AWS managed policy: AWSApplicationMigrationSSMAccess
You can attach the AWSApplicationMigrationSSMAccess policy to your IAM identities.
This policy allows the Amazon SSM operations that AWS Application Migration Service (AWS MGN) requires to run SSM documents after source servers are migrated. Attach this policy to your users or roles. This policy is only intended to be used for the AWS MGN console.
Permissions details
This policy includes the following permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetCommandInvocation",
        "ssm:DescribeInstanceInformation"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "mgn.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand",
        "ssm:DescribeDocument",
        "ssm:StartAutomationExecution"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:document/*",
        "arn:aws:ssm:*:*:automation-definition/*:*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "mgn.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "mgn.amazonaws.com"
          ]
        },
        "Null": {
          "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:ListDocuments"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:ListDocumentVersions",
        "ssm:GetDocument"
      ],
      "Resource": "arn:aws:ssm:*:*:document/*"
    }
  ]
}
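To see which of these permissions work only when the request arrives through AWS MGN, and which also require the instance tag, the following added example (not AWS code) evaluates the policy above against a request. It is a simplified model that handles only the two condition operators this policy uses and checks one resource per call; it ignores explicit denies and any other policies. The function names and the request-context dictionary are assumptions of the example.

```python
import json, re
# Policy JSON copied from this page (compacted); everything else is added illustration.
POLICY = json.loads("""{"Version":"2012-10-17","Statement":[
{"Effect":"Allow","Action":["ssm:GetCommandInvocation","ssm:DescribeInstanceInformation"],
 "Resource":["*"],"Condition":{"ForAnyValue:StringEquals":{"aws:CalledVia":["mgn.amazonaws.com"]}}},
{"Effect":"Allow","Action":["ssm:SendCommand","ssm:DescribeDocument","ssm:StartAutomationExecution"],
 "Resource":["arn:aws:ssm:*:*:document/*","arn:aws:ssm:*:*:automation-definition/*:*"],
 "Condition":{"ForAnyValue:StringEquals":{"aws:CalledVia":["mgn.amazonaws.com"]}}},
{"Effect":"Allow","Action":["ssm:SendCommand"],"Resource":["arn:aws:ec2:*:*:instance/*"],
 "Condition":{"ForAnyValue:StringEquals":{"aws:CalledVia":["mgn.amazonaws.com"]},
  "Null":{"aws:ResourceTag/AWSApplicationMigrationServiceManaged":"false"}}},
{"Effect":"Allow","Action":["ssm:ListDocuments"],"Resource":"*"},
{"Effect":"Allow","Action":["ssm:ListDocumentVersions","ssm:GetDocument"],
 "Resource":"arn:aws:ssm:*:*:document/*"}]}""")

def _list(v):
    return v if isinstance(v, list) else [v]

def _arn_match(pattern, arn):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, arn) is not None

def _cond_ok(cond, ctx):
    # Models only the two operators that appear in this policy.
    for op, block in cond.items():
        for key, want in block.items():
            have = ctx.get(key)
            if op == "ForAnyValue:StringEquals":
                # Key absent, or no overlap with the listed values: fails.
                if not set(_list(have or [])) & set(_list(want)):
                    return False
            elif op == "Null":
                # "false" means the key must be present in the request.
                if (have is None) != (str(want).lower() == "true"):
                    return False
            else:
                raise ValueError(f"operator {op} is not modelled")
    return True

def allowed(action, resource, ctx=None):
    """True if a statement in POLICY (all are Allow) matches the request."""
    ctx = ctx or {}
    for st in POLICY["Statement"]:
        if (action.lower() in (a.lower() for a in _list(st["Action"]))
                and any(_arn_match(p, resource) for p in _list(st["Resource"]))
                and _cond_ok(st.get("Condition", {}), ctx)):
            return True
    return False
```

Run against constructed requests, the model shows that only `ssm:ListDocuments`, `ssm:ListDocumentVersions` and `ssm:GetDocument` are allowed without `aws:CalledVia`, and that `ssm:SendCommand` to an EC2 instance additionally needs the `AWSApplicationMigrationServiceManaged` tag to be present on the instance.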