Predefined post-launch actions reference - Application Migration Service
Install the SSM agentConfigure AWS Elastic Disaster RecoveryConvert operating systemsReplace SUSE subscriptionConduct Amazon EC2 connectivity checksValidate volume integrityVerify process statusConvert MS-SQL license Install a CloudWatch AgentUpgrade Windows Create AMI from instanceJoin Directory Service domainConfigure Time SyncValidate disk spaceVerify HTTP/HTTPS responseEnable Amazon Inspector Classic Verify TagsAuto Scaling group settingEnable Refactor SpacesApp2Container for ReplatformingDynatraceNew relicTrendMicro

Predefined post-launch actions reference

AWS Application Migration Service allows you to execute various predefined post-launch actions on your Amazon EC2 launch instance. Use these out-of-the-box actions to modernize your servers while you're migrating: Change existing license, upgrade your operating system, configure disaster recovery, and more.

Install the SSM agent

The SSM allows AWS Application Migration Service to execute modernization actions on your servers after they are launched.

When you activate the post-launch actions, AWS Application Migration Service will install the SSM agent and create the required IAM roles.

The SSM agent must be installed for any other post-launch action to run. Therefore, this is the only post-launch action that is activated by default and cannot be deactivated.

Learn more about SSM.

Configure AWS Elastic Disaster Recovery

Note

This feature is supported on operating systems that are supported by AWS Elastic Disaster Recovery (AWS DRS). See the AWS DRS documentation.

This action is not supported in Application Migration Service GovCloud regions (US-East, US-West).

Use the DR after migration feature to configure disaster recovery using AWS Elastic Disaster Recovery.

This action will install the AWS Elastic Disaster Recovery Replication Agent on your Amazon EC2 instance.

You must select the target disaster recovery region, which is the AWS Region in which the Recovery instances will be deployed. AWS Elastic Disaster Recovery must be available in the selected Region and initiated in your account. You must initialize Elastic Disaster Recovery for this action to work.

Important

Ensure that you review the costs associated with AWS Elastic Disaster Recovery in the service pricing documentation.

Learn more about Elastic Disaster Recovery AWS Regions.

Learn more about initializing Elastic Disaster Recovery.

Convert operating systems

Note

This feature is supported on CentOS version 8.x.

Use the CentOS to Rocky feature to perform changes to the target machine operating system. It allows you to convert any of your source servers that are running CentOS to Rocky Linux.

Replace SUSE subscription

Note

  • This feature is supported on SUSE Linux versions 12 SP 1 and later.

  • This action is not supported on SLES4SAP servers.

Use the Replace SUSE subscription feature to choose whether you want to change the SUSE Linux subscription of any source server that runs SUSE to an AWS-provided SUSE subscription.

An AWS-provided SUSE subscription allows AWS to manage your licenses, including renewal handling, saving you time and simplifying your billing and license management processes

Conduct Amazon EC2 connectivity checks

Use the EC2 connectivity check feature to conduct network connectivity checks to a predefined list of ports and hosts.

Note

Up to 5 Port:IP couples can be checked in a single action.

Validate volume integrity

Use the Volume integrity validation feature to ensure that Amazon EBS volumes on the launched instance are:

  • The same size as the source (rounded up)

  • Properly mounted on the Amazon EC2 instance

  • Accessible

This feature allows you to conduct the required validations automatically and saves the time of manual validations.

Note

Up to 50 volumes can be checked in a single action.

Verify process status

Use the Process status validation feature to ensure that processes are in running state following instance launch. You will need to provide a list of processes that you want to verify, and define how long the service should wait before testing begins.

To check a specific process that should run multiple times, include it several times in the list.

Convert MS-SQL license

Use the Windows MS-SQL license conversion feature to easily convert Windows MS-SQL BYOL to an AWS license.

Application Migration Service will do the following:

  • Check the SQL edition (Enterprise, Standard, or Web) as part of the launch process

  • Use the right AMI with the right billing code to launch from

The SSM document will run and verify that the right billing code is used post launch.

The action uses the following APIs:

To allow the SSM document to run these APIs, you will need to have the required permissions or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.

Install a CloudWatch Agent

Use the CloudWatch agent installation feature to install and configure the CloudWatch Agent and Application Insights.

You will need the following policy to run this post-launch action (in addition to the full access policy):

  • AWSApplicationMigrationSSMAccess (or any other user-defined policy that allows that specific document to run)

The launched instance will require the following policies:

  • CloudWatchAgentServerPolicy – The permissions required to use AmazonCloudWatchAgent on servers

  • AmazonSSMManagedInstanceCore – The policy for Amazon EC2 Role to enable AWS Systems Manager service core functionality

To ensure that the launch instance has the right policies, create a role that has the required permissions as per the policies above or has access to a role with those permissions.

  • Go to Launch settings > EC2 launch template > Modify > Advance > IAM instance profile.

  • Use an existing profile or create a new one using the Create new IAM profile link.

Note

  • You must attach both policies to the template for the CloudWatch agent to operate. Without the CloudWatchAgentServerPolicy, the action will still be marked as successful but the CloudWatch Agent will not be active.

  • Configuring the Application Insights is optional. You can choose to skip the Application Insights agent configuration and only install the CloudWatch agent. To do so, simply provide the required parameterStoreName parameter and leave the other parameters empty.

Learn more about the CloudWatch Agent.

Upgrade Windows

Use the Windows upgrade feature to easily upgrade your migrated server to Windows Server 2012 R2, 2016, 2019, or 2022 (see the full list of available OS versions).

You will need the following policy to run this post-launch action (in addition to the full access policy).

  • AWSApplicationMigrationSSMAccess (or any other user-defined policy that allows that specific document to run)

To allow the SSM document to run these APIs, you will need to have the required permissions (including CreateImages, RunInstances, DescribeInstances, and more) or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.

Learn more about the different permissions required to perform the upgrade.

The SSM document will:

  • Create an Amazon Machine Image (AMI) from the instance using the CreateImage API.

  • Use the AMI to create a new instance and then upgrade that instance.

  • Create an AMI from the upgraded instance and terminate the upgraded instance.

Note

  • This operation may run for several hours.

  • All other post-launch actions will run on the instance launched by Application Migration Service and not on the upgraded instance.

Learn more about upgrading Windows.

Create AMI from instance

Use the Create AMI from Instance feature to create a new Amazon Machine Image (AMI) from your Application Migration Service launched instance.

You will need the following policy to run this post-launch action (in addition to the full access policy):

  • AWSApplicationMigrationSSMAccess (or any other user-defined policy that allows that specific document to run)

Attach the following permissions to your instance:

The action uses the following APIs:

To allow the SSM document to run these APIs, you will need to have the required permissions or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.

Learn more about creating AMI from instance.

Join Directory Service domain

Use this Join domain feature to simplify the AWS Join Domain process. If you activate this action, your instance will be managed by the AWS Cloud Directory (instead of on-premises).

You will need the following policy to run this post-launch action (in addition to the full access policy):

The launched instance will require the following policies:

  • AmazonSSMManagedInstanceCore – The policy for Amazon EC2 Role to enable AWS Systems Manager service core functionality.

  • AmazonSSMDirectoryServiceAccess – This policy allows the SSM Agent to access Directory Service on behalf of the customer for domain-join the managed instance.

To ensure that the launched instance has the right policies, create a role that has the required permissions as per the policies above or has access to a role with those permissions.

  • Go to Launch settings > EC2 launch template > Modify > Advance > IAM instance profile.

  • Use an existing profile or create a new one using the Create new IAM profile link.

Configure Time Sync

Use the Time Sync feature to set the time for your Linux instance using ATSS.

Learn more about Amazon Time Sync.

Validate disk space

Use the Disk space validation feature to obtain visibility into the disc space that you have at your disposal, as well as logs with actionable insights.

Verify HTTP/HTTPS response

Use the Verify HTTP/HTTPS response feature to conduct HTTP/HTTPS connectivity checks to a predefined list of URLs. The feature will verify that HTTP/HTTPS requests (for example, https://localhost) receive the correct response.

Enable Amazon Inspector Classic

The Enable Inspector feature allows you to run security scans on your Amazon EC2 resources. The Amazon Inspector service will be enabled at the account level.

Note

Amazon Inspector is a paid AWS service. For additional information, refer to the full Inspector pricing documentation.

This action uses the following APIs:

To allow the SSM document to run these APIs, you will need to have the required permissions or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.

Verify Tags

Use the Verify tags feature to validate that tags which have been defined in the launch template and on the source server are copied to the migrated server.

Auto Scaling group setting

Use the Auto Scaling group setting when you would like to create an Auto Scaling group for a migrated stateless web application.

Enable Refactor Spaces

Use this action to create an AWS Migration Hub Refactor Spaces environment. Refactor Spaces helps accelerate application refactoring by automating the creation of refactor environments in AWS. A Refactor Spaces environment includes the AWS infrastructure, multi-account networking, and routing needed to support the iterative transformation of applications to microservices.

Learn more about Refactor Spaces.

This action is available in all Regions where Refactor Spaces is available.

App2Container for Replatforming

Use this action to activate application Replatforming using the AWS App2Container service. This action provides automation for discovering, analyzing, and containerizing all supported applications discovered on the launched Amazon EC2 instance. The action also takes care of App2Container prerequisites settings, installation, and initialization, so you can focus on the application containerization and deployment.

This action is not available in GovCloud regions.

Learn more about the App2Container for Replatforming action.

Dynatrace

Note

This action is provided by a third party vendor, and is not available in the GovCloud Regions.

This action installs Dynatrace OneAgent on your launched instance.

To configure this action, you will need to have an existing Dynatrace account and configure the required additionalArguments for your particular usage.

Learn more about Dynatrace

New relic

Note

This action is provided by a third party vendor, and is not available in the GovCloud Regions.

This action installs New Relic Infrastructure agent on your launched Amazon EC2 instance.

To configure this action, you will need to have an existing New Relic account and configure the required additionalArguments for your particular usage. You must use an original account license key for this action to succeed.

Learn more about New relic

TrendMicro

Note

This action is provided by a third party vendor, and is not available in the GovCloud Regions.

This action installs the Trend Micro agent on your launched instance.

Learn more about Trend Micro