Actions, resources, and condition keys for AWS Application Migration Service

AWS Application Migration Service (service prefix: mgn) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by AWS Application Migration Service
Resource types defined by AWS Application Migration Service
Condition keys for AWS Application Migration Service

Actions defined by AWS Application Migration Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
ArchiveApplication	Grants permission to archive an application	Write	ApplicationResource*
ArchiveWave	Grants permission to archive a wave	Write	WaveResource*
AssociateApplications	Grants permission to associate applications to a wave	Write	ApplicationResource*
AssociateApplications	Grants permission to associate applications to a wave	Write	WaveResource*
AssociateSourceServers	Grants permission to associate source servers to an application	Write	ApplicationResource*
AssociateSourceServers		Write	SourceServerResource*
BatchCreateVolumeSnapshotGroupForMgn [permission only]	Grants permission to create volume snapshot group	Write	SourceServerResource*
BatchDeleteSnapshotRequestForMgn [permission only]	Grants permission to batch delete snapshot request	Write
ChangeServerLifeCycleState	Grants permission to change source server life cycle state	Write	SourceServerResource*
CreateApplication	Grants permission to create an application	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateConnector	Grants permission to create connector	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateLaunchConfigurationTemplate	Grants permission to create launch configuration template	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateNetworkMigrationDefinition	Grants permission to create a network migration definition	Write
CreateReplicationConfigurationTemplate	Grants permission to create replication configuration template	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateVcenterClientForMgn [permission only]	Grants permission to create vcenter client	Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateWave	Grants permission to create a wave	Write		aws:RequestTag/${TagKey} aws:TagKeys
DeleteApplication	Grants permission to delete an application	Write	ApplicationResource*
DeleteConnector	Grants permission to delete connector	Write	ConnectorResource*
DeleteJob	Grants permission to delete job	Write	JobResource*
DeleteLaunchConfigurationTemplate	Grants permission to delete launch configuration template	Write	LaunchConfigurationTemplateResource*
DeleteNetworkMigrationDefinition	Grants permission to delete a network migration definition	Write	NetworkMigrationDefinitionResource*
DeleteReplicationConfigurationTemplate	Grants permission to delete replication configuration template	Write	ReplicationConfigurationTemplateResource*
DeleteSourceServer	Grants permission to delete source server	Write	SourceServerResource*
DeleteVcenterClient	Grants permission to delete vcenter client	Write	VcenterClientResource*
DeleteWave	Grants permission to delete a wave	Write	WaveResource*
DescribeJobLogItems	Grants permission to describe job log items	Read	JobResource*
DescribeJobs	Grants permission to describe jobs	List
DescribeLaunchConfigurationTemplates	Grants permission to describe launch configuration template	List
DescribeReplicationConfigurationTemplates	Grants permission to describe replication configuration template	List
DescribeReplicationServerAssociationsForMgn [permission only]	Grants permission to describe replication server associations	Read
DescribeSnapshotRequestsForMgn [permission only]	Grants permission to describe snapshots requests	Read
DescribeSourceServers	Grants permission to describe source servers	List
DescribeVcenterClients	Grants permission to describe vcenter clients	List
DisassociateApplications	Grants permission to disassociate applications from a wave	Write	ApplicationResource*
DisassociateApplications	Grants permission to disassociate applications from a wave	Write	WaveResource*
DisassociateSourceServers	Grants permission to disassociate source servers from an application	Write	ApplicationResource*
DisassociateSourceServers		Write	SourceServerResource*
DisconnectFromService	Grants permission to disconnect source server from service	Write	SourceServerResource*
FinalizeCutover	Grants permission to finalize cutover	Write	SourceServerResource*
GetAgentCommandForMgn [permission only]	Grants permission to get agent command	Read	SourceServerResource*
GetAgentConfirmedResumeInfoForMgn [permission only]	Grants permission to get agent confirmed resume info	Read	SourceServerResource*
GetAgentInstallationAssetsForMgn [permission only]	Grants permission to get agent installation assets	Read
GetAgentReplicationInfoForMgn [permission only]	Grants permission to get agent replication info	Read	SourceServerResource*
GetAgentRuntimeConfigurationForMgn [permission only]	Grants permission to get agent runtime configuration	Read	SourceServerResource*
GetAgentSnapshotCreditsForMgn [permission only]	Grants permission to get agent snapshots credits	Read	SourceServerResource*
GetChannelCommandsForMgn [permission only]	Grants permission to get channel commands	Read
GetLaunchConfiguration	Grants permission to get launch configuration	Read	SourceServerResource*
GetNetworkMigrationDefinition	Grants permission to get a network migration definition	Read	NetworkMigrationDefinitionResource*
GetNetworkMigrationMapperSegmentConstruct	Grants permission to get a network migration mapper segment construct	Read	NetworkMigrationDefinitionResource*
GetReplicationConfiguration	Grants permission to get replication configuration	Read	SourceServerResource*
GetVcenterClientCommandsForMgn [permission only]	Grants permission to get vcenter client commands	Read	VcenterClientResource*
InitializeService	Grants permission to initialize service	Write			iam:AddRoleToInstanceProfile iam:CreateInstanceProfile iam:CreateServiceLinkedRole iam:GetInstanceProfile
IssueClientCertificateForMgn [permission only]	Grants permission to issue a client certificate	Write	SourceServerResource
ListApplications	Grants permission to list application summaries	List
ListConnectors	Grants permission to list connectors	Read
ListExportErrors	Grants permission to list the errors of an export task	List	ExportResource*
ListExports	Grants permission to list export tasks	List
ListImportErrors	Grants permission to list the errors of an import task	List	ImportResource*
ListImports	Grants permission to list the import tasks	List
ListManagedAccounts	Grants permission to list managed accounts	List
ListNetworkMigrationAnalyses	Grants permission to list network migration analyses	List	NetworkMigrationDefinitionResource*
ListNetworkMigrationAnalysisResults	Grants permission to list network migration analysis results	List	NetworkMigrationDefinitionResource*
ListNetworkMigrationCodeGenerationSegments	Grants permission to list network migration code generation segments	List	NetworkMigrationDefinitionResource*
ListNetworkMigrationCodeGenerations	Grants permission to list network migration code generations	List	NetworkMigrationDefinitionResource*
ListNetworkMigrationDefinitions	Grants permission to list network migration definitions	List
ListNetworkMigrationDeployedStacks	Grants permission to list network migration deployed stacks	List	NetworkMigrationDefinitionResource*
ListNetworkMigrationDeployedStacksDeletions	Grants permission to list network migration deployed stacks deletions	List	NetworkMigrationDefinitionResource*
ListNetworkMigrationDeployments	Grants permission to list network migration deployments	List	NetworkMigrationDefinitionResource*
ListNetworkMigrationExecutions	Grants permission to list network migration executions	List	NetworkMigrationDefinitionResource*
ListNetworkMigrationMapperSegmentConstructs	Grants permission to list network migration mapper segment constructs	List	NetworkMigrationDefinitionResource*
ListNetworkMigrationMapperSegments	Grants permission to list network migration mapper segments	List	NetworkMigrationDefinitionResource*
ListNetworkMigrationMappings	Grants permission to list network migration mappings	List	NetworkMigrationDefinitionResource*
ListSourceServerActions	Grants permission to list source server action documents	List	SourceServerResource*
ListTagsForResource	Grants permission to list tags for a resource	Read
ListTemplateActions	Grants permission to list launch configuration template action documents	List	LaunchConfigurationTemplateResource*
ListWaves	Grants permission to list wave summaries	List
MarkAsArchived	Grants permission to mark source server as archived	Write	SourceServerResource*
NotifyAgentAuthenticationForMgn [permission only]	Grants permission to notify agent authentication	Write	SourceServerResource*
NotifyAgentConnectedForMgn [permission only]	Grants permission to notify agent is connected	Write	SourceServerResource*
NotifyAgentDisconnectedForMgn [permission only]	Grants permission to notify agent is disconnected	Write	SourceServerResource*
NotifyAgentReplicationProgressForMgn [permission only]	Grants permission to notify agent replication progress	Write	SourceServerResource*
NotifyVcenterClientStartedForMgn [permission only]	Grants permission to notify vcenter client started	Write	VcenterClientResource*
PauseReplication	Grants permission to pause replication	Write	SourceServerResource*
PutSourceServerAction	Grants permission to put source server action document	Write	SourceServerResource*
PutTemplateAction	Grants permission to put launch configuration template action document	Write	LaunchConfigurationTemplateResource*
RegisterAgentForMgn [permission only]	Grants permission to register agent	Write		aws:RequestTag/${TagKey} aws:TagKeys
RemoveSourceServerAction	Grants permission to remove source server action document	Write	SourceServerResource*
RemoveTemplateAction	Grants permission to remove launch configuration template action document	Write	LaunchConfigurationTemplateResource*
ResumeReplication	Grants permission to resume replication	Write	SourceServerResource*
RetryDataReplication	Grants permission to retry replication	Write	SourceServerResource*
SendAgentLogsForMgn [permission only]	Grants permission to send agent logs	Write	SourceServerResource*
SendAgentMetricsForMgn [permission only]	Grants permission to send agent metrics	Write	SourceServerResource*
SendChannelCommandResultForMgn [permission only]	Grants permission to send channel command result	Write
SendClientLogsForMgn [permission only]	Grants permission to send client logs	Write
SendClientMetricsForMgn [permission only]	Grants permission to send client metrics	Write
SendVcenterClientCommandResultForMgn [permission only]	Grants permission to send vcenter client command result	Write	VcenterClientResource*
SendVcenterClientLogsForMgn [permission only]	Grants permission to send vcenter client logs	Write	VcenterClientResource*
SendVcenterClientMetricsForMgn [permission only]	Grants permission to send vcenter client metrics	Write	VcenterClientResource*
StartCutover	Grants permission to start cutover	Write	SourceServerResource*		ec2:AttachVolume ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateLaunchTemplate ec2:CreateLaunchTemplateVersion ec2:CreateSecurityGroup ec2:CreateSnapshot ec2:CreateTags ec2:CreateVolume ec2:DeleteLaunchTemplateVersions ec2:DeleteSnapshot ec2:DeleteVolume ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstanceTypes ec2:DescribeInstances ec2:DescribeLaunchTemplateVersions ec2:DescribeLaunchTemplates ec2:DescribeSecurityGroups ec2:DescribeSnapshots ec2:DescribeSubnets ec2:DescribeVolumes ec2:DetachVolume ec2:ModifyInstanceAttribute ec2:ModifyLaunchTemplate ec2:ReportInstanceStatus ec2:RevokeSecurityGroupEgress ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:TerminateInstances iam:PassRole mgn:ListTagsForResource
StartCutover	Grants permission to start cutover	Write		aws:RequestTag/${TagKey} aws:TagKeys
StartExport	Grants permission to start an export task	Write			ec2:DescribeLaunchTemplateVersions mgn:DescribeSourceServers mgn:GetLaunchConfiguration mgn:ListApplications mgn:ListWaves s3:PutObject
StartImport	Grants permission to create an import task	Write			ec2:CreateLaunchTemplateVersion ec2:DescribeLaunchTemplateVersions ec2:ModifyLaunchTemplate mgn:DescribeSourceServers mgn:GetLaunchConfiguration mgn:ListApplications mgn:ListWaves mgn:TagResource mgn:UpdateLaunchConfiguration s3:PutObject
StartNetworkMigrationAnalysis	Grants permission to start a network migration analysis	Write	NetworkMigrationDefinitionResource*		directconnect:DescribeConnections directconnect:DescribeDirectConnectGatewayAssociations directconnect:DescribeDirectConnectGatewayAttachments directconnect:DescribeDirectConnectGateways directconnect:DescribeVirtualGateways directconnect:DescribeVirtualInterfaces ec2:AuthorizeSecurityGroupIngress ec2:CreateNetworkInsightsPath ec2:CreateNetworkInterface ec2:CreateSecurityGroup ec2:CreateTags ec2:DeleteNetworkInsightsAnalysis ec2:DeleteNetworkInsightsPath ec2:DeleteNetworkInterface ec2:DeleteSecurityGroup ec2:DeleteTags ec2:DescribeAvailabilityZones ec2:DescribeCustomerGateways ec2:DescribeInstances ec2:DescribeInternetGateways ec2:DescribeManagedPrefixLists ec2:DescribeNatGateways ec2:DescribeNetworkAcls ec2:DescribeNetworkInsightsAnalyses ec2:DescribeNetworkInsightsPaths ec2:DescribeNetworkInterfaces ec2:DescribePrefixLists ec2:DescribeRegions ec2:DescribeRouteTables ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeTransitGatewayAttachments ec2:DescribeTransitGatewayConnects ec2:DescribeTransitGatewayPeeringAttachments ec2:DescribeTransitGatewayRouteTables ec2:DescribeTransitGatewayVpcAttachments ec2:DescribeTransitGateways ec2:DescribeVpcEndpointServiceConfigurations ec2:DescribeVpcEndpoints ec2:DescribeVpcPeeringConnections ec2:DescribeVpcs ec2:DescribeVpnConnections ec2:DescribeVpnGateways ec2:GetManagedPrefixListEntries ec2:GetTransitGatewayRouteTablePropagations ec2:SearchTransitGatewayRoutes ec2:StartNetworkInsightsAnalysis elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeRules elasticloadbalancing:DescribeTags elasticloadbalancing:DescribeTargetGroupAttributes elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeTargetHealth globalaccelerator:ListAccelerators globalaccelerator:ListCustomRoutingAccelerators globalaccelerator:ListCustomRoutingEndpointGroups globalaccelerator:ListCustomRoutingListeners globalaccelerator:ListCustomRoutingPortMappings globalaccelerator:ListEndpointGroups globalaccelerator:ListListeners network-firewall:DescribeFirewall network-firewall:DescribeFirewallPolicy network-firewall:DescribeResourcePolicy network-firewall:DescribeRuleGroup network-firewall:ListFirewallPolicies network-firewall:ListFirewalls network-firewall:ListRuleGroups tiros:CreateQuery tiros:ExtendQuery tiros:GetQueryAnswer tiros:GetQueryExplanation tiros:GetQueryExtensionAccounts
StartNetworkMigrationCodeGeneration	Grants permission to start network migration code generation	Write	NetworkMigrationDefinitionResource*
StartNetworkMigrationDeployedStacksDeletion	Grants permission to start deletion of network migration deployed stacks	Write	NetworkMigrationDefinitionResource*		ec2:AcceptTransitGatewayVpcAttachment ec2:AssociateNatGatewayAddress ec2:AssociateRouteTable ec2:AssociateSubnetCidrBlock ec2:AssociateTransitGatewayRouteTable ec2:AssociateVpcCidrBlock ec2:AttachInternetGateway ec2:AttachVolume ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:DeleteInternetGateway ec2:DeleteLaunchTemplate ec2:DeleteLaunchTemplateVersions ec2:DeleteNatGateway ec2:DeleteNetworkAcl ec2:DeleteNetworkAclEntry ec2:DeleteNetworkInsightsAnalysis ec2:DeleteNetworkInsightsPath ec2:DeleteNetworkInterface ec2:DeleteRoute ec2:DeleteRouteTable ec2:DeleteSecurityGroup ec2:DeleteSnapshot ec2:DeleteSubnet ec2:DeleteTransitGateway ec2:DeleteTransitGatewayRoute ec2:DeleteTransitGatewayRouteTable ec2:DeleteTransitGatewayVpcAttachment ec2:DeleteVolume ec2:DeleteVpc ec2:DetachInternetGateway ec2:DetachVolume ec2:DisableTransitGatewayRouteTablePropagation ec2:DisassociateNatGatewayAddress ec2:DisassociateRouteTable ec2:DisassociateTransitGatewayRouteTable ec2:EnableTransitGatewayRouteTablePropagation ec2:ModifyInstanceAttribute ec2:ModifyLaunchTemplate ec2:ModifySubnetAttribute ec2:ModifyTransitGateway ec2:ModifyTransitGatewayVpcAttachment ec2:ModifyVolume ec2:ModifyVpcAttribute ec2:RejectTransitGatewayVpcAttachment ec2:ReleaseAddress ec2:ReplaceNetworkAclAssociation ec2:ReplaceNetworkAclEntry ec2:ReplaceRoute ec2:ReplaceTransitGatewayRoute ec2:RevokeSecurityGroupEgress ec2:RevokeSecurityGroupIngress ec2:SearchTransitGatewayRoutes
StartNetworkMigrationDeployment	Grants permission to start a network migration deployment	Write	NetworkMigrationDefinitionResource*		ec2:AcceptTransitGatewayVpcAttachment ec2:AssociateNatGatewayAddress ec2:AssociateRouteTable ec2:AssociateSubnetCidrBlock ec2:AssociateTransitGatewayRouteTable ec2:AssociateVpcCidrBlock ec2:AttachInternetGateway ec2:AttachVolume ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateNatGateway ec2:CreateNetworkAcl ec2:CreateNetworkAclEntry ec2:CreateNetworkInsightsPath ec2:CreateNetworkInterface ec2:CreateRoute ec2:CreateRouteTable ec2:CreateSecurityGroup ec2:CreateSubnet ec2:CreateTags ec2:CreateTransitGatewayRoute ec2:CreateTransitGatewayRouteTable ec2:CreateTransitGatewayVpcAttachment ec2:DeleteInternetGateway ec2:DeleteLaunchTemplate ec2:DeleteLaunchTemplateVersions ec2:DeleteNatGateway ec2:DeleteNetworkAcl ec2:DeleteNetworkAclEntry ec2:DeleteNetworkInsightsAnalysis ec2:DeleteNetworkInsightsPath ec2:DeleteNetworkInterface ec2:DeleteRoute ec2:DeleteRouteTable ec2:DeleteSecurityGroup ec2:DeleteSnapshot ec2:DeleteSubnet ec2:DeleteTransitGateway ec2:DeleteTransitGatewayRoute ec2:DeleteTransitGatewayRouteTable ec2:DeleteTransitGatewayVpcAttachment ec2:DeleteVolume ec2:DeleteVpc ec2:DescribeAccountAttributes ec2:DescribeAddresses ec2:DescribeAvailabilityZones ec2:DescribeCustomerGateways ec2:DescribeEgressOnlyInternetGateways ec2:DescribeHosts ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstanceTypes ec2:DescribeInstances ec2:DescribeInternetGateways ec2:DescribeLaunchTemplateVersions ec2:DescribeLaunchTemplates ec2:DescribeManagedPrefixLists ec2:DescribeNatGateways ec2:DescribeNetworkAcls ec2:DescribeNetworkInsightsAnalyses ec2:DescribeNetworkInsightsPaths ec2:DescribeNetworkInterfaces ec2:DescribePrefixLists ec2:DescribeRegions ec2:DescribeRouteTables ec2:DescribeSecurityGroupRules ec2:DescribeSecurityGroups ec2:DescribeSnapshots ec2:DescribeSubnets ec2:DescribeTransitGatewayAttachments ec2:DescribeTransitGatewayConnects ec2:DescribeTransitGatewayPeeringAttachments ec2:DescribeTransitGatewayRouteTables ec2:DescribeTransitGatewayVpcAttachments ec2:DescribeTransitGateways ec2:DescribeVolumes ec2:DescribeVpcEndpointServiceConfigurations ec2:DescribeVpcEndpoints ec2:DescribeVpcPeeringConnections ec2:DescribeVpcs ec2:DescribeVpnConnections ec2:DescribeVpnGateways ec2:DetachInternetGateway ec2:DetachVolume ec2:DisableTransitGatewayRouteTablePropagation ec2:DisassociateNatGatewayAddress ec2:DisassociateRouteTable ec2:DisassociateTransitGatewayRouteTable ec2:EnableTransitGatewayRouteTablePropagation ec2:GetEbsDefaultKmsKeyId ec2:GetEbsEncryptionByDefault ec2:GetManagedPrefixListEntries ec2:GetTransitGatewayRouteTableAssociations ec2:GetTransitGatewayRouteTablePropagations ec2:ModifyInstanceAttribute ec2:ModifyLaunchTemplate ec2:ModifySubnetAttribute ec2:ModifyTransitGateway ec2:ModifyTransitGatewayVpcAttachment ec2:ModifyVolume ec2:ModifyVpcAttribute ec2:RejectTransitGatewayVpcAttachment ec2:ReleaseAddress ec2:ReplaceNetworkAclAssociation ec2:ReplaceNetworkAclEntry ec2:ReplaceRoute ec2:ReplaceTransitGatewayRoute ec2:RevokeSecurityGroupEgress ec2:RevokeSecurityGroupIngress ec2:SearchTransitGatewayRoutes ec2:StartNetworkInsightsAnalysis
StartNetworkMigrationMapping	Grants permission to start a network migration mapping	Write	NetworkMigrationDefinitionResource*
StartReplication	Grants permission to start replication	Write	SourceServerResource*
StartTest	Grants permission to start test	Write	SourceServerResource*		ec2:AttachVolume ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateLaunchTemplate ec2:CreateLaunchTemplateVersion ec2:CreateSecurityGroup ec2:CreateSnapshot ec2:CreateTags ec2:CreateVolume ec2:DeleteLaunchTemplateVersions ec2:DeleteSnapshot ec2:DeleteVolume ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceStatus ec2:DescribeInstanceTypes ec2:DescribeInstances ec2:DescribeLaunchTemplateVersions ec2:DescribeLaunchTemplates ec2:DescribeSecurityGroups ec2:DescribeSnapshots ec2:DescribeSubnets ec2:DescribeVolumes ec2:DetachVolume ec2:ModifyInstanceAttribute ec2:ModifyLaunchTemplate ec2:ReportInstanceStatus ec2:RevokeSecurityGroupEgress ec2:RunInstances ec2:StartInstances ec2:StopInstances ec2:TerminateInstances iam:PassRole mgn:ListTagsForResource
StartTest	Grants permission to start test	Write		aws:RequestTag/${TagKey} aws:TagKeys
StopReplication	Grants permission to stop replication	Write	SourceServerResource*
TagResource	Grants permission to assign a resource tag	Tagging	ApplicationResource
			ConnectorResource
			JobResource
			LaunchConfigurationTemplateResource
			ReplicationConfigurationTemplateResource
			SourceServerResource
			VcenterClientResource
			WaveResource
				aws:RequestTag/${TagKey} mgn:CreateAction aws:TagKeys
TerminateTargetInstances	Grants permission to terminate target instances	Write	SourceServerResource*		ec2:DeleteVolume ec2:DescribeInstances ec2:DescribeVolumes ec2:TerminateInstances
TerminateTargetInstances	Grants permission to terminate target instances	Write		aws:RequestTag/${TagKey} aws:TagKeys
UnarchiveApplication	Grants permission to unarchive an application	Write	ApplicationResource*
UnarchiveWave	Grants permission to unarchive a wave	Write	WaveResource*
UntagResource	Grants permission to untag a resource	Tagging	ApplicationResource
			ConnectorResource
			JobResource
			LaunchConfigurationTemplateResource
			ReplicationConfigurationTemplateResource
			SourceServerResource
			VcenterClientResource
			WaveResource
				aws:TagKeys
UpdateAgentBacklogForMgn [permission only]	Grants permission to update agent backlog	Write	SourceServerResource*
UpdateAgentConversionInfoForMgn [permission only]	Grants permission to update agent conversion info	Write	SourceServerResource*
UpdateAgentReplicationInfoForMgn [permission only]	Grants permission to update agent replication info	Write	SourceServerResource*
UpdateAgentReplicationProcessStateForMgn [permission only]	Grants permission to update agent replication process state	Write	SourceServerResource*
UpdateAgentSourcePropertiesForMgn [permission only]	Grants permission to update agent source properties	Write	SourceServerResource*
UpdateApplication	Grants permission to update an application	Write	ApplicationResource*
UpdateConnector	Grants permission to update connector	Write	ConnectorResource*
UpdateLaunchConfiguration	Grants permission to update launch configuration	Write	SourceServerResource*
UpdateLaunchConfigurationTemplate	Grants permission to update launch configuration	Write	LaunchConfigurationTemplateResource*
UpdateNetworkMigrationDefinition	Grants permission to update a network migration definition	Write	NetworkMigrationDefinitionResource*
UpdateNetworkMigrationMapperSegment	Grants permission to update a network migration mapper segment	Write	NetworkMigrationDefinitionResource*
UpdateNetworkMigrationMapperSegmentConstruct	Grants permission to update a network migration mapper segment construct	Write	NetworkMigrationDefinitionResource*
UpdateReplicationConfiguration	Grants permission to update replication configuration	Write	SourceServerResource*
UpdateReplicationConfigurationTemplate	Grants permission to update replication configuration template	Write	ReplicationConfigurationTemplateResource*
UpdateSourceServer	Grants permission to update source server	Write	SourceServerResource*
UpdateSourceServerReplicationType	Grants permission to update source server replication type	Write	SourceServerResource*
UpdateWave	Grants permission to update a wave	Write	WaveResource*
VerifyClientRoleForMgn [permission only]	Grants permission to verify client role	Read

Resource types defined by AWS Application Migration Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
JobResource	`arn:${Partition}:mgn:${Region}:${Account}:job/${JobID}`	aws:ResourceTag/${TagKey}
ReplicationConfigurationTemplateResource	`arn:${Partition}:mgn:${Region}:${Account}:replication-configuration-template/${ReplicationConfigurationTemplateID}`	aws:ResourceTag/${TagKey}
LaunchConfigurationTemplateResource	`arn:${Partition}:mgn:${Region}:${Account}:launch-configuration-template/${LaunchConfigurationTemplateID}`	aws:ResourceTag/${TagKey}
VcenterClientResource	`arn:${Partition}:mgn:${Region}:${Account}:vcenter-client/${VcenterClientID}`	aws:ResourceTag/${TagKey}
SourceServerResource	`arn:${Partition}:mgn:${Region}:${Account}:source-server/${SourceServerID}`	aws:ResourceTag/${TagKey}
ApplicationResource	`arn:${Partition}:mgn:${Region}:${Account}:application/${ApplicationID}`	aws:ResourceTag/${TagKey}
WaveResource	`arn:${Partition}:mgn:${Region}:${Account}:wave/${WaveID}`	aws:ResourceTag/${TagKey}
ImportResource	`arn:${Partition}:mgn:${Region}:${Account}:import/${ImportID}`	aws:ResourceTag/${TagKey}
ExportResource	`arn:${Partition}:mgn:${Region}:${Account}:export/${ExportID}`	aws:ResourceTag/${TagKey}
ConnectorResource	`arn:${Partition}:mgn:${Region}:${Account}:connector/${ConnectorID}`	aws:ResourceTag/${TagKey}
NetworkMigrationDefinitionResource	`arn:${Partition}:mgn:${Region}:${Account}:network-migration-definition/${NetworkMigrationDefinitionID}`	aws:ResourceTag/${TagKey}

Condition keys for AWS Application Migration Service

AWS Application Migration Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by presence of tag key-value pairs in the request	String
aws:ResourceTag/${TagKey}	Filters access by tag key-value pairs attached to the resource	String
aws:TagKeys	Filters access by presence of tag keys in the request	ArrayOfString
mgn:CreateAction	Filters access by the name of a resource-creating API action	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Application Discovery Service

Amazon Application Recovery Controller - Zonal Shift