AWS managed policies for AWS Application Migration Service

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
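Because an update to a managed policy applies to every identity it is attached to, it helps to see exactly which grants a new policy version adds. The following is an added example, not part of the AWS documentation: it compares two versions of a policy document and reports new action/resource grants and grants that lost their condition. The two documents are constructed samples, not the real policy contents, and the function names are hypothetical.

```python
import json

# Constructed sample documents (NOT the real policy contents). In practice the two
# versions would come from `aws iam get-policy-version` output for the managed policy.
OLD = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:CreateLaunchTemplate", "Resource": "*",
   "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}""")
NEW = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": ["ec2:DescribeInstances",
   "ec2:DescribeSnapshots", "ec2:DescribeImages", "ec2:DescribeVolumes"]},
  {"Effect": "Allow", "Action": "ec2:CreateLaunchTemplate", "Resource": "*"}]}""")


def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants(policy_doc):
    """Map (action lowercased, resource) -> True if every grant of it is conditioned."""
    out = {}
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        # NotAction allows everything except the listed actions: flag it, do not expand it.
        actions = ["<NotAction>"] if "NotAction" in stmt else _as_list(stmt.get("Action"))
        for action in actions:
            for resource in _as_list(stmt.get("Resource", "*")):
                key = (action.lower(), resource)  # action names are case-insensitive
                # An unconditioned grant of the same pair anywhere wins.
                out[key] = out.get(key, True) and "Condition" in stmt
    return out


def widened(old_doc, new_doc):
    """Return (added grants, grants whose condition was dropped) between two versions."""
    old, new = grants(old_doc), grants(new_doc)
    added = sorted(k for k in new if k not in old)
    unconditioned = sorted(k for k in new if k in old and old[k] and not new[k])
    return added, unconditioned


if __name__ == "__main__":
    print(widened(OLD, NEW))
```
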

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide. AWS MGN read-only permissions are included in the general IAM ReadOnlyAccess policy.

AWS MGN updates for AWS managed policies

View details about updates to AWS managed policies for AWS Application Migration Service since March 1, 2021.

| Change | Description | Date |
| --- | --- | --- |
| AWSApplicationMigrationFullAccess – Updated policy | Updated the AWSApplicationMigrationFullAccess policy to support SecureString parameter type in SSM Parameter Store for post-migration framework actions. | March 10, 2024 |
| AWSApplicationMigrationServiceEc2InstancePolicy – Updated policy | Created a new revision of the managed policy to support MGN in GovCloud and added SID to statements in the managed policy. | December 28, 2023 |
| AWSApplicationMigrationServiceEc2InstancePolicy – New policy | This policy allows installing and using the AWS Replication Agent, which is used by AWS Application Migration Service (AWS MGN) to migrate source servers that run on EC2 (cross-Region or cross-AZ). An IAM role with this policy should be attached (as an EC2 Instance Profile) to the EC2 Instances. | August 21, 2023 |
| AWSApplicationMigrationServiceRolePolicy – Updated policy | Updated the AWSApplicationMigrationServiceRolePolicy with Organizations permissions to support the global view feature. | June 18, 2023 |
| AWSApplicationMigrationFullAccess – Updated policy | Updated the AWSApplicationMigrationFullAccess policy to support specific automation SSM documents. | April 1, 2023 |
| AWSApplicationMigrationFullAccess – Updated policy; AWSApplicationMigrationSSMAccess – Updated policy; AWSApplicationMigrationReadOnlyAccess – Created policy | Updated the AWSApplicationMigrationFullAccess policy to support both command and automation SSM documents for post-migration framework actions. Updated the AWSApplicationMigrationSSMAccess policy to support both command and automation SSM documents for the custom actions feature. Updated the AWSApplicationMigrationReadOnlyAccess policy to support the new import and export feature. | March 21, 2023 |
| AWSApplicationMigrationEC2Access – Updated policy | Updated the AWSApplicationMigrationEC2Access policy to support: DescribeSnapshots, DescribeImages, DescribeVolumes. | January 29, 2023 |
| AWSApplicationMigrationEC2Access – Updated policy; AWSApplicationMigrationReadOnlyAccess – Updated policy; AWSApplicationMigrationSSMAccess – Created policy | Updated the AWSApplicationMigrationEC2Access policy to support: CreateLaunchTemplate, DeleteLaunchTemplate. Updated the AWSApplicationMigrationReadOnlyAccess policy to support: DescribeLaunchConfigurationTemplates, ListSourceServerActions, ListTemplateActions, ListApplications, ListWaves. Created new AWSApplicationMigrationSSMAccess policy to support new custom actions feature. | November 28, 2022 |
| AWSApplicationMigrationAgentPolicy – Updated policy; AWSApplicationMigrationAgentInstallationPolicy – Updated policy | Updated the AWSApplicationMigrationAgentPolicy policy and the AWSApplicationMigrationAgentInstallationPolicy policy to support sending additional metrics during the agent installation process. | September 20, 2022 |
| AWSApplicationMigrationAgentInstallationPolicy – New policy | AWS MGN added a new policy. This policy allows installing the AWS Replication Agent, which is used with Application Migration Service to migrate source servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent. The installed AWS Replication Agent will communicate with Application Migration Service using the recommended strong authentication method. | June 15, 2022 |
| AWSApplicationMigrationFullAccess – Updated policy | Updated the AWSApplicationMigrationFullAccess policy to support the Post Migration Framework. | May 16, 2022 |
| AWSApplicationMigrationAgentPolicy_v2 – New policy | AWS Application Migration Service added a new policy. This policy allows using the AWS Replication Agent, which is used with AWS Application Migration Service to migrate source servers to AWS. We do not recommend that you attach this policy to your users or roles. | May 10, 2022 |
| AWSApplicationMigrationReadOnlyAccess – Updated policy | Updated the AWSApplicationMigrationReadOnlyAccess policy to include service quotas. | April 3, 2022 |
| AWSApplicationMigrationEC2Access – Updated policy | Updated the AWSApplicationMigrationEC2Access policy to add additional permissions and restrict certain existing permissions. This policy is only intended to be used for the AWS MGN console. The restriction prevents certain requests from being called directly by the calling identity, whilst enabling AWS Application Migration Service (AWS MGN) to make the request to EC2 on behalf of the calling identity. | March 2, 2022 |
| AWSApplicationMigrationServiceRolePolicy – Updated policy | AWS Application Migration Service added a new policy to allow AWS Application Migration Service to manage AWS resources on your behalf. | December 15, 2021 |
| AWSApplicationMigrationVCenterClientPolicy – New policy | AWS Application Migration Service added a new policy that allows the installation and usage of the AWS vCenter Appliance. | November 7, 2021 |
| AWSApplicationMigrationAgentPolicy – New policy | AWS Application Migration Service added a new policy to allow the installation of the AWS Replication Agent on source servers. | April 18, 2021 |
| AWSApplicationMigrationConversionServerPolicy – New policy | AWS Application Migration Service added a new policy that allows AWS Application Migration Service to communicate with the service. | April 18, 2021 |
| AWSApplicationMigrationMGHAccess – New policy | AWS Application Migration Service added a new policy to allow AWS Application Migration Service access to your account's AWS Migration Hub. | April 18, 2021 |
| AWSApplicationMigrationReplicationServerPolicy – New policy | AWS Application Migration Service added a new policy to allow the AWS Application Migration Service replication servers to communicate with the service, create and manage resources on your behalf. | April 7, 2021 |
| AWS MGN started tracking changes | AWS Application Migration Service started tracking changes for AWS managed policies. | April 7, 2021 |