Note
The AWS Migration Hub Automation feature is in preview release. It is available in US East (N. Virginia). To use this feature, you must set your AWS Region to US East (N. Virginia). You must also set the AWS Migration Hub home Region to US East (N. Virginia). For instructions on how to set the AWS Migration Hub home Region, see Managing your AWS Migration Hub home Region.
This is pre-release documentation. Both the AWS Migration Hub Automation feature and the documentation are subject to change.
To run an automation unit, you must associate with it an IAM role with a trust policy and a permissions policy that depend on the kind of unit (custom or managed) and on the actions that the unit performs.
Warning
This IAM role allows Migration Hub to run automation units on your behalf. By specifying a service role, you define the actions that can be performed during an automation run, which can differ from the permissions of the user who creates or runs the automation unit. A user who holds all four of the following permissions can create a unit, attach to it any role they are allowed to pass, and run it, and so can perform any action that such a role permits; if iam:PassRole is not restricted to specific roles, that amounts to any action in your AWS account.
- mgh:CreateAutomationUnit
- mgh:AssociateAutomationUnitRole
- mgh:CreateAutomationRun
- iam:PassRole
To minimize this risk, apply strict least-privilege permissions to service roles, restrict the iam:PassRole permission of users to the specific automation unit roles they need, and carefully review and audit automation unit roles. For more information, see Apply least-privilege permissions in the IAM User Guide.
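The following Python is an added example, not part of this page and not Migration Hub code. It implements the audit the warning above calls for: given the policy documents attached to a principal, it works out whether, after wildcard expansion and explicit denies, the principal holds all four permissions, and whether its iam:PassRole grant is unscoped. Statement conditions are not evaluated, so a conditional Allow counts as an Allow, which is the conservative choice for an audit. The two policies it runs on are constructed samples; the account ID and role name in them are made up.

```python
import fnmatch
import json

# The four permissions that, held together, let a principal run arbitrary
# actions under any role it is allowed to pass (see the warning above).
ESCALATION_CHAIN = (
    "mgh:CreateAutomationUnit",
    "mgh:AssociateAutomationUnitRole",
    "mgh:CreateAutomationRun",
    "iam:PassRole",
)


def _as_list(value):
    """IAM accepts either a string or a list for Action, NotAction and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are matched case-insensitively with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Return (allowed, resources) for one action across a set of policies.

    An explicit Deny in any policy wins over every Allow, as in IAM.
    Conditions are ignored, so a conditional Allow counts as an Allow.
    The resources are the union of the Resource entries of matching Allows.
    """
    allowed, denied, resources = False, False, set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if "NotAction" in stmt:
                hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
            else:
                hit = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
            if not hit:
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
                resources.update(_as_list(stmt.get("Resource")) or ["*"])
    return allowed and not denied, resources


def find_escalation_chain(policies):
    """Report whether a set of policy documents grants the whole chain.

    passrole_unscoped is True when iam:PassRole is allowed on Resource "*",
    meaning the principal can hand Migration Hub any role in the account.
    """
    granted, missing, passrole = [], [], set()
    for action in ESCALATION_CHAIN:
        ok, resources = evaluate(policies, action)
        if ok:
            granted.append(action)
            if action == "iam:PassRole":
                passrole = resources
        else:
            missing.append(action)
    return {
        "full_chain": not missing,
        "granted": granted,
        "missing": missing,
        "passrole_unscoped": "*" in passrole,
        "passrole_resources": sorted(passrole),
    }


# Constructed sample: looks harmless because it never names the four actions.
OPERATOR_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["mgh:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

# Constructed sample: PassRole limited to one (made-up) automation unit role
# and an explicit Deny that breaks the chain.
RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["mgh:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "mgh:AssociateAutomationUnitRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/MigrationHubUnitRole"}
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("operator", OPERATOR_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, json.dumps(find_escalation_chain([policy]), indent=2))
```

Run it against the inline policies attached to a user or group (for example the output of GetUserPolicy and GetPolicyVersion); the operator sample reports the full chain with an unscoped PassRole, while the restricted sample reports mgh:AssociateAutomationUnitRole as missing and PassRole confined to one role.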
IAM role and policies for managed automation units
For managed automation units, create an IAM role and give the role any name that you want. Attach the following trust policy to the role, replacing account-id with your AWS account ID. For information about how to create an IAM role with this trust policy, see Create a role using custom trust policies.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["ssm.amazonaws.com", "migrationhub.amazonaws.com"]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}
The role trusts both Systems Manager (which runs the automation document) and Migration Hub. The aws:SourceAccount condition restricts both service principals to assuming the role only on behalf of resources in your account, which prevents another account from pointing either service at your role (the confused deputy problem). Keep the condition in place.
Attach the following permissions policy to the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetPublicSsafClientSignature",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-application-migration-service-region/latest/source-automation-client/linux/ssaf-client/ssaf_client.sig"
      ]
    },
    {
      "Sid": "AllowListMGNResources",
      "Effect": "Allow",
      "Action": [
        "mgn:DescribeSourceServers",
        "mgn:DescribeLaunchConfigurationTemplates",
        "mgn:DescribeReplicationConfigurationTemplates",
        "mgn:DescribeJobs",
        "mgn:ListApplications",
        "mgn:ListWaves",
        "mgn:ListConnectors",
        "mgn:ListTagsForResource"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowMGNRehostMigrationActions",
      "Effect": "Allow",
      "Action": [
        "mgn:StartCutover",
        "mgn:StartTest",
        "mgn:ChangeServerLifecycleState",
        "mgn:FinalizeCutover",
        "mgn:MarkAsArchived",
        "mgn:UpdateSourceServer",
        "mgn:TerminateTargetInstances"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowVerifyExistenceOfMGNConnectorRoles",
      "Effect": "Allow",
      "Action": ["iam:GetRole"],
      "Resource": [
        "arn:aws:iam::account-id:role/AWSApplicationMigrationConnectorManagementRole",
        "arn:aws:iam::account-id:role/AWSApplicationMigrationConnectorSharingRole_account-id"
      ]
    },
    {
      "Sid": "AllowReadSSMRunSourceServerActionDocument",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeDocument"
      ],
      "Resource": [
        "arn:aws:ssm:region::document/AWSMigration-RunSourceServerAction"
      ]
    },
    {
      "Sid": "AllowReadSSMRehostDocument",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeDocument"
      ],
      "Resource": [
        "arn:aws:ssm:region::document/AWSMigrationHub-MGNRehostAutomation"
      ]
    },
    {
      "Sid": "AllowRunSourceServerActionCommand",
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ssm:region::document/AWSMigration-RunSourceServerAction"
      ]
    },
    {
      "Sid": "AllowSendCommandWithManagedInstance",
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ssm:region:account-id:managed-instance/*"
      ]
    },
    {
      "Sid": "AllowMGHTrackingActions",
      "Effect": "Allow",
      "Action": [
        "mgh:CreateProgressUpdateStream",
        "mgh:ImportMigrationTask",
        "mgh:NotifyMigrationTaskState",
        "mgh:AssociateCreatedArtifact",
        "mgh:AssociateSourceResource",
        "mgh:DescribeMigrationTask",
        "mgh:ListMigrationTaskUpdates",
        "mgh:ListSourceResources",
        "mgh:ListCreatedArtifacts"
      ],
      "Resource": [
        "arn:aws:mgh:region:account-id:progressUpdateStream/AWS-*"
      ]
    },
    {
      "Sid": "AllowStartMGNRehostAutomationDocument",
      "Effect": "Allow",
      "Action": [
        "ssm:StartAutomationExecution"
      ],
      "Resource": ["arn:aws:ssm:region::automation-definition/AWSMigrationHub-MGNRehostAutomation:$DEFAULT"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": "AWSMigrationHubService"
        }
      }
    },
    {
      "Sid": "AllowAutomationExecutionRead",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeAutomationStepExecutions",
        "ssm:GetAutomationExecution"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/CreatedBy": "AWSMigrationHubService"
        }
      }
    },
    {
      "Sid": "AllowSSMList",
      "Effect": "Allow",
      "Action": [
        "ssm:ListCommandInvocations",
        "ssm:ListCommands"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "AllowPassRoleToSSM",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::account-id:role/role-name"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ssm.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::account-id:role/service-role/AWSApplicationMigrationConversionServerRole"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
In this policy, replace account-id with your AWS account ID, region with the Region in which the unit runs (US East (N. Virginia) during the preview), and role-name with the name of the role that Systems Manager Automation assumes when it runs the rehost document; because this role trusts ssm.amazonaws.com, that is normally this role itself. Note how the policy is scoped: ssm:StartAutomationExecution is allowed only for executions tagged CreatedBy=AWSMigrationHubService, the execution read actions are allowed only on executions carrying that tag, and both iam:PassRole statements name a single role and the single service it may be passed to. Keep these resource and condition restrictions when you adapt the policy; widening a PassRole statement to a wildcard resource would let the automation run assume any role in the account.
IAM role and policies for custom automation units
For custom automation units, create an IAM role and give the role any name that you want. The trust policy and permissions policy that you must attach to the IAM role depend on your implementation of the unit, as described in the following sections. For information about how to create an IAM role with one of these trust policies, see Create a role using custom trust policies.
IAM policies for custom automation units that use an AWS Systems Manager document as their target
If your custom unit uses an AWS Systems Manager document as its target, then the IAM role that you attach to the unit must have the following trust policy, with account-id replaced by your AWS account ID.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["ssm.amazonaws.com", "migrationhub.amazonaws.com"]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}
You must also attach to the IAM role a permissions policy that has at least the permissions that are in the following policy. Add to this policy any permissions that the custom unit needs in order to perform its actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMGHTrackingActions",
      "Effect": "Allow",
      "Action": [
        "mgh:CreateProgressUpdateStream",
        "mgh:ImportMigrationTask",
        "mgh:NotifyMigrationTaskState",
        "mgh:AssociateCreatedArtifact",
        "mgh:AssociateSourceResource",
        "mgh:DescribeMigrationTask",
        "mgh:ListMigrationTaskUpdates",
        "mgh:ListSourceResources",
        "mgh:ListCreatedArtifacts"
      ],
      "Resource": [
        "arn:aws:mgh:region:account-id:progressUpdateStream/*"
      ]
    },
    {
      "Sid": "AllowReadSSMAutomationDocument",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeDocument"
      ],
      "Resource": ["ssm-based-runCommandTargetArn"]
    },
    {
      "Sid": "AllowStartSSMAutomationDocument",
      "Effect": "Allow",
      "Action": [
        "ssm:StartAutomationExecution"
      ],
      "Resource": ["ssm-based-runCommandTargetArn:$DEFAULT"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": "AWSMigrationHubService"
        }
      }
    },
    {
      "Sid": "AllowAutomationExecutionTag",
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "AllowAutomationExecutionRead",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeAutomationStepExecutions",
        "ssm:GetAutomationExecution"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/CreatedBy": "AWSMigrationHubService"
        }
      }
    },
    {
      "Sid": "AllowPassRoleToSSM",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::account-id:role/role-name"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ssm.amazonaws.com"
        }
      }
    }
  ]
}
Replace account-id, region, and role-name as for the managed unit policy (role-name is the role that Systems Manager Automation assumes, normally this role), and replace ssm-based-runCommandTargetArn with the ARN of the Systems Manager document that you set as the unit's target. Use the ARN form that each action expects: ssm:DescribeDocument takes the document form (arn:aws:ssm:region:account-id:document/name), whereas ssm:StartAutomationExecution takes the automation-definition form (arn:aws:ssm:region:account-id:automation-definition/name:$DEFAULT), as the two statement types in the managed unit policy show. When you add permissions for the actions that the unit performs, scope them to the specific resources the unit touches rather than reusing the wildcard resources that appear here.
IAM policies for custom automation units that use an AWS Lambda function as their target
For a custom automation unit that uses an AWS Lambda function as its target, you must attach the following trust policy, with account-id replaced by your AWS account ID. Only Migration Hub needs to assume this role, so, unlike the Systems Manager case, ssm.amazonaws.com is not a trusted principal.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["migrationhub.amazonaws.com"]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        }
      }
    }
  ]
}
You must also attach to the IAM role a permissions policy that has at least the permissions that are in the following policy. Add to this policy any permissions that the custom unit needs in order to perform its actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InvokeLambdaFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "lambda-based-runCommandTargetArn"
      ]
    },
    {
      "Sid": "AllowMGHTrackingActions",
      "Effect": "Allow",
      "Action": [
        "mgh:CreateProgressUpdateStream",
        "mgh:ImportMigrationTask",
        "mgh:NotifyMigrationTaskState",
        "mgh:AssociateCreatedArtifact",
        "mgh:AssociateSourceResource",
        "mgh:DescribeMigrationTask",
        "mgh:ListMigrationTaskUpdates",
        "mgh:ListSourceResources",
        "mgh:ListCreatedArtifacts"
      ],
      "Resource": [
        "arn:aws:mgh:region:account-id:progressUpdateStream/*"
      ]
    }
  ]
}
Replace lambda-based-runCommandTargetArn with the ARN of the Lambda function that is the unit's target, and account-id and region as in the other policies. The permissions that the function itself needs belong in the function's own execution role, not in this role: this role only lets Migration Hub invoke the function and report progress.
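As an added example that is not part of this page or of Migration Hub, the following Python renders a unit role's trust and permissions policies from the templates above, refuses to emit a policy that still contains a placeholder, and runs the review that the warning at the top of the page asks for: every sts:AssumeRole grant must pin aws:SourceAccount to your account, and every iam:PassRole grant must be scoped to a named role and to a service via iam:PassedToService. It renders the Lambda-targeted templates because they are the shortest, but the renderer and checks apply equally to the managed unit and Systems Manager templates, which use the same placeholders. The account ID, Region, and function ARN are constructed sample values, and the two weak policies are constructed to show what a finding looks like.

```python
import json

# Placeholders used by the policy templates on this page.
PLACEHOLDERS = ("account-id", "region", "role-name",
                "ssm-based-runCommandTargetArn", "lambda-based-runCommandTargetArn")

# Trust and minimum permissions policies for a Lambda-targeted custom unit,
# copied from the page with their placeholders left in place.
LAMBDA_TRUST_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["migrationhub.amazonaws.com"]},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": "account-id"}}
  }]
}"""
LAMBDA_PERMISSIONS_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "InvokeLambdaFunction", "Effect": "Allow",
     "Action": ["lambda:InvokeFunction"],
     "Resource": ["lambda-based-runCommandTargetArn"]},
    {"Sid": "AllowMGHTrackingActions", "Effect": "Allow",
     "Action": ["mgh:CreateProgressUpdateStream", "mgh:ImportMigrationTask",
                "mgh:NotifyMigrationTaskState", "mgh:AssociateCreatedArtifact",
                "mgh:AssociateSourceResource", "mgh:DescribeMigrationTask",
                "mgh:ListMigrationTaskUpdates", "mgh:ListSourceResources",
                "mgh:ListCreatedArtifacts"],
     "Resource": ["arn:aws:mgh:region:account-id:progressUpdateStream/*"]}
  ]
}"""

# Constructed weak variants (not from the page) that the review must flag:
# a trust policy without aws:SourceAccount, and an unscoped iam:PassRole.
WEAK_TRUST_TEMPLATE = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": ["migrationhub.amazonaws.com"]}, "Action": "sts:AssumeRole"}]}"""
WEAK_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PassAnything", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}

# Constructed sample values; the account ID and function ARN are made up.
SAMPLE_VALUES = {
    "account-id": "111122223333",
    "region": "us-east-1",
    "lambda-based-runCommandTargetArn":
        "arn:aws:lambda:us-east-1:111122223333:function:MigrationUnit",
}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource."""
    return value if isinstance(value, list) else ([] if value is None else [value])


def render_policy(template, values):
    """Substitute placeholders and parse. Refuse to emit a policy that still
    contains one: a literal "account-id" in an ARN never matches, and the
    mistake would surface only as an AccessDenied during an automation run."""
    text = template
    for name, value in values.items():
        text = text.replace(name, value)
    leftover = [p for p in PLACEHOLDERS if p in text]
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return json.loads(text)


def review_trust_policy(trust, account_id):
    """Every sts:AssumeRole grant must pin aws:SourceAccount to this account;
    otherwise any AWS account could point these service principals at the role."""
    findings = []
    for stmt in _as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") != account_id:
            findings.append(f"AssumeRole for {stmt.get('Principal')} not pinned to account {account_id}")
    return findings


def review_permissions_policy(policy):
    """Flag iam:PassRole grants not scoped to a named role and a service, and
    list unconditioned Resource "*" grants for manual review."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a.lower() == "iam:passrole" for a in actions):
            if "*" in resources:
                findings.append(f"{sid}: iam:PassRole on any role")
            if "iam:PassedToService" not in stmt.get("Condition", {}).get("StringEquals", {}):
                findings.append(f"{sid}: iam:PassRole without iam:PassedToService")
        elif "*" in resources and "Condition" not in stmt:
            findings.append(f"{sid}: Resource * with no Condition ({', '.join(actions)})")
    return findings
```

Call render_policy(LAMBDA_TRUST_TEMPLATE, SAMPLE_VALUES) and pass the result to review_trust_policy with the same account ID; an empty findings list means the policy is ready to hand to create-role (or the console's custom trust policy editor), while the WEAK_* samples each produce findings. The unconditioned Resource "*" entries that the managed and Systems Manager policies legitimately contain (the mgn Describe/List actions, ssm:AddTagsToResource, ssm:ListCommands) will appear in the review output as items to confirm, not as errors.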