

# Infrastructure security monitoring in AMS
<a name="acc-sec-infra-sec"></a>

When you onboard to AMS Accelerate, AWS deploys the following AWS Config baseline infrastructure and set of rules. AMS Accelerate uses these rules to monitor your accounts.
+ **AWS Config service-linked role**: AMS Accelerate deploys the service-linked role named **AWSServiceRoleForConfig**, which is used by AWS Config to query the status of other AWS services. The **AWSServiceRoleForConfig** service-linked role trusts the AWS Config service to assume the role. The permissions policy for the **AWSServiceRoleForConfig** role contains read-only and write-only permissions on AWS Config resources and read-only permissions for resources in other services that AWS Config supports. If you already have a role configured with AWS Config Recorder, AMS Accelerate validates that the existing role has an AWS Config managed-policy attached. If not, AMS Accelerate replaces the role with the service-linked role **AWSServiceRoleForConfig**.
+ **AWS Config recorder and delivery channel**: AWS Config uses the configuration recorder to detect changes in your resource configurations and capture these changes as configuration items. AMS Accelerate deploys the configuration recorder in all service AWS Regions, with continuous recording of all resources. AMS Accelerate also creates the config delivery channel, an Amazon S3 bucket, that's used to record changes that occur in your AWS resources. The config recorder updates configuration states through the delivery channel. The config recorder and delivery channel are required for AWS Config to work. AMS Accelerate creates the recorder in all AWS Regions, and a delivery channel in a single AWS Region. If you already have a recorder and delivery channel in an AWS Region, then AMS Accelerate doesn't delete the existing AWS Config resources. Instead, AMS Accelerate uses your existing recorder and delivery channel after validating that they are properly configured. For more information on how to reduce AWS Config costs, see [Reduce AWS Config costs in Accelerate](acc-sec-compliance.md#acc-sec-compliance-reduct-config-spend).
+ **AWS Config rules**: AMS Accelerate maintains a library of AWS Config Rules and remediation actions to help you comply with industry standards for security and operational integrity. AWS Config Rules continuously track configuration changes among your recorded resources. If a change violates any rule conditions, AMS reports its findings, and allows you to remediate violations automatically or by request, according to the severity of the violation. AWS Config Rules facilitate compliance with standards set by the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST) Cloud Security Framework (CSF), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry (PCI) Data Security Standard (DSS).
+ **AWS Config aggregator authorization**: An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple accounts and multiple Regions. AMS Accelerate onboards your account to a config aggregator from which AMS Accelerate aggregates your account's resource configuration information and config compliance data and generates the compliance report. If there are existing aggregators configured in the AMS-owned account, AMS Accelerate deploys an additional aggregator and the existing aggregator is not modified.
**Note**  
The Config aggregator is not set up in your accounts; rather, it is set up in AMS-owned accounts and your account(s) are onboarded to it.
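To make the validation described above concrete, here is an added example (not AMS's or AWS's own code) that checks one Region's existing AWS Config recorder, recorder role and delivery channel against that baseline, working from the records boto3 returns; the sample records, the account ID and the use of the AWS_ConfigRole managed policy as the acceptable policy are assumptions.

```python
"""Added example, not AMS or AWS code: check an account's existing AWS Config
setup against the AMS Accelerate baseline (recorder recording all resources
continuously, recorder role that is AWSServiceRoleForConfig or carries an AWS
Config managed policy, and a delivery channel). Inputs are the dicts that
boto3's describe_configuration_recorders, describe_delivery_channels and
list_attached_role_policies return; samples are constructed so it runs offline."""
from typing import Dict, List

# The Config service-linked role lives under this fixed IAM path (IAM's
# service-linked role naming convention, assumed here).
CONFIG_SLR_SUFFIX = "role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

# AWS managed policy that makes a customer-created recorder role acceptable.
# AWS_ConfigRole is the policy AWS documents for the Config recorder; this
# example treats it as the required one (assumption).
CONFIG_MANAGED_POLICY_NAMES = {"AWS_ConfigRole"}


def policy_name(policy_arn: str) -> str:
    """'arn:aws:iam::aws:policy/service-role/AWS_ConfigRole' -> 'AWS_ConfigRole'."""
    return policy_arn.rsplit("/", 1)[-1]


def check_recorder_role(role_arn: str, attached_policy_arns: List[str]) -> List[str]:
    """Return findings for the recorder role; an empty list means it is acceptable."""
    if role_arn.endswith(CONFIG_SLR_SUFFIX):
        return []
    names = {policy_name(arn) for arn in attached_policy_arns}
    if names & CONFIG_MANAGED_POLICY_NAMES:
        return []
    return [f"recorder role {role_arn} has no AWS Config managed policy attached; "
            "AMS would replace it with AWSServiceRoleForConfig"]


def evaluate_config_baseline(recorders: List[dict], channels: List[dict],
                             attached_policies: Dict[str, List[str]]) -> List[str]:
    """Compare one Region's Config resources with the AMS baseline.

    recorders:         describe_configuration_recorders()["ConfigurationRecorders"]
    channels:          describe_delivery_channels()["DeliveryChannels"]
    attached_policies: role ARN -> list of attached policy ARNs
    Returns human-readable findings; an empty list means the baseline holds.
    """
    findings: List[str] = []
    if not recorders:
        return ["no configuration recorder; AMS Accelerate would create one"]
    rec = recorders[0]  # AWS Config allows a single recorder per Region
    group = rec.get("recordingGroup", {})
    if not group.get("allSupported"):
        findings.append("recorder does not record all supported resource types")
    freq = rec.get("recordingMode", {}).get("recordingFrequency", "CONTINUOUS")
    if freq != "CONTINUOUS":
        findings.append(f"recorder frequency is {freq}; baseline expects CONTINUOUS")
    role_arn = rec.get("roleARN", "")
    findings += check_recorder_role(role_arn, attached_policies.get(role_arn, []))
    if not channels:
        findings.append("no delivery channel; AMS Accelerate would create one")
    elif not channels[0].get("s3BucketName"):
        findings.append("delivery channel has no S3 bucket configured")
    return findings


# --- constructed sample inputs (not real account data) -----------------------
ACCOUNT = "111122223333"
SAMPLE_COMPLIANT = {
    "recorders": [{
        "name": "default",
        "roleARN": f"arn:aws:iam::{ACCOUNT}:{CONFIG_SLR_SUFFIX}",
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
        "recordingMode": {"recordingFrequency": "CONTINUOUS"},
    }],
    "channels": [{"name": "default", "s3BucketName": "example-config-bucket"}],
    "attached_policies": {},
}
CUSTOM_ROLE = f"arn:aws:iam::{ACCOUNT}:role/legacy-config-role"
SAMPLE_DRIFTED = {
    "recorders": [{
        "name": "default",
        "roleARN": CUSTOM_ROLE,
        "recordingGroup": {"allSupported": False, "resourceTypes": ["AWS::EC2::Instance"]},
        "recordingMode": {"recordingFrequency": "DAILY"},
    }],
    "channels": [],
    "attached_policies": {CUSTOM_ROLE: [f"arn:aws:iam::{ACCOUNT}:policy/ReadOnlyHomegrown"]},
}

if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT), ("drifted", SAMPLE_DRIFTED)):
        print(label, evaluate_config_baseline(**sample) or ["baseline satisfied"])
```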

To learn more about AWS Config, see:
+ AWS Config: [What Is Config?](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html)
+ AWS Config Rules: [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html)
+ AWS Config Rules: [Dynamic Compliance Checking: AWS Config Rules – Dynamic Compliance Checking for Cloud Resources](https://aws.amazon.com/blogs/aws/aws-config-rules-dynamic-compliance-checking-for-cloud-resources/)
+ AWS Config Aggregator: [Multi-Account Multi-Region Data Aggregation](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html)

For information on reports, see [AWS Config Control Compliance report](acc-report-config-control-compliance.md).

# Using service-linked roles for AMS Accelerate
<a name="using-service-linked-roles"></a>

AMS Accelerate uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role (SLR) is a unique type of IAM role that is linked directly to AMS Accelerate. Service-linked roles are predefined by AMS Accelerate and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up AMS Accelerate easier because you don’t have to manually add the necessary permissions. AMS Accelerate defines the permissions of its service-linked roles, and unless defined otherwise, only AMS Accelerate can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Deployment toolkit service-linked role for AMS Accelerate
<a name="slr-deploy-acc"></a>

AMS Accelerate uses the service-linked role (SLR) named **AWSServiceRoleForAWSManagedServicesDeploymentToolkit** – this role deploys AMS Accelerate infrastructure into customer accounts.

**Note**  
This policy has recently been updated; for details, see [Accelerate updates to service-linked roles](#slr-updates).

### AMS Accelerate deployment toolkit SLR
<a name="slr-permissions-deploy-acc"></a>

The AWSServiceRoleForAWSManagedServicesDeploymentToolkit service-linked role trusts the following services to assume the role:
+ `deploymenttoolkit.managedservices.amazonaws.com`

The policy named [AWSManagedServicesDeploymentToolkitPolicy](security-iam-awsmanpol.html#security-iam-awsmanpol-DeploymentToolkitPolicy) allows AMS Accelerate to perform actions on the following resources:
+ `arn:aws*:s3:::ams-cdktoolkit*`
+ `arn:aws*:cloudformation:*:*:stack/ams-cdk-toolkit*`
+ `arn:aws:ecr:*:*:repository/ams-cdktoolkit*`

This SLR grants Amazon S3 permissions to create and manage the deployment bucket used by AMS to upload resources, like CloudFormation templates or Lambda asset bundles, into the account for component deployments. This SLR grants CloudFormation permissions to deploy the CloudFormation stack that defines the deployment buckets. For details or to download the policy, see [AWSManagedServicesDeploymentToolkitPolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-DeploymentToolkitPolicy).

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

### Creating a deployment toolkit SLR for AMS Accelerate
<a name="create-slr-deploy-acc"></a>

You don't need to manually create a service-linked role. When you onboard to AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate creates the service-linked role for you.

**Important**  
This service-linked role might already be in your account: if you were using the AMS Accelerate service before June 09, 2022, when it began supporting service-linked roles, then AMS Accelerate created the AWSServiceRoleForAWSManagedServicesDeploymentToolkit role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you onboard to AMS, AMS Accelerate creates the service-linked role for you again.

### Editing a deployment toolkit SLR for AMS Accelerate
<a name="edit-slr-deploy-acc"></a>

AMS Accelerate does not allow you to edit the AWSServiceRoleForAWSManagedServicesDeploymentToolkit service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

### Deleting a deployment toolkit SLR for AMS Accelerate
<a name="delete-slr-deploy-acc"></a>

You don't need to manually delete the AWSServiceRoleForAWSManagedServicesDeploymentToolkit role. When you offboard from AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the AMS Accelerate service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete AMS Accelerate resources used by the AWSServiceRoleForAWSManagedServicesDeploymentToolkit service-linked role**

Delete `ams-cdk-toolkit` stack from all Regions your account was onboarded to in AMS (you might have to manually empty the S3 buckets first).

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAWSManagedServicesDeploymentToolkit service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Detective controls service-linked role for AMS Accelerate
<a name="slr-deploy-detect-controls"></a>

AMS Accelerate uses the service-linked role (SLR) named **AWSServiceRoleForManagedServices_DetectiveControlsConfig** – AWS Managed Services uses this service-linked role to deploy the config recorder, config rules, and S3 bucket detective controls.

Attached to the **AWSServiceRoleForManagedServices_DetectiveControlsConfig** service-linked role is the following managed policy: [AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy](security-iam-awsmanpol.html#security-iam-awsmanpol-DetectiveControlsConfig). For updates to this policy, see [Accelerate updates to AWS managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

### Permissions for detective controls SLR for AMS Accelerate
<a name="slr-permissions-detect-controls"></a>

The AWSServiceRoleForManagedServices_DetectiveControlsConfig service-linked role trusts the following services to assume the role:
+ `detectivecontrols.managedservices.amazonaws.com`

Attached to this role is the `AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy` AWS managed policy (see [AWS managed policy: AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-DetectiveControlsConfig)). The service uses the role to create and configure AMS Detective Controls in your account, which requires deployment of resources like S3 buckets, config rules, and an aggregator. You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

### Creating a detective controls SLR for AMS Accelerate
<a name="create-slr-detect-controls"></a>

You don't need to manually create a service-linked role. When you onboard to AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate creates the service-linked role for you.

**Important**  
This service-linked role might already be in your account: if you were using the AMS Accelerate service before June 09, 2022, when it began supporting service-linked roles, then AMS Accelerate created the AWSServiceRoleForManagedServices_DetectiveControlsConfig role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you onboard to AMS, AMS Accelerate creates the service-linked role for you again.

### Editing a detective controls SLR for AMS Accelerate
<a name="edit-slr-detect-controls"></a>

AMS Accelerate does not allow you to edit the AWSServiceRoleForManagedServices_DetectiveControlsConfig service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

### Deleting a detective controls SLR for AMS Accelerate
<a name="delete-slr-detect-controls"></a>

You don't need to manually delete the AWSServiceRoleForManagedServices_DetectiveControlsConfig role. When you offboard from AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the AMS Accelerate service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete AMS Accelerate resources used by the AWSServiceRoleForManagedServices_DetectiveControlsConfig service-linked role**

Delete `ams-detective-controls-config-recorder`, `ams-detective-controls-config-rules-cdk` and `ams-detective-controls-infrastructure-cdk` stacks from all Regions your account was onboarded to in AMS (you might have to manually empty the S3 buckets first).

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForManagedServices_DetectiveControlsConfig service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Amazon EventBridge rule service-linked role for AMS Accelerate
<a name="slr-evb-rule"></a>

AMS Accelerate uses the service-linked role (SLR) named **AWSServiceRoleForManagedServices_Events**. This role trusts one of the AWS Managed Services service principals (events.managedservices.amazonaws.com) to assume the role for you. The service uses the role to create an Amazon EventBridge managed rule. This rule is the infrastructure required in your AWS account to deliver alarm state change information from your account to AWS Managed Services.

### Permissions for EventBridge SLR for AMS Accelerate
<a name="slr-permissions-create-evb-rule"></a>

The AWSServiceRoleForManagedServices_Events service-linked role trusts the following services to assume the role:
+ `events.managedservices.amazonaws.com`

Attached to this role is the `AWSManagedServices_EventsServiceRolePolicy` AWS managed policy (see [AWS managed policy: AWSManagedServices_EventsServiceRolePolicy](security-iam-awsmanpol.md#EventsServiceRolePolicy)). The service uses the role to deliver alarm state change information from your account to AMS. You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

You can download the JSON AWSManagedServices_EventsServiceRolePolicy in this ZIP: [EventsServiceRolePolicy.zip](samples/EventsServiceRolePolicy.zip).

### Creating an EventBridge SLR for AMS Accelerate
<a name="slr-evb-rule-create"></a>

You don't need to manually create a service-linked role. When you onboard to AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate creates the service-linked role for you.

**Important**  
This service-linked role might already be in your account: if you were using the AMS Accelerate service before February 7, 2023, when it began supporting service-linked roles, then AMS Accelerate created the AWSServiceRoleForManagedServices_Events role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you onboard to AMS, AMS Accelerate creates the service-linked role for you again.

### Editing an EventBridge SLR for AMS Accelerate
<a name="slr-evb-rule-edit"></a>

AMS Accelerate does not allow you to edit the AWSServiceRoleForManagedServices_Events service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

### Deleting an EventBridge SLR for AMS Accelerate
<a name="slr-evb-rule-delete"></a>

You don't need to manually delete the AWSServiceRoleForManagedServices_Events role. When you offboard from AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the AMS Accelerate service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete AMS Accelerate resources used by the AWSServiceRoleForManagedServices_Events service-linked role**

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForManagedServices_Events service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Contacts service-linked role for AMS Accelerate
<a name="slr-contacts-service"></a>

AMS Accelerate uses the service-linked role (SLR) named **AWSServiceRoleForManagedServices_Contacts** – this role facilitates automated notifications when incidents occur by allowing the service to read the existing tags of the affected resource and retrieve the configured email of the appropriate point of contact.

This is the only service that uses this service-linked role.

Attached to the **AWSServiceRoleForManagedServices_Contacts** service-linked role is the following managed policy: [AWSManagedServices_ContactsServiceRolePolicy](security-iam-awsmanpol.html#ContactsServiceManagedPolicy). For updates to this policy, see [Accelerate updates to AWS managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

### Permissions for Contacts SLR for AMS Accelerate
<a name="slr-permissions-contacts-service"></a>

The AWSServiceRoleForManagedServices_Contacts service-linked role trusts the following services to assume the role:
+ `contacts-service.managedservices.amazonaws.com`

Attached to this role is the `AWSManagedServices_ContactsServiceRolePolicy` AWS managed policy (see [AWS managed policy: AWSManagedServices_ContactsServiceRolePolicy](security-iam-awsmanpol.md#ContactsServiceManagedPolicy)). The service uses the role to read the tags on any AWS resource and find, in the designated tag, the email of the appropriate point of contact to notify when an incident occurs. This role facilitates automated notifications when incidents occur by allowing AMS to read that tag on an affected resource and retrieve the email. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

**Important**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. AMS uses tags to provide you with administration services. Tags are not intended to be used for private or sensitive data.

The role permissions policy named AWSManagedServices_ContactsServiceRolePolicy allows AMS Accelerate to complete the following actions on the specified resources:
+ Action: Allows the Contacts Service to read the tags specifically set up to contain the email for AMS to send incident notifications on any AWS resource.

You can download the JSON AWSManagedServices_ContactsServiceRolePolicy in this ZIP: [ContactsServicePolicy.zip](samples/ContactsServicePolicy.zip).

### Creating a Contacts SLR for AMS Accelerate
<a name="slr-contacts-service-create"></a>

You don't need to manually create a service-linked role. When you onboard to AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate creates the service-linked role for you.

**Important**  
This service-linked role might already be in your account: if you were using the AMS Accelerate service before February 16, 2023, when it began supporting service-linked roles, then AMS Accelerate created the AWSServiceRoleForManagedServices_Contacts role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you onboard to AMS, AMS Accelerate creates the service-linked role for you again.

### Editing a Contacts SLR for AMS Accelerate
<a name="slr-contacts-service-edit"></a>

AMS Accelerate does not allow you to edit the AWSServiceRoleForManagedServices_Contacts service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

### Deleting a Contacts SLR for AMS Accelerate
<a name="slr-contacts-service-delete"></a>

You don't need to manually delete the AWSServiceRoleForManagedServices_Contacts role. When you offboard from AMS in the AWS Management Console, the AWS CLI, or the AWS API, AMS Accelerate cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the AMS Accelerate service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete AMS Accelerate resources used by the AWSServiceRoleForManagedServices_Contacts service-linked role**

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForManagedServices_Contacts service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.
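As an added audit example covering the four service-linked roles described above (not AMS or AWS code), the following checks, from the record that iam:GetRole returns, that each role sits on IAM's service-linked-role path for its principal and that its trust policy allows sts:AssumeRole only to the principal documented here; the sample role records and account ID are constructed.

```python
"""Added example, not AMS or AWS code: audit the AMS Accelerate service-linked
roles against the trust relationships documented for them. Input is the role
record iam:GetRole returns (AssumeRolePolicyDocument already decoded into a
dict); sample records are constructed inline so the audit runs offline."""
from typing import Dict, List, Set, Tuple

# Role name -> the single service principal documented for it.
EXPECTED_TRUST: Dict[str, str] = {
    "AWSServiceRoleForAWSManagedServicesDeploymentToolkit":
        "deploymenttoolkit.managedservices.amazonaws.com",
    "AWSServiceRoleForManagedServices_DetectiveControlsConfig":
        "detectivecontrols.managedservices.amazonaws.com",
    "AWSServiceRoleForManagedServices_Events":
        "events.managedservices.amazonaws.com",
    "AWSServiceRoleForManagedServices_Contacts":
        "contacts-service.managedservices.amazonaws.com",
}


def _as_list(value) -> List[str]:
    """IAM policy elements may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def principals(stmt: dict) -> Set[Tuple[str, str]]:
    """Flatten a statement's Principal into (type, value) pairs; '*' means anyone."""
    p = stmt.get("Principal", {})
    if p == "*":
        return {("*", "*")}
    return {(ptype, v) for ptype, vals in p.items() for v in _as_list(vals)}


def audit_role(role: dict) -> List[str]:
    """Return findings for one role record; an empty list means it matches the page."""
    name = role["RoleName"]
    expected = EXPECTED_TRUST.get(name)
    if expected is None:
        return [f"{name}: not one of the AMS Accelerate service-linked roles"]
    findings: List[str] = []
    # Service-linked roles are created on /aws-service-role/<principal>/ (IAM
    # convention, assumed here); a role elsewhere was not created as an SLR.
    if role.get("Path") != f"/aws-service-role/{expected}/":
        findings.append(f"{name}: path {role.get('Path')!r} is not the SLR path")
    seen_expected = False
    for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        for ptype, value in principals(stmt):
            if ptype == "Service" and value == expected:
                seen_expected = True
            else:
                findings.append(f"{name}: unexpected {ptype} principal {value} may assume the role")
    if not seen_expected:
        findings.append(f"{name}: documented principal {expected} is missing from the trust policy")
    return findings


def audit_roles(roles: List[dict]) -> Dict[str, List[str]]:
    """Audit every role given and also report documented SLRs that are absent."""
    report = {r["RoleName"]: audit_role(r) for r in roles}
    for name in EXPECTED_TRUST:
        report.setdefault(name, [f"{name}: role not present in the account"])
    return report


def _trust(principal: str) -> dict:
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": principal}, "Action": "sts:AssumeRole"}]}


# Constructed sample roles (not real account data): one clean, one that drifted.
SAMPLE_ROLES = [
    {"RoleName": "AWSServiceRoleForManagedServices_Events",
     "Path": "/aws-service-role/events.managedservices.amazonaws.com/",
     "AssumeRolePolicyDocument": _trust("events.managedservices.amazonaws.com")},
    {"RoleName": "AWSServiceRoleForManagedServices_Contacts",
     "Path": "/",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"Service": "contacts-service.managedservices.amazonaws.com"}},
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}},
]

if __name__ == "__main__":
    for role_name, role_findings in audit_roles(SAMPLE_ROLES).items():
        print(role_name, role_findings or ["ok"])
```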

## Supported regions for AMS Accelerate service-linked roles
<a name="slr-regions"></a>

AMS Accelerate supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).

## Accelerate updates to service-linked roles
<a name="slr-updates"></a>

View details about updates to Accelerate service-linked roles since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Accelerate [Document history for AMS Accelerate User Guide](doc-history.md) page.


| Change | Description | Date | 
| --- | --- | --- | 
| Updated policy – [Deployment Toolkit](#slr-deploy-acc) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/using-service-linked-roles.html) | April 4, 2024 | 
| Updated policy – [Deployment Toolkit](#slr-deploy-acc) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/using-service-linked-roles.html) | May 09, 2023 | 
| Updated policy – [Detective Controls](#slr-deploy-detect-controls) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/using-service-linked-roles.html) | April 10, 2023 | 
| Updated policy – [Detective Controls](#slr-deploy-detect-controls) | Updated the policy and added the permissions boundary policy. | March 21, 2023 | 
| New service-linked role – [Contacts SLR](#slr-contacts-service) | Accelerate added a new service-linked role for the Contacts service. This role facilitates automated notifications when incidents occur by allowing the service to read the existing tags of the affected resource and retrieve the configured email of the appropriate point of contact. | February 16, 2023 | 
| New service-linked role – [EventBridge](#slr-evb-rule) | Accelerate added a new service-linked role for an Amazon EventBridge rule. This role trusts one of the AWS Managed Services service principals (events.managedservices.amazonaws.com) to assume the role for you. The service uses the role to create Amazon EventBridge managed rule. This rule is the infrastructure required in your AWS account to deliver alarm state change information from your account to AWS Managed Services. | February 7, 2023 | 
| Updated service-linked role – [Deployment Toolkit](#slr-deploy-acc) | Accelerate updated AWSServiceRoleForAWSManagedServicesDeploymentToolkit with new S3 permissions. These new permissions were added: `s3:GetLifecycleConfiguration`, `s3:GetBucketLogging`, `s3:ListBucket`, `s3:GetBucketVersioning`, `s3:PutLifecycleConfiguration`, `s3:GetBucketLocation`, `s3:GetObject*`. | January 30, 2023 | 
| Accelerate started tracking changes | Accelerate started tracking changes for its service-linked roles. | November 30, 2022 | 
| New service-linked role – [Detective Controls](#slr-deploy-detect-controls) | Accelerate added a new service-linked role to deploy Accelerate detective controls. AWS Managed Services uses this service-linked role to deploy config-recorder, config rules and S3 bucket detective controls. | October 13, 2022 | 
| New service-linked role – [Deployment Toolkit](#slr-deploy-acc) | Accelerate added a new service-linked role to deploy Accelerate infrastructure. This role deploys AMS Accelerate infrastructure into customer accounts. | June 09, 2022 | 

# AWS managed policies for AMS Accelerate
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

For a table of changes, see [Accelerate updates to AWS managed policies](#security-iam-awsmanpol-updates).

## AWS managed policy: AWSManagedServices_AlarmManagerPermissionsBoundary
<a name="security-iam-awsmanpol-AlarmManagerPermissionsBoundary"></a>

AWS Managed Services (AMS) uses the `AWSManagedServices_AlarmManagerPermissionsBoundary` AWS managed policy. This AWS-managed policy is used in the `AWSManagedServices_AlarmManager_ServiceRolePolicy` to restrict permissions of IAM roles created by `AWSServiceRoleForManagedServices_AlarmManager`.

This policy grants IAM roles created as part of [How Alarm Manager works](acc-mem-tag-alarms.md#acc-mem-how-tag-alarms-work) permissions to perform operations like AWS Config evaluation, AWS Config reads to fetch Alarm Manager configuration, and creation of the necessary Amazon CloudWatch alarms.

The `AWSManagedServices_AlarmManagerPermissionsBoundary` policy is attached to the `AWSServiceRoleForManagedServices_DetectiveControlsConfig` service-linked role. For updates to this role, see [Accelerate updates to service-linked roles](using-service-linked-roles.md#slr-updates).

You can attach this policy to your IAM identities.

**Permissions details**

This policy includes the following permissions.
+ `AWS Config` – Allows evaluating Config rules and selecting resource configuration.
+ `AWS AppConfig` – Allows fetching the Alarm Manager configuration.
+ `Amazon S3` – Allows operating on Alarm Manager buckets and objects.
+ `Amazon CloudWatch` – Allows reading and putting Alarm Manager managed alarms and metrics.
+ `AWS Resource Groups and Tags` – Allows reading resource tags.
+ `Amazon EC2` – Allows reading Amazon EC2 resources.
+ `Amazon Redshift` – Allows reading Redshift instances and clusters.
+ `Amazon FSx` – Allows describing file systems, volumes, and resource tags.
+ `Amazon CloudWatch Synthetics` – Allows reading Synthetics resources.
+ `Amazon Elastic Kubernetes Service` – Allows describing Amazon EKS clusters.
+ `Amazon ElastiCache` – Allows describing ElastiCache resources.

You can download the policy file in this ZIP: [RecommendedPermissionBoundary.zip](samples/RecommendedPermissionBoundary.zip).

## AWS managed policy: AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy
<a name="security-iam-awsmanpol-DetectiveControlsConfig"></a>

AWS Managed Services (AMS) uses the `AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy` AWS managed policy. This AWS-managed policy is attached to the `AWSServiceRoleForManagedServices_DetectiveControlsConfig` service-linked role (see [Detective controls service-linked role for AMS Accelerate](using-service-linked-roles.md#slr-deploy-detect-controls)). For updates to the `AWSServiceRoleForManagedServices_DetectiveControlsConfig` service-linked role, see [Accelerate updates to service-linked roles](using-service-linked-roles.md#slr-updates).

The policy allows the service-linked role to complete actions for you.

You can attach the `AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy` policy to your IAM entities.

For more information, see [Using service-linked roles for AMS Accelerate](using-service-linked-roles.md).

**Permissions details**

This policy has the following permissions to allow AWS Managed Services Detective Controls to deploy and configure all necessary resources.
+ `CloudFormation` – Allows AMS Detective Controls to deploy CloudFormation stacks containing resources such as Amazon S3 buckets, AWS Config rules, and the AWS Config recorder.
+ `AWS Config` – Allows AMS Detective Controls to create AMS Config rules, configure an aggregator, and tag resources.
+ `Amazon S3` – Allows AMS Detective Controls to manage its Amazon S3 buckets.

You can download the JSON policy file in this ZIP: [DetectiveControlsConfig_ServiceRolePolicy.zip](samples/DetectiveControlsConfig_ServiceRolePolicy.zip).

## AWS managed policy: AWSManagedServicesDeploymentToolkitPolicy
<a name="security-iam-awsmanpol-DeploymentToolkitPolicy"></a>

AWS Managed Services (AMS) uses the `AWSManagedServicesDeploymentToolkitPolicy` AWS managed policy. This AWS-managed policy is attached to the `AWSServiceRoleForAWSManagedServicesDeploymentToolkit` service-linked role (see [Deployment toolkit service-linked role for AMS Accelerate](using-service-linked-roles.md#slr-deploy-acc)). The policy allows the service-linked role to complete actions for you. You can't attach this policy to your IAM entities. For more information, see [Using service-linked roles for AMS Accelerate](using-service-linked-roles.md).

For updates to the `AWSServiceRoleForAWSManagedServicesDeploymentToolkit` service-linked role, see [Accelerate updates to service-linked roles](using-service-linked-roles.md#slr-updates).

**Permissions details**

This policy has the following permissions to allow the AMS Deployment Toolkit to deploy and configure all necessary resources.
+ `CloudFormation` – Allows the AMS Deployment Toolkit to deploy CloudFormation stacks with the Amazon S3 resources required by the AWS CDK.
+ `Amazon S3` – Allows the AMS Deployment Toolkit to manage its Amazon S3 buckets.
+ `Elastic Container Registry` – Allows the AMS Deployment Toolkit to manage the Amazon ECR repository that is used to deploy assets needed by AMS CDK apps.

You can download the JSON policy file in this ZIP: [AWSManagedServicesDeploymentToolkitPolicy.zip](samples/AWSManagedServices_DeploymentToolkitPolicy.zip).

## AWS managed policy: AWSManagedServices_EventsServiceRolePolicy
<a name="EventsServiceRolePolicy"></a>

AWS Managed Services (AMS) uses the `AWSManagedServices_EventsServiceRolePolicy` AWS managed policy. This AWS-managed policy is attached to the [`AWSServiceRoleForManagedServices_Events` service-linked role](using-service-linked-roles.md#slr-evb-rule). The policy allows the service-linked role to complete actions for you. You can't attach this policy to your IAM entities. For more information, see [Using service-linked roles for AMS Accelerate](using-service-linked-roles.md).

For updates to the `AWSServiceRoleForManagedServices_Events` service-linked role, see [Accelerate updates to service-linked roles](using-service-linked-roles.md#slr-updates).

**Permissions details**

This policy has the following permissions to allow Amazon EventBridge to deliver alarm state change information from your account to AWS Managed Services.
+ `events` – Allows Accelerate to create an Amazon EventBridge managed rule. This rule is the infrastructure required in your AWS account to deliver alarm state change information from your account to AWS Managed Services.

You can download the JSON policy file in this ZIP: [EventsServiceRolePolicy.zip](samples/EventsServiceRolePolicy.zip).

## AWS managed policy: AWSManagedServices_ContactsServiceRolePolicy
<a name="ContactsServiceManagedPolicy"></a>

AWS Managed Services (AMS) uses the `AWSManagedServices_ContactsServiceRolePolicy` AWS managed policy. This AWS-managed policy is attached to the `AWSServiceRoleForManagedServices_Contacts` service-linked role (see [Creating a Contacts SLR for AMS Accelerate](using-service-linked-roles.md#slr-contacts-service-create)). The policy allows the AMS Contacts SLR to read your resource tags, and their values, on AWS resources. You can't attach this policy to your IAM entities. For more information, see [Using service-linked roles for AMS Accelerate](using-service-linked-roles.md).

**Important**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. AMS uses tags to provide you with administration services. Tags are not intended to be used for private or sensitive data.

For updates to the `AWSServiceRoleForManagedServices_Contacts` service-linked role, see [Accelerate updates to service-linked roles](using-service-linked-roles.md#slr-updates).

**Permissions details**

This policy has the following permissions to allow the Contacts SLR to read your resource tags to retrieve resource contact information that you have set up ahead of time.
+ `IAM` – Allows Contacts service to look at tags on IAM Roles and IAM users.
+ `Amazon EC2` – Allows Contacts service to look at tags on Amazon EC2 resources.
+ `Amazon S3` – Allows Contacts Service to look at tags on Amazon S3 buckets. This action uses a Condition to ensure AMS accesses your bucket tags using the HTTP Authorization header, using the SigV4 signature protocol, and using HTTPS with TLS 1.2 or greater. For more information, see [Authentication Methods](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html#auth-methods-intro) and [Amazon S3 Signature Version 4 Authentication Specific Policy Keys](https://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html).
+ `Tag` – Allows Contacts service to look at tags on other AWS resources.
+ The specific actions granted are `iam:ListRoleTags`, `iam:ListUserTags`, `tag:GetResources`, `tag:GetTagKeys`, `tag:GetTagValues`, `ec2:DescribeTags`, and `s3:GetBucketTagging`.

You can download the JSON policy file in this ZIP: [ContactsServicePolicy.zip](samples/ContactsServicePolicy.zip).
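Two mechanics described in this chapter are worth seeing in working form: how a permissions boundary such as `AWSManagedServices_AlarmManagerPermissionsBoundary` caps what a role's own identity policy can grant (the effective permissions are the intersection of the two), and how the Condition on the Contacts policy's `s3:GetBucketTagging` permission admits only header-authenticated, SigV4-signed requests over TLS 1.2 or newer. The following Python evaluator is an added example and is not code from the AMS guide or from AWS. The identity policy, boundary, and Contacts statement in it are constructed for illustration and are not the published policies (download the ZIP files above for those); the condition keys `s3:authType`, `s3:signatureversion`, and `s3:TlsVersion` are real Amazon S3 condition keys documented at the links in the Contacts section. The evaluator implements only a small subset of IAM semantics (Allow/Deny, action wildcards, `StringEquals`, `NumericGreaterThanEquals`).

```python
"""Minimal IAM-style policy evaluator (added example, not AMS or AWS code).

Models two mechanics: a permissions boundary capping a role's identity policy
(both must allow; an explicit Deny in either wins) and the S3 condition keys
that gate the Contacts policy's s3:GetBucketTagging permission. Only a small
subset of IAM semantics is implemented (no resource ARNs, principals,
NotAction, or ...IfExists operators).
"""
import fnmatch
import json

# Constructed identity policy for a hypothetical role created by Alarm Manager.
# It over-grants: ec2:TerminateInstances is not something Alarm Manager needs.
IDENTITY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
  "Action": ["cloudwatch:PutMetricAlarm", "config:SelectResourceConfig",
             "ec2:TerminateInstances"]}]}
""")

# Constructed boundary modelled on the service areas listed for
# AWSManagedServices_AlarmManagerPermissionsBoundary (read/put alarms, Config
# evaluation and reads, EC2 reads). This is NOT the published policy.
PERMISSIONS_BOUNDARY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
  "Action": ["cloudwatch:Describe*", "cloudwatch:PutMetricAlarm",
             "config:PutEvaluations", "config:SelectResourceConfig",
             "ec2:Describe*"]}]}
""")

# Constructed statement modelled on the Contacts policy's S3 permission: bucket
# tag reads only over header-based SigV4 authentication on TLS 1.2 or newer.
CONTACTS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "s3:GetBucketTagging", "Resource": "*",
        "Condition": {
            "StringEquals": {"s3:authType": "REST-HEADER",
                             "s3:signatureversion": "AWS4-HMAC-SHA256"},
            "NumericGreaterThanEquals": {"s3:TlsVersion": "1.2"},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(condition, ctx):
    """Every operator/key pair must match. A key absent from the request
    context does not match (IAM semantics for operators without ...IfExists)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "NumericGreaterThanEquals":
                if float(actual) < float(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, ctx=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one policy."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _action_matches(action, stmt["Action"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def effective_decision(identity_policy, boundary, action, ctx=None):
    """Permissions-boundary semantics: the identity policy AND the boundary
    must both allow the action; an explicit Deny in either is final."""
    identity = evaluate(identity_policy, action, ctx)
    capped = evaluate(boundary, action, ctx)
    if "Deny" in (identity, capped):
        return "Deny"
    return "Allow" if identity == capped == "Allow" else "ImplicitDeny"


def contacts_tag_read_decision(auth_type, signature_version, tls_version):
    """Decision for a bucket-tag read under the constructed Contacts statement."""
    ctx = {"s3:authType": auth_type, "s3:signatureversion": signature_version,
           "s3:TlsVersion": tls_version}
    return evaluate(CONTACTS_POLICY, "s3:GetBucketTagging", ctx)


if __name__ == "__main__":
    for act in ("cloudwatch:PutMetricAlarm", "ec2:TerminateInstances"):
        print(act, effective_decision(IDENTITY_POLICY, PERMISSIONS_BOUNDARY, act))
    print("TLS 1.1:", contacts_tag_read_decision("REST-HEADER", "AWS4-HMAC-SHA256", "1.1"))
```

Running the script shows `ec2:TerminateInstances` ending in `ImplicitDeny` even though the identity policy allows it, which is exactly the protection a permissions boundary provides against over-broad roles, and shows a TLS 1.1 or query-string-authenticated tag read being refused by the condition block. When reviewing the real policies from the ZIP files, check the same two things: which actions the boundary omits, and which condition keys guard the tag-read actions.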

## Accelerate updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Accelerate since this service began tracking these changes.

| Change | Description | Date | 
| --- | --- | --- | 
| Updated policy – [Deployment Toolkit](#security-iam-awsmanpol-DeploymentToolkitPolicy) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/security-iam-awsmanpol.html) | April 4, 2024 | 
| Updated policy – [Deployment Toolkit](#security-iam-awsmanpol-DeploymentToolkitPolicy) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/security-iam-awsmanpol.html) | May 9, 2023 | 
| Updated policy – [Detective Controls](#security-iam-awsmanpol-DetectiveControlsConfig) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/managedservices/latest/accelerate-guide/security-iam-awsmanpol.html) | April 10, 2023 | 
| Updated policy – [Detective Controls](#security-iam-awsmanpol-DetectiveControlsConfig) | The `ListAttachedRolePolicies` action is removed from the policy. The action had Resource as a wildcard (`*`). As "list" is a non-mutative action, it is given access over all resources, and the wildcard is disallowed. | March 28, 2023 | 
| Updated policy – [Detective Controls](#security-iam-awsmanpol-DetectiveControlsConfig) | Updated the policy and added the permissions boundary policy. | March 21, 2023 | 
| New policy – [Contacts Service](#ContactsServiceManagedPolicy) | Accelerate added a new policy to read your resource tags so that it can retrieve the resource contact information that you have set up ahead of time. | February 16, 2023 | 
| New policy – [Events Service](#EventsServiceRolePolicy) | Accelerate added a new policy to deliver alarm state change information from your account to AWS Managed Services. Grants IAM roles created as part of [How Alarm Manager works](acc-mem-tag-alarms.md#acc-mem-how-tag-alarms-work) permissions to create a required Amazon EventBridge managed rule. | February 07, 2023 | 
| Updated policy – [Deployment Toolkit](#security-iam-awsmanpol-DeploymentToolkitPolicy) | Added S3 permissions to support customer offboarding from Accelerate. | January 30, 2023 | 
| New policy – [Detective Controls](#security-iam-awsmanpol-DetectiveControlsConfig)  | Allows the service-linked role, [Detective controls service-linked role for AMS Accelerate](using-service-linked-roles.md#slr-deploy-detect-controls), to complete actions for you to deploy Accelerate detective controls. | December 19, 2022 | 
| New policy – [Alarm Manager](#security-iam-awsmanpol-AlarmManagerPermissionsBoundary)  | Accelerate added a new policy to allow permissions to perform alarm manager tasks. Grants IAM roles created as part of [How Alarm Manager works](acc-mem-tag-alarms.md#acc-mem-how-tag-alarms-work) permissions to perform operations like AWS Config evaluation, AWS Config read to fetch alarm manager configuration, creation of necessary Amazon CloudWatch alarms. | November 30, 2022 | 
| Accelerate started tracking changes | Accelerate started tracking changes for its AWS managed policies. | November 30, 2022 | 
| New policy – [Deployment Toolkit](#security-iam-awsmanpol-DeploymentToolkitPolicy) | Accelerate added this policy for deployment tasks. Grants the service-linked role [AWSServiceRoleForAWSManagedServicesDeploymentToolkit](using-service-linked-roles.md#slr-deploy-acc) permissions to access and update deployment-related Amazon S3 buckets and CloudFormation stacks. | June 09, 2022 | 