AWS Managed Services Release Notes AMS New or Updated Features, AMIs, and Change Types Version 10 February 2022

(1)

AWS Managed

Services Release Notes

AMS New or Updated Features, AMIs, and Change Types

Version 10 February 2022

(2)

AWS Managed Services Release Notes: AMS New or Updated Features, AMIs, and Change Types

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be aﬃliated with, connected to, or sponsored by Amazon.

(3)

AMS release notes

This page includes information on the current releases for AMS documentation, including latest AMIs. Document histories are located at the end of each individual guide; see AMS documentation histories (p. 36) for links.

Release date: 10 February 2022 Topics

• AMS New Features (p. 1)

• AMS Security News (p. 1)

• AMS AMIs (p. 1)

• AMS Accelerate Operations Plan (p. 1)

• AMS Advanced Operations Plan (p. 2)

• AMS Advanced Change Types (p. 2)

• AMS ServiceNow Connector (last updated November 11, 2021) (p. 3)

AMS New Features

GuardDuty

AMS monitors a new AWS GuardDuty event related to IAM credential misuse.

Monitoring

Redshift Cluster Health now takes cluster maintenance mode into account and no longer alerts when the cluster is in maintenance mode.

AMS Security News

Log4j

The report generated by the Log4j change types, v1.0 (ct-19f40lfm5umy8) and v2.0 (ct-19f40lfm5umy8) previously scanned for Java Archives (JAR Files). We now also scan for Web Application Resource (WAR), Enterprise Archive (EAR), Jupiter Encrypted XML (JPI), Hemera Technologies (HPI), and ZIP ﬁles.

AMS AMIs

New AMS AMIs released February 09, 2022 AMS 02.09.2022 AMI contents and CSV ﬁle in a ZIP.

For background information, see AMS AMIs.

AMS Accelerate Operations Plan

New Region

(6)

AMS Advanced Operations Plan

• AMS Accelerate is available in the GovCloud (US) Region.

AMS Advanced Operations Plan

New and Updated Features

• IAM resources can be deployed, updated, and deleted with AWS CloudFormation Use the following CTs to automatically deploy, update, and delete IAM resources using AWS CloudFormation stacks, instead of manual RFCs.

• Deployment | Ingestion | Stack from CloudFormation Template | Create (ct-36cn2avfrrj9v)

• Management | Custom Stack | Stack from CloudFormation Template | Update (ct-361tlo1k7339x)

• Management | Custom Stack | Stack From CloudFormation Template | Approve and Update (ct-1404e21baa2ox)

• New Youtube videos explain how to use AMS services The AMS playlist on YouTube contains new videos:

1.How can I share sensitive data in AWS Managed accounts using AWS Secrets Manager?

2.How do I get read-only access to the Trend Micro DSM console to generate reports?

3.How can I raise a scheduled RFC?

4.How can I perform on-demand patching with AMS?

5.How can I reject patches from being installed on my instances?

6.How do I exclude my EC2 Instances from scheduled patching?

7.How do I deploy a maintenance window through an automated RFC?

8.How do I add correspondence and attachments to an RFC?

• New validations for migrating Linux and Windows workloads to AMS Advanced

AMS added new Workload pre-Ingestion (WIGS) validations for Linux, covering ssh and sudo conﬁguration; and for Windows, covering RDS license conﬁguration. These should prevent previously common issues during ingestion.

AMS Advanced Change Types

New Change Types

• Deployment | Advanced stack components | Identity and Access Managment (IAM) | Create OpenID Connect provider (ct-30ecvﬁ3tq4k3)

Create IAM OpenID Connect provider.

Updated Change Types

• Deployment | Advanced stack components | RDS database stack | Create (ct-2z60dyvto9g6c) This update adds performance insights options.

Create RDS DB stack

• Management | Patching | On-demand patching | Run (ct-3oy53m1qzl2s5)

(7)

AMS ServiceNow Connector (last updated November 11, 2021) Run on-demand patching

• Management | Advanced stack components | Tag | Bulk update (auto) (ct-3047c34zuvswh) Correction: The required column name is "Identiﬁer" not "ID"

Bulk tag update notes

AMS ServiceNow Connector (last updated November 11, 2021)

We’re excited to announce the release of latest version of AWS Managed Services AMS ServiceNow Connector (version - 2.4.1) to the ServiceNow store. This includes a list of features and ﬁxes for customer reported issues as outlined below:

• Customers can now easily create an RFCs from Service Catalog by utilizing the Multi-Row Variable Set functionality which improves the User Interface of the RFC forms. Prior to using Multi-Row Variable Set, customers had to manually input an array of JSON objects which made the data input cumbersome and prone to errors.

• Customers will now be presented with clear instructions on what to input in a particular ﬁeld during creation of a new RFC from Service Catalog. For example if the ﬁeld type is String, the instructions would include minimum length, maximum length, pattern etc. if applicable.

• Customers will now be not allowed to submit an RFC from Service Catalog if there are any validation errors. For example if the customer inputs invalid JSON in a ﬁeld then they will be presented with a validation error message.

• Customers can now enter either a Single Line Text, Wide Line Text or Multi Line Text for String Data type ﬁelds in RFC forms depending upon the maxLength of the Change Type ﬁeld.

• Customers will now be able to submit a large Execution Parameters data input in the RFCs.

• Customers will no longer have duplicate Question Choices each time the Scheduled Job 'AMS Connect - Change Type Ingestion' executes.

• Customers will be now be able to search all RFC catalog items by navigating to AMS Connector → Service Catalog and searching for the desired Change Type.

(8)

AMS New Features

AMS release notes

Release date: 13 January 2022 Topics

• AMS Operations News (p. 4)

• AMS AMIs (p. 5)

AMS New Features

SSM

SSM agent version management (auto-upgrade) in AMS Advanced. AMS will auto-manage the SSM agent version on the instances. Prior to this release SSM agent version upgrades were manually implemented and not centralized management. This change improves the operational and security posture of the your AMS environments.

AMS Security News

Trend Micro

Trend Micro Deep Security Manager was upgraded to 20.0.543, Deep Security Agent version support through 20.0.0-3445. Performance improvements and bug ﬁxes are in the newest versions.

Trend Micro Deep Security Manager and Deep Security Relay are now using M5 EC2 instance types by default for a 4% cost savings. If yours are not, then they were specifically configured with M4 instance types; file an RFC requesting an update, and they will be changed.

Trend Micro Deep Security Manager and Deep Security Relay are now using gp3 volume for a 20% cost savings.

SQS

SQS queue AMSEPSEventsProcessorQueue and SNS topic AMSEPSMonitoringTopic are now encrypted with AWS Key Management Service.

AMS Operations News

Problem management

(9)

AMS AMIs

An account level problem with AMS Monitoring, where CloudWatch alarms weren’t getting created for EC2 instances, impacting a few AMS single-account landing zone customers, has been ﬁxed and potential issues were proactively remediated.

An AMS customer was having a problem with a hostname getting changed post every reboot. AMS performed a root-cause analysis and ﬁxed the problem and added internal documentation for future purposes.

AMS identiﬁed and removed discrepancies in account level monitoring documentation. See the AMS Advanced User Guide for Baseline Alerts Monitoring and the AMS Accelerate User Guide Baseline Alerts Monitoring.

AMS AMIs

New AMS AMIs released January 13, 2021

AMS 01.13.2022 AMI contents and CSV ﬁle in a ZIP.

New PBIS Enterprise Version Release. AMS AMIs will be running the latest version of PBIS Enterprise – 21.1.3 if customers are using the January 2022 customer AMIs based on the following operating systems. and the customer account is enabled for PBIS Enterprise:

• Amazon Linux, Amazon Linux 2, Centos 7, Red Hat 7 and Red Hat 8 (including security enhanced variants based on these Operating Systems).

Note that this latest PBIS version update is not supported on SUSE.

AMS Advanced Operations Plan

• A Priority parameter has been added to all execution mode=manual change types (CTs).

For additional information, see RFC Priority.

AMS Advanced Change Types

• Management | Advanced stack components | Application Load Balancer | Add listener certiﬁcate Add ALB listener certiﬁcate.

• Management | Advanced stack components | Application Load Balancer | Remove listener certiﬁcate Remove ALB listener certiﬁcate.

• Management | Advanced stack components | Load Balancer (ELB) stack | Replace listener certiﬁcate Replace ELB listener certiﬁcate.

• Management | Advanced stack components | Network Load Balancer | Add listener certiﬁcate Add NLB listener certiﬁcate.

• Management | Advanced stack components | Network Load Balancer | Remove listener certiﬁcate

(10)

AMS ServiceNow Connector (last updated November 11, 2021) Remove NLB listener certiﬁcate.

• Management | Managed landing zone | Networking account | Disable TGW propagation Disable transit gateway propagation.

• Management | Managed landing zone | Networking account | Enable TGW propagation Enable transit gateway propagation.

• Management | Standalone resources | EC2 instance | Terminate Terminate standalone EC2.

• Management | Advanced stack components | EC2 Instance Stack | Gather log4j information

Gather log4j information on multiple instances. The CT schema was updated to provide an option to target all instances in the speciﬁed region.

• Management | Advanced stack components | EC2 instance stack | Change hostname (Linux) Change EC2 hostname (Linux). Automated, with additional parameters and moved to version 2.0.

Start DMS replication task and Stop DMS replication task. This change updates the task ARN regular expression to the allow tasks containing the a dash ( - ).

AMS ServiceNow Connector (last updated November 11, 2021)

We’re excited to announce the release of latest version of AWS Managed Services AMS ServiceNow Connector (version - 2.4.1) to the ServiceNow store. This includes a list of features and ﬁxes for customer reported issues as outlined below:

(11)

AMS New Features

AMS release notes

Release date: 20 December 2021

NoteThere was an emergent release on December 17 for the Log4j change type; many of the release items described here were released on that date.

Topics

• AMS AMIs (p. 8)

• Both AMS Accelerate and Advanced Operations Plans (p. 8)

AMS New Features

Advanced operations plan: Quick Create request for change (RFC)

AMS introduces a stream-lined way to create RFCs, Quick Create. Use quick create to create AMS's most commonly-requested change types (CTs) in one click without having to search for and select them.

Summary of changes:

• The three step RFC wizard has been replaced with a simpler RFC creation flow. The first page has an intuitive card view where you can search all the available CTs. Selecting a CT navigates to the final page with an auto-populated title for the RFC.

• Responsive card view for CTs selection (the number of cards in a row increases or decreases in response to changing the window size)

• Segmented control to switch between cards/table view and CT selection type (Browse CT/ Choose by category)

• More informative CT Details card (shown only in the Choose by category view to avoid redundancy)

• Moved the Modify version button and the Create button from the bottom of the form to the cards/

table toggle header. These buttons are enabled only after a CT is selected.

For additional information, see Create an RFC.

AMS Security News

Log4j

(12)

AMS AMIs

AWS Managed Services (AMS) has published a new (SSM) Automation Document, AWSManagedServices- GatherLog4jInformation that you can use to scan EC2 Workloads for impact to the Log4j Remote Code Execution (RCE) [CVE-2021-44228].

AMS Advanced customers use AMS Change Management to run the document through the new change type Management | Advanced Stack Components | EC2 Instance Stack | Gather log4j information (ct-19f40lfm5umy8). For details, see (single instance scan, v1.0) Gather Log4j information on an EC2 instance or (multi instance scan, v2.0) Gather Log4j information on multiple EC2 instances.

AMS Accelerate customers can use the AWSManagedServices-GatherLog4jInformation SSM Document directly through the AWS Systems Manager Console or through the AWS SSM SendCommand API.

For additional information, see Update for Apache Log4j2 Issue (CVE-2021-44228).

AMS AMIs

New AMS AMIs released December 16, 2021 AMS 12.16.2021 AMI contents and CSV ﬁle in a ZIP.

Both AMS Accelerate and Advanced Operations Plans

• Updated the trigger condition for the DiskQueueDepth alert. Previous trigger condition: Sum is > 75 for 1 mins, 2 consecutive times, new trigger condition: Sum is > 75 for 1 mins, 15 consecutive times.

See Advanced: Alerts from baseline monitoring and Accelerate: Alerts from baseline monitoring.

• In the AMS console, in the Create a service request form, the Category menu now includes the option of Operations on Demand. Operations Engineers will contact you to help you.

• In the event AMS is no longer able to support an operating system version, AMS will issue a Critical Recommendations. See the note in Supported Conﬁgurations.

AMS Advanced Operations Plan

AMS Advanced Change Types

• Management | Advanced Stack Components | EC2 Instance Stack | Gather log4j information Gather Log4j information on an EC2 instance.

(13)

AMS ServiceNow Connector (last updated November 11, 2021)

• Deployment | Directory service | DNS | Delete conditional forwarder Delete conditional forward.

• Deployment | Directory service | DNS | Create group managed service account Create a group managed service account.

• Management | Directory service | DNS | Update cluster permissions Update cluster permissions.

• Management | Directory service | DNS | Update record permission Update record permissions.

• Deployment | Advanced stack components | Identity and Access Management (IAM) | Create EC2 instance proﬁle

Create EC2 instance IAM proﬁle.

• Deployment | Advanced stack components | Identity and Access Management (IAM) | Create Lambda execution role

Create Lambda execution role.

• Management | Directory service | DNS | Delete conditional forwarder Delete conditional forwarder.

• Management | Directory service | DNS | Update conditional forwarder Update conditional forwarder.

• Deployment | Advanced stack components | Redshift | Create (Cluster)

Create Redshift Cluster. The CT schema was updated to allow more IAM role names.

• Deployment | Advanced stack components | Redshift | Create (cluster from snapshot)

Create Redshift cluster from a snapshot. The CT schema was updated to allow more IAM role names.

AMS ServiceNow Connector (last updated November 11, 2021)

We’re excited to announce the release of latest version of AWS Managed Services (AMS) ServiceNow Connector (version - 2.4.1) to the ServiceNow store. This includes a list of features and ﬁxes for customer reported issues as outlined below:

(14)

(15)

AMS Security News

AMS release notes

Release date: 17 December 2021 Topics

• AMS AMIs (p. 11)

• Both AMS Accelerate and Advanced Operations Plans (p. 11)

AMS Security News

Log4j

AWS Managed Services (AMS) has published a new (SSM) Automation Document, AWSManagedServices- GatherLog4jInformation that you can use to scan EC2 Workloads for impact to the Log4j Remote Code Execution (RCE) [CVE-2021-44228].

AMS Advanced customers use AMS Change Management to run the document through the new change type Management | Advanced Stack Components | EC2 Instance Stack | Gather log4j information (ct-19f40lfm5umy8). For details, see (single instance scan, v1.0) Gather Log4j information on an EC2 instance or (multi instance scan, v2.0) Gather Log4j information on multiple EC2 instances.

AMS Accelerate customers can use the AWSManagedServices-GatherLog4jInformation SSM Document directly through the AWS Systems Manager Console or through the AWS SSM SendCommand API.

For additional information, see Update for Apache Log4j2 Issue (CVE-2021-44228).

AMS AMIs

New AMS AMIs released December 16, 2021 AMS 12.16.2021 AMI contents and CSV ﬁle in a ZIP.

Both AMS Accelerate and Advanced Operations Plans

(16)

• In the AMS console, in the Create a service request form, the Category menu now includes the option of Operations on Demand. Operations Engineers will contact you to help you.

AMS Advanced Operations Plan

AMS Advanced Change Types

• Management | Advanced Stack Components | EC2 Instance Stack | Gather log4j information Gather Log4j information on an EC2 instance.

• Deployment | Directory service | DNS | Delete conditional forwarder Delete conditional forward.

• Deployment | Directory service | DNS | Create group managed service account Create a group managed service account.

• Management | Directory service | DNS | Update cluster permissions Update cluster permissions.

• Management | Directory service | DNS | Update record permission Update record permissions.

• Deployment | Advanced stack components | Identity and Access Management (IAM) | Create EC2 instance proﬁle

Create EC2 instance IAM proﬁle.

• Deployment | Advanced stack components | Identity and Access Management (IAM) | Create Lambda execution role

Create Lambda execution role.

• Management | Directory service | DNS | Delete conditional forwarder Delete conditional forwarder.

• Management | Directory service | DNS | Update conditional forwarder Update conditional forwarder.

• Deployment | Advanced stack components | Redshift | Create (Cluster)

Create Redshift Cluster. The CT schema was updated to allow more IAM role names.

• Deployment | Advanced stack components | Redshift | Create (cluster from snapshot)

(17)

Create Redshift cluster from a snapshot. The CT schema was updated to allow more IAM role names.

AMS ServiceNow Connector (last updated November 11, 2021)

(18)

AMS Accelerate Operations Plan

AMS release notes

Release date: 11 November 2021 Topics

• AMS ServiceNow Connector (p. 9)

AMS Accelerate Operations Plan

• AMS Accelerate now enables enriched VPC Flow Logs with additional fields to better understand your network and application dependencies. VPC Flow Logs gives AMS and customers’ security engineers a history of high-level network traffic flows within entire VPCs, subnets, or specific network interfaces (ENIs). You use the additional fields to capture more relevant information about the IP traffic going to and from network interfaces in the VPCs and to monitor VPC traffic, understand network dependencies, troubleshoot network connectivity issues, and identify network threats.

• AMS Accelerate now provides a customer-facing inventory of all resources that Accelerate deploys. Use this to help understand the purpose and origin of resources you might not otherwise recognize.

AMS Advanced Operations Plan

• AMS Direct Change Mode (DCM, aka Migration Mode). A new provisioning mode that extends AMS Advanced Change Management giving customers native AWS access to CloudFormation and supported AWS services for low-risk actions (standard changes). See Getting Started with Direct Change mode

• AMS automated the creation of Developer Mode accounts in Advanced with a new Change Type (CT).

This new automated CT simpliﬁes the creation of MALZ Developer Mode accounts by consolidating the request from 3 diﬀerent CTs into a single one, allowing you to deploy your workloads faster and reducing risk of user errors. See Documentation: Create Management account developer mode account with VPC.

• Bring Your Own End Point Solution (BYOEPS) an opt-in feature for AMS Advanced customers is now available. The feature allows customers to use their preferred endpoint security solution instead of AMS managed Trend Micro Deep Security for managed customer instances.Some common reasons to use this feature are:

• You have existing licenses for products other than Trend Micro DeepSecurity and want to use them.

• You have a team that provides managed EPS using a diﬀerent tool.

• You want to use a speciﬁc EPS tool due to regulatory or application requirements.

(19)

AMS Advanced Change Types

• AMS buckets aws-landing-zone-logs-<accountId>-<region> and aws-landing-zone-s3-access-logs-

<accountId>-<region> now has an additional bucket policy that require requests to use Secure Socket Layer (SSL), in order to be compliant with the Conﬁg rule ams-nist-cis-s3-bucket-ssl-requests-only.

AMS Advanced Change Types

• Management | Managed landing zone | Management account | Move Account to OU Move an account to a diﬀerent OU.

• Management | Advanced stack components | EC2 instance | Start

Start EC2. The CT schema was updated so you can start multiple EC2 instances.

• Management | Advanced stack components | EC2 instance | Stop

Stop EC2. The CT schema was updated so you can stop multiple EC2 instances. There's also a new parameter, ForceStop.

• Management | AWS Backup | Recovery point | Delete

Delete a recovery point. The CT schema was updated so you can delete mulitple recovery points.

• Management | Advanced stack components | EBS snapshot | Delete

Delete EBS snapshot. The CT description was expanded to mention some caveats.

AMS ServiceNow Connector

(20)

AMS AMIs

New AMS AMIs released November 10, 2021 AMS 11.10.2021 AMI contents and CSV ﬁle in a ZIP.

Also see AMS AMIs.

(21)

AMS release notes

Release date: 14 October 2021 Topics

AMS Accelerate Operations Plan

• Resource Tagger can be placed into ReadOnly mode. Using a ﬂag in your Resource Tagger

conﬁguration document, you can specify that Resource Tagger should not add, update or delete any tags on your resources. See Preventing Resource Tagger from modifying resources.

AMS Advanced Operations Plan

• AWS Application Migration Service (AWS MGN). Use AWS MGN to migrate applications and databases that run on supported versions of Windows and Linux operating systems. See AWS Application Migration Service (AWS MGN).

• Auto-created troubleshooting RFC for failed Restore EC2 stack volumes. The Restore EC2 stack

volumes CT is most often used in disaster recovery situations; now, if it fails, AMS automatically creates an RFC for you and an AMS Operations engineer begins investigating. See EC2 instance volume restore fail.

• AMS Console: AMS Knowledge Center Videos. Links to these Youtube videos have been added to the Getting Started box in the AMS console and to several places in the documentation.

• AMS Console: A new ﬁlter, Customer Approval Pending on the RFCs list page, lets you ﬁnd all RFCs awaiting your response. Additionally, you can see how many RFCs awaiting your response you have on the Dashboard page.

AMS Advanced Change Types

• Management | Directory Service | Computer object | Remove SPN Remove a computer object's SPN.

• Deployment | Managed landing zone | Networking account | Disassociate TGW attachment

(22)

AMS AMIs

Disassociate TGW attachment in your Networking account.

• Deployment | Managed landing zone | Networking account | Associate TGW attachment Associate TGW attachment in your Networking account.

• Deployment | Managed landing zone | Networking account | Add static route Add a static route in your Networking account.

• Deployment | Managed landing zone | Management account | Create Developer Mode account (with VPC)

Create Management account developer mode account with VPC.

• Management | Advanced stack components | Security Group | Delete (no review required) Delete security group (no review required).

• Management | Advanced stack components | Security Group | Disassociate (no review required) Disassociate security group to resource (no review required).

• Management | Advanced stack components | AMI | Deregister

Delete or deregister AMIs. This CT has a new parameter "DeleteSnapshots" to allow deleting snapshots associated with AMI.

• Management | Advanced stack components | RDS | Stop

Stop RDS DB stack DB instance. A note was added that you cannot use the CT with Aurora MySQL or Aurora PostgreSQL.

• Deployment | Advanced stack components | Redshift | Create (cluster from snapshot) version 1.0 Create a Redshift cluster from a snapshot. A new parameter, NodeType, was added.

AMS AMIs

New AMS AMIs released October 13, 2021 AMS 10.13.2021 AMI contents and CSV ﬁle in a ZIP.

Also see AMS AMIs.

(23)

AMS release notes

This page includes information on the current releases for AMS documentation, including latest AMIs.

histories are located at the end of each individual guide; see AMS documentation histories (p. 36) for links.

Release date: 16 September 2021 Topics

• AMS ServiceNow Connector (p. 20)

AMS Accelerate Operations Plan

• AMS Operations on Demand (OOD) Public Launch.

Operations on Demand provides you with a curated catalog of operations activities that extend and complement the capabilities provided in the AMS Accelerate operations plan. OOD brings operational expertise and automation of AWS services to assist you in adopting, operating and optimizing your AWS infrastructure within AMS-managed accounts. Operations on Demand is available via a catalog of offerings consisting of runbooks and automations to achieve the goals of the specific catalog offering.

Catalog oﬀerings are available in blocks of 20 hours for an additional fee, and AMS works with you to determine the number of blocks needed per month to achieve their desired outcomes.

• AMS reduces the cost of running AWS Conﬁg in Accelerate.

AWS Managed Services (AMS) now deploys our collection of Conﬁg Rules to AMS Accelerate accounts without using Conformance Packs, helping you reduce your AWS Conﬁg cost by 15-20%

approximately.

AMS will delete the AWS Config Conformance pack created by AMS, namely "NIST-CIS-Conformance- Pack" and redeploy the same set of AWS Config Rules that were part of this Conformance pack. The rules will reevaluate their compliance status without compliance status and history in the Config report that AMS provides.

After this change, AWS Conﬁg will stop billing you for the "NIST-CIS-Conformance-Pack" and you should see a reduction on your "ConformancePackEvaluations" charges.

AMS Advanced Operations Plan

• AMS Operations on Demand (OOD) Public Launch.

Operations on Demand provides you with a curated catalog of operations activities that extend and complement the capabilities provided in the AMS Advanced operations plan. OOD brings operational

(24)

AMS Advanced Change Types

expertise and automation of AWS services to assist you in adopting, operating and optimizing your AWS infrastructure within AMS-managed accounts. Operations on Demand is available via a catalog of offerings consisting of runbooks and automations to achieve the goals of the specific catalog offering.

Catalog oﬀerings are available in blocks of 20 hours for an additional fee, and AMS works with you to determine the number of blocks needed per month to achieve their desired outcomes.

AMS Advanced Change Types

• Deployment | Advanced stack components | Identity and Access Management (IAM) | Create entity or policy (no review required) change type (ct-19jq3ulr3g9zg). Create IAM entity or policy, no review required.

• Management | Standard stacks | Stack | Remediate drift (auto) Remediate stack drift, no review required.

• Management | AWS Backup | Backup plan | Enable cross account copy (Management account) Enable cross account copy in a backup plan.

• Management | Advanced stack components | EC2 instance stack | Encrypt instance volumes (ct-0hahohe17csnc) Encrypt EC2 stack instance.

• Management | Managed landing zone | Management account | Create Developer Mode account (with VPC) (ct-0hahohe17csnc) Create Management account Developer Mode account with VPC.

• Management | Advanced stack components | Security Group | Associate (ct-12lyw7otiyr6f). Updated with a new version, 2.0, and support for new resource types and additional information in the walkthrough. Associate security group to resource.

• Deployment | Advanced stack components | Network Load Balancer | Create (ct-2qldv4h9osmau).

Updated to allow log access log sending by default to a pre-existing AMS-owned S3 bucket (no new parameters). Create NLB load balancer.

• Deployment | Advanced stack components | Database Migration Service (DMS) | Create replication subnet group (ct-2q5azjd8p1ag5).

Added note to warn that this CT will fail if the 'dms-vpc-role' IAM role doesn't exist in the account.

Create DMS replication subnet group.

The note for InstanceType has been updated to mention that AMS does not recommend using the t2.micro/t3.micro and t2.nano/t3.nano instance types as they can impact the performance of the application and AMS tooling running on the instances. Create EC2 stack instance and Create EC2 stack instance with additional volumes. .

• All Deployment | Managed landing zone | Management account and Management | Managed landing zone | Management account change type walkthrough ﬁle names have been renamed to use "mgmt" in the URL instead of "master" in the ongoing eﬀort for inclusive language. Redirects were created.

AMS ServiceNow Connector

• You can now use the "Copy AMS RFC" feature on the existing RFCs. It will create a new RFC by copying the execution parameters data from the existing RFC record.

(25)

AMS AMIs

• You can now use the Automated Test Framework (ATF) scripts for testing Incidents, Service Requests and RFCs. This include automated tests for server-side integration scripts and form-based user action(s).

• You can now see the planned execution start date and planned execution end date on change request records in ServiceNow for scheduled AMS RFCs.

• You can now see the "minItems" and "maxItems" in the help text of variables wherever applicable on the RFC Service Catalog view.

• You will no longer encounter issues while submitting RFCs accepting array of Boolean values in the execution parameters or viewing change request records in non-ams views in ServiceNow.

AMS AMIs

New AMS AMIs released September 15, 2021 AMS 09.15.2021 AMI contents and CSV ﬁle in a ZIP.

Also see AMS AMIs.

(26)

AMS release notes

This page includes information on the current releases for AMS documentation. histories are located at the end of each individual guide; see AMS documentation histories (p. 36) for links.

Release date: 12 August 2021

AMS Advanced Operations Plan

Category Description

New features • Quick starts! AMS has added quick starts, that is, a combination of RFCs with various change types, to accomplish a task. Our ﬁrst quick start is for setting up AMS Resource Scheduler. Quick starts for cross-account backups and cross-region snapshot copy are in the works.

See managedservices/latest/ctexguide/ AMS Resource Scheduler quick start.

• New information on using root credentials and avoiding a security investigation.

See How and when to use root.

• AMS customer documentation is now public.

For more information, see README.

AMS Advanced New and Updated Change Types

Change Description Date

Management | Patching | Patch window | Update

Patch window: Update. August 26,

2021 Management | Advanced stack components | KMS

key | Enable rotation KMS key: Enable rotation. August 26, 2021 Management | Directory Service | Users and

groups | Add group to group Directory Server DNS: Group add to group.

August 26, 2021

Management | Directory Service | Users and groups | Add user to group Directory Server DNS:

User add to group.

August 26, 2021

Management | Directory Service | Users and groups | Add group Directory Server DNS: Add group.

August 26, 2021

Management | Directory Service | Users and groups | Remove user from group Directory Server DNS: Remove user from group.

August 26, 2021 New CTs:

Management | Directory Service | DNS | Remove

record Directory Server: Remove record. August 26, 2021

(27)

AMS Advanced New and Updated Change Types

Management | Directory Service | DNS | Add CNAME record Directory Server: Add CNAME record.

August 26, 2021

Management | Directory Service | DNS | Add A

record Directory Server: Add "A" record. August 26, 2021 Management | Advanced stack components | EC2

instance stack | Restore volumes The schema is updated with new parameters and the version is now 3.0. EC2: Restore volumes.

August 26, 2021

Deployment | Advanced stack components | DNS (private) | Create

The schema is updated with new parameters:

AliasTargetDnsName, AliasTargetHostedZoneId, and AliasTargetEvaluatedTargetHealth to support "A" record to route traﬃc to AWS resource such as CloudFront distribution or an Amazon S3 bucket, by providing the DNSName and HostedZoneID associated with the AWS resource.

DNS (private): Create.

August 26, 2021

Deployment | Advanced stack components | DNS (public) | Create

DNS (public): Create.

August 26, 2021 Updated CTs:

Management | Advanced stack components | DNS (private) | Update

DNS (private): Update.

August 26, 2021

(28)

Management | Advanced stack components | DNS (public) | Update

DNS (public): Update.

August 26, 2021

Updated Change Type

Classiﬁcation: The Management | Advanced stack components

| Directory Service | Accept sharing change type has moved to a new classiﬁcation, with other directory service change types: Management | Directory service | Directory | Accept sharing. The change type ID, ct-13xvbj5pqg253, remains the same.

August 26, 2021

AMS Accelerate Operations Plan

New features • New information on using root credentials and avoiding a security investigation.

See How and when to use root.

AMS AMIs

Next release of AMS AMIs is scheduled for the week of September 13th.

(29)

AMS release notes

This page includes information on the current releases for AMS documentation. histories are located at the end of each individual guide; see AMS documentation histories (p. 36) for links.

Release date: 12 August 2021

AMS Advanced Operations Plan

New features • New feature in alert remediation that auto-remediates RDS Low Storage events.

See Amazon RDS low storage event remediation automation.

• AMS customer documentation is now public.

For more information, see README.

Updated

change types • RDS DB stack, creating. Add mariadb as an option for RDSDBEngine.

Deployment | Advanced stack components | RDS database stack | Create (ct-2z60dyvto9g6c).

AMS Accelerate Operations Plan

New features A changelog for the account discovery CLI is now available.

See: Account discovery.

AMS AMIs

Category Description New AMIs

AMS 08.11.2021 AMI contents and CSV ﬁle in a ZIP.

Also see AMS AMIs.

(30)

AMS July 29 release notes

This page includes information on the current releases for AMS documentation. Document histories are located at the end of each individual guide; see AMS documentation histories (p. 36) for links.

Release date: 29 July 2021

See this table for documentation access changes:

Content type Description New access location STARTING

JUNE 30th AMS Advanced User Guide

for multi-account and single- account landing zone AMS Advanced Onboarding Guide for multi-account and single-account landing zone AMS Advanced Change Management User Guide AMS Advanced Application Developer’s Guide

AMS Advanced Change Type Reference

AMS CM API Reference

AWS Managed Services Documentation landing page Note: The AMS Advanced Introduction Guide content has been migrated to the AMS Advanced UG and we have stopped publishing the standalone Intro Guide.

Important!: Some content has been migrated out of the AMS Advanced User Guide to an AMS Security Guide that is available on the AMSReports tab in the AWS Artifact Console.

AMS SKMS API Reference This reference document is available on the Reports for AMS tab in the AWS Artifact Console.

AMS Customer documentation

AMS CLI Reference You can ﬁnd this

reference document in the Documentation box at the lower right of the Managed Services page of the AMS Console.

AMS Private Security Guides PDFs only These security guides, and other conﬁdential AMS content such as the AMS Technical Standards document, are available on the AMS Reports tab in the AWS Artifact Console.

ServiceNow Install Guide ServiceNow documentation

ServiceNow User Guide

This documentation is available only through the ServiceNow connector or by special request to your CSDM.

AWS Managed Services Service

Description AMS Advanced and AMS

Accelerate service descriptions Both service descriptions are available as part of their respective user guides. AMS

(31)

Content type Description New access location STARTING JUNE 30th

Accelerate Service Description, AMS Advanced Service Description.

AMS CLI and SDKs Zip ﬁles Both the AMS CLI zip and the

AMS SDK zip are available on the Developer’s Resources page in the AMS Console.

AMS Release Notes HTML and PDF AMS Release Notes.

Content notes and CSV ﬁle These documents are emailed directly to the account contact list and are available in the AMS Release Notes..

AMS Latest AMIs

AMS security enhanced AMI

settings These spreadsheets are available

by special request to your CSDM and on the Developer’s Resources page in the AMS Console. AMS encourages you to use AWS Inspector to discover AMI security settings.

AMS Videos on YouTube AMS usage videos AMS YouTube

Automate Account Setup ZIP AMS Onboarding guide AMS post-account prescriptive guidance.

Automate Account Setup

Lambda ZIP This is now an AWS Solution:

Automated Account Conﬁguration.

Linux WIGS Pre-ingestion

Validation tar ﬁle AMS Application Guide

Migrating workloads: Linux pre- ingestion validation.

Windows WIGS Pre-ingestion

Validation zip ﬁle AMS Application Guide Migrating workloads: Windows pre-ingestion validation.

CFN Lint Custom Rules,

2021.16.19 ZIP ﬁle This helper ﬁle is available on the AMS GitHub repo.

AMS Helper Files

CFN Ingest 3-tier Web App

Example JSON ﬁle, 08/06/2020 AMS Application Guide CFN Ingest 3-tier Web App Example

(32)

Content type Description New access location STARTING

JUNE 30th WIGs Cloud Endure Landing

Zone Example AMS Application Guide,

for single-account landing zone: Migrating Workloads:

CloudEndure Landing Zone (SALZ), for multi-account landing zone: Tools account, Migrating Workloads:

CloudEndure Landing Zone (MALZ)

AMS Allow List text ﬁle Migration Quick Reference

These ﬁles are available on the Developer’s Resources page in the AMS Console.

Downloadable content

AMS Change Type CSV ﬁle This ﬁle is available on the AMS Developer’s Resources page and will continue to be updated regularly.

Console Getting Started AMS Answers Map This ﬁle is deprecated as it was an assist given that AMS documentation lacked a search function. With AMS documentation published to the public site, the search function, as well as feedback function, are now available.

AMS Advanced Operations Plan

New features • Technical Standards documentation. Access is now provided, through AWS Artifact, to the AMS Technical Standards document that is used by AMS to determine when RFCs must be further investigated.

See RFC security reviews.

• Remediation of RDS alerts.

See Amazon RDS low storage event remediation automation.

• AWS Migration Hub is now a supported service.

See Supported services.

New Change

Types • IAM: Create SAML identity provider, IAM: Delete SAML identity provider, IAM:

Update SAML identity provider.

Updated

change types • EBS volume: Modify.

The parameters have changed to a diﬀerent method.

(33)

AMS Accelerate Operations Plan

New features Alert remediation, RDS low storage event remediation automation.

See: RDS low storage event remediation automation.

New features Default backup plans, additional details.

See: Backup management in AMS Accelerate.

(34)

AMS July 15 release notes

This page includes information on the current releases for AMS documentation. Document histories are located at the end of each individual guide; see AMS documentation histories (p. 36) for links.

Release date: 15 July 2021

AMS Advanced Operations Plan

New features • Developer's Resources page. This new AMS Advanced console page provides access to downloadable ﬁles for use with AMS.

• AMS Advanced documenation is now all available on the AWS Documentation public site. This provides a working Search engine, feedback options, and more. For more information, see README.

New Change

Types • AMS AMIs. Create an AMS AMI from an AMS Auto Scaling group (ct-3e3prksxmdhw8).

See Deployment | Advanced stack components | AMI | Create from Auto Scaling group.

• EBS volumes. Attach an EBS volume to a speciﬁed instance using the AMS console or the AMS API/CLI (ct-34jldf2qihaic).

See Management | Advanced stack components | EBS Volume | Attach.

• EBS volumes. Detach an EBS volume to a speciﬁed instance using the AMS console or the AMS API/CLI (ct-2d55p1d7z6w3d).

See Management | Advanced stack components | EBS Volume | Detach.

• Managed ﬁrewall, Outbound (Palo Alto): Create allow list (ct-309eozh6lpkr8) See Management | Managed ﬁrewall | Outbound (Palo Alto) | Create allow list.

• Managed ﬁrewall, Outbound (Palo Alto): Delete allow list (ct-2fzh1wckpl7f5) See Management | Managed ﬁrewall | Outbound (Palo Alto) | Delete allow list.

• Managed ﬁrewall, Outbound (Palo Alto): Create security policy (ct-281dpwh9tqnan)

See Management | Managed ﬁrewall | Outbound (Palo Alto) | Create security policy.

• Managed ﬁrewall, Outbound (Palo Alto): Delete security policy (ct-1taxucdyi84iy) See Management | Managed ﬁrewall | Outbound (Palo Alto) | Delete security policy.

• Managed ﬁrewall, Outbound (Palo Alto): Update security policy (ct-0mss4i7neuj7f) See Management | Managed ﬁrewall | Outbound (Palo Alto) | Update security policy.

(35)

Category Description Updated

change types • Managed Firewall, Palo Alto Outbound. New schemas.

Management | Managed ﬁrewall | Outbound (Palo Alto) | Add URLs

(ct-2b9q8339bj2sa) and Management | Managed ﬁrewall | Outbound (Palo Alto) | Remove URLs (ct-2mf36chtp1ejh).

• Self-Service Provisioning Service. New parameter, SAMLProviders.

Management | AWS service | Self-provisioned service | Add (ct-3qe6io8t6jtny).

• AMI encryption. Note warning not to try to encrypt AMIs that are already encrypted.

Management | Advanced stack components | AMI | Encrypt (ct-3u9yd8jznb2zd).

AMS Accelerate Operations Plan

New features A changelog for the account discovery CLI is now available.

See: Account discovery.

New features Minimum required VPC service endpoints for Accelerate OS Conﬁguration Service is now available.

See: AMS Accelerate VPC endpoints.

AMS AMIs

AMS07.14.2021 AMI contents and CSV ﬁle in a ZIP.

Also see AMS AMIs.

(36)

AMS June 29 release notes

This page includes information on the current releases for the AMS Advanced and AMS Accelerate operations plan, the AMS CM API, and AMS AMI releases and updates.

For documentation updates, see the document histories located at the end of each individual guide, see AMS documentation histories (p. 36) for links.

Release date: 29 June 2021

AMS Advanced Operations Plan

New features • AMS customer documentation is now entirely available through the public AWS Documentation site. See: AWS Managed Services Documentation.

• AMS has added a new page in the AMS Console: The Developer's Resources page.

This page provides downloadable ﬁles, such as the AMS SDKs. Find it in the left navigation pane of the AMS Console.

(37)

AMS June 17 release notes

This page includes information on the current releases for the AMS Advanced and AMS Accelerate operations plan, the AMS CM API, and AMS AMI releases and updates.

For documentation updates, see the document histories located at the end of each individual guide, see AMS documentation histories (p. 36) for links.

Release date: 17 June 2021

AMS Advanced Operations Plan

New features • AMS now has a public GitHub repo: GitHub repo.

• AMS now oﬀers self-service reporting through a new Reporting page in the AMS Console. See: Self-service reporting.

• AMS customer documentation access points are changing. See: README.

Feature

changes • We have moved the 'AMS Advanced service control policy restrictions' and 'AMS Advanced detective controls Conﬁg rules' tables to the new private AMS Security Guide, which is available on AWS Artifact. To access AWS Artifact, contact your cloud service delivery manager (CSDM) for instructions or go to Getting Started with AWS Artifact.

The 'Security best practices', 'AMS Advanced Guardrails', 'MALZ Service control policies', 'Security control for end-of-support operating systems', 'AMS Advanced detective controls', 'Detective controls in developer mode', and 'Security enhanced AMIs' sections are also moved to the new private security guide.

The 'Compliance validation', 'Security event logging and monitoring', 'Security alerts defaults', 'How do I oﬀboard a Multi-Account Landing Zone environment', and 'How do I oﬀboard a Multi-Account Landing Zone application account?' sections were redacted and the redacted content was moved tothe new private security guide.

New Change

Types • VPN gateway. Create a VPN gateway and associate it to an existing VPC, using the AMS console or the AMS API/CLI.

See Deployment | Advanced stack components | VPNGateway | Create (ct-0qbikxr9okwvy).

• AMIs. Delete or deregister an AMI using the AMS console or the AMS API/CLI.

See Management | Advanced stack components | AMI | Deregister (ct-26vhhlj9jmlpf).

Updated

change types • EC2 stack: Create with additional volumes. Updated to v4, new parameters were added.

Management | Advanced stack components | EC2 instance stack | Create (with additional volumes) (ct-1aqsjf86w6vxg).

• EC2 stack: Resize instance. Updated description to include all instance types and to specify that changing between Xen and Nitro hypervisors is not supported.

(38)

AMS Accelerate Operations Plan Category Description

Management | Advanced stack components | EC2 instance stack | Resize instance (ct-15mazjj88xc69).

• Tags: creating and updating. Updated descriptions for the AddOrUpdateTags parameter in the four corresponding CTs.

Deployment | Advanced stack components | Tag | Create (auto)

(ct-3cx7we852p3af) Deployment | Advanced stack components | Tag | Create (review required) (ct-0176f0n99vcps)) Management | Advanced stack components

• High availability one-tier stacks: Creating (with ELB). Updated Autoscaling parameters.

Deployment | Standard stacks | High availability one-tier stack | Create (with ELB) (ct-3w4lxdl3pqxob)

• Creating EBS with additional volumes. Updated to reﬂect added support for gp3 and io2 volumes and added a new parameter, Throughput.

Deployment | Advanced stack components | EBS Volume | Create from backup (ct-063qsm82cfxu6)

• Associating security groups (SGs). Updated the ResourceId parameter to support associating SG to EC2 instances created using EC2 with additional volumes CT.

Management | Advanced stack components | Security group | Associate (ct-12lyw7otiyr6f)

• Creating high availability stacks.

New parameter, LoadBalancerAccessCIDRRange Deployment | Standard stacks | High availability one-tier stack | Create (ct-09t6q7j9v5hrn)

New parameter, AccessCIDRRange Deployment | Standard stacks | High availability two-tier stack | Create (ct-06mjngx5ﬂwto)

AMS Accelerate Operations Plan

New features AMS now oﬀers self-service reporting through a new Reporting page in the AMS Console. See: Self-service reporting.

Feature

changes Not applicable

AMS AMIs

(39)

AMS AMIs Category Description

AWS Managed Services (AMS) AMI Contents Notes: 2021.06 See email from your CSDM for details.

Also see AMS AMIs

(40)

AMS documentation histories

Document histories can be found within each individual guide.

Service Documents AMS Advanced

Operations Plan

• AMS User Guide

• Change Management User's Guide

• Application Developer's Guide

• Onboarding Guide

• Change Type Reference Guide AMSAccelerate

Operations Plan

• Accelerate User Guide

AMS API • API Reference for Change Management

AWS Managed Services Release Notes AMS New or Updated Features, AMIs, and Change Types Version 10 February 2022

AWS Managed

Services Release Notes

AMS New or Updated Features, AMIs, and Change Types

Version 10 February 2022

AWS Managed Services Release Notes: AMS New or Updated Features, AMIs, and Change Types

Table of Contents

AMS release notes

AMS New Features

AMS Security News

AMS AMIs

AMS Accelerate Operations Plan

AMS Advanced Operations Plan

AMS Advanced Change Types

AMS ServiceNow Connector (last updated November 11, 2021)

AMS release notes

AMS New Features

AMS Security News

AMS Operations News

AMS AMIs

AMS Advanced Operations Plan

AMS Advanced Change Types

AMS ServiceNow Connector (last updated November 11, 2021)

AMS release notes

AMS New Features

AMS Security News

AMS AMIs

Both AMS Accelerate and Advanced Operations Plans

AMS Advanced Operations Plan

AMS Advanced Change Types

AMS ServiceNow Connector (last updated November 11, 2021)

AMS release notes

AMS Security News

AMS AMIs

Both AMS Accelerate and Advanced Operations Plans

AMS Advanced Operations Plan

AMS Advanced Change Types

AMS ServiceNow Connector (last updated November 11, 2021)

AMS release notes

AMS Accelerate Operations Plan

AMS Advanced Operations Plan

AMS Advanced Change Types

AMS ServiceNow Connector

AMS AMIs

AMS release notes

AMS Accelerate Operations Plan

AMS Advanced Operations Plan

AMS Advanced Change Types

AMS AMIs

AMS release notes

AMS Accelerate Operations Plan

AMS Advanced Operations Plan

AMS Advanced Change Types

AMS ServiceNow Connector

AMS AMIs

AMS release notes

AMS Advanced Operations Plan

AMS Advanced New and Updated Change Types

AMS Accelerate Operations Plan

AMS AMIs

AMS release notes

AMS Advanced Operations Plan

AMS Accelerate Operations Plan

AMS AMIs

AMS July 29 release notes

AMS Advanced Operations Plan

AMS Accelerate Operations Plan

AMS July 15 release notes

AMS Advanced Operations Plan

AMS Accelerate Operations Plan

AMS AMIs

AMS June 29 release notes

AMS Advanced Operations Plan

AMS June 17 release notes

AMS Advanced Operations Plan

AMS Accelerate Operations Plan

AMS AMIs

AMS documentation histories