances/).

**Note**  
The AMS service level objective (SLO) for creating custom IAM policies for IAM users is four business days, unless an existing policy is going to be reused. If you want to modify the existing IAM user role, or add a new one, submit an [IAM: Update Entity](https://docs.aws.amazon.com/managedservices/latest/ctref/management-advanced-identity-and-access-management-iam-update-entity-or-policy-review-required.html) or [IAM: Create Entity](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-advanced-identity-and-access-management-iam-create-entity-or-policy.html) RFC, respectively.

If you're unfamiliar with Amazon IAM roles, see [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) for important information.

**Multi-Account Landing Zone (MALZ)**: To see the default (uncustomized) AMS multi-account landing zone user role policies, see [MALZ: Default IAM User Roles](#json-default-role-malz), next.

## MALZ: Default IAM User Roles
<a name="json-default-role-malz"></a>

JSON policy statements for the default AMS multi-account landing zone user roles.

**Note**  
The user roles are customizable and may differ on a per-account basis. Instructions on finding your role are provided.

These are examples of the default MALZ user roles. To confirm which policies your role actually carries, run the AWS CLI command [get-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) (which returns the role's trust policy and metadata) followed by `aws iam list-attached-role-policies` and `aws iam list-role-policies` for its permissions, or sign in to the [IAM console](https://console.aws.amazon.com/iam/) and choose **Roles** in the navigation pane.

### Core OU account roles
<a name="core-accounts"></a>

A core account is a MALZ-managed infrastructure account. AMS multi-account landing zone core accounts include a management account and a networking account.


**Core OU account: Common roles and policies**  
<a name="core-roles-common"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/defaults-user-role.html)


**Core OU account: Management account roles and policies**  
<a name="core-roles-mgmt"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/defaults-user-role.html)


**Core OU Account: Networking account roles and policies**  
<a name="core-roles-networking"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/defaults-user-role.html)

### Application Account Roles
<a name="app-accounts"></a>

Application account roles are applied to your application-specific accounts.


**Application account: Roles and policies**  
<a name="app-roles"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/defaults-user-role.html)

### Policy Examples
<a name="policy-examples"></a>

Examples are provided for most policies used. To view the ReadOnlyAccess policy (which is pages long as it provides read-only access to all AWS services), you can use this link, if you have an active AWS account: [ReadOnlyAccess](https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess$serviceLevelSummary). Also, a condensed version is included here.

#### AMSBillingPolicy
<a name="ABP"></a>

`AMSBillingPolicy`

The Billing role can be used by your accounting department to view and change billing information or account settings in the Management account: for example, to view alternate contacts, view account resource usage, keep track of billing, or modify payment methods. The role comprises the permissions listed on the [AWS Billing IAM actions page](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#example-billing-deny-modifyaccount). Note that AWS has since introduced fine-grained billing IAM actions that replace the `aws-portal:*` actions shown below; check that page for the current action names before copying this policy into a new role.

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-portal:ViewBilling",
                "aws-portal:ModifyBilling"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToBilling"
        },
        {
            "Action": [
                "aws-portal:ViewAccount",
                "aws-portal:ModifyAccount"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToAccountSettings"
        },
        {
            "Action": [
                "budgets:ViewBudget",
                "budgets:ModifyBudget"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToAccountBudget"
        },
        {
            "Action": [
                "aws-portal:ViewPaymentMethods",
                "aws-portal:ModifyPaymentMethods"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToPaymentMethods"
        },
        {
            "Action": [
                "aws-portal:ViewUsage"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToUsage"
        },
        {
            "Action": [
                "cur:DescribeReportDefinitions",
                "cur:PutReportDefinition",
                "cur:DeleteReportDefinition",
                "cur:ModifyReportDefinition"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToCostAndUsageReport"
        },
        {
            "Action": [
                "pricing:DescribeServices",
                "pricing:GetAttributeValues",
                "pricing:GetProducts"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToPricing"
        },
        {
            "Action": [
                "ce:*",
                "compute-optimizer:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToCostExplorerComputeOptimizer"
        },
        {
            "Action": [
                "purchase-orders:ViewPurchaseOrders",
                "purchase-orders:ModifyPurchaseOrders"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToPurchaseOrders"
        },
        {
            "Action": [
                "redshift:AcceptReservedNodeExchange",
                "redshift:PurchaseReservedNodeOffering"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToRedshiftAction"
        },
        {
            "Action": "savingsplans:*",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AWSSavingsPlansFullAccess"
        }
    ]
}
```

------

#### AMSChangeManagementReadOnlyPolicy
<a name="ROP"></a>

`AMSChangeManagementReadOnlyPolicy`

Permissions to see all AMS change types, and the history of requested change types.

#### AMSMasterAccountSpecificChangeManagementInfrastructurePolicy
<a name="MASCMIP"></a>

`AMSMasterAccountSpecificChangeManagementInfrastructurePolicy`

Permissions to request the Deployment | Managed landing zone | Management account | Create application account (with VPC) change type.

#### AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy
<a name="NASCMIP"></a>

`AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy`

Permissions to request the Deployment | Managed landing zone | Networking account | Create application route table change type.

#### AMSChangeManagementInfrastructurePolicy
<a name="INP"></a>

`AMSChangeManagementInfrastructurePolicy` (for Management | Other | Other CTs)

Permissions to request the Management | Other | Other | Create and Management | Other | Other | Update change types.

#### AMSSecretsManagerSharedPolicy
<a name="SMS"></a>

`AMSSecretsManagerSharedPolicy`

Permissions to view secret passwords and hashes that AMS shares with you through AWS Secrets Manager (for example, passwords to infrastructure for auditing), and to create secret passwords and hashes to share with AMS (for example, license keys for products that need to be deployed).

The two Deny statements define the direction of sharing. On `ams-shared/*`, the NotAction Deny blocks everything except the Describe, Get and List actions, so that namespace is read-only for you. On `customer-shared/*`, you can create, update, describe and delete secrets, but `secretsmanager:GetSecretValue` is explicitly denied, so you cannot read back the values you hand to AMS; an explicit Deny takes precedence over the `secretsmanager:*` Allow.

------
#### [ JSON ]

```json
{
	"Version": "2012-10-17",
	"Statement": [{
			"Sid": "AllowAccessToSharedNameSpaces",
			"Effect": "Allow",
			"Action": "secretsmanager:*",
			"Resource": [
				"arn:aws:secretsmanager:*:*:secret:ams-shared/*",
				"arn:aws:secretsmanager:*:*:secret:customer-shared/*"
			]
		},
		{
			"Sid": "DenyGetSecretOnCustomerNamespace",
			"Effect": "Deny",
			"Action": "secretsmanager:GetSecretValue",
			"Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
		},
		{
			"Sid": "AllowReadAccessToAMSNameSpace",
			"Effect": "Deny",
			"NotAction": [
				"secretsmanager:Describe*",
				"secretsmanager:Get*",
				"secretsmanager:List*"
			],
			"Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
		}
	]
}
```

------

#### AMSChangeManagementPolicy
<a name="CMP"></a>

`AMSChangeManagementPolicy`

Permissions to request and view all AMS change types, and the history of requested change types.

#### AMSReservedInstancesPolicy
<a name="RIP"></a>

`AMSReservedInstancesPolicy`

Permissions to manage Amazon EC2 reserved instances; for pricing information, see [Amazon EC2 Reserved Instances](https://aws.amazon.com/ec2/pricing/reserved-instances/).

------
#### [ JSON ]

```json
{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "AllowReservedInstancesManagement",
		"Effect": "Allow",
		"Action": [
			"ec2:ModifyReservedInstances",
			"ec2:PurchaseReservedInstancesOffering"
		],
		"Resource": [
			"*"
		]
	}]
}
```

------

#### AMSS3Policy
<a name="S3P"></a>

`AMSS3Policy`

Permissions to create and delete objects in existing Amazon S3 buckets. The `Resource` is `*`, so this statement on its own reaches every bucket in the account; its scope is narrowed only by explicit Deny statements in other policies attached to the same role and by bucket policies.

**Note**  
These permissions do not grant the ability to create S3 buckets; that must be done with the Deployment | Advanced stack components | S3 storage | Create change type.

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "Resource": "*"
        }
    ]
}
```

------

#### AWSSupportAccess
<a name="SAP"></a>

`AWSSupportAccess`

Full access to AWS Support. For information, see [Getting Started with AWS Support](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html). For AWS Premium Support information, see [AWS Support](https://aws.amazon.com/premiumsupport/).

------
#### [ JSON ]

```json
{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"support:*"
		],
		"Resource": "*"
	}]
}
```

------

#### AWSMarketplaceManageSubscriptions
<a name="MMS"></a>

`AWSMarketplaceManageSubscriptions` (public AWS managed policy)

Permissions to subscribe, unsubscribe, and view AWS Marketplace subscriptions.

------
#### [ JSON ]

```json
{
	"Version": "2012-10-17",
	"Statement": [{
		"Action": [
			"aws-marketplace:ViewSubscriptions",
			"aws-marketplace:Subscribe",
			"aws-marketplace:Unsubscribe"
		],
		"Effect": "Allow",
		"Resource": "*"
	}]
}
```

------

#### AWSCertificateManagerFullAccess
<a name="CMFA"></a>

`AWSCertificateManagerFullAccess`

Full access to AWS Certificate Manager. For more information, see [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/).

This is a public AWS managed policy; for details, see [AWS managed policies for ACM](https://docs.aws.amazon.com/acm/latest/userguide/authen-awsmanagedpolicies.html#acm-full-access-managed-policy).

------
#### [ JSON ]

```json
{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"acm:*"
		],
		"Resource": "*"
	}]
}
```

------

#### AWSWAFFullAccess
<a name="WAF"></a>

`AWSWAFFullAccess`

Full access to AWS WAF. For more information, see [AWS WAF - Web Application Firewall](https://aws.amazon.com/waf/).

This is a public AWS managed policy that grants full access to AWS WAF resources; for details, see [AWS WAF identity-based policies](https://docs.aws.amazon.com/waf/latest/developerguide/access-control-identity-based.html). Note that the JSON shown below covers the `waf` and `waf-regional` namespaces (AWS WAF Classic); if you use the current AWS WAF API, check the current managed policy for `wafv2` permissions.

------
#### [ JSON ]

```json
{
	"Version": "2012-10-17",
	"Statement": [{
		"Action": [
			"waf:*",
			"waf-regional:*",
			"elasticloadbalancing:SetWebACL"
		],
		"Effect": "Allow",
		"Resource": "*"
	}]
}
```

------

#### ReadOnlyAccess
<a name="ROA"></a>

`ReadOnlyAccess`

Read-only access to all AWS services and resources in the AWS Management Console and APIs. `ReadOnlyAccess` is an AWS managed policy: when AWS launches a new service, AWS updates the policy to add read-only permissions for that service, and the updated permissions apply to all principal entities that the policy is attached to. Note that "read" here includes reading data, not only configuration (for example, `s3:Get*` can fetch object contents); the explicit Deny statements in the AMS roles are what keep AMS-internal namespaces such as `mc-*` out of reach.

This doesn't grant the ability to log into EC2 hosts or database hosts.

If you have an active AWS account, then you can use this link [ReadOnlyAccess](https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess$serviceLevelSummary) to view the entire ReadOnlyAccess policy. The whole ReadOnlyAccess policy is very long as it provides read-only access to all AWS services. The following is a partial excerpt of the ReadOnlyAccess policy.

**Single-Account Landing Zone (SALZ)**: To see the AMS single-account landing zone default, uncustomized, user role policies, see [SALZ: Default IAM User Role](#json-default-role), next.

## SALZ: Default IAM User Role
<a name="json-default-role"></a>

JSON policy statements for the default AMS single-account landing zone user role.

**Note**  
The SALZ default user role is customizable and might differ on a per-account basis. Instructions on finding your role are provided.

The following is an example of the default SALZ user role. To confirm which policies are attached to your role, run the [get-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) command (it returns the role's trust policy and metadata), then `aws iam list-attached-role-policies --role-name Customer_ReadOnly_Role` and `aws iam list-role-policies --role-name Customer_ReadOnly_Role` to list its managed and inline policies. Or, sign in to the AWS Identity and Access Management console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/), and then choose **Roles**.

The customer read-only role is a combination of multiple policies: the Managed Services Audit Policy, the Managed Services IAM ReadOnly Policy, and the Managed Services User Policy. A breakdown of the role (JSON) follows.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCustomerToListTheLogBucketLogs",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "aws/*",
            "app/*",
            "encrypted",
            "encrypted/",
            "encrypted/app/*"
          ]
        }
      }
    },
    {
      "Sid": "BasicAccessRequiredByS3Console",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowCustomerToGetLogs",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/aws/*",
        "arn:aws:s3:::mc-a*-logs-*/encrypted/app/*"
      ]
    },
    {
      "Sid": "AllowAccessToOtherObjects",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject*",
        "s3:Get*",
        "s3:List*",
        "s3:PutObject*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowCustomerToListTheLogBucketRoot",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowCustomerCWLConsole",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*"
      ]
    },
    {
      "Sid": "AllowCustomerCWLAccessLogs",
      "Effect": "Allow",
      "Action": [
        "logs:FilterLogEvents",
        "logs:GetLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/*",
        "arn:aws:logs:*:*:log-group:/infra/*",
        "arn:aws:logs:*:*:log-group:/app/*",
        "arn:aws:logs:*:*:log-group:RDSOSMetrics:*:*"
      ]
    },
    {
      "Sid": "AWSManagedServicesFullAccess",
      "Effect": "Allow",
      "Action": [
        "amscm:*",
        "amsskms:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ModifyAWSBillingPortal",
      "Effect": "Allow",
      "Action": [
        "aws-portal:Modify*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DenyDeleteCWL",
      "Effect": "Deny",
      "Action": [
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*"
      ]
    },
    {
      "Sid": "DenyMCCWL",
      "Effect": "Deny",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/mc/*"
      ]
    },
    {
      "Sid": "DenyS3MCNamespace",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/encrypted/mc/*",
        "arn:aws:s3:::mc-a*-logs-*/mc/*",
        "arn:aws:s3:::mc-a*-logs-*-audit/*",
        "arn:aws:s3:::mc-a*-internal-*/*",
        "arn:aws:s3:::mc-a*-internal-*"
      ]
    },
    {
      "Sid": "ExplicitDenyS3CfnBucket",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::cf-templates-*"
      ]
    },
    {
      "Sid": "DenyListBucketS3LogsMC",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "auditlog/*",
            "encrypted/mc/*",
            "mc/*"
          ]
        }
      }
    },
    {
      "Sid": "DenyS3LogsDelete",
      "Effect": "Deny",
      "Action": [
        "s3:Delete*",
        "s3:Put*"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/*"
      ]
    },
    {
      "Sid": "DenyAccessToKmsKeysStartingWithMC",
      "Effect": "Deny",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "arn:aws:kms::*:key/mc-*",
        "arn:aws:kms::*:alias/mc-*"
      ]
    },
    {
      "Sid": "DenyListingOfStacksStartingWithMC",
      "Effect": "Deny",
      "Action": [
        "cloudformation:*"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/mc-*"
      ]
    },
    {
      "Sid": "AllowCreateCWMetricsAndManageDashboards",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowCreateandDeleteCWDashboards",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DeleteDashboards",
        "cloudwatch:PutDashboard"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

Customer Secrets Manager Shared Policy (the same namespace rules as the MALZ `AMSSecretsManagerSharedPolicy` above, plus `secretsmanager:ListSecrets` on all resources, which that API needs because it does not take a resource ARN)

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSecretsManagerListSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    },
    {
      "Sid": "AllowCustomerAdminAccessToSharedNameSpaces",
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:ams-shared/*",
        "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
      ]
    },
   {
      "Sid": "DenyCustomerGetSecretCustomerNamespace",
      "Effect": "Deny",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
    },  
    {
      "Sid": "AllowCustomerReadOnlyAccessToAMSNameSpace",
      "Effect": "Deny",
      "NotAction": [
        "secretsmanager:Describe*",
        "secretsmanager:Get*",
        "secretsmanager:List*"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
    }
  ]
}
```

------
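The Deny statements in the policy above are the easy ones to misread: `AllowCustomerReadOnlyAccessToAMSNameSpace` is an Effect Deny with a NotAction, so it denies everything except the Describe, Get and List family on `ams-shared/*`, and the `s3:prefix` conditions on `s3:ListBucket` in the SALZ role JSON further up decide which folders of the `mc-a*-logs-*` bucket you can browse. The following is an added example, not AMS or AWS code: a minimal offline evaluator for the subset of IAM policy semantics these policies use (Action/NotAction, Resource wildcards, StringEquals/StringLike conditions, explicit-deny precedence), applied to the Customer Secrets Manager Shared Policy and to the log-bucket statements of the SALZ role. The account ID, bucket name, secret names and object keys are constructed sample values.

```python
"""Minimal offline evaluator for the IAM policy shapes used on this page.
Added example, not AMS or AWS code. It models only what these policies rely on:
Action/NotAction, Resource wildcards, StringEquals/StringLike conditions and
explicit-deny precedence. All ARNs, names and keys below are constructed."""
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return fnmatch.fnmatchcase(value, pattern)

def _action_applies(stmt, action):
    action = action.lower()  # action names are matched case-insensitively
    if "Action" in stmt:
        return any(_matches(p.lower(), action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action that is NOT listed.
    return not any(_matches(p.lower(), action) for p in _as_list(stmt["NotAction"]))

def _condition_holds(stmt, context):
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:  # a missing context key fails the condition
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringLike":
                ok = any(_matches(p, actual) for p in _as_list(expected))
            else:
                raise ValueError("unsupported condition operator: " + operator)
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    verdict = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _action_applies(stmt, action):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt, context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins over any Allow
        verdict = "Allow"
    return verdict

SM = "arn:aws:secretsmanager:*:*:secret:"
# The SALZ Customer Secrets Manager Shared Policy from this page ("Version" omitted).
SECRETS_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*"},
    {"Effect": "Allow", "Action": "secretsmanager:*",
     "Resource": [SM + "ams-shared/*", SM + "customer-shared/*"]},
    {"Effect": "Deny", "Action": "secretsmanager:GetSecretValue",
     "Resource": SM + "customer-shared/*"},
    {"Effect": "Deny", "Resource": SM + "ams-shared/*",
     "NotAction": ["secretsmanager:Describe*", "secretsmanager:Get*", "secretsmanager:List*"]}]}

LB = "arn:aws:s3:::mc-a*-logs-*"
# Log-bucket statements of the SALZ Customer_ReadOnly_Role (subset, original order).
LOG_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": LB, "Condition": {"StringLike":
     {"s3:prefix": ["aws/*", "app/*", "encrypted", "encrypted/", "encrypted/app/*"]}}},
    {"Effect": "Allow", "Action": "s3:GetObject*",
     "Resource": [LB + "/aws/*", LB + "/encrypted/app/*"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:DeleteObject*", "s3:Get*", "s3:List*", "s3:PutObject*"]},
    {"Effect": "Deny", "Action": "s3:*", "Resource": [LB + "/encrypted/mc/*", LB + "/mc/*"]},
    {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": LB, "Condition": {"StringLike":
     {"s3:prefix": ["auditlog/*", "encrypted/mc/*", "mc/*"]}}},
    {"Effect": "Deny", "Action": ["s3:Delete*", "s3:Put*"], "Resource": LB + "/*"}]}

def shared_secrets_matrix():
    """What the role may do in each Secrets Manager namespace (constructed ARNs)."""
    ams = "arn:aws:secretsmanager:us-east-1:111122223333:secret:ams-shared/db-audit-AbCdEf"
    cust = "arn:aws:secretsmanager:us-east-1:111122223333:secret:customer-shared/lic-AbCdEf"
    return {
        "read ams-shared value": evaluate(SECRETS_POLICY, "secretsmanager:GetSecretValue", ams),
        "overwrite ams-shared": evaluate(SECRETS_POLICY, "secretsmanager:PutSecretValue", ams),
        "create customer-shared": evaluate(SECRETS_POLICY, "secretsmanager:CreateSecret", cust),
        "read customer-shared value": evaluate(SECRETS_POLICY, "secretsmanager:GetSecretValue", cust),
    }

def log_bucket_matrix():
    """What the role may do in the AMS log bucket (constructed bucket and keys)."""
    b = "arn:aws:s3:::mc-a123456789012-logs-us-east-1"
    return {
        "list app/ prefix": evaluate(LOG_BUCKET_POLICY, "s3:ListBucket", b, {"s3:prefix": "app/web/"}),
        "list mc/ prefix": evaluate(LOG_BUCKET_POLICY, "s3:ListBucket", b, {"s3:prefix": "mc/"}),
        "get aws log": evaluate(LOG_BUCKET_POLICY, "s3:GetObject", b + "/aws/cloudtrail/x.json.gz"),
        "get mc log": evaluate(LOG_BUCKET_POLICY, "s3:GetObject", b + "/mc/x.log"),
        "delete app log": evaluate(LOG_BUCKET_POLICY, "s3:DeleteObject", b + "/encrypted/app/x.log"),
        "put to own bucket": evaluate(LOG_BUCKET_POLICY, "s3:PutObject", "arn:aws:s3:::my-app-bucket/r.csv"),
    }
```

Real IAM evaluation also takes into account every other policy attached to the role (`ReadOnlyAccess` among them), permissions boundaries, service control policies and resource policies, so use this evaluator to understand what a single statement does, and run `aws iam simulate-principal-policy` against the real role when you need a definitive answer.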

Customer Marketplace Subscribe Policy

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMarketPlaceSubscriptions",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:Subscribe"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

------