

# Receiving AMS notifications


Communications between you and AMS occur for many reasons:
+ An RFC created by AMS that requires your approval
+ An AMS case created to investigate an RFC you created that has failed
+ Events created by monitoring alerts
+ Patching service notifications that inform you of upcoming patching
+ Service requests and incident reports
+ Monthly CRM reports
+ Occasional important AWS announcements (your CSDM contacts you if any action on your part is required)

All of these notifications are sent to the default contact information (the root account email) that you provided AMS when you were onboarded. Because it's difficult to keep individual emails updated, we recommend that you use a group email that can be updated on your end. All notifications sent to you are also received by AMS operations and analyzed before a response is made.

AMS notification service provides two additional ways to set up contacts for notifications:
+ Tag your resources with contact tags (the tag Key Value being contact information) and provide the tag Key Name to your CSDM. Alarms on those resources will be sent to the contacts provided in the Key Value, in addition to the account contact created at onboarding. This is especially useful for application owners. For more information, see [Tag-based alert notification](how-monitoring-works.md#how-mon-works-alert-notes-tags).
+ (Required at onboarding) Send to your CSDM named lists of contacts for non-resource based notifications. For example, you might have a list named "SecurityContacts" and another named "OperationsContacts", and so forth. AMS adds the list to the notification service, and alarms that apply to that list's context are sent to those contacts. This is especially useful for organizational matters.

This advanced alert routing feature is active for most of the essential CloudWatch alarms such as Amazon EC2 instance failure, Amazon Elastic Block Store (Amazon EBS) volume capacity utilization - Root usage, Amazon EBS NonRoot usage, High Memory utilization, High Swap usage, and High CPU utilization for Amazon EC2.

Additionally, when you file a service request, or incident report, you have the option of adding "CC Emails" (highly recommended) and those email addresses receive notifications about the service request or incident.

**Important**  
While the CC email addresses provided in service requests and incident reports receive email notifications of communications, other notifications, such as patching notifications, appear in your Service Request list (an email is also sent to the default contact), *without* explicit notification to you that you have a communication awaiting your attention. This is why we strongly recommend adding a CC email where you can, and setting up the default contact email as a group to which everyone using AMS is a member.

Additionally, you can request special notifications for new AMIs, for RFC state change, and for configuration changes in your AMS account. These optional notification services are discussed next.

# AMS AMI notifications with SNS


AMS provides an AMI notification service. You can use it to subscribe to an Amazon Simple Notification Service (SNS) topic that notifies you when AMS AMI updates have been released. You can choose to receive notifications for only the AMS AMIs you use, or you can sign up to receive update notifications for all AMS AMIs. For more information on SNS topics, see [What is Amazon Simple Notification Service?](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) 

Whenever AMIs are released, we send notifications to the subscribers of the corresponding topic; this section describes how to subscribe to the AMS AMI notifications. 

**Sample message**

```
{
  "Type" : "Notification",
  "MessageId" : "example messageId",
  "TopicArn" : "arn:aws:sns:us-east-1:591688410472:customer-ams-windows2019",
  "Subject" : "New AMS AMIs are Now Available",
  "Message" : "{\"v1\": {\"Message\": \"A new version of the AMS Amazon Machine Images has been released. You are now able to launch new EC2 stacks from these AMIs. Please use this time to update any dependencies such as CloudFormation or Autoscaling groups. Release Notes Windows - Contains latest Windows Patches: Microsoft Windows Server 2008 R2 Datacenter - (KB2819745, KB3018238, KB4507004, KB4507437) Microsoft Windows Server 2016 Datacenter Security Enhanced\\n - (KB4509091, KB4507459) Microsoft Windows Server 2016 Datacenter\\n - (KB4509091, KB4507459) Microsoft Windows Server 2012 R2 Security Enhanced\\n - (KB3191564, KB3003057, KB3013172, KB3185319, KB4504418, KB4506996, KB4507463) Microsoft Windows Server 2012 R2 Standard\\n - (KB3003057, KB3013172, KB3185319, KB4504418, KB4506996, KB4507463) Linux - Contains latest Linux patches - All AMIs now force domainjoin-cli leave before domainjoin-cli join for better stability in the domain join process.\", \"images\": {\"images\": {\"image_name\": \"customer-ams-windows2019-2021.08-1\", \"image_id\": \"ami-05dfa45396fddaa5e\"}}, \"region\": \"us-east-1\"}}",
  "Timestamp" : "2021-09-03T19:05:57.882Z",
  "SignatureVersion" : "1",
  "Signature" : "example sig",
  "SigningCertURL" : "example url",
  "UnsubscribeURL" : "example url"
}
```

Possible AMS AMI topics to subscribe to:
+ **ALL**: Use `customer-ams-all-amis`. This topic subscription notifies you when any of the AMS AMIs are updated.
+ **AMS AWS Linux AMIs**: For Amazon Linux, use `customer-ams-amazon1` and `customer-ams-amazon1-security-enhanced`. For Amazon Linux 2, use `customer-ams-amazon2` and `customer-ams-amazon2-security-enhanced`.
+ **AMS SUSE Linux AMIs**: Use `customer-ams-sles12` or `customer-ams-sles15`.
+ **AMS AWS RedHat AMIs**: Use `customer-ams-rhel8`, `customer-ams-rhel8-security-enhanced`, `customer-ams-rhel7`, `customer-ams-rhel7-security-enhanced`.
+ **AMS AWS CentOs AMIs**: Use `customer-ams-centos7`, `customer-ams-centos7-security-enhanced`.
+ **AMS Ubuntu AMIs**: Use `customer-ams-ubuntu18`.
+ **AMS AWS Windows AMIs**: Use `customer-ams-windows2019`, `customer-ams-windows2019-security-enhanced`, `customer-ams-windows2016`, `customer-ams-windows2016-security-enhanced`, `customer-ams-windows2012`, `customer-ams-windows2012r2`, `customer-ams-windows2012r2-security-enhanced`, `customer-ams-windows2022`.

To subscribe to AMS new AMI notifications by using the Amazon SNS console:

1. Open the Amazon SNS console to the [Dashboard](https://console.aws.amazon.com/sns/v2/home).

1. In the upper-right corner, change to the AWS Region for the AMIs that you are subscribing to.

1. In the left-navigation pane, choose **Subscriptions**, and then choose **Create subscription**.

1. Provide the following information:

   1. **Topic ARN**: `arn:aws:sns:{REGION}:287847593866:{AMS_AMI_NAME}` where REGION is the selected AWS Region (where the SNS notification was created) and AMS_AMI_NAME is the AMI that you want notifications about. Examples:
      + To subscribe to notifications of new AMS Amazon Linux AMIs in AWS Region us-east-1, use this **Topic ARN** = `arn:aws:sns:us-east-1:287847593866:customer-ams-amazon1`.
      + To subscribe to notifications of new AMS Windows Server 2016 AMIs in AWS Region us-west-2, use this **Topic ARN** = `arn:aws:sns:us-west-2:287847593866:customer-ams-windows2016`.

   1. For **Protocol**, choose **Email**.

   1. For **Endpoint**, enter an email address that you can use to receive the notifications. We recommend a distribution list rather than an individual's email.

1. Choose **Create subscription**.

1. When you receive a confirmation email with the subject line "AWS Notification - Subscription Confirmation," open the email and choose **Confirm subscription** to complete your subscription.

**Note**  
You are not limited to email for the **Protocol**. For information on other acceptable protocols and how to use them, see [subscribe](https://docs.aws.amazon.com/cli/latest/reference/sns/subscribe.html).

To unsubscribe from AMS new AMI notifications by using the Amazon SNS console:

1. Open the Amazon SNS console to the [Dashboard](https://console.aws.amazon.com/sns/v2/home).

1. In the navigation bar, change to the AWS Region of your choice. You must use the AWS Region in which you want to receive notifications for the corresponding AMIs.

1. In the navigation pane, choose **Subscriptions**, select the subscription, and then choose **Actions** -> **Delete subscriptions**.

1. When prompted for confirmation, choose **Delete**.

To subscribe to AMS new AMI notifications using the Deployment | Ingestion | Stack from CloudFormation Template | Create change type (ct-36cn2avfrrj9v):

1. To subscribe to the AmazonLinuxSubscription, create and save an execution parameters JSON file; this example names it CreateSubscribeAmiParams.json:

   ```
   {
       "AWSTemplateFormatVersion": "2010-09-09",
       "Resources": {
           "AmazonLinuxSubscription":{
                 "Type" : "AWS::SNS::Subscription",
                 "Properties": {
                   "TopicArn": "arn:aws:sns:{REGION}:287847593866:{AMS_AMI_NAME}",
                   "Protocol": "email",
                   "Endpoint": "username@yourdomain.com"
               }
           }
         }
   }
   ```

1. Create and save the RFC parameters JSON file with the following content; this example names it CreateSubscribeAmiRfc.json:

   ```
   {
      "ChangeTypeId": "ct-36cn2avfrrj9v",
      "ChangeTypeVersion": "1.0",
      "Title": "cfn-ingest-subscribe-ami"
   }
   ```

1. Create the RFC, specifying the CreateSubscribeAmiRfc file and the CreateSubscribeAmiParams file:

   ```
   aws amscm create-rfc --cli-input-json file://CreateSubscribeAmiRfc.json  --execution-parameters file://CreateSubscribeAmiParams.json
   ```

   You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start.

For examples of creating AMIs, see [Create AMI](https://docs.aws.amazon.com/managedservices/latest/ctref/ex-ami-create-col.html).

For information on consuming AMIs programmatically, see [EC2 stack: creating](https://docs.aws.amazon.com/managedservices/latest/ctref/ex-ec2-create-col.html).
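For automated consumers of these notifications, the following added example (not part of the AMS documentation or AMS code) parses a message of the shape shown in the sample and accepts it only if the topic owner, topic name, Region, and AMI ID format are as expected. The function names are hypothetical, the embedded message is constructed, and handling of a list of images is an assumption, because the sample shows a single image.

```python
import json
import re

# Topic-owner account ID from the Topic ARN format in the subscription steps.
AMS_TOPIC_ACCOUNT = "287847593866"
ARN_RE = re.compile(r"^arn:aws:sns:([a-z0-9-]+):(\d{12}):(customer-ams-[a-z0-9-]+)$")
AMI_RE = re.compile(r"^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$")

def parse_ami_notification(raw, subscribed_topics, account=AMS_TOPIC_ACCOUNT):
    """Return (region, [(image_name, image_id), ...]); raise ValueError on a failed check."""
    env = json.loads(raw)
    if env.get("Type") != "Notification":
        raise ValueError("not a Notification message")
    m = ARN_RE.match(env.get("TopicArn", ""))
    if not m:
        raise ValueError("TopicArn is not an AMS AMI topic ARN")
    region, owner, topic = m.groups()
    if owner != account or topic not in subscribed_topics:
        raise ValueError("unexpected topic owner or topic")
    # "Message" is a JSON document carried as a string inside the envelope.
    body = json.loads(env["Message"])["v1"]
    if body.get("region") != region:
        raise ValueError("payload region does not match topic region")
    images = body["images"]["images"]
    if isinstance(images, dict):  # single image, as in the sample; list form is an assumption
        images = [images]
    found = []
    for img in images:
        if not AMI_RE.match(img.get("image_id", "")):
            raise ValueError("malformed image_id")
        found.append((img.get("image_name"), img["image_id"]))
    return region, found

def sample_message(topic_arn, region="us-east-1"):
    # Constructed message modelled on the sample above; not a captured notification.
    inner = {"v1": {"Message": "A new version of the AMS Amazon Machine Images has been released.",
                    "images": {"images": {"image_name": "customer-ams-windows2019-2021.08-1",
                                          "image_id": "ami-05dfa45396fddaa5e"}},
                    "region": region}}
    return json.dumps({"Type": "Notification", "TopicArn": topic_arn,
                       "Subject": "New AMS AMIs are Now Available",
                       "Message": json.dumps(inner)})

if __name__ == "__main__":
    arn = "arn:aws:sns:us-east-1:287847593866:customer-ams-windows2019"
    print(parse_ami_notification(sample_message(arn), {"customer-ams-windows2019"}))
```

These checks cover the message content only; an HTTP/S endpoint that receives SNS messages directly must also verify the `Signature` against the certificate at `SigningCertURL`.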

# Service notifications


AMS sends outbound service requests, or service notifications, when you need to act on, or be aware of, something that might impact your account or resources, including:
+ Infrastructure impact: AMS sends a service notification when there is an underlying AWS service impacting your infrastructure, and you need to take action before a certain date, or you may have an outage.
+ EC2 hardware issues: AMS sends service notifications for EC2 hardware issues that require you to reboot an EC2 instance before a certain date, or to let you know that AMS will reboot the instance for you. This is an important notice because a reboot can cause an outage, and you must respond with an acceptable date, or create an RFC with ct-09qbhy7kvtxqw to reboot the instance yourself. A service notification like this automatically closes in five days if you do not respond.

# RFC state change notifications


AMS offers notifications for RFC state changes by email and CloudWatch Events:
+ Emails by way of the AMS Console: There is an option on the second page of the Create RFC wizard, where you can add up to five email addresses to be notified when that RFC state changes.
+ CloudWatch Events: You can configure different rules and targets for CloudWatch Events to receive notifications for every RFC state change.

# Email notifications


You can add email addresses that receive RFC state change notifications to an RFC that you create in the AMS console, or by using the AMS API/CLI.

In the AMS console, use the **Email notifications** option, on the second page of the Create RFC wizard:

![\[Email notification options are under general configurations.\]](http://docs.aws.amazon.com/managedservices/latest/userguide/images/emailNoticeOption2.png)


In the AMS API/CLI, add a line like this to the RFC parameters section of your RFC (do not add the line to the run parameters section):

```
--notification "{\"Email\": {\"EmailRecipients\" : [\"email@example.com\"]}}"
```

The behavior of the notifications varies depending on the RFC scheduling type:
+ Scheduled RFCs receive email notifications on: Submitted, Scheduled, InProgress, Completed, Rejected, Canceled, Auto-Rejected, or Auto-Canceled.
+ ASAP RFCs receive email notifications on: Submitted, InProgress, Completed, Rejected, Canceled, Auto-Rejected, or Auto-Canceled.

**Note**  
Email notifications are sent from this address: `no-reply@managedservices.amazonaws.com`.
Special characters and URLs in your RFC title are redacted in the emails we send. This is a security measure.

# CloudWatch Events notifications


AMS offers push notifications for RFC state changes through CloudWatch Events. To get these notifications:

1. Create a topic and subscription where notifications will be sent. You can name the topic what you like; for information about doing this, see [SNS Topic and Subscription: Creating](https://docs.aws.amazon.com/managedservices/latest/ctref/ex-sns-top-sub-create-col.html).

1. Submit an RFC with the Management | Other | Other | Create change type and include the SNS topic and subscription in the request for RFC state change notices.

When you submit the Management | Other | Other RFC request for this feature, you can specify what RFC state changes you're interested in getting notified about and what change types, and set other filters. For example, you may want to request to be notified only when Admin Access change types are EventType = RfcSubmitted and EventType = RfcUpdated.

This is a template of CloudWatch event notifications that you can receive (with all possible values):

```
{
    "source": "aws.managedservices",
    "detail-type": "AMS RFC State Change",
    "detail": {
        "ActionState": "null | AwsActionPending | AwsOperatorAssigned | CustomerActionPending | NotApplicable | NoActionPending",
        "ActualExecutionTimeRange": {
            "StartTime": "null | Actual Start Time",
            "EndTime": "null | Actual End Time"
        },
        "AutomationStatus": "Automated | Manual",
        "AwsAccountId": "AWS Account ID",
        "AwsApprovalStatus": "null | SubmissionPending | NotRequired | ApprovalPending | Rejected | Approved",
        "ChangeTypeId": "Change_Type_ID",
        "ChangeTypeVersion": "Change_Type_Version",
        "CreatedTime": "Created_Time",
        "CustomerApprovalStatus": "null | SubmissionPending | NotRequired | ApprovalPending | Rejected | Approved",
        "EventType": "RfcActionStateUpdated | RfcApproved | RfcAutoRejected | RfcCanceled | RfcCompleted | RfcCreated | RfcInProgress | RfcRejected | RfcSubmitted | RfcUpdated",
        "LastModifiedTime": "Last_Updated_Time",
        "LastSubmittedTime": "null | Last_Submitted_Time",
        "RequestedExecutionTimeRange": {
            "StartTime": "null | Expected_Start_Time",
            "EndTime": "null | Expected_End_Time"
        },
        "RfcId": "RFC_ID",
        "Status": "Editing | PendingApproval | Scheduled | Rejected | Canceled | ExecutionLock | InProgress | Success | Failure",
        "Title": "Title"
    }
}
```

The supported RFC state changes (EventType), as they appear in the actual CloudWatch Events notification, are:
+ RfcActionStateUpdated (no AMS console option): An RFC in one of the states described later has changed.
+ RfcApproved (no AMS console option): The RFC passed system and/or AMS operator validation and has been approved for completion.
+ RfcAutoRejected (**Auto-Rejected**): The RFC failed system or AMS operator validation and has been rejected.
+ RfcCanceled (**Canceled** or **Auto-Canceled**): The RFC was canceled by either the submitter or an AMS operator.
+ RfcCompleted (**Completed**): The RFC run parameters have been completed, including UserData.
+ RfcCreated (no AMS console option): The RFC was successfully created (the JSON and submitted parameters were valid).
+ RfcInProgress (**InProgress**): The RFC run is still in progress.
+ RfcRejected (**Rejected**): The RFC failed system or AMS operator validation and has been rejected.
+ RfcSubmitted (**Submitted**): The RFC has been submitted and is undergoing system validation.
+ RfcUpdated (no AMS console option): The RFC has been manually updated by an AMS operator.
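The filter described earlier (Admin Access change types, RfcSubmitted and RfcUpdated) can be written as a CloudWatch Events event pattern and checked locally before you request it. This is an added example, not AMS code: the function names are hypothetical, the change type ID is a placeholder, the events are constructed from the template above, and the matcher covers only exact-value matching, not the full event pattern syntax.

```python
import json

def build_pattern(event_types, change_type_ids=None):
    """Event pattern for AMS RFC state changes, limited to the given EventType values."""
    detail = {"EventType": sorted(event_types)}
    if change_type_ids:
        detail["ChangeTypeId"] = sorted(change_type_ids)
    return {"source": ["aws.managedservices"],
            "detail-type": ["AMS RFC State Change"],
            "detail": detail}

def matches(pattern, event):
    """Exact-value subset of event pattern matching: every pattern key must be
    present in the event, and a list matches if it contains the event's value."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(want, have):
                return False
        elif have not in want:
            return False
    return True

# Placeholder change type ID; substitute the ID of the change type you want to watch.
ADMIN_ACCESS_CT = "ct-EXAMPLE0000000"

def sample_event(event_type, change_type_id):
    # Constructed event following the template above; all values are illustrative.
    return {"source": "aws.managedservices", "detail-type": "AMS RFC State Change",
            "detail": {"EventType": event_type, "ChangeTypeId": change_type_id,
                       "AwsAccountId": "111122223333", "RfcId": "rfc-example",
                       "Status": "PendingApproval", "Title": "example"}}

PATTERN = build_pattern({"RfcSubmitted", "RfcUpdated"}, {ADMIN_ACCESS_CT})

if __name__ == "__main__":
    print(json.dumps(PATTERN, indent=2))
    for et in ("RfcSubmitted", "RfcCompleted"):
        print(et, matches(PATTERN, sample_event(et, ADMIN_ACCESS_CT)))
```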

Additionally, you can send CloudWatch Events (CWE) notifications to any of the supported destinations and build your own systems on top of these automated notifications:
+ Amazon EC2 instances
+ AWS Lambda functions
+ Streams in Amazon Kinesis Data Streams
+ Delivery streams in Amazon Data Firehose
+ Log groups in Amazon CloudWatch Logs
+ Amazon ECS tasks
+ Systems Manager Run Command
+ Systems Manager Automation
+ AWS Batch jobs
+ Step Functions state machines
+ Pipelines in CodePipeline
+ CodeBuild projects
+ Amazon Inspector assessment templates
+ Amazon SNS topics
+ Amazon SQS queues
+ Built-in targets: EC2 CreateSnapshot API call, EC2 RebootInstances API call, EC2 StopInstances API call, and EC2 TerminateInstances API call.
+ The default event bus of another AWS account

**Note**  
We send CloudWatch Events notifications for RFC state changes on a best-effort basis.