
Authenticating with identities

In document: AMS Accelerate User Guide (pages 136-139)

AMS uses IAM roles, which are a type of IAM identity. An IAM role is very similar to a user, in that it is an identity with permissions policies that determine what the identity can and cannot do in AWS. However, a role doesn't have credentials associated with it and, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. An IAM user can assume a role to temporarily take on different permissions for a specific task.

Access roles are controlled by internal group membership, which is administered and periodically reviewed by Operations Management. AMS uses the following IAM roles:

Used by (entity): AMS Access Service only

ams-access-management: Deployed manually by you during onboarding. Assumed only by AMS access to deploy or update access roles. Remains in your account after onboarding for any future updates to the access roles.

Used by (entity): AMS Operations

ams-access-operations: This AMS operations role has full privileges to operate in your AMS account, with the exception of IAM write permissions.

ams-access-read-only: This AMS read-only role is limited to read-only permissions in your AMS account.

Used by (entity): AMS Operations and AMS Services

ams-access-admin: This AMS admin role has full permissions to operate in accounts without restrictions. Only AMS internal services (with a scoped-down session policy) and only a very few select AMS individuals can assume the admin role.

Used by (entity): AWS Services

customer_ssm_automation_role, ams_ssm_automation_role: Assumed by AWS Systems Manager to execute SSM Automation documents within your account.

ams-opscenter-eventbridge-role: Assumed by Amazon EventBridge to create AWS Systems Manager OpsItems as part of the AMS-specific AWS Config Rules remediation workflow.

AMSOSConfigurationCustomerInstanceRole: This IAM role is applied to your Amazon EC2 instances when the AMS OS-Configuration service discovers that the required IAM policies are missing. It allows your Amazon EC2 instances to interact with AWS Systems Manager, Amazon CloudWatch, and Amazon EventBridge. It also has the AMS custom-managed policy attached to enable RDP access to your Windows instances.

mc-patch-glue-service-role: Assumed by the AWS Glue ETL workflow to perform data transformation and prepare it for the AMS Patch report generator.

Used by (entity): AMS Service

ams-alarm-manager-AWSManagedServicesAlarmManagerDe-<8-digit hash>: Assumed by AMS alarm manager infrastructure within your AMS account to perform AWS Config Rules evaluation for a new AWS AppConfig deployment.

ams-alarm-manager-AWSManagedServicesAlarmManagerRe-<8-digit hash>: Assumed by AMS alarm manager remediation infrastructure within your AMS account to allow the creation or deletion of alarms for remediation.

ams-alarm-manager-AWSManagedServicesAlarmManagerSS-<8-digit hash>: Assumed by AWS Systems Manager to invoke the AMS alarm manager remediation service within your AMS account.

ams-alarm-manager-AWSManagedServicesAlarmManagerTr-<8-digit hash>: Assumed by AMS alarm manager infrastructure within your AWS account to conduct periodic AMS AWS Config Rules evaluation.

ams-alarm-manager-AWSManagedServicesAlarmManagerVa-<8-digit hash>: Assumed by AMS alarm manager infrastructure within your AMS account to ensure that the required alarms exist in the AWS account.

ams-backup-config-rule-st-amsBackupAlertConfigRule-<8-digit hash>: Assumed by AMS backup infrastructure in your AMS account to evaluate the AWS Config Rules 'amsBackupAlertEval' rule.

ams-backup-config-rule-st-amsBackupPlanConfigRuleH-<8-digit hash>: Assumed by AMS backup infrastructure in your AMS account to execute the AWS Config Rules 'amsBackupPlanEval' rule.

ams-backup-iam-role: This role is used to run AWS Backup within your accounts.

ams-log-management-AWSManagedServicesCloudTrailLog-<8-digit hash>: Assumed by AWS CloudTrail to write logs into AMS-specific Amazon CloudWatch Logs groups.

ams-monitoring-AWSManagedServicesLogGroupLimitLamb-<8-digit hash>: Assumed by AMS Logging & Monitoring infrastructure in your AMS account to evaluate the Amazon CloudWatch Logs group limit and compare it with the service quotas.

ams-monitoring-AWSManagedServicesRDSMonitoringRDSE-<8-digit hash>: Assumed by AMS Logging & Monitoring infrastructure in your AMS account to forward Amazon RDS events to Amazon CloudWatch Events.

ams-monitoring-AWSManagedServicesRedshiftMonitorin-<8-digit hash>: Assumed by AMS Logging & Monitoring infrastructure in your AMS account to forward Amazon Redshift events (CreateCluster and DeleteCluster) to Amazon CloudWatch Events.

ams-monitoring-infrastruc-AWSManagedServicesMonito-<8-digit hash>: Assumed by AMS Logging & Monitoring infrastructure in your AMS account to publish messages to Amazon Simple Notification Service to validate that the account is reporting all necessary data.

ams-opscenter-role: Assumed by the AMS Notification Management system in your AMS account to manage AWS Systems Manager OpsItems related to alerts in your account.

ams-opsitem-autoexecution-role: Assumed by the AMS Notification Management system to handle automated remediation using SSM documents for monitoring alerts related to resources in your account.

ams-patch-infrastructure-amspatchconfigruleroleC1-<8-digit hash>: Assumed by AWS Config to evaluate AMS patch resources and detect drift in its AWS CloudFormation stacks.

ams-patch-infrastructure-amspatchcwruleopsitemams-<8-digit hash>: Assumed by Amazon EventBridge to create AWS Systems Manager OpsItems for patching failures.

ams-patch-infrastructure-amspatchservicebusamspat-<8-digit hash>: Assumed by Amazon EventBridge to send an event to the AMS Patch orchestrator event bus for AWS Systems Manager Maintenance Windows state change notifications.

ams-patch-reporting-infra-amspatchreportingconfigr-<8-digit hash>: Assumed by AWS Config to evaluate AMS Patch reporting resources and detect drift in its AWS CloudFormation stacks.

ams-resource-tagger-AWSManagedServicesResourceTagg-<8-digit hash>: Assumed by AMS Resource Tagger infrastructure within your AMS account to perform AWS Config Rules evaluation upon a new AWS AppConfig deployment.

ams-resource-tagger-AWSManagedServicesResourceTagg-<8-digit hash>: Assumed by AMS Resource Tagger infrastructure within your AMS account to validate that required AWS tags exist for the managed resources.
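Because the guide states who is expected to assume each role, the table above doubles as an allow-list for reviewing sts:AssumeRole activity in CloudTrail. The following script is an added example and is not code from the AMS Accelerate User Guide or from AMS: it carries the guide's role inventory, classifies each AssumeRole record into the table's "Used by (entity)" group, and flags assumptions of ams-access-admin for review. The CloudTrail records are constructed samples with a placeholder account id, and the assumption that the "<8-digit hash>" suffix is eight alphanumeric characters is the author's, not the guide's.

```python
"""Triage CloudTrail AssumeRole records against the AMS Accelerate role inventory.

Added example, not code from the AMS Accelerate User Guide. The role names and
their "Used by (entity)" groups are copied from the guide's table; the
CloudTrail records below are constructed samples with a placeholder account id.
"""
import json
import re

# Exact role names from the guide, mapped to the "Used by (entity)" column.
AMS_ROLE_INVENTORY = {
    "ams-access-management": "AMS Access Service only",
    "ams-access-operations": "AMS Operations",
    "ams-access-read-only": "AMS Operations",
    "ams-access-admin": "AMS Operations and AMS Services",
    "customer_ssm_automation_role": "AWS Services",
    "ams_ssm_automation_role": "AWS Services",
    "ams-opscenter-eventbridge-role": "AWS Services",
    "AMSOSConfigurationCustomerInstanceRole": "AWS Services",
    "mc-patch-glue-service-role": "AWS Services",
    "ams-backup-iam-role": "AMS Service",
    "ams-opscenter-role": "AMS Service",
    "ams-opsitem-autoexecution-role": "AMS Service",
}

# Roles the guide lists with a trailing "<8-digit hash>" (all in the AMS Service group).
# Assumption: the hash is 8 alphanumeric characters; the guide only says "8-digit".
HASHED_AMS_ROLE = re.compile(
    r"^ams-(alarm-manager|backup-config-rule-st|log-management|monitoring|"
    r"monitoring-infrastruc|patch-infrastructure|patch-reporting-infra|"
    r"resource-tagger)-[A-Za-z0-9]+-[A-Za-z0-9]{8}$"
)


def role_name_from_arn(role_arn):
    """Return the role name from an IAM role ARN, dropping any path.

    arn:aws:iam::111122223333:role/service/ams-access-admin -> ams-access-admin
    """
    resource = role_arn.split(":", 5)[5]          # "role/<path>/<name>"
    kind, _, name = resource.partition("/")
    if kind != "role" or not name:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return name.rsplit("/", 1)[-1]


def classify_role(role_name):
    """Map a role name to the guide's "Used by (entity)" group; None if not an AMS role."""
    if role_name in AMS_ROLE_INVENTORY:
        return AMS_ROLE_INVENTORY[role_name]
    if HASHED_AMS_ROLE.match(role_name):
        return "AMS Service"
    return None


def triage_assume_role_events(events):
    """Return one finding per sts:AssumeRole record.

    ams-access-admin is marked "review": the guide says only AMS internal services
    (with a scoped-down session policy) and very few AMS individuals may assume it.
    Roles outside the inventory are marked "unknown" so they are not mistaken for
    AMS activity. Other STS calls are skipped.
    """
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        role = role_name_from_arn(ev["requestParameters"]["roleArn"])
        group = classify_role(role)
        severity = "unknown" if group is None else "review" if role == "ams-access-admin" else "info"
        findings.append({
            "time": ev["eventTime"],
            "role": role,
            "used_by": group,
            "principal": ev["userIdentity"].get("arn"),
            "severity": severity,
        })
    return findings


def _event(time, principal_arn, role_arn, name="AssumeRole"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": time, "eventSource": "sts.amazonaws.com", "eventName": name,
        "userIdentity": {"type": "AssumedRole", "arn": principal_arn},
        "requestParameters": {"roleArn": role_arn, "roleSessionName": "example"},
    }


ACCT = "111122223333"  # placeholder account id
CALLER = f"arn:aws:sts::{ACCT}:assumed-role/ExampleUpstreamRole/session"  # placeholder
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", CALLER, f"arn:aws:iam::{ACCT}:role/ams-access-operations"),
    _event("2024-01-01T10:05:00Z", CALLER, f"arn:aws:iam::{ACCT}:role/ams-access-admin"),
    _event("2024-01-01T10:06:00Z", CALLER,
           f"arn:aws:iam::{ACCT}:role/ams-alarm-manager-AWSManagedServicesAlarmManagerTr-1A2B3C4D"),
    _event("2024-01-01T10:07:00Z", CALLER, f"arn:aws:iam::{ACCT}:role/DevOpsRole"),
    _event("2024-01-01T10:08:00Z", CALLER, f"arn:aws:iam::{ACCT}:role/ams-access-admin",
           name="GetCallerIdentity"),  # not an AssumeRole call: skipped
]

if __name__ == "__main__":
    for finding in triage_assume_role_events(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

In practice the records would come from a CloudTrail S3 export or a CloudTrail Lake query rather than the inline list; the classification is deliberately an exact-name and prefix match so that a role that merely resembles an AMS role is reported as "unknown" rather than silently accepted.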
