

# Service description
<a name="ams-sd"></a>

AMS Advanced (AMS) is an operation plan of the AWS Managed Services service for managing the operations of your AWS infrastructure. AMS Advanced provides routine infrastructure operations such as patching, continuity management, and security management, and IT management processes such as incident, change, and service request management. For a list of supported services, see [Supported AWS services](supported-services.md).

**YouTube Video**: [How can AMS help me achieve operational excellence in the cloud?](https://youtu.be/wpfPthp3tw8)

**Topics**
+ [AWS Managed Services (AMS) AMS Advanced operation plan features](features.md)
+ [What we do, what we do not do](ams-do-not-do.md)
+ [AMS responsibility matrix (RACI)](raci-table.md)
+ [AMS environment basic components](basic-components.md)
+ [AMS account limits](account-limits.md)
+ [AMS service level objectives (SLOs)](apx-slo.md)
+ [Supported AWS services](supported-services.md)
+ [Supported configurations](supported-configs.md)
+ [Capabilities for unsupported operating systems in AMS](ams-unsupported-os.md)
+ [AMS Advanced interfaces](ams-interfaces.md)
+ [AMS VPC endpoints](ams-endpoints.md)
+ [AMS protected namespaces](apx-namespaces.md)
+ [AMS reserved prefixes](ams-reserved-prefixes-2.md)
+ [AMS maintenance window](maintenance-win.md)

# AWS Managed Services (AMS) AMS Advanced operation plan features
<a name="features"></a>

AMS Advanced offers the following features for supported AWS services:
+ **Logging, Monitoring, Guardrails, and Event Management**:

  AMS configures and monitors your managed environment for logging activity and defines alerts based on a variety of health checks. AMS investigates alerts for applicable AWS services, and those that negatively impact your use of those services result in the creation of incidents. AMS aggregates all logs generated by its operations, including CloudWatch logs, CloudTrail logs, and system logs, and stores them in Amazon S3. You can ask for additional alerts to be put in place. In addition to its preventative controls, AMS deploys configuration guardrails and detective controls that provide ongoing protection from misconfigurations that could reduce the operational and security integrity of the managed accounts, and that enforce your own controls such as tagging and compliance. When a violation of a monitored control is detected, an alarm is generated that results in notification, modification, or termination of the affected resources, according to predefined AMS defaults that you can modify.
+ **Continuity management** (Backup and Restore):

  AMS provides backups of resources using standard AWS Backup functionality on a schedule you determine. AMS performs restores from specific snapshots when you submit an RFC. Backing up data changes that occur between snapshot intervals is your responsibility. You can submit an RFC for backup or snapshot requests outside the scheduled intervals. If an Availability Zone (AZ) in an AWS Region becomes unavailable, AMS, with your permission, restores the managed environment by creating new stacks from the templates and the available EBS snapshots of the impacted stacks.
+ **Security and access management**:

  AMS provides endpoint security (EPS), such as configuring anti-virus and anti-malware protection. You can also use your own EPS tool and processes instead of AMS EPS through a feature called bring your own EPS (BYOEPS). AMS also configures default AWS security capabilities that you approve during onboarding, such as AWS Identity and Access Management (IAM) roles and Amazon EC2 security groups, and uses standard AWS tools (for example, AWS Security Hub CSPM, Amazon Macie, and Amazon GuardDuty) to monitor and respond to security issues. You manage your users through an approved directory service that you provide. For a list of approved directory services, see [Supported configurations](supported-configs.md).

  EPS covers antivirus (AV) and anti-malware protection and malware and intrusion detection, delivered through Trend Micro Deep Security (see [Supported configurations](supported-configs.md)). Security groups are defined per stack template and are adjusted at launch according to the visibility of the application (public or private).

  Access to systems is requested through change management requests for change (RFCs). Access management grants access to distinct resources, such as Amazon EC2 instances, the AWS Management Console, and APIs. After you establish a one-way trust with the AMS Microsoft Active Directory deployment during onboarding and federate to AWS, you can use your existing corporate credentials for all interactions.
+ **Patch management**:

  AMS applies and installs updates to EC2 instances for supported operating systems (OSs) and software pre-installed with supported operating systems. For a list of supported operating systems, see [Supported configurations](supported-configs.md).

  AMS offers two models for patching:
  + AMS standard patch for traditional account-based patching, and 
  + AMS Patch Orchestrator, for tag-based patching.

  In AMS standard patch, a monthly maintenance window is chosen by you for AMS to perform most patching activities. AMS applies *critical security updates* outside of the selected maintenance window (with appropriate notifications) and *important updates* during the selected maintenance window. AMS additionally applies updates to infrastructure management tools during the selected maintenance window. You can exclude stacks from patch management or reject updates, if you want.

  With AMS Patch Orchestrator, you define a default maintenance window per account in which AMS performs patching activities. You can schedule additional custom maintenance windows for AMS to patch a specific set of instances that you select with tags. AMS applies all available updates, but you can filter or reject updates by creating a custom patch baseline. In both models, if you approve or reject an update offered under patch management and later change your mind, you are responsible for initiating the update through an RFC. AMS tracks the patch status of resources and highlights systems that aren't current in the monthly business review. Patch management is limited to stacks in the managed environment, including all AMS managed applications and supported AWS services with patching capabilities (for example, RDS). To support all types of infrastructure configurations when an update is released, AMS a) updates the EC2 instance and b) provides an updated AMS AMI for you to use. It is your responsibility to install, configure, patch, and monitor any additional applications not specifically covered above.
+ **Change management**:

  AMS change management is the mechanism by which you control changes in your managed environment. AMS uses a combination of preventative and detective controls to facilitate this process, and provides different levels of control, with correspondingly different risk, depending on the AMS mode you select.

  All actions in your AMS environment are logged in AWS CloudTrail.

  For more information about AMS Change Management and different modes, see [AMS Change Management guide](https://docs.aws.amazon.com/managedservices/latest/ctref/index.html) and [AMS Modes](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-modes-ug.html).
+ **Automated and self-service provisioning management**:

  You can provision AWS resources on AMS Advanced in several ways:
  + Submit provisioning and configuration Requests for Change (RFCs)
  + Deploy through AWS Service Catalog 
  + Deploy through [Direct Change mode](https://docs.aws.amazon.com/managedservices/latest/userguide/direct-change-mode.html) 
  + Deploy through [Developer mode](https://docs.aws.amazon.com/managedservices/latest/userguide/developer-mode.html). Remember that the resources created through the Developer mode are not managed by AMS.
  + Configure AWS services directly using self-service provisioning for select AWS services (see [Supported AWS services](supported-services.md)).
+ **Incident management**:

  AMS proactively notifies you of incidents detected by AMS. AMS responds to both customer-submitted and AMS-generated incidents and resolves incidents based on the incident priority. Unless you instruct otherwise, incidents that AMS determines to be a risk to the security of your managed environment, and incidents relating to the availability of AMS and other AWS services, are actioned proactively. AMS takes action on all other incidents after receiving your authorization. Recurring incidents are addressed by the problem management process.
+ **Problem management**:

  AMS performs trend analysis to identify and investigate problems and to identify the root cause. Problems are remediated either with a workaround or a permanent solution that prevents recurrence of similar future service impact. A post incident report (PIR) may be requested for any "High" incident, upon resolution. The PIR captures the root cause and preventative actions taken, including implementation of preventative measures.
+ **Reporting**:

  AMS provides you with a monthly service report that summarizes key performance metrics of AMS, including an executive summary and insights, operational metrics, managed resources, AMS service level agreement (SLA) adherence, and financial metrics around spending, savings, and cost optimization. Reports are delivered by the AMS cloud service delivery manager (CSDM) assigned to you.
+ **Service request management**:

  To request information about your managed environment, AMS, or AWS service offerings, submit service requests using the AMS console. You can submit a service request for "How to" questions about AWS services and features or to request additional AMS services.
+ **Service Desk**:

  AMS staffs engineering operations with full-time Amazon employees to fulfill non-automated requests, including incident management, service request management, and change management. The Service Desk operates 24x7, 365 days a year.
+ **Designated resources**:

  Each customer is assigned a Cloud Service Delivery Manager (CSDM) and a Cloud Architect (CA).
  + CSDMs can be contacted directly. They perform service reviews, and delivery reporting and insights through all phases of the implementation, migration and operational life cycle. CSDMs conduct monthly business reviews and detail items such as financial spend, cost-saving recommendations, service utilization, and risk reporting. They dive deep into operational performance statistics and provide recommendations of areas of improvements.
  + CAs can be contacted directly and provide technical expertise to help you optimize your use of the AWS cloud. Example CA activities include selecting workloads for migration, assisting with onboarding additional accounts and workloads, acting as the technical lead in operational activities such as game days, disaster recovery testing, and problem management, and giving technical advice to get the most out of AMS and AWS. CAs drive technical discussions at all levels of your organization and assist with incident management, making trade-offs, establishing best practices, and technical risk mitigation.
+ **Developer mode**:

  This feature enables you to iterate infrastructure designs and deployments quickly within AMS-configured accounts by allowing direct access to AWS service APIs and the AWS console in addition to the AMS change management process. Resources provisioned or configured with developer mode permissions outside of the change management process are your responsibility to manage (see "Automated and self-service provisioning management"). Resources provisioned through the AMS change management process are supported like other change management-provisioned workloads on AMS.
+ **AWS support**:

  AMS customers can choose the level of AWS Support they require to complement their AMS Operations plan. Accounts enrolled in AMS can be subscribed to either Business Support or Enterprise Support. To learn about the differences in Support Plans, see [AWS Support Plans](https://aws.amazon.com/premiumsupport/plans/).
+ **Customer-managed account**:

  This feature enables you to request AWS accounts within the same managed environment, but the ongoing operations of workloads and AWS resources within those accounts are your responsibility. AMS provisions customer-managed accounts, but once the accounts are created, no other AMS features or services are provided to them. AWS does not enroll customer-managed accounts in enterprise-level premium support; it is your responsibility to enroll customer-managed accounts in AWS Support at the level you choose.
+ **Firewall management**:

  AMS provides an optional managed firewall solution for supported firewall services (see [Supported configurations](supported-configs.md)), which enables filtering of internet-bound egress traffic for networks in your managed environment. This excludes public-facing services that do not use the AWS network infrastructure and whose traffic goes directly to the internet. The solution combines industry-leading firewall technology with AMS infrastructure management capabilities to deploy, monitor, manage, scale, and restore the firewall infrastructure.
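
The patch management item above says AMS tracks patch status and highlights systems that aren't current. A report that does the same from patch state data, as an added example (not AMS code): it assumes that AMS Patch Orchestrator records its results in AWS Systems Manager Patch Manager, so that `ssm:DescribeInstancePatchStates` describes the outcome of each maintenance window, and that the `Patch Group` tag Systems Manager uses is how the tag-based window selection shows up there. The records are constructed in that API's shape, not taken from a real account.

```python
"""Report EC2 instances that are not current on patches.

Added example, not AMS code. It assumes that AMS Patch Orchestrator records
its results in AWS Systems Manager Patch Manager, so that
ssm:DescribeInstancePatchStates describes the outcome of each maintenance
window; SAMPLE_STATES is constructed in that API's shape, not real data.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed report date


def _state(instance_id, group, days_ago, operation="Install", **counts):
    """Build one constructed record with the counters DescribeInstancePatchStates returns."""
    rec = {"InstanceId": instance_id, "PatchGroup": group, "Operation": operation,
           "OperationEndTime": NOW - timedelta(days=days_ago),
           "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0,
           "CriticalNonCompliantCount": 0, "SecurityNonCompliantCount": 0}
    rec.update(counts)
    return rec


SAMPLE_STATES = [  # constructed sample, one record per instance
    _state("i-0aaa", "prod-web", 3),
    _state("i-0bbb", "prod-web", 3, MissingCount=4, CriticalNonCompliantCount=1,
           SecurityNonCompliantCount=3),
    _state("i-0ccc", "prod-db", 10, FailedCount=2),
    _state("i-0ddd", "prod-db", 1, InstalledPendingRebootCount=5),
    _state("i-0eee", "dev", 50, operation="Scan"),
]


def classify(state, now=NOW, max_age_days=35):
    """Return the findings for one instance; an empty list means it is current."""
    findings = []
    age = now - state["OperationEndTime"]
    if age > timedelta(days=max_age_days):      # no patch run since the last window
        findings.append(f"stale: last {state['Operation']} {age.days} days ago")
    if state["FailedCount"]:
        findings.append(f"failed: {state['FailedCount']} patches failed to install")
    if state["CriticalNonCompliantCount"]:
        findings.append(f"critical: {state['CriticalNonCompliantCount']} critical patches missing")
    if state["MissingCount"]:
        findings.append(f"missing: {state['MissingCount']} approved patches not installed")
    if state["InstalledPendingRebootCount"]:
        findings.append(f"reboot: {state['InstalledPendingRebootCount']} patches waiting for a reboot")
    return findings


def patch_report(states, now=NOW, max_age_days=35):
    """Group instances by patch group, splitting current from non-current."""
    report = {}
    for state in states:
        group = report.setdefault(state["PatchGroup"], {"current": [], "non_current": {}})
        findings = classify(state, now, max_age_days)
        if findings:
            group["non_current"][state["InstanceId"]] = findings
        else:
            group["current"].append(state["InstanceId"])
    return report


def non_current_ids(report):
    """Flat, sorted list of every instance with at least one finding."""
    return sorted(i for g in report.values() for i in g["non_current"])


if __name__ == "__main__":
    for group, data in patch_report(SAMPLE_STATES).items():
        print(f"{group}: {len(data['current'])} current, {len(data['non_current'])} not")
        for instance, findings in data["non_current"].items():
            print(f"  {instance}: " + "; ".join(findings))
```

Against a real account, replace `SAMPLE_STATES` with the records from a `describe_instance_patch_states` paginator; the counter names are the API's own. The 35-day staleness threshold assumes one monthly window plus a few days of slack, and a reboot-pending count is reported separately because those patches are installed but not yet effective.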

When you onboard AMS, you receive a complete list of your AMS network infrastructure. To get an updated list of services running in support of your AMS infrastructure at any time, file a service request with specifics about the information you want. To request a change to your network design, create a service request describing the changes you want to make—for example, adding a VPC or requesting a security group rule change.

# What we do, what we do not do
<a name="ams-do-not-do"></a>

AMS gives you a standardized approach to deploying AWS infrastructure and provides the necessary ongoing operational management. For a full description of roles, responsibilities, and supported services, see [Service Description](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-sd.html).

**Note**  
To request that AMS provide an additional AWS service, file a service request. For more information, see [Making Service Requests](https://docs.aws.amazon.com/managedservices/latest/userguide/mk-service-requests.html).
+ **What we do**:

  After you complete onboarding, the AMS environment is available to receive requests for change (RFCs), incidents, and service requests. Your interaction with the AMS service revolves around the lifecycle of an application stack. New stacks are ordered from a preconfigured list of templates, launched into specific virtual private cloud (VPC) subnets, modified during their operational life through requests for change (RFCs), and monitored for events and incidents 24/7. 

  Active application stacks are monitored and maintained by AMS, including patching, and require no further action for the life of the stack unless a change is required or the stack is decommissioned. Incidents detected by AMS that affect the health and function of the stack generate a notification and may or may not need your action to resolve or verify. How-to questions and other inquiries can be made by submitting a service request.

  Additionally, AMS allows you to enable compatible AWS services that are not managed by AMS. For information about AWS-AMS compatible services, see [Self-service provisioning mode](https://docs.aws.amazon.com/managedservices/latest/userguide/setting-up-compatible.html).

   
+ **What we DON'T do**:

  While AMS simplifies application deployment by providing a number of manual and automated options, you're responsible for the development, testing, updating, and management of your application. AMS provides troubleshooting assistance for infrastructure issues that impact applications, but AMS can't access or validate your application configurations.

# AMS responsibility matrix (RACI)
<a name="raci-table"></a>

**Note**  
In order to fulfill its obligations in a timely manner, AWS Managed Services (AMS) may require inputs from you for deciding an appropriate course of action. AMS will contact the designated customer contact for all such clarifications and inputs. AMS will expect a response to such queries within 24 business hours. In case there is no reply within 24 business hours, AMS may choose an action on your behalf.

The AMS responsible, accountable, consulted, and informed (RACI) matrix assigns primary responsibility for a variety of activities to either the customer or AMS.

AMS manages your AWS infrastructure. The following table provides an overview of the responsibilities of customer and AMS for activities in the lifecycle of an application running within an AMS managed environment.

AMS is not responsible for any of the following activities for Customer Managed accounts or the infrastructure running within them; therefore this RACI is not applicable.
+ **R** stands for responsible party that does the work to achieve the task.
+ **C** stands for consulted; a party whose opinions are sought, typically as subject matter experts; and with whom there is bilateral communication.
+ **I** stands for informed; a party which is informed on progress, often only on completion of the task or deliverable.
+ **Self-service Provisioning** refers to resources that you provision yourself through the AWS API or Console, including Developer Mode and Self-Service Provisioned Services.

**Note**  
Some sections contain 'R' for both AMS and Customers. This is because, in the AWS Shared Responsibility model, AMS and the customer take joint ownership of responding to infrastructure and application issues.

To provide self-service provisioning capabilities, AMS has created elevated IAM roles with permissions boundaries that limit unintended changes made through direct AWS service access. These roles do not prevent all changes, and you remain responsible for adhering to your internal controls and compliance requirements and for validating that all AWS services you use meet the required certifications. We call this the Self-Service Provisioning mode. For details on AWS compliance requirements, see [AWS Compliance](https://aws.amazon.com/compliance/).

For resources that you provision through self-service, AMS provides incident management, detective controls and guardrails, reporting, designated resources (Cloud Service Delivery Manager and Cloud Architect), security and access management, and technical support through service requests. Where applicable, you assume responsibility for continuity management, patch management, infrastructure monitoring, and change management for resources provisioned or configured outside of the AMS change management system.
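
The change management item in the features list notes that every action in the environment is logged in AWS CloudTrail, and the paragraph above says permissions boundaries limit, but do not prevent, changes made through direct access. A check that ties the two together, as an added example (not AMS code): CloudTrail marks each record with `readOnly`, so write calls can be separated from reads without maintaining an API-name list, and a write that carries an `errorCode` was attempted but blocked, which is how a permissions boundary shows up in the log. The role name in `MANAGED_ROLE_NAMES` is a hypothetical placeholder for whatever role performs approved RFC work in your environment (AMS does not name it on this page), and the records are constructed in CloudTrail's log-file shape, not real log data.

```python
"""Find write API calls made outside the change management roles.

Added example, not AMS code. CloudTrail marks every record with readOnly, so
writes are separated from reads without an API-name list; a write with an
errorCode was attempted but blocked, which is how a permissions boundary shows
up in the log. MANAGED_ROLE_NAMES is a hypothetical placeholder (AMS does not
name its RFC-executing roles here), and the records below are constructed.
"""
import json

MANAGED_ROLE_NAMES = {"example-change-management-role"}   # hypothetical name


def _record(when, source, name, read_only, role=None, error=None):
    """Constructed CloudTrail record; role=None means an AWS service acted."""
    if role is None:
        identity = {"type": "AWSService", "invokedBy": source}
    else:
        identity = {"type": "AssumedRole",
                    "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/session",
                    "sessionContext": {"sessionIssuer": {"userName": role}}}
    rec = {"eventTime": when, "eventSource": source, "eventName": name,
           "readOnly": read_only, "userIdentity": identity}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_TRAIL = json.dumps({"Records": [   # constructed, CloudTrail log-file shape
    _record("2024-06-01T10:00:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
            False, role="example-change-management-role"),
    _record("2024-06-01T10:05:00Z", "ec2.amazonaws.com", "DescribeInstances",
            True, role="example-developer-role"),
    _record("2024-06-01T10:06:00Z", "ec2.amazonaws.com", "ModifyInstanceAttribute",
            False, role="example-developer-role"),
    _record("2024-06-01T10:07:00Z", "iam.amazonaws.com", "PutRolePolicy",
            False, role="example-developer-role", error="AccessDenied"),
    _record("2024-06-01T10:08:00Z", "autoscaling.amazonaws.com",
            "TerminateInstanceInAutoScalingGroup", False),
]})


def principal_of(identity):
    """Name the acting principal: the issuing role for a session, else the ARN."""
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["userName"]
    return identity.get("arn", "unknown")


def out_of_band_writes(trail_json, managed_roles=MANAGED_ROLE_NAMES):
    """Write calls by principals outside managed_roles, split by outcome."""
    succeeded, denied = [], []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("readOnly", False):
            continue
        identity = rec["userIdentity"]
        if identity.get("type") == "AWSService":
            continue   # AWS acting on a configured resource, not a person or pipeline
        who = principal_of(identity)
        if who in managed_roles:
            continue
        entry = (rec["eventTime"], who, rec["eventSource"], rec["eventName"])
        (denied if rec.get("errorCode") else succeeded).append(entry)
    return {"succeeded": succeeded, "denied": denied}


if __name__ == "__main__":
    for outcome, entries in out_of_band_writes(SAMPLE_TRAIL).items():
        for when, who, source, name in entries:
            print(f"{outcome:9s} {when} {who} {source} {name}")
```

The `succeeded` list is what you own under the Self-Service Provisioning responsibilities above; the `denied` list is the boundary doing its job, and a sudden rise in it from one role is worth a look. Service-initiated events are skipped because they execute configuration that was itself put in place by a logged call.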

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/raci-table.html)

Table footnotes:

[8] AMS provides AMIs for Amazon EC2 only.

[9] AMS is responsible for end-of-life (EOL) operating systems only when you sign an extended support agreement with the OS vendor.

# AMS environment basic components
<a name="basic-components"></a>

#### Multi-Account Landing Zone

This is an estimate of the components, and potential costs, of the infrastructure in the core accounts. This does not include other costs such as bandwidth, CloudWatch detailed monitoring, logging, alarms, Route53, Amazon S3, Simple Notification Service (Amazon SNS), snapshots, or reserved Amazon EC2 instances.

You pay for the components required by the AMS-Managed AWS landing zone infrastructure. Estimates place the cost of a plain AMS multi-account landing zone environment at \$12,450 per month and \$150 for a plain application account.

For information about pricing, see [AWS pricing](https://aws.amazon.com/pricing/).


**Basic Environment Components**  

| Component | Est. Cost | Description | 
| --- | --- | --- | 
| Management account | \$160 | An AWS Organizations management account; creates and financially manages member accounts. It contains the AWS Landing Zone (ALZ) framework, account configuration stack sets, and AWS Organizations service control policies (SCPs). | 
| Shared Services Account | \$12000 | Contains the infrastructure and resources required for access management (Active Directory), endpoint security management (Trend Micro), and your bastions (SSH/RDP); estimate is \$12400 a month. This estimate does not include the cost of the Trend Micro licenses. | 
| Networking Account | \$1350 | The central hub for network routing between AMS accounts, your on-premises network, and egress traffic to the internet. Also contains the public DMZ bastions (the entry point for AMS engineers to access hosts in your AMS environment). Price may increase depending on the traffic traversing the Transit Gateway and Direct Connect. | 
| Log Archive Account | \$120 | An S3 bucket with copies of the AWS CloudTrail and AWS Config log files from each of your AMS environment accounts. Costs increase as more logs are collected. | 
| Security Account | \$120 | The central hub for security-related operations, and the main point for funneling notifications and alerts to AMS control plane services. Also houses the Amazon GuardDuty administrator account. Costs increase as more events are analyzed by Amazon GuardDuty. | 

#### Single-Account Landing Zone

The following table lists the components of an example AMS-managed infrastructure.


**Basic Environment Components, Last Updated 2020/07/09**  

| Name | Instance Type | OS | # of Components | 
| --- | --- | --- | --- | 
| mc-eps-dsm | m5.large | Linux | 2 | 
| mc-management | m5.large | Windows | 2 | 
| mc-bastion-dmz-ssh | m5.large | Linux | 2 | 
| mc-bastion-customer-rdp | m5.large | Windows | 2 | 
| mc-eps-relay | m5.large | Linux | 2 | 
| directory services | N/A | N/A |  | 
| additional components | N/A | N/A |  | 

For information about pricing, see [AWS Pricing](https://aws.amazon.com/pricing/).


# AMS account limits
<a name="account-limits"></a>

There are three distinct types of limits to consider within AMS multi-account landing zone: AMS API limits, AMS resource limits, and AWS limits.

There are two distinct types of limits to consider within AMS single-account landing zone: AMS API limits, and AWS limits.

## AMS account API limits
<a name="account-limits-api"></a>

This section describes the account-level limits beyond which AWS Managed Services (AMS) throttles the AMS SKMS API. If you call any of the listed APIs more than 10 times in a second, the excess calls are throttled: you receive a `ThrottleException`. In rare situations an external or downstream dependency throttles the AMS API itself, and AMS may then throttle your API calls at a lower rate.

**Note**  
For information on the AMS SKMS API, download the reference through the **Reports** tab of the AWS Artifact console.

Each of the following AMS SKMS API operations is throttled above 10 TPS (transactions per second):
+ `GetStack`
+ `GetSubnet`
+ `GetVpc`
+ `ListAmis`
+ `ListStackSummaries`
+ `ListSubnetSummaries`
+ `ListVpcSummaries`
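
A client that stays under the 10 TPS limit and recovers from the occasional `ThrottleException`, as an added example (not AMS code or an AMS SDK): the SKMS client class, its `list_stack_summaries` method and the exception class are constructed stand-ins named after the operation and exception above, and the clock is simulated so the run is deterministic. It also shows why "10 per second" is not the same as "10 at once": pacing at one call every 100 ms never trips the limit, while bursting ten calls is throttled by a sliding window, and the backoff with equal jitter is what rescues that case.

```python
"""Stay under a 10 TPS limit and recover from ThrottleException.

Added example, not AMS code: the AMS SKMS SDK is not public, so
FakeSkmsClient, its list_stack_summaries method and ThrottleException are
constructed stand-ins named after the operation and exception the page
describes. The clock is simulated (integer microseconds) so the run is
deterministic and finishes instantly.
"""
import random
import time
from collections import deque


class ThrottleException(Exception):
    """Raised by the (fake) service when calls exceed the per-second limit."""


class FakeClock:
    """Simulated monotonic clock; sleep() advances it instead of waiting."""

    def __init__(self):
        self.us = 0

    def now(self):          # float seconds, like time.monotonic()
        return self.us / 1_000_000

    def now_us(self):       # integer microseconds, used by the fake service
        return self.us

    def sleep(self, seconds):
        self.us += int(round(seconds * 1_000_000))


class FakeSkmsClient:
    """Constructed stand-in: rejects any call beyond `limit` in a sliding second."""

    def __init__(self, clock_us, limit=10):
        self._clock_us = clock_us
        self._limit = limit
        self._window = deque()   # timestamps (us) of accepted calls in the last second
        self.calls = 0
        self.throttled = 0       # calls the service rejected

    def list_stack_summaries(self):
        now = self._clock_us()
        while self._window and now - self._window[0] >= 1_000_000:
            self._window.popleft()
        if len(self._window) >= self._limit:
            self.throttled += 1
            raise ThrottleException("Rate exceeded")
        self._window.append(now)
        self.calls += 1
        return {"StackSummaries": [{"StackId": f"stack-{self.calls}"}]}


class RateLimiter:
    """Token bucket: `rate` tokens per second, at most `burst` banked.

    burst=1 spaces calls 1/rate apart, which is what a sliding-window limit
    actually requires; burst=rate lets a client fire `rate` calls at once,
    after which the window stays full for the rest of that second.
    """

    def __init__(self, rate, burst, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.sleep = sleep
        self.last = clock()

    def acquire(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return
        self.sleep((1.0 - self.tokens) / self.rate)  # wait for one token to accrue
        self.last = self.clock()
        self.tokens = 0.0


def call_with_retry(fn, limiter, sleep=time.sleep, rng=random.random,
                    max_attempts=5, base=0.2, cap=5.0):
    """Call fn() under the limiter; on ThrottleException back off and retry.

    Equal jitter (delay/2 + random*delay/2) keeps a floor under every wait, so
    retries spread out but never land straight back in the same window.
    """
    delay = base
    for attempt in range(1, max_attempts + 1):
        limiter.acquire()
        try:
            return fn()
        except ThrottleException:
            if attempt == max_attempts:
                raise
            sleep(delay / 2 + rng() * delay / 2)
            delay = min(cap, delay * 2)


def fetch_all(n_calls, burst, seed=0):
    """Make n_calls against the fake service and report how the run went."""
    clock = FakeClock()
    client = FakeSkmsClient(clock.now_us)
    limiter = RateLimiter(10, burst, clock=clock.now, sleep=clock.sleep)
    rng = random.Random(seed).random
    results = [call_with_retry(client.list_stack_summaries, limiter, clock.sleep, rng)
               for _ in range(n_calls)]
    return {"results": results, "throttled": client.throttled, "elapsed": clock.now()}


if __name__ == "__main__":
    for burst in (1, 10):
        r = fetch_all(50, burst)
        print(f"burst={burst:2d}: {len(r['results'])} results, "
              f"{r['throttled']} throttled, {r['elapsed']:.2f}s simulated")
```

For a real client, keep the defaults (`time.monotonic` and `time.sleep`) and wrap each SDK call in `call_with_retry`. The floor of `delay/2` matters: with full jitter a retry can sleep for almost nothing and land back inside the same window, and the lower rate the page mentions under downstream throttling is handled by the retry loop, not by the limiter.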

## AMS multi-account landing zone account resource limits
<a name="account-limits-resource"></a>

Account resource limits relate to AMS multi-account landing zone application accounts and VPCs and subnets.

### Application account resource limits
<a name="account-limits-resource-app-accounts"></a>

There is a soft limit of 50 application accounts per organization. If you have a use case for more than 50 application accounts, contact your cloud service delivery manager (CSDM) to relay your requirements.

### VPCs and subnets resource limits
<a name="account-limits-resource-vpc-subnets"></a>

There is a soft limit of 10 VPCs per application account within the pre-defined AWS Region for the organization.

Each VPC may have 1 to 10 private subnet tiers spanning 2 to 3 Availability Zones, and 0 to 5 public subnet tiers spanning 2 to 3 Availability Zones. If you have requirements beyond these limits, ask your CSDM or Cloud Architect to review your use case.

### AMS multi-account landing zone application to account ratio
<a name="account-limits-app-to-account"></a>

AMS multi-account landing zone supports one account per application; however, each application account has a small fixed cost, and you are charged per hour for each attachment to the AWS Transit Gateway and for the traffic that flows through it. So the more you segregate applications into separate accounts or VPCs, the higher the cost.

To reduce costs while still ensuring an appropriate segregation of duties, AMS recommends that you 1) group applications by teams with tightly coupled business processes, and 2) do not mix applications that are in different stages (prod vs. non-prod) or that are managed by different teams. In this way you have fewer accounts, access management and segregation of duties are easier, and traffic cost is reduced.

For example: an enterprise has a Trading application and a Portfolio Management application in production; both are managed by the Investments IT team and exchange a lot of traffic with each other. In this scenario the company benefits from grouping both applications in the same account and the same VPC, because the Investments IT team does not have to request access to multiple application accounts and the company saves on traffic costs. The company should then create another account for the development-stage versions of the same applications and give the development team access to it.

In another scenario, the enterprise has a Payroll application and an Accounting application in production, managed by the Human Resources IT and Accounting IT teams respectively. Although the Payroll application has to exchange information with the Accounting application, we recommend segregating the two applications into different accounts, one per team, and connecting the two applications' VPCs through the Networking account. In this way the company prevents the HR IT team from requesting changes that affect the Accounting application infrastructure, of which they have no knowledge.

Tips on grouping accounts into organizational units (OUs): an OU is a logical grouping mechanism that lets you categorize accounts and apply policies and configurations based on those groups. The recommended approach for creating OUs is to base them on the policies that need to be applied to a specific group of accounts, not on the internal hierarchy of teams in your reporting structure. An AWS Organizations OU is not equivalent to an Active Directory OU, and attempting to replicate the AD OU structure in AWS Organizations is discouraged; it results in a structure that is difficult to maintain and operate.

## AWS account limits
<a name="account-limits-aws"></a>

AWS account limits (service quotas) apply to your AWS Managed Services (AMS) accounts. The easiest way to determine the default and current limits for AWS services is [AWS Service Quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html). AMS recommends right-sizing individual service limits to what is needed to run the services in the account: limits act like guardrails that protect your accounts against security and cost runaways. To raise a specific limit, submit a service request with AMS, and AMS Operations raises the limit on your behalf. For example, the default limit (quota) for RDS DB instances is 40; if your workload requires 50 RDS instances, raise a service request for AMS Operations to increase the limit to the value you need.

# AMS service level objectives (SLOs)
<a name="apx-slo"></a>

The following table describes the goals of the AWS Managed Services (AMS) service. Service Level Agreements (SLAs) for other aspects of the AMS service, including incident management, are covered in the SLA document shared with you when you subscribed to AMS. For more information, speak to your CSDM.


**AMS Service Level Objectives**  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/userguide/apx-slo.html)

# Supported AWS services
<a name="supported-services"></a>

AWS Managed Services (AMS) provides operational management support services for the following AWS services. Each AWS service is distinct, and as a result AMS's level of operational management, support varies depending on the nature and characteristics of the underlying AWS service. Specific AWS services are grouped based on the complexity and scope of the operational management support service provided by AMS. 

**Note**  
The three groups, A, B, and C, indicate pricing as a percentage of total monthly spend per account for the AMS service, based on support plan (Plus or Premium), for AMS customers onboarded before March 16, 2021. AMS customers onboarded after March 16, 2021 should submit a service request for pricing information. Group A indicates no additional charge. Group B indicates an additional charge of 12% (Plus) or 18% (Premium). Group C indicates an additional charge of 25% (Plus) or 42% (Premium).  
One star (\*) indicates services that you deploy within an AMS managed environment using the AWS Console and APIs. See 'Automated and self-service provisioning management' in [AWS Managed Services (AMS) AMS Advanced operation plan features](features.md) for details on your responsibilities when provisioning and configuring services in this way.  
Two stars (\*\*) indicate that Amazon EC2 on AWS Outposts is billed as a Group B service; all other resources hosted on AWS Outposts are billed at their standard rate.


**Supported AWS services**  

| Group A | Group B | Group C | 
| --- | --- | --- | 
|  <pre>Amazon Alexa for Business*<br />Amazon Managed Streaming for Apache Kafka*<br />Amazon CloudFront<br />Amazon Elastic File System<br />Amazon Glacier<br />Amazon Simple Storage Service<br />AWS Amplify*<br />AWS AppMesh*<br />AWS Auto Scaling<br />AWS Backup<br />AWS CloudFormation<br />AWS Compute Optimizer<br />AWS Global Accelerator*<br />AWS Identity and Access Management<br />AWS License Manager*<br />AWS Management Console<br />AWS Marketplace<br />AWS Lake Formation*<br />AWS Well-Architected Tool*<br />VM Import/ Export*</pre> |  <pre>Amazon API Gateway*<br />Amazon AppStream*<br />Amazon Athena*<br />Amazon Bedrock*<br />Amazon CloudSearch*<br />Amazon Cognito*<br />Amazon Comprehend*<br />Amazon Connect*<br />Amazon Document DB (with MongoDB compatibility)*<br />Amazon DynamoDB*<br />Amazon EC2 Container Registry (ECR)*<br />Amazon Elastic Container Service (ECS) on AWS Fargate*<br />Amazon Elastic Kubernetes Service (EKS) on Fargate*<br />Amazon Elemental MediaConvert*<br />Amazon Elemental MediaPackage*<br />Amazon Elemental MediaStore*<br />Amazon Elemental MediaTailor*<br />Amazon Elastic MapReduce*<br />Amazon EventBridge*<br />Amazon Forecast*<br />Amazon FSx*<br />Amazon Inspector*<br />Amazon Kendra*<br />Amazon Kinesis Analytics*<br />Amazon Kinesis Data Stream*<br />Amazon Kinesis Firehose*<br />Amazon Kinesis Video Streams*<br />Amazon Lex*<br />Amazon Managed Service for Prometheus*<br />Amazon MQ*<br />Amazon Personalize**<br />Amazon Quantum Ledger Database (QLDB)*<br />Amazon QuickSight*<br />Amazon Rekognition*<br />Amazon SageMaker*<br />Amazon SimpleDB*<br />Amazon Simple Workflow*<br />Amazon Textract*<br />Amazon Transcribe*<br />Amazon Translate*<br />Amazon WorkSpaces*<br />AWS AppSync*<br />AWS Audit Manager*<br />AWS Batch*<br />AWS Certificate Manager*<br />AWS CloudEndure*<br />AWS CloudHSM*<br />AWS CodeBuild*<br />AWS CodeCommit*<br />AWS CodeDeploy*<br />AWS CodePipeline*<br />AWS DataSync*<br />AWS Elemental MediaLive*<br />AWS Glue*<br />AWS Lambda*<br />AWS MigrationHub*<br />AWS Outposts**<br />AWS Resilience Hub*<br />AWS Secrets Manager*<br />AWS Security Hub*<br />AWS Service Catalog<br />AWS Service Catalog AppRegistry*<br />AWS Transfer for SFTP*<br />AWS Shield*<br />AWS Snowball*<br />AWS Step Functions*<br />AWS Transit Gateway*<br />AWS WAF*<br />AWS X-Ray*</pre> |  <pre>Amazon Aurora<br />Amazon CloudWatch<br />Amazon Elastic Block Store (EBS)<br />Amazon Elastic Compute Cloud**<br />Amazon Elastic Load Balancing (classic, application, and network; not gateway)<br />Amazon ElastiCache<br />Amazon OpenSearch Service<br />Amazon GuardDuty<br />Amazon Macie<br />Amazon Redshift<br />Amazon Relational Database Service<br />Amazon Route 53<br />Amazon Route 53 Resolver DNS Firewall<br />Amazon Simple Email Service<br />Amazon Simple Notification Service<br />Amazon Simple Queue Service<br />Amazon Virtual Private Cloud (VPC)<br />AWS CloudTrail<br />AWS Config<br />AWS Database Migration Service<br />AWS Data Transfer<br />AWS Direct Connect<br />AWS Directory Service<br />AWS Key Management Service<br />AWS Systems Manager (SSM)</pre> | 

If you request AWS Managed Services to provide services for any software or service that is not expressly identified as supported below, any AWS Managed Services provided for such customer requested configurations will be treated as a "Beta Service" under the Service Terms.

# Supported configurations
<a name="supported-configs"></a>

These are the configurations AWS Managed Services (AMS) supports:
+ Language: AMS is available in English.
+ Firewall Services: 
  + Amazon Route 53 Resolver DNS Firewall
  + Palo Alto VM-Series Next-Generation Firewall
+ Security software: Deep Security from Trend Micro (Required). AWS Marketplace: [Trend Micro Deep Security](https://aws.amazon.com/marketplace/pp/B01AVYHVHO?ref_=srh_res_product_title)
+ Approved directory services: Microsoft Active Directory (AD)
+ [Supported AWS services](supported-services.md).
+ Supported AWS Regions:

  AMS operates in a subset of all AWS Regions; however, the AMS API/CLI runs out of the "US East (N. Virginia)" Region only. If you run either the AMS change management API (`amscm`) or the AMS service knowledge management API (`amsskms`) in a non-US East Region, you must add `--region us-east-1` to the command.<a name="what-is-ams-regions-note"></a>
  + US East (Virginia)
  + US West (N. California)
  + US West (Oregon)
  + US East (Ohio)
  + Canada (Central)
  + South America (São Paulo)
  + EU (Ireland)
  + EU (Frankfurt)
  + EU (London)
  + EU West (Paris)
  + Asia Pacific (Mumbai)
  + Asia Pacific (Seoul)
  + Asia Pacific (Singapore)
  + Asia Pacific (Sydney)
  + Asia Pacific (Tokyo)
+ Amazon machine images (AMIs): AMS provides security enhanced images (AMIs) based on the CIS Level 1 benchmark for a subset of operating systems supported by AMS. To find operating systems that have a security enhanced image available, see the *AMS Security User Guide*. To access this guide, in AWS Artifact, filter the **Reports** tab for AWS Managed Services. To access AWS Artifact, contact your CSDM or see [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started).
+ Supported operating systems:

  **Supported operating systems (x86-64)**
  + Amazon Linux 2023
  + Amazon Linux 2 (**expected AMS support end date June 30, 2026**)
  + Oracle Linux 9.x, 8.x
  + Red Hat Enterprise Linux (RHEL) 9.x, 8.x
  + SUSE Linux Enterprise Server 15 SP6
  + SUSE Linux Enterprise Server for SAP 15 SP3 and later
  + Microsoft Windows Server 2025, 2022, 2019, 2016
  + Ubuntu 20.04, 22.04, 24.04

  **Supported operating systems (ARM64)**
  + Amazon Linux 2023
  + Amazon Linux 2 (**expected AMS support end date June 30, 2026**)
+ Supported End of Support (EOS) operating systems:

  **Note**  
  End of Support (EOS) operating systems are outside of the general support period of the operating system manufacturer and have increased security risk. EOS operating systems are considered supported configurations only if AMS-required agents support the operating system and at least one of the following is true:  
  + you have extended support with the operating system vendor that allows you to receive updates, or 
  + any instances using an EOS operating system follow the [security controls](https://docs.aws.amazon.com/managedservices/latest/userguide/key-terms.html#CritRec) as specified by AMS in the Advanced User Guide, or
  + you comply with any other compensating security controls required by AMS.

  In the event AMS is no longer able to support an EOS operating system, AMS issues a [Critical Recommendation](https://docs.aws.amazon.com/managedservices/latest/userguide/key-terms.html#CritRec) to upgrade the operating system.  
  AMS-required agents may include but are not limited to: AWS Systems Manager, Amazon CloudWatch, Endpoint Security (EPS) agent, and Active Directory (AD) Bridge (Linux only).

  The EOS operating systems supported under those conditions are:
  + Ubuntu Linux 18.04
  + SUSE Linux Enterprise Server 15 SP3, SP4, and SP5
  + SUSE Linux Enterprise Server for SAP 15 SP2
  + SUSE Linux Enterprise Server 12 SP5
  + SUSE Linux Enterprise Server for SAP 12 SP5
  + Microsoft Windows Server 2012/2012 R2

# Capabilities for unsupported operating systems in AMS
<a name="ams-unsupported-os"></a>

An *unsupported* operating system is any operating system not listed in the [Supported configurations](supported-configs.md). AMS considers instances with unsupported operating systems to be "Customer-Requested Configurations" that are subject to the [AWS Betas and Previews service terms](https://aws.amazon.com/service-terms/#2._Betas_and_Previews).

The following limited set of AMS capabilities is available to instances with unsupported operating systems:

| **Capability** | **Notes** | 
| --- | --- | 
| Incident management | AMS provides incident response. | 
| Service request management | AMS responds to service requests. | 
| Requests for change (RFCs) | AMS evaluates RFCs for execution. Unsupported operating systems may impact the ability to execute RFCs. | 
| Monitoring | AMS monitors and responds to Amazon EC2 system status checks and instance status checks. System status checks include: loss of network connectivity, loss of system power, software issues on the physical host, and hardware issues on the physical host that impact network reachability. Instance status checks include: incorrect networking or startup configuration, exhausted memory, corrupted file system, and incompatible kernel. | 
| Security management | AMS monitors and responds to Amazon EC2 [GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html). | 
| Backup management | AMS provides [Continuity management in AMS Advanced](https://docs.aws.amazon.com/managedservices/latest/userguide/continuity-mgmt.html) for EC2 using AMS-customized AWS Backup plans and vaults. | 

# AMS Advanced interfaces
<a name="ams-interfaces"></a>
+ *AMS Advanced console*: You use the AMS Advanced console to create RFCs, report and respond to incidents, make service requests, and find information on existing VPCs and stacks. When in doubt of what to do, or when you need help with AMS or your managed resources, create a service request by using this interface.
+ *AWS Management Console*: Many AWS consoles can be useful for viewing AMS information, for example:
  + *Amazon EC2 console*: Use to view instance information including bastion IP addresses, Amazon EC2 Auto Scaling groups, and load balancers.
  + *Multi-Account Landing Zone AWS Config Rules compliance*: You can view compliance status across your accounts and identify non-compliant resources.
  + *AWS CloudFormation console*: Use to view stack information including stack IDs (you can find Amazon RDS stacks and Amazon RDS instance IDs here, and event information).
  + *Amazon RDS console*: Use to view event information such as a post made to a WordPress app on a site in your account. Note you must have the Amazon RDS instance ID.

  Depending on the mode of your login role, you have different levels of access to the AWS Management Console. For more information on modes, see [AMS modes](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-modes.html). 
+ *AMS Advanced change management API* – Read/Write: Use the change management API (CM API) to request additions and specific changes to your managed infrastructure including resource monitoring, log, backup, and patch configurations. Also, use this API to request access to resources, delete resources, create AMIs, and create IAM instance profiles. You can access the CM API through the AMS CLI and SDKs.
+ *AMS SKMS API* – Read-Only: Use this API to list managed resources and get information needed for reporting or preparing requests for change.
+ *Support API*: Use the standard Support API to programmatically create and respond to incidents and service requests. To learn more, see [Getting Started with Support](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html).
+ *AWS APIs* – Read-Only: Your main IT administrator can use the AWS APIs to see all resources under management, view CloudTrail logs and billing information, and perform many other read-only functions.

# AMS VPC endpoints
<a name="ams-endpoints"></a>

A VPC endpoint lets you privately connect your VPC to AWS services without requiring an Internet gateway. Instances in your VPC do not require public IP addresses to communicate with resources in the service.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic. To learn more, see [VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html).

There are two types of VPC endpoints: interface endpoints and gateway endpoints.
+ Gateway endpoints: The VPC in the account has an Amazon S3 Gateway endpoint enabled by default.
+ Interface endpoints: Instances in your AMS environment can talk to supported services without leaving the Amazon network. This is optional for **single-account landing zone** and it is not enabled in the account by default; submit a service request to AMS operations to get this enabled. However, for **multi-account landing zone**, interface endpoints are enabled by default in the Shared Services account.

  List of interface endpoints supported by AMS:
  + AWS CloudFormation
  + AWS CloudTrail
  + AWS Config
  + Amazon EC2 API
  + AWS Key Management Service
  + Amazon CloudWatch
  + Amazon CloudWatch Events
  + Amazon CloudWatch Logs
  + AWS Secrets Manager
  + Amazon SNS
  + AWS Systems Manager
  + AWS Security Token Service

# AMS protected namespaces
<a name="apx-namespaces"></a>

This is the list of protected namespaces for AWS Managed Services (AMS). When you work with AWS resources, avoid conflicts with AMS by not using these namespaces. For details on other AWS service namespaces, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces).
+ `ams-*` (this is the preferred naming standard for new resources)
+ `/ams/*` (this is the preferred naming standard for path-based resources)
+ `AWSManagedServices*` (this is the preferred naming standard for resources where CamelCase is appropriate)
+ `ams*` and `AMS*` and `Ams*`
+ `AWS_*` and `aws*`
+ `*/aws_reserved/*`
+ `CloudTrail*` and `Cloudtrail*`
+ `codedeploy_service_role`
+ `customer-mc-*`
+ `eps` and `EPS`
+ `EPSMarketplaceSubscriptionRole`
+ `EPSDB*`
+ `IAMPolicy*`
+ `INGEST*`
+ `LandingZone*`
+ `Managed_Services*`
+ `managementhost`
+ `mc*` and `MC*` and `Mc*`
+ `MMS*`
+ `ms-`
+ `NewAMS*`
+ `Root*`
+ `sentinel*` and `Sentinel*`
+ `sentinel.int.`
+ `StateMachine*`
+ `StackSet-ams*`
+ `StackSet-AWS-Landing-Zone`
+ `TemplateId*`
+ `UnhealthyInServiceBastion`
+ `VPC_*`

# AMS reserved prefixes
<a name="ams-reserved-prefixes-2"></a>

AMS resource attributes must comply with certain patterns; for example, IAM instance profile names, BackupVault names, tag names, and so forth, must not start with AMS reserved prefixes. Those reserved prefixes are:

```
*/aws_reserved/*
ams-*
/ams/*
ams*
AMS*
Ams*
aws*
AWS*
AWS_*
AWSManagedServices*
codedeploy_service_role
CloudTrail*
Cloudtrail*
customer-mc-*
eps
EPSDB*
IAMPolicy*
INGEST*
LandingZone*
Managed_Services*
managementhost
mc*
MC*
Mc*
MMS*
ms-
NewAMS*
Root*
sentinel*
Sentinel*
sentinel.int.
StackSet-ams*
StackSet-AWS-Landing-Zone
StateMachine*
TemplateId*
VPC_*
UnhealthyInServiceBastion
```
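The protected namespaces and reserved prefixes above are easy to violate by accident, so a pre-deployment check is worth having. The following is an added example (not AMS code) that turns the reserved-prefix list into anchored, case-sensitive patterns and flags proposed resource names that collide with them; the sample names are constructed, and the interpretation of `*` as a wildcard and of every entry as a start-of-name pattern is an assumption based on the page's "must not start with" wording.

```python
import re
from typing import List, Optional

# AMS reserved prefixes, copied from the list on this page.
RESERVED_PREFIXES = [
    "*/aws_reserved/*", "ams-*", "/ams/*", "ams*", "AMS*", "Ams*", "aws*",
    "AWS*", "AWS_*", "AWSManagedServices*", "codedeploy_service_role",
    "CloudTrail*", "Cloudtrail*", "customer-mc-*", "eps", "EPSDB*",
    "IAMPolicy*", "INGEST*", "LandingZone*", "Managed_Services*",
    "managementhost", "mc*", "MC*", "Mc*", "MMS*", "ms-", "NewAMS*", "Root*",
    "sentinel*", "Sentinel*", "sentinel.int.", "StackSet-ams*",
    "StackSet-AWS-Landing-Zone", "StateMachine*", "TemplateId*", "VPC_*",
    "UnhealthyInServiceBastion",
]

def _to_regex(pattern: str):
    # Assumption: "*" is a wildcard and every pattern is anchored at the start
    # of the name (the page says names must not *start with* them), so a
    # pattern with no trailing "*" still matches as a prefix. Matching is
    # case-sensitive, which is why ams*, AMS* and Ams* are listed separately.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")))

_COMPILED = [(p, _to_regex(p)) for p in RESERVED_PREFIXES]

def reserved_prefix_match(name: str) -> Optional[str]:
    """Return the first reserved pattern that `name` collides with, else None."""
    for pattern, rx in _COMPILED:
        if rx.match(name):
            return pattern
    return None

def check_names(names: List[str]):
    """Split proposed names into (allowed, rejected); each entry is (name, hit)."""
    allowed, rejected = [], []
    for n in names:
        hit = reserved_prefix_match(n)
        (rejected if hit else allowed).append((n, hit))
    return allowed, rejected

if __name__ == "__main__":
    # Constructed sample names (not from the page), e.g. instance profile,
    # backup vault or tag key names an operator might propose.
    ok, bad = check_names(["payroll-app-role", "ams-backup-vault",
                           "app/aws_reserved/x", "mcafee-scanner",
                           "Teams-role", "eps-agent", "awesome-api"])
    for n, hit in bad:
        print(f"REJECT {n!r}: collides with reserved pattern {hit!r}")
    for n, _ in ok:
        print(f"OK     {n!r}")
```

Note that `mc*` rejects any name beginning with those two letters (such as `mcafee-scanner`), while `ms-` only matters at the start of a name, so `Teams-role` passes.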

# AMS maintenance window
<a name="maintenance-win"></a>

The AWS Managed Services Maintenance Window (or Maintenance Window) is when AMS performs maintenance activities for AWS Managed Services (AMS) and recurs on the second Thursday of every month from 3 PM to 4 PM Pacific Time. AMS may change the maintenance window with 48 hours' notice. This window belongs to AWS Managed Services (AMS) and is used to perform maintenance activities on managed infrastructure, such as deploying new AMS AMIs.

*Your* maintenance window is when AMS applies patching; you determine your maintenance window at onboarding. You can also agree to the proposed patching window provided in your patching service notification, or suggest a different window. 

For guidance on creating a maintenance window, see [Maintenance Window](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/og-maintenance-window.html).
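Teams that run change freezes or alarm suppression around the AMS window need to compute it from the rule above. The following is an added example (not AMS code) that derives the second-Thursday 3 PM to 4 PM window for a month, tests whether a timestamp falls inside it, and finds the next upcoming window; it assumes naive Pacific local wall-clock datetimes so it has no time-zone database dependency, and the sample timestamps are constructed.

```python
from datetime import datetime, timedelta
from typing import Tuple

# Page rule: second Thursday of every month, 3 PM to 4 PM Pacific Time.
# Assumption: all datetimes here are naive Pacific *local* wall-clock times,
# so nothing depends on a tz database; convert from UTC before calling.
THURSDAY = 3  # datetime.weekday(): Monday == 0
START_HOUR, END_HOUR = 15, 16

def ams_window_for_month(year: int, month: int) -> Tuple[datetime, datetime]:
    """(start, end) of the AMS maintenance window in the given month."""
    first = datetime(year, month, 1)
    first_thursday = 1 + (THURSDAY - first.weekday()) % 7
    day = first.replace(day=first_thursday + 7)  # second Thursday
    return day.replace(hour=START_HOUR), day.replace(hour=END_HOUR)

def in_ams_window(now_pacific: datetime) -> bool:
    """True if a Pacific-local timestamp falls inside this month's window."""
    start, end = ams_window_for_month(now_pacific.year, now_pacific.month)
    return start <= now_pacific < end

def next_ams_window(after_pacific: datetime) -> Tuple[datetime, datetime]:
    """The first window that has not yet ended at the given time."""
    start, end = ams_window_for_month(after_pacific.year, after_pacific.month)
    if after_pacific < end:
        return start, end
    # roll to the first day of the following month and recompute
    nxt = (start.replace(day=1) + timedelta(days=32)).replace(day=1)
    return ams_window_for_month(nxt.year, nxt.month)

def notice_deadline(window_start: datetime) -> datetime:
    """Latest time a change to this window could still be announced (48 hours' notice)."""
    return window_start - timedelta(hours=48)

if __name__ == "__main__":
    # Constructed timestamp, not from the page.
    now = datetime(2025, 1, 20, 9, 0)
    s, e = next_ams_window(now)
    print(f"next AMS window: {s:%Y-%m-%d %H:%M} to {e:%H:%M} Pacific")
    print(f"in window now: {in_ams_window(now)}; notice deadline: {notice_deadline(s)}")
```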