# AWS Identity and Access Management in AMS Accelerate

AWS Identity and Access Management is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. During AMS Accelerate onboarding, you are responsible for creating cross-account IAM administrator roles within each of your managed accounts.

In AMS Accelerate, you're responsible for managing access to your AWS accounts and their underlying resources, including your access management solutions, access policies, and related processes. This means that you manage your user lifecycle, your permissions in directory services, and the federated authentication system that your users rely on to access the AWS Management Console or AWS APIs. To help you manage your access solution, AMS Accelerate deploys AWS Config rules that detect common IAM misconfigurations and delivers remediation notifications. For more information, see [AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html).

## Authenticating with identities in AMS Accelerate


AMS uses IAM roles, which are a type of IAM identity. An IAM role is similar to a user, in that it is an identity with permissions policies that determine what the identity can and can't do in AWS. However, a role doesn't have long-term credentials (such as a password or access keys) associated with it and, instead of being uniquely associated with one person, it can be assumed by any principal that the role's trust policy allows. An IAM user can assume a role to temporarily take on different permissions for a specific task, receiving short-lived credentials from AWS STS.

Access roles are controlled by internal group membership, which is administered and periodically reviewed by Operations Management. AMS uses the following IAM roles.

**Note**  
AMS access roles allow AMS operators to access your resources to provide AMS capabilities (see [Service description](acc-sd.md)). Altering these roles can inhibit our ability to provide these capabilities. If you need to alter AMS access roles, consult your Cloud Architect.

The table of AMS access roles and their access levels is available on the AWS documentation website: [AWS Identity and Access Management in AMS Accelerate](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/acc-sec-iam.html).

**Note**  
This is the template for the ams-access-management role. It's the stack that cloud architects (CAs) manually deploy in your account at onboarding: [management-role.yaml](https://ams-account-access-templates.s3.amazonaws.com/management-role.yaml).  
This is the template for the different access roles and access levels: ams-access-read-only, ams-access-operations, ams-access-admin-operations, ams-access-admin: [accelerate-roles.yaml](https://ams-account-access-templates.s3.amazonaws.com/accelerate-roles.yaml).

To learn more about AWS Cloud Development Kit (AWS CDK) identifiers, including the hashes that appear in the names of generated resources, see [UniqueIDs](https://docs.aws.amazon.com/cdk/latest/guide/identifiers.html#identifiers_unique_ids).

AMS Accelerate feature services assume the **ams-access-admin** role for programmatic access to the account, but with a session policy scoped down for the respective feature service (for example, patch, backup, monitoring, and so forth).
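The scoping described above relies on a standard IAM rule: when `sts:AssumeRole` is called with a session policy, the session's effective permissions are the intersection of the role's permissions policy and the session policy, so a session policy can only narrow what the role can already do. The following is an added example, not AMS code: `ROLE_POLICY` and `FEATURE_ACTIONS` are illustrative assumptions rather than the real **ams-access-admin** permissions, and the evaluator models only `Allow` statements on `Action` (no `Deny`, `Resource` or `Condition` logic). `assume_scoped_session` shows the `AssumeRole` call shape; pass it a boto3 STS client.

```python
"""Scoped-down session policy for a feature service assuming ams-access-admin.

Added example (not AMS code). ROLE_POLICY and FEATURE_ACTIONS are illustrative
assumptions, not the real ams-access-admin permissions; the evaluator models
only Allow statements on Action (no Deny, Resource or Condition logic).
"""
import json
from fnmatch import fnmatchcase
from typing import Dict

# Assumed permissions policy attached to the role itself (illustrative).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:*", "backup:*", "cloudwatch:*", "logs:*", "iam:*"], "Resource": "*"}
    ],
}

# Assumed per-feature action sets used to build each session policy (illustrative).
FEATURE_ACTIONS = {
    "patch": ["ssm:*", "ec2:Describe*"],
    "backup": ["backup:*"],
    "monitoring": ["cloudwatch:*", "logs:*"],
}


def session_policy_for(feature: str) -> Dict:
    """Build the session policy passed to sts:AssumeRole for one feature service."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": FEATURE_ACTIONS[feature], "Resource": "*"}],
    }


def _allows(policy: Dict, action: str) -> bool:
    """True if any Allow statement's Action pattern matches; IAM action matching is case-insensitive."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def effective_allow(role_policy: Dict, session_policy: Dict, action: str) -> bool:
    """A session policy can only narrow: the action must be allowed by both policies."""
    return _allows(role_policy, action) and _allows(session_policy, action)


def assume_scoped_session(sts_client, role_arn: str, feature: str) -> Dict:
    """Call sts:AssumeRole with the feature's session policy and return the temporary credentials.

    sts_client is a boto3 STS client (or any object exposing the same assume_role signature).
    """
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=f"ams-{feature}-service",  # session name is an assumption
        Policy=json.dumps(session_policy_for(feature)),
        DurationSeconds=3600,
    )
    return resp["Credentials"]


if __name__ == "__main__":
    patch = session_policy_for("patch")
    for action in ("ssm:SendCommand", "iam:DeleteRole", "ec2:DescribeInstances"):
        # iam:DeleteRole: role allows it, session policy does not -> denied.
        # ec2:DescribeInstances: session policy allows it, role does not -> denied.
        print(action, effective_allow(ROLE_POLICY, patch, action))
```

The `ec2:DescribeInstances` case is the one to remember when reviewing session policies: listing an action in the session policy grants nothing the role's own policy does not already grant.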

AMS Accelerate follows industry best practices to meet and maintain compliance eligibility. AMS Accelerate access to your account is recorded in CloudTrail and also available for your review through change tracking. For information about queries that you can use to get this information, see [Tracking changes in your AMS Accelerate accounts](acc-change-record.md).

## Managing access using policies


Various AMS Accelerate support teams such as Operations Engineers, Cloud Architects, and Cloud Service Delivery Managers (CSDMs), sometimes require access to your accounts in order to respond to service requests and incidents. Their access is governed by an internal AMS access service that enforces controls, such as business justification, service requests, operations items, and support cases. The default access is read-only, and all access is tracked and recorded; see also [Tracking changes in your AMS Accelerate accounts](acc-change-record.md).

### Validation of IAM resources


The AMS Accelerate access system periodically assumes roles in your accounts (at least every 24 hours) and validates that all of our IAM resources are as expected.

In order to protect your accounts, AMS Accelerate has a "canary" that monitors and alarms on the presence and status of the IAM roles, as well as their attached policies, mentioned above. Periodically, the canary assumes the **ams-access-read-only** role and initiates CloudFormation and IAM API calls against your accounts. The canary evaluates the status of the AMS Accelerate access roles to make sure they are always unmodified and up-to-date. This activity creates CloudTrail logs in the account.

The AWS Security Token Service (AWS STS) session name of the canary is **AMS-Access-Roles-Auditor-{uuid4()}** (the fixed prefix followed by a random version-4 UUID) as seen in CloudTrail, and the following API calls occur:
+ CloudFormation API calls: `describe_stacks()`
+ IAM API calls:
  + `get_role()`
  + `list_attached_role_policies()`
  + `list_role_policies()`
  + `get_policy()`
  + `get_policy_version()`
  + `get_role_policy()`

These are all read-only calls. CloudTrail records them under the `eventName` values `DescribeStacks`, `GetRole`, `ListAttachedRolePolicies`, `ListRolePolicies`, `GetPolicy`, `GetPolicyVersion`, and `GetRolePolicy`, with the **ams-access-read-only** role as the session issuer.
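Because the canary's role, session-name pattern, and API calls are all documented, you can treat them as an allowlist when reviewing CloudTrail: any call made under a canary-named session of **ams-access-read-only** that is not in the list above deserves a look. The following is an added example, not AMS code. It assumes the `uuid4()` suffix appears in the canonical lowercase hyphenated form, and the CloudTrail records it processes are constructed for the example.

```python
"""Check CloudTrail records for the AMS Accelerate access-roles canary.

Added example (not AMS code): keeps only sessions of ams-access-read-only whose
session name carries the documented canary prefix, then flags any API call
outside the documented set. The sample records below are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

CANARY_ROLE = "ams-access-read-only"
CANARY_PREFIX = "AMS-Access-Roles-Auditor-"
# Assumption: the uuid4() suffix is rendered in canonical lowercase hyphenated form.
CANARY_SESSION_RE = re.compile(
    r"^AMS-Access-Roles-Auditor-[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)

# Documented canary calls, keyed by CloudTrail eventSource, in CloudTrail eventName form.
EXPECTED_EVENTS = {
    "cloudformation.amazonaws.com": {"DescribeStacks"},
    "iam.amazonaws.com": {
        "GetRole", "ListAttachedRolePolicies", "ListRolePolicies",
        "GetPolicy", "GetPolicyVersion", "GetRolePolicy",
    },
}


def session_name(record: Dict) -> Optional[str]:
    """Return the STS session name if the caller assumed CANARY_ROLE, else None."""
    arn = record.get("userIdentity", {}).get("arn", "")
    # Assumed-role ARN: arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
    parts = arn.split("/")
    if len(parts) == 3 and parts[0].endswith(":assumed-role") and parts[1] == CANARY_ROLE:
        return parts[2]
    return None


def audit_canary_events(records: Iterable[Dict]) -> List[Dict]:
    """Flag canary-named sessions that call anything outside EXPECTED_EVENTS."""
    findings = []
    for rec in records:
        name = session_name(rec)
        if name is None or not name.startswith(CANARY_PREFIX):
            continue  # another principal (e.g. an operator) using the read-only role
        finding = {"eventID": rec.get("eventID"), "eventName": rec.get("eventName"), "sessionName": name}
        if not CANARY_SESSION_RE.match(name):
            finding["reason"] = "canary prefix with malformed uuid4 suffix"
            findings.append(finding)
            continue
        allowed = EXPECTED_EVENTS.get(rec.get("eventSource"), set())
        if rec.get("eventName") not in allowed:
            finding["reason"] = "API call outside the documented canary set"
            findings.append(finding)
    return findings


def _record(event_id: str, source: str, name: str, session: str, error: Optional[str] = None) -> Dict:
    """Build a minimal constructed CloudTrail record for an assumed-role call."""
    rec = {
        "eventID": event_id,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{CANARY_ROLE}/{session}",
            "sessionContext": {"sessionIssuer": {"userName": CANARY_ROLE}},
        },
    }
    if error:
        rec["errorCode"] = error
    return rec


CANARY_SESSION = "AMS-Access-Roles-Auditor-3f2c1a9e-7b4d-4c1e-9a2b-0d5e6f7a8b9c"
SAMPLE_RECORDS = [  # constructed sample input
    _record("e1", "iam.amazonaws.com", "GetRole", CANARY_SESSION),
    _record("e2", "cloudformation.amazonaws.com", "DescribeStacks", CANARY_SESSION),
    # A write attempt under the canary's name: denied by the read-only role, but still logged.
    _record("e3", "iam.amazonaws.com", "PutRolePolicy", CANARY_SESSION, error="AccessDenied"),
    # An operator session on the same role is out of scope for this check.
    _record("e4", "iam.amazonaws.com", "GetRole", "ops-engineer-session"),
]

if __name__ == "__main__":
    for finding in audit_canary_events(SAMPLE_RECORDS):
        print(finding)
```

Note that a denied call (record `e3`, with `errorCode` set) is still worth flagging: the read-only role would reject the write, but a canary-named session attempting one is not the behaviour documented above.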