Actions, resources, and condition keys for AWS Application Migration Service
AWS Application Migration Service (service prefix: mgn) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS Application Migration Service
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| ArchiveApplication | Grants permission to archive an application | Write | |||
| ArchiveWave | Grants permission to archive a wave | Write | |||
| AssociateApplications | Grants permission to associate applications to a wave | Write | |||
| AssociateSourceServers | Grants permission to associate source servers to an application | Write | |||
| BatchCreateVolumeSnapshotGroupForMgn [permission only] | Grants permission to create volume snapshot group | Write | |||
| BatchDeleteSnapshotRequestForMgn [permission only] | Grants permission to batch delete snapshot request | Write | |||
| ChangeServerLifeCycleState | Grants permission to change source server life cycle state | Write | |||
| CreateApplication | Grants permission to create an application | Write | |||
| CreateConnector | Grants permission to create connector | Write | |||
| CreateLaunchConfigurationTemplate | Grants permission to create launch configuration template | Write | |||
| CreateReplicationConfigurationTemplate | Grants permission to create replication configuration template | Write | |||
| CreateVcenterClientForMgn [permission only] | Grants permission to create vcenter client | Write | |||
| CreateWave | Grants permission to create a wave | Write | |||
| DeleteApplication | Grants permission to delete an application | Write | |||
| DeleteConnector | Grants permission to delete connector | Write | |||
| DeleteJob | Grants permission to delete job | Write | |||
| DeleteLaunchConfigurationTemplate | Grants permission to delete launch configuration template | Write | |||
| DeleteReplicationConfigurationTemplate | Grants permission to delete replication configuration template | Write | |||
| DeleteSourceServer | Grants permission to delete source server | Write | |||
| DeleteVcenterClient | Grants permission to delete vcenter client | Write | |||
| DeleteWave | Grants permission to delete a wave | Write | |||
| DescribeJobLogItems | Grants permission to describe job log items | Read | |||
| DescribeJobs | Grants permission to describe jobs | List | |||
| DescribeLaunchConfigurationTemplates | Grants permission to describe launch configuration template | List | |||
| DescribeReplicationConfigurationTemplates | Grants permission to describe replication configuration template | List | |||
| DescribeReplicationServerAssociationsForMgn [permission only] | Grants permission to describe replication server associations | Read | |||
| DescribeSnapshotRequestsForMgn [permission only] | Grants permission to describe snapshots requests | Read | |||
| DescribeSourceServers | Grants permission to describe source servers | List | |||
| DescribeVcenterClients | Grants permission to describe vcenter clients | List | |||
| DisassociateApplications | Grants permission to disassociate applications from a wave | Write | |||
| DisassociateSourceServers | Grants permission to disassociate source servers from an application | Write | |||
| DisconnectFromService | Grants permission to disconnect source server from service | Write | |||
| FinalizeCutover | Grants permission to finalize cutover | Write | |||
| GetAgentCommandForMgn [permission only] | Grants permission to get agent command | Read | |||
| GetAgentConfirmedResumeInfoForMgn [permission only] | Grants permission to get agent confirmed resume info | Read | |||
| GetAgentInstallationAssetsForMgn [permission only] | Grants permission to get agent installation assets | Read | |||
| GetAgentReplicationInfoForMgn [permission only] | Grants permission to get agent replication info | Read | |||
| GetAgentRuntimeConfigurationForMgn [permission only] | Grants permission to get agent runtime configuration | Read | |||
| GetAgentSnapshotCreditsForMgn [permission only] | Grants permission to get agent snapshots credits | Read | |||
| GetChannelCommandsForMgn [permission only] | Grants permission to get channel commands | Read | |||
| GetLaunchConfiguration | Grants permission to get launch configuration | Read | |||
| GetReplicationConfiguration | Grants permission to get replication configuration | Read | |||
| GetVcenterClientCommandsForMgn [permission only] | Grants permission to get vcenter client commands | Read | |||
| InitializeService | Grants permission to initialize service | Write |
iam:AddRoleToInstanceProfile iam:CreateInstanceProfile iam:CreateServiceLinkedRole iam:GetInstanceProfile |
||
| IssueClientCertificateForMgn [permission only] | Grants permission to issue a client certificate | Write | |||
| ListApplications | Grants permission to list application summaries | List | |||
| ListConnectors | Grants permission to list connectors | Read | |||
| ListExportErrors | Grants permission to list the errors of an export task | List | |||
| ListExports | Grants permission to list export tasks | List | |||
| ListImportErrors | Grants permission to list the errors of an import task | List | |||
| ListImports | Grants permission to list the import tasks | List | |||
| ListManagedAccounts | Grants permission to list managed accounts | List | |||
| ListSourceServerActions | Grants permission to list source server action documents | List | |||
| ListTagsForResource | Grants permission to list tags for a resource | Read | |||
| ListTemplateActions | Grants permission to list launch configuration template action documents | List | |||
| ListWaves | Grants permission to list wave summaries | List | |||
| MarkAsArchived | Grants permission to mark source server as archived | Write | |||
| NotifyAgentAuthenticationForMgn [permission only] | Grants permission to notify agent authentication | Write | |||
| NotifyAgentConnectedForMgn [permission only] | Grants permission to notify agent is connected | Write | |||
| NotifyAgentDisconnectedForMgn [permission only] | Grants permission to notify agent is disconnected | Write | |||
| NotifyAgentReplicationProgressForMgn [permission only] | Grants permission to notify agent replication progress | Write | |||
| NotifyVcenterClientStartedForMgn [permission only] | Grants permission to notify vcenter client started | Write | |||
| PauseReplication | Grants permission to pause replication | Write | |||
| PutSourceServerAction | Grants permission to put source server action document | Write | |||
| PutTemplateAction | Grants permission to put launch configuration template action document | Write | |||
| RegisterAgentForMgn [permission only] | Grants permission to register agent | Write | |||
| RemoveSourceServerAction | Grants permission to remove source server action document | Write | |||
| RemoveTemplateAction | Grants permission to remove launch configuration template action document | Write | |||
| ResumeReplication | Grants permission to resume replication | Write | |||
| RetryDataReplication | Grants permission to retry replication | Write | |||
| SendAgentLogsForMgn [permission only] | Grants permission to send agent logs | Write | |||
| SendAgentMetricsForMgn [permission only] | Grants permission to send agent metrics | Write | |||
| SendChannelCommandResultForMgn [permission only] | Grants permission to send channel command result | Write | |||
| SendClientLogsForMgn [permission only] | Grants permission to send client logs | Write | |||
| SendClientMetricsForMgn [permission only] | Grants permission to send client metrics | Write | |||
| SendVcenterClientCommandResultForMgn [permission only] | Grants permission to send vcenter client command result | Write | |||
| SendVcenterClientLogsForMgn [permission only] | Grants permission to send vcenter client logs | Write | |||
| SendVcenterClientMetricsForMgn [permission only] | Grants permission to send vcenter client metrics | Write | |||
| StartCutover | Grants permission to start cutover | Write |
ec2:AttachVolume ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateLaunchTemplate ec2:CreateLaunchTemplateVersion ec2:CreateSecurityGroup ec2:CreateSnapshot ec2:CreateTags ec2:CreateVolume ec2:DeleteLaunchTemplateVersions ec2:DeleteSnapshot ec2:DeleteVolume ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstanceTypes ec2:DescribeInstances ec2:DescribeLaunchTemplateVersions ec2:DescribeLaunchTemplates ec2:DescribeSecurityGroups ec2:DescribeSnapshots ec2:DescribeSubnets ec2:DescribeVolumes ec2:DetachVolume ec2:ModifyInstanceAttribute ec2:ModifyLaunchTemplate ec2:ReportInstanceStatus ec2:RevokeSecurityGroupEgress ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:TerminateInstances iam:PassRole mgn:ListTagsForResource |
||
| StartExport | Grants permission to start an export task | Write |
ec2:DescribeLaunchTemplateVersions mgn:DescribeSourceServers mgn:GetLaunchConfiguration mgn:ListApplications mgn:ListWaves s3:PutObject |
||
| StartImport | Grants permission to create an import task | Write |
ec2:CreateLaunchTemplateVersion ec2:DescribeLaunchTemplateVersions ec2:ModifyLaunchTemplate mgn:DescribeSourceServers mgn:GetLaunchConfiguration mgn:ListApplications mgn:ListWaves mgn:TagResource mgn:UpdateLaunchConfiguration s3:PutObject |
||
| StartReplication | Grants permission to start replication | Write | |||
| StartTest | Grants permission to start test | Write |
ec2:AttachVolume ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateLaunchTemplate ec2:CreateLaunchTemplateVersion ec2:CreateSecurityGroup ec2:CreateSnapshot ec2:CreateTags ec2:CreateVolume ec2:DeleteLaunchTemplateVersions ec2:DeleteSnapshot ec2:DeleteVolume ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstanceTypes ec2:DescribeInstances ec2:DescribeLaunchTemplateVersions ec2:DescribeLaunchTemplates ec2:DescribeSecurityGroups ec2:DescribeSnapshots ec2:DescribeSubnets ec2:DescribeVolumes ec2:DetachVolume ec2:ModifyInstanceAttribute ec2:ModifyLaunchTemplate ec2:ReportInstanceStatus ec2:RevokeSecurityGroupEgress ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:TerminateInstances iam:PassRole mgn:ListTagsForResource |
||
| StopReplication | Grants permission to stop replication | Write | |||
| TagResource | Grants permission to assign a resource tag | Tagging | |||
| TerminateTargetInstances | Grants permission to terminate target instances | Write |
ec2:DeleteVolume ec2:DescribeInstances ec2:DescribeVolumes ec2:TerminateInstances |
||
| UnarchiveApplication | Grants permission to unarchive an application | Write | |||
| UnarchiveWave | Grants permission to unarchive a wave | Write | |||
| UntagResource | Grants permission to untag a resource | Tagging | |||
| UpdateAgentBacklogForMgn [permission only] | Grants permission to update agent backlog | Write | |||
| UpdateAgentConversionInfoForMgn [permission only] | Grants permission to update agent conversion info | Write | |||
| UpdateAgentReplicationInfoForMgn [permission only] | Grants permission to update agent replication info | Write | |||
| UpdateAgentReplicationProcessStateForMgn [permission only] | Grants permission to update agent replication process state | Write | |||
| UpdateAgentSourcePropertiesForMgn [permission only] | Grants permission to update agent source properties | Write | |||
| UpdateApplication | Grants permission to update an application | Write | |||
| UpdateConnector | Grants permission to update connector | Write | |||
| UpdateLaunchConfiguration | Grants permission to update launch configuration | Write | |||
| UpdateLaunchConfigurationTemplate | Grants permission to update launch configuration | Write | |||
| UpdateReplicationConfiguration | Grants permission to update replication configuration | Write | |||
| UpdateReplicationConfigurationTemplate | Grants permission to update replication configuration template | Write | |||
| UpdateSourceServer | Grants permission to update source server | Write | |||
| UpdateSourceServerReplicationType | Grants permission to update source server replication type | Write | |||
| UpdateWave | Grants permission to update a wave | Write | |||
| VerifyClientRoleForMgn [permission only] | Grants permission to verify client role | Read |
Resource types defined by AWS Application Migration Service
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| JobResource |
arn:${Partition}:mgn:${Region}:${Account}:job/${JobID}
|
|
| ReplicationConfigurationTemplateResource |
arn:${Partition}:mgn:${Region}:${Account}:replication-configuration-template/${ReplicationConfigurationTemplateID}
|
|
| LaunchConfigurationTemplateResource |
arn:${Partition}:mgn:${Region}:${Account}:launch-configuration-template/${LaunchConfigurationTemplateID}
|
|
| VcenterClientResource |
arn:${Partition}:mgn:${Region}:${Account}:vcenter-client/${VcenterClientID}
|
|
| SourceServerResource |
arn:${Partition}:mgn:${Region}:${Account}:source-server/${SourceServerID}
|
|
| ApplicationResource |
arn:${Partition}:mgn:${Region}:${Account}:application/${ApplicationID}
|
|
| WaveResource |
arn:${Partition}:mgn:${Region}:${Account}:wave/${WaveID}
|
|
| ImportResource |
arn:${Partition}:mgn:${Region}:${Account}:import/${ImportID}
|
|
| ExportResource |
arn:${Partition}:mgn:${Region}:${Account}:export/${ExportID}
|
|
| ConnectorResource |
arn:${Partition}:mgn:${Region}:${Account}:connector/${ConnectorID}
|
Condition keys for AWS Application Migration Service
AWS Application Migration Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by presence of tag keys in the request | ArrayOfString |
| mgn:CreateAction | Filters access by the name of a resource-creating API action | String |
