AWS Managed Services (AMS) is a suite of services that provides ongoing management of your AWS infrastructure, automating common tasks like patch management, backup, monitoring, and incident response. This chapter covers AMS architecture, components, operational workflows, and how it integrates with other AWS services. For the SOA-C02 exam, understanding AMS is critical for questions related to operational excellence, automation, and managed operations—approximately 5–8% of the exam touches on managed services and automation concepts.
Imagine you own a large office building with hundreds of employees, complex HVAC, electrical, and plumbing systems. Instead of hiring your own full-time maintenance staff, you contract with a Managed Building Services company. This company installs sensors on every critical system—temperature, humidity, power usage, water flow—and monitors them 24/7 from a central command center. When a sensor detects an anomaly (e.g., a pipe pressure drop), the system automatically creates a work order. A technician is dispatched to fix the issue before it causes a leak. The service also handles routine maintenance: changing air filters every 90 days, testing fire alarms monthly, and replacing light bulbs. You receive a monthly report summarizing all actions taken, costs, and system health. You don't need to know the details of the plumbing or electrical work; you just know your building is running optimally. Similarly, AWS Managed Services (AMS) acts as a managed operations team for your AWS infrastructure. AMS deploys monitoring agents, automates incident response, applies patches, and performs backups—all while you retain control over your environment. Just as the building service uses sensors and automated workflows, AMS uses AWS Systems Manager, CloudWatch, and Config to detect and remediate issues. You get a monthly operational report and can request changes via a service request process.
What is AWS Managed Services (AMS)?
AWS Managed Services (AMS) is a set of services and tools that AWS offers to help you operate your AWS environment more efficiently. It provides a fully managed operations team that handles common tasks like patch management, backup, monitoring, incident management, and change management. AMS is designed for customers who want to offload day-to-day operational tasks to AWS, allowing their internal teams to focus on higher-value activities.
AMS is built on top of AWS Organizations and leverages AWS-native services such as AWS Systems Manager, Amazon CloudWatch, AWS Config, AWS CloudTrail, AWS Lambda, and AWS Step Functions. It provides a standardized operating model with predefined runbooks and automated workflows.
How AMS Works Internally
When you onboard to AMS, you create a new AWS Organization (or use an existing one) and designate a management account. AMS creates a dedicated operations account within your organization, which contains the AMS automation infrastructure. This account includes:
- AMS-managed Amazon EC2 instances running the Systems Manager Agent (SSM Agent) and AMS-specific scripts.
- AWS Lambda functions for automated remediation.
- Amazon CloudWatch alarms and dashboards for monitoring.
- AWS Config rules for compliance checks.
- AWS Systems Manager documents (SSM documents) for patching and configuration.
AMS uses the term "managed instance" for any EC2 instance that is part of an AMS-managed environment. These instances are registered with Systems Manager, which requires both the SSM Agent and an instance profile that grants Systems Manager permissions. AMS applies patches according to a predefined maintenance window (e.g., every Tuesday at 2 AM). The default patch baseline is defined by AWS and includes critical and security patches. You can customize it by creating a custom patch baseline in Systems Manager; because that alters your operational baseline, the change goes through the AMS change request process.
Key Components and Defaults
AMS Change Management: All changes to the environment (e.g., launching new instances, modifying security groups) must go through a change request, which AMS calls a request for change (RFC). AMS provides a web portal and API for submitting RFCs. Each RFC uses a change type: automated change types are executed by AMS automation once validated, while manual change types are reviewed and approved by the AMS operations team.
Incident Management: AMS monitors CloudWatch alarms and AWS Config rules. When an alarm triggers, AMS automatically creates a ticket and attempts remediation using predefined runbooks. For example, if an EC2 instance fails a status check, AMS might automatically reboot the instance. If the issue persists, it escalates to the AMS support team.
Backup Management: AMS can manage backups for EBS volumes, RDS databases, and other resources. Backups are scheduled using AWS Backup. The default retention period is 30 days, but you can customize it.
Patch Management: AMS uses Systems Manager Patch Manager to apply patches. The default patch baseline applies all patches classified as "Critical" or "Security" within 7 days of release. Maintenance windows are typically set for 2 hours.
Monitoring: AMS creates CloudWatch dashboards for key metrics: CPU utilization, memory usage, disk I/O, network I/O, and custom application metrics. Alarms are set at thresholds like CPU > 80% for 5 minutes.
Security: AMS enforces the AWS Foundational Security Best Practices standard via AWS Security Hub and AWS Config. It also integrates with AWS Shield for DDoS protection and with AWS WAF for filtering web application traffic.
Configuration and Verification
To check whether an instance is under AMS management, confirm that it is registered as a Systems Manager managed instance: it appears in Fleet Manager in the Systems Manager console, and its SSM Agent reports a PingStatus of Online. An instance that is not registered cannot be patched, inventoried, or reached through Session Manager, whatever tags it carries.
Example AWS CLI command to list managed EC2 instances. The ResourceType filter value EC2Instance selects EC2 instances; the value ManagedInstance selects hybrid or on-premises nodes registered through activations, which are outside AMS scope:
aws ssm describe-instance-information --filters Key=ResourceType,Values=EC2Instance
To view patching status for one instance:
aws ssm describe-instance-patches --instance-id i-1234567890abcdef0
Interaction with Related Technologies
AMS deeply integrates with:
- AWS Organizations: AMS requires an organization and uses Service Control Policies (SCPs) to restrict actions.
- AWS Systems Manager: the backbone for patching, configuration, and runbooks.
- AWS Config: compliance and resource tracking.
- Amazon CloudWatch: monitoring and alarming.
- AWS Lambda: automated remediation.
- AWS Backup: centralized backup management.
- AWS Service Catalog: AMS uses Service Catalog to provision approved resources.
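Before trusting any of these integrations, confirm that Systems Manager actually sees the fleet and that Patch Manager has acted on it. The Python below is an added example, not code from the page or from AMS: it consumes the JSON shape returned by the two CLI commands in the Configuration and Verification section (describe-instance-information and describe-instance-patch-states), with constructed instance records, invented counts and a fixed audit time, and flags instances whose agent is offline, that have never been scanned, or whose last patch operation is older than the 7-day window used on this page.

```python
"""Cross-check Systems Manager inventory against Patch Manager state.

Added example, not from the original page: the two JSON documents are
constructed to mimic the output of `aws ssm describe-instance-information`
and `aws ssm describe-instance-patch-states`. Field names follow the SSM API;
the instance IDs, counts and timestamps are invented.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed: aws ssm describe-instance-information --filters Key=ResourceType,Values=EC2Instance
INSTANCE_INFORMATION = json.loads("""
{"InstanceInformationList": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "PingStatus": "Online", "ResourceType": "EC2Instance",
   "PlatformType": "Linux", "AgentVersion": "3.2.1377.0", "IsLatestVersion": true},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa2", "PingStatus": "ConnectionLost", "ResourceType": "EC2Instance",
   "PlatformType": "Linux", "AgentVersion": "3.1.1732.0", "IsLatestVersion": false},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa3", "PingStatus": "Online", "ResourceType": "EC2Instance",
   "PlatformType": "Windows", "AgentVersion": "3.2.1377.0", "IsLatestVersion": true}
]}
""")

# Constructed: aws ssm describe-instance-patch-states --instance-ids <ids>
PATCH_STATES = json.loads("""
{"InstancePatchStates": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "PatchGroup": "ams-linux", "Operation": "Install",
   "InstalledCount": 142, "MissingCount": 0, "FailedCount": 0,
   "CriticalNonCompliantCount": 0, "SecurityNonCompliantCount": 0,
   "OperationEndTime": "2024-05-07T02:41:00+00:00"},
  {"InstanceId": "i-0aaaaaaaaaaaaaaa3", "PatchGroup": "ams-windows", "Operation": "Scan",
   "InstalledCount": 88, "MissingCount": 3, "FailedCount": 0,
   "CriticalNonCompliantCount": 1, "SecurityNonCompliantCount": 2,
   "OperationEndTime": "2024-04-20T03:10:00+00:00"}
]}
""")

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2024, 5, 8, 12, 0, tzinfo=timezone.utc)


def audit_patch_compliance(instance_info, patch_states, now, max_age_days=7):
    """Return {instance_id: [findings]} for every EC2 instance SSM knows about.

    max_age_days mirrors the page's 7-day patch window: a patch operation older
    than that means the instance missed at least one maintenance window.
    """
    states = {s["InstanceId"]: s for s in patch_states["InstancePatchStates"]}
    report = {}
    for node in instance_info["InstanceInformationList"]:
        if node["ResourceType"] != "EC2Instance":
            continue  # hybrid/on-prem nodes (mi-...) are outside AMS scope
        findings = []
        if node["PingStatus"] != "Online":
            findings.append("agent-offline")        # cannot be patched or reached
        if not node.get("IsLatestVersion", True):
            findings.append("agent-outdated")
        state = states.get(node["InstanceId"])
        if state is None:
            findings.append("no-patch-state")       # never scanned by Patch Manager
        else:
            noncompliant = state["CriticalNonCompliantCount"] + state["SecurityNonCompliantCount"]
            if noncompliant:
                findings.append(f"security-noncompliant:{noncompliant}")
            if state["MissingCount"]:
                findings.append(f"missing-patches:{state['MissingCount']}")
            if state["FailedCount"]:
                findings.append(f"failed-patches:{state['FailedCount']}")
            ended = datetime.fromisoformat(state["OperationEndTime"])
            if now - ended > timedelta(days=max_age_days):
                findings.append("stale-patch-operation")
        report[node["InstanceId"]] = findings
    return report


def noncompliant_instances(report):
    """Instance IDs that need a ticket, sorted for stable output."""
    return sorted(i for i, f in report.items() if f)


if __name__ == "__main__":
    result = audit_patch_compliance(INSTANCE_INFORMATION, PATCH_STATES, AUDIT_TIME)
    for instance_id in noncompliant_instances(result):
        print(instance_id, ", ".join(result[instance_id]))
```

Feed it real output with `--output json` on both commands and replace AUDIT_TIME with the current time. Note that a node in ConnectionLost state drops out of patching silently: Patch Manager reports nothing for it, so the absence of a patch state is itself a finding rather than a clean result.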
Important Considerations
AMS is not free; pricing is based on the number of managed instances and on the operations plan you choose (AMS Accelerate or AMS Advanced) and its service tier.
AMS does not manage the operating system of containerized workloads (ECS/EKS) directly, but it can manage the underlying EC2 instances.
You cannot directly SSH into AMS-managed instances with your own key pairs. Shell access goes through Systems Manager Session Manager, which is authorized by IAM, needs no inbound port 22, and can log every session to CloudWatch Logs or S3.
AMS enforces a strict change management process. Any attempt to modify resources outside of the process may be reverted.
AMS supports multiple regions, but each region is managed separately.
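The point about SSH only buys you auditable access if Session Manager is configured to log, encrypt and bound sessions; a fresh region does none of that until someone sets the preferences. The Python below is an added example, not code from the page or from AMS, that audits the regional Session Manager preferences document (SSM-SessionManagerRunShell). Both documents are constructed: the keys follow the real preferences schema, while the bucket, log group, KMS key ARN and run-as user are placeholders.

```python
"""Audit Session Manager preferences before trusting "access is logged".

Added example, not code from the page or from AMS. The two documents are
constructed; their keys follow the SSM-SessionManagerRunShell preferences
document schema, while the bucket, log group, KMS key ARN and run-as user
are placeholders.
"""
import json

# Constructed: what an unconfigured region returns for
# aws ssm get-document --name SSM-SessionManagerRunShell --query Content --output text
WEAK_PREFERENCES = json.loads("""
{"schemaVersion": "1.0",
 "description": "Document to hold regional settings for Session Manager",
 "sessionType": "Standard_Stream",
 "inputs": {
   "s3BucketName": "", "s3KeyPrefix": "", "s3EncryptionEnabled": true,
   "cloudWatchLogGroupName": "", "cloudWatchEncryptionEnabled": true,
   "cloudWatchStreamingEnabled": false,
   "kmsKeyId": "", "runAsEnabled": false, "runAsDefaultUser": "",
   "idleSessionTimeout": "", "maxSessionDuration": "",
   "shellProfile": {"windows": "", "linux": ""}}}
""")

# Constructed hardened counterpart (placeholder names and ARN).
HARDENED_PREFERENCES = json.loads("""
{"schemaVersion": "1.0",
 "description": "Document to hold regional settings for Session Manager",
 "sessionType": "Standard_Stream",
 "inputs": {
   "s3BucketName": "example-session-logs", "s3KeyPrefix": "ssm/", "s3EncryptionEnabled": true,
   "cloudWatchLogGroupName": "/ssm/session-manager", "cloudWatchEncryptionEnabled": true,
   "cloudWatchStreamingEnabled": true,
   "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
   "runAsEnabled": true, "runAsDefaultUser": "ops-readonly",
   "idleSessionTimeout": "15", "maxSessionDuration": "60",
   "shellProfile": {"windows": "", "linux": ""}}}
""")


def audit_session_preferences(document):
    """Return a list of findings; an empty list means the preferences meet the bar.

    Checks: a log destination exists, CloudWatch logs stream rather than upload
    at session end, encryption is enforced on the log destinations, session
    data is KMS-encrypted between client and node, sessions do not run as
    ssm-user (which the agent grants sudo on Linux), and idle/max durations
    are explicitly bounded.
    """
    inputs = document["inputs"]
    findings = []
    to_s3 = bool(inputs.get("s3BucketName"))
    to_cw = bool(inputs.get("cloudWatchLogGroupName"))
    if not (to_s3 or to_cw):
        findings.append("no-session-logging")
    if to_cw and not inputs.get("cloudWatchStreamingEnabled"):
        findings.append("cloudwatch-upload-at-session-end-only")
    if to_s3 and not inputs.get("s3EncryptionEnabled"):
        findings.append("s3-encryption-not-enforced")
    if to_cw and not inputs.get("cloudWatchEncryptionEnabled"):
        findings.append("cloudwatch-encryption-not-enforced")
    if not inputs.get("kmsKeyId"):
        findings.append("session-data-not-kms-encrypted")
    if not inputs.get("runAsEnabled"):
        findings.append("sessions-run-as-ssm-user")
    if not inputs.get("idleSessionTimeout"):
        findings.append("idle-timeout-at-default")
    if not inputs.get("maxSessionDuration"):
        findings.append("no-max-session-duration")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_PREFERENCES), ("hardened", HARDENED_PREFERENCES)):
        print(name, audit_session_preferences(doc) or "ok")
```

Run it per region, since the preferences document is regional. The run-as check matters because the agent's default ssm-user account has sudo on Linux; pairing runAsEnabled with a least-privilege OS user (and an SSM:SessionRunAs tag on IAM principals) is what turns "shell access" into "controlled shell access".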
Common Use Cases
Enterprises that need to meet compliance requirements (e.g., PCI DSS, HIPAA) by offloading operational tasks.
Organizations that lack in-house AWS expertise and want AWS to handle day-to-day operations.
Companies that want to standardize operations across multiple accounts using a managed service.
Onboard AWS Organization to AMS
You begin by creating or selecting an existing AWS Organization. Then you submit an onboarding request through the AMS console or API. AWS creates a dedicated operations account within the organization. This account contains the AMS automation infrastructure, including Lambda functions, CloudWatch alarms, and SSM documents. The onboarding process typically takes 24–48 hours. During this time, AWS configures the necessary IAM roles and service-linked roles. Existing EC2 instances that you want AMS to manage need the SSM Agent installed and an instance profile that grants Systems Manager permissions (for example the AmazonSSMManagedInstanceCore managed policy); without both, the instance never registers and cannot be patched or reached. AWS-provided AMIs such as Amazon Linux 2, Ubuntu Server, and Windows Server ship with the agent preinstalled, so instances launched from them after onboarding only need the instance profile.
Define Baseline Configurations
After onboarding, you work with AMS to define your operational baselines: patching schedule (e.g., weekly on Sunday at 3 AM), backup policies (e.g., daily snapshots with 30-day retention), monitoring thresholds (e.g., CPU > 80% for 5 minutes triggers a ticket), and compliance rules (e.g., enforce encryption on EBS volumes). These baselines are implemented using AWS Config rules, CloudWatch alarms, and Systems Manager maintenance windows. AMS provides a set of default baselines that you can customize. Changes to baselines require a change request.
Automated Monitoring and Incident Detection
Once baselines are active, AMS continuously monitors your environment. EC2 publishes its standard metrics every 5 minutes with basic monitoring and every 1 minute when detailed monitoring is enabled; custom metrics are published at whatever resolution the agent or application chooses (standard 1-minute, or high-resolution down to 1 second). CloudWatch alarms evaluate these metrics and trigger when the threshold is breached for the configured number of evaluation periods. AWS Config rules evaluate resource compliance on a periodic schedule (for example every 6 hours) or when a configuration change is recorded. When an alarm or Config rule triggers, AMS automatically creates an incident ticket in its ticketing system. The ticket includes details like resource ID, metric value, and timestamp.
Automated Remediation via Runbooks
For common issues, AMS has predefined runbooks (SSM Automation documents) that execute automated remediation. For example, if an EC2 instance fails its status check, a runbook might attempt to stop and start the instance. If an EBS volume is at 90% capacity, a runbook might extend the volume and grow the file system. The runbook is executed by AWS Systems Manager Automation. If the runbook fails or the issue is not covered, the ticket escalates to the AMS operations team, who investigate and resolve it manually. You can also create custom runbooks via Systems Manager.
Change Request and Approval Workflow
Any modification to the environment (e.g., launching a new EC2 instance, modifying a security group, changing an RDS instance type) must go through a change request. You submit a change request via the AMS portal or API, specifying the resource, action, and scheduled time. The AMS operations team reviews the request for compliance with your baselines and security policies. Approved changes are executed during the next maintenance window or immediately if urgent. Changes are logged in CloudTrail and reported in the monthly operational report.
Enterprise Scenario 1: Financial Services Compliance
A large bank needs to operate its AWS environment in compliance with PCI DSS. They have 500 EC2 instances across 3 regions. By using AMS, they offload patch management, backup, and monitoring to AWS. The bank sets up a patching baseline that applies critical patches within 48 hours. AMS automatically patches instances, and the bank receives a monthly compliance report showing patch status. The bank also uses AMS's change management to enforce that all security group changes are approved by the security team. In production, the bank configured AMS to automatically remediate any S3 bucket that becomes publicly accessible by enabling S3 Block Public Access on the bucket and removing the offending policy statement (editing the bucket policy alone leaves ACL grants and future public statements in play). This is done via a custom Config rule and a Lambda function; the managed rules s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited cover the detection side without custom code. Performance considerations: with 500 instances, AMS scales well; the main bottleneck is the change request queue, which can have a 24-hour turnaround for non-urgent changes.
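As an added example of the remediation described in this scenario (not the bank's or AMS's code), the Python below implements a Config custom rule handler for AWS::S3::Bucket configuration items together with the put_public_access_block call that closes the exposure. The two configuration items are constructed with placeholder bucket names and the documentation account ID 111122223333, and the public-principal test is a deliberately simplified version of S3's own public-policy definition.

```python
"""Config custom rule and remediation for publicly accessible S3 buckets.

Added example, not the bank's or AMS's own code. The two configuration items
are constructed to follow the shape of an AWS::S3::Bucket item as delivered
to a Config custom Lambda rule; bucket names and the account ID are
placeholders. The "public principal" test is a deliberately simplified form
of S3's own public-policy definition (no condition-key analysis).
"""
import json

PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_text):
    """Allow statements that grant to everyone with no Condition at all."""
    if not policy_text:
        return []
    statements = json.loads(policy_text).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and "Condition" not in s
            and _is_public_principal(s.get("Principal"))]


def evaluate_bucket(config_item):
    """Return (compliance_type, reasons) for one AWS::S3::Bucket configuration item."""
    supplementary = config_item.get("supplementaryConfiguration", {})
    pab = supplementary.get("PublicAccessBlockConfiguration") or {}
    reasons = []
    if not all(pab.get(flag) is True for flag in PAB_FLAGS):
        reasons.append("public-access-block-incomplete")
    policy_text = (supplementary.get("BucketPolicy") or {}).get("policyText")
    if public_statements(policy_text):
        reasons.append("bucket-policy-grants-public-principal")
    return ("NON_COMPLIANT" if reasons else "COMPLIANT"), reasons


def remediation_parameters(bucket_name):
    """Keyword arguments for s3.put_public_access_block().

    Turning on all four Block Public Access settings is the control that closes
    the exposure; editing the policy alone leaves ACL grants and any future
    public policy statement in play.
    """
    return {"Bucket": bucket_name,
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}


def lambda_handler(event, context):
    """Config custom rule entry point. boto3 is imported here so the decision
    logic above can be exercised offline without the AWS SDK installed."""
    import boto3
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, reasons = evaluate_bucket(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance,
                      "Annotation": (", ".join(reasons) or "ok")[:256],
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    if compliance == "NON_COMPLIANT":
        boto3.client("s3").put_public_access_block(**remediation_parameters(item["resourceName"]))
    return compliance


# Constructed configuration items (placeholder names; 111122223333 is a documentation account ID).
PUBLIC_BUCKET_CI = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-public-reports",
    "resourceName": "example-public-reports",
    "configurationItemCaptureTime": "2024-05-08T09:15:00.000Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS},
        "BucketPolicy": {"policyText": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-public-reports/*"}]})}}}

PRIVATE_BUCKET_CI = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-private-reports",
    "resourceName": "example-private-reports",
    "configurationItemCaptureTime": "2024-05-08T09:15:00.000Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS},
        "BucketPolicy": {"policyText": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting"},
                           "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-private-reports/*"}]})}}}
```

In an AMS environment the Lambda's execution role and the rule itself would be provisioned through a change request, and the remediation step should be kept separate from the evaluation in production (Config rule for detection, an SSM Automation document or Config remediation action for the fix) so that the detection path keeps working if the remediation role is ever restricted.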
Enterprise Scenario 2: E-commerce Platform with Variable Workload
An e-commerce company runs a seasonal business with heavy traffic during Black Friday. They use AMS to manage their baseline infrastructure (100 EC2 instances) and rely on auto scaling for peak periods. However, AMS does not manage auto scaling groups directly; it manages the instances within them. The company experienced an issue where AMS's patching maintenance window overlapped with a traffic spike. They resolved this by adjusting the maintenance window to off-peak hours and setting CloudWatch alarms to suppress patching if CPU utilization exceeds 50%. Misconfiguration: initially, they set the backup retention to 7 days, but a compliance audit required 30 days. They submitted a change request to modify the backup policy, which was approved and applied within 2 hours.
Enterprise Scenario 3: Healthcare with Hybrid Environment
A healthcare provider uses both on-premises and AWS resources. They use AMS only for their AWS environment (200 instances). They integrated AMS with their on-premises ticketing system via webhooks. When AMS creates an incident ticket, it sends a notification to their ServiceNow instance. They encountered a problem where AMS's automated remediation rebooted an instance that was part of a critical database cluster, causing a brief outage. They learned to tag instances with a 'Critical' tag and configured AMS to skip automated remediation for tagged instances, instead escalating directly to their team. This required a custom runbook that checks for the tag before executing any action.
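The tag guard and escalation ladder from this scenario (reboot, then stop/start, then hand the ticket to a human, as described elsewhere on this page) fit in one small decision function inside an aws:executeScript step. The Python below is an added example, not the provider's or AMS's runbook; the Critical tag key and value, the AttemptHistory input and the way the status check is read are assumptions made for illustration.

```python
"""Tag-guarded remediation decision for an EC2 status-check failure.

Added example, not the healthcare provider's or AMS's own runbook. It models
the ladder described on this page (reboot, then stop/start, then escalate)
and the guard that skips automation for instances tagged Critical. The tag
key/value, the AttemptHistory input and the EC2 calls in script_handler are
assumptions for illustration.
"""

LADDER = ("reboot", "stop_start")                     # automated steps, in order
CRITICAL_TAG = {"Key": "Critical", "Value": "true"}   # assumed guard tag


def is_critical(tags):
    """Match the guard tag case-insensitively: EC2 tag keys are case-sensitive,
    so 'critical'/'CRITICAL' drift would otherwise silently disable the guard."""
    return any(t["Key"].lower() == CRITICAL_TAG["Key"].lower()
               and str(t["Value"]).lower() == CRITICAL_TAG["Value"] for t in tags)


def plan_remediation(tags, previous_attempts, status_ok):
    """Decide the next action for one instance.

    previous_attempts: automated actions already tried for this incident, in order.
    status_ok: result of the latest status check (True = healthy).
    Returns "close", "escalate:<reason>", or the next ladder step to run.
    """
    if status_ok:
        return "close"
    if is_critical(tags):
        return "escalate:critical-tag"      # never auto-touch clustered/critical nodes
    for step in LADDER:
        if step not in previous_attempts:
            return step
    return "escalate:ladder-exhausted"


def script_handler(events, context):
    """aws:executeScript entry point; `events` carries InstanceId and AttemptHistory.
    boto3 is imported here so plan_remediation can be tested offline."""
    import boto3
    ec2 = boto3.client("ec2")
    instance_id = events["InstanceId"]
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    status = ec2.describe_instance_status(InstanceIds=[instance_id],
                                          IncludeAllInstances=True)["InstanceStatuses"][0]
    healthy = (status["InstanceStatus"]["Status"] == "ok"
               and status["SystemStatus"]["Status"] == "ok")
    action = plan_remediation(instance.get("Tags", []), events.get("AttemptHistory", []), healthy)
    if action == "reboot":
        ec2.reboot_instances(InstanceIds=[instance_id])
    elif action == "stop_start":
        # Stop/start moves the instance to new hardware but also drops a non-Elastic
        # public IP and any instance-store data; that is why critical nodes are excluded.
        ec2.stop_instances(InstanceIds=[instance_id])
        ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
        ec2.start_instances(InstanceIds=[instance_id])
    return {"Action": action}


# Constructed sample tags for two instances.
DB_NODE_TAGS = [{"Key": "Name", "Value": "db-cluster-2"}, {"Key": "Critical", "Value": "true"}]
WEB_NODE_TAGS = [{"Key": "Name", "Value": "web-7"}]

if __name__ == "__main__":
    print(plan_remediation(DB_NODE_TAGS, [], status_ok=False))           # escalate:critical-tag
    print(plan_remediation(WEB_NODE_TAGS, ["reboot"], status_ok=False))  # stop_start
```

The runbook document would loop this step, passing the returned action back in as AttemptHistory, and branch on any "escalate:" result to create the ticket for the on-call team. Keeping the decision in a pure function means the guard logic can be unit-tested and reviewed in a change request independently of the EC2 calls.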
What SOA-C02 Tests on AMS
The exam focuses on understanding AMS as a managed service that automates operational tasks. Key objective codes: Domain 3 (Deployment), Objective 3.2 (Automate deployment and management). Expect 2–3 questions on AMS. Questions typically ask about the benefits of AMS, what tasks it automates, and how it integrates with other services. They may also test your ability to differentiate AMS from similar services like AWS Systems Manager or AWS OpsWorks.
Common Wrong Answers and Why Candidates Choose Them
"AMS replaces the need for a CloudOps team entirely." – Wrong. AMS handles routine tasks, but you still need staff to manage business logic, architecture, and high-level strategy. Candidates choose this because they oversimplify the managed aspect.
"AMS can be used to manage on-premises servers." – Wrong. AMS only manages AWS resources. Candidates confuse AMS with Systems Manager Hybrid Activations.
"AMS provides root access to managed EC2 instances." – Wrong. AMS does not provide root access; you use Session Manager. Candidates think managed means full control.
"AMS automatically scales resources based on demand." – Wrong. AMS does not manage auto scaling; it manages the instances that are part of auto scaling groups. Candidates confuse AMS with Auto Scaling.
Specific Numbers and Terms That Appear on the Exam
Default patch window: 2 hours.
Default backup retention: 30 days.
AMS uses Systems Manager for patching and runbooks.
AMS requires AWS Organizations.
The AMS operations account is separate from your production accounts.
Change requests are mandatory for any resource modification.
AMS monitors via CloudWatch and Config.
Edge Cases and Exceptions the Exam Loves to Test
What happens if you try to SSH directly into an AMS-managed instance? The exam expects you to know that direct SSH is blocked; you must use Session Manager.
Can you customize the patch baseline? Yes, by creating a custom baseline in Systems Manager.
Does AMS manage RDS? Yes, it can manage backups and patching for RDS.
Can you use AMS with a single AWS account? No, it requires an organization.
How to Eliminate Wrong Answers
If an answer says "AMS provides full access to all resources" – it's wrong because AMS restricts direct access.
If an answer says "AMS is free" – it's wrong; it's a paid service.
If an answer says "AMS manages containers directly" – it's wrong; it manages the underlying EC2 instances.
If an answer says "AMS can be used with any cloud provider" – it's wrong; it's AWS-specific.
AMS is a managed operations service that automates patching, backup, monitoring, and incident response.
AMS requires an AWS Organization and creates a dedicated operations account.
All changes to managed resources must go through the AMS change request process.
Direct SSH access to AMS-managed instances is blocked; use Systems Manager Session Manager.
AMS uses AWS Systems Manager for patching and runbooks, CloudWatch for monitoring, and AWS Config for compliance.
Default patch maintenance window is 2 hours; default backup retention is 30 days.
AMS does not manage auto scaling or container orchestration directly; it manages the underlying EC2 instances.
AMS is a paid service; pricing depends on the number of managed instances and service tier.
AMS and AWS Systems Manager are easy to confuse, and the exam trades on that. Here's how to tell them apart.
AWS Managed Services (AMS)
Full managed operations service with dedicated team
Includes change management and incident response
Priced per instance per month
Requires AWS Organization
Provides monthly operational reports
AWS Systems Manager (SSM)
Toolset for operational tasks, not a managed service
No built-in change management or incident response
Free to use (pay for underlying resources)
Can be used in single accounts or hybrid environments
No automated reporting; you build your own dashboards
Mistake
AMS gives you full root access to managed EC2 instances.
Correct
AMS does not provide root access. You must use AWS Systems Manager Session Manager for shell access, and actions are logged and controlled. Direct SSH is blocked.
Mistake
AMS automatically scales your EC2 instances based on load.
Correct
AMS does not manage auto scaling. It manages the instances themselves (patching, monitoring, backup). Auto scaling must be configured separately.
Mistake
AMS can manage on-premises servers if you install an agent.
Correct
AMS only manages AWS resources. On-premises servers can be managed using Systems Manager Hybrid Activations, but that is separate from AMS.
Mistake
AMS is free for accounts with less than 10 instances.
Correct
AMS is a paid service regardless of instance count. Pricing is based on the number of managed instances and service tier.
Mistake
AMS eliminates the need for a change management process.
Correct
AMS enforces a change management process. All resource modifications require a change request that is reviewed and approved by the AMS team.
AMS is a fully managed operations service that includes a team of AWS experts who handle day-to-day management tasks like patching, backup, monitoring, and incident response. AWS Systems Manager is a set of tools that you can use to perform those tasks yourself. AMS uses Systems Manager as part of its automation, but adds a managed service layer with change management, ticketing, and a dedicated operations team. For the exam, remember that AMS is a managed service, while Systems Manager is a toolset you manage.
No, AMS requires an AWS Organization. You must have a management account and at least one member account. The AMS infrastructure is deployed in a dedicated operations account within the organization. If you only have a single account, you cannot use AMS. However, you can use AWS Systems Manager for similar automation without the managed service component.
AMS uses AWS Systems Manager Patch Manager to apply patches. It creates a maintenance window (default 2 hours) during which patches are installed. The default patch baseline includes all patches classified as Critical or Security, applied within 7 days of release. You can customize the patch baseline by creating your own in Systems Manager. AMS also generates a patching report that shows which instances were patched and any failures.
AMS has automated runbooks that attempt to remediate common issues. For an EC2 status check failure, the runbook might first try to reboot the instance. If that doesn't work, it may stop and start the instance. If the issue persists, an incident ticket is escalated to the AMS operations team for manual investigation. You can also create custom runbooks for specific scenarios.
No, direct SSH access is blocked. You can use AWS Systems Manager Session Manager to get shell access, but that access is logged and controlled. AMS does not provide root passwords or keys. This is a security measure to ensure that all actions are auditable and compliant with your operational baselines.
Yes, AMS can manage resources in multiple regions. However, each region is managed separately, and you may need to configure baselines and maintenance windows per region. The AMS operations account is global, but the automation infrastructure is region-specific. When onboarding, you specify which regions you want to manage.
You submit a change request through the AMS web portal or via the AMS API. You specify the resource, the action (e.g., launch instance, modify security group), the scheduled time, and a justification. The AMS operations team reviews the request for compliance and either approves or rejects it. Approved changes are executed during the next maintenance window or immediately if marked urgent.