Actions, resources, and condition keys for AWS Database Migration Service
AWS Database Migration Service (service prefix: dms) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by AWS Database Migration Service
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. The Resource types (*required) column of the Actions table links to the resource type that applies to an action, and the Condition keys column of the Resource types table lists the resource condition keys that apply to that action.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
---|---|---|---|---|---
AddTagsToResource | Grants permission to add metadata tags to DMS resources, including replication instances, endpoints, security groups, and migration tasks | Tagging | | |
ApplyPendingMaintenanceAction | Grants permission to apply a pending maintenance action to a resource (for example, to a replication instance) | Write | | |
AssociateExtensionPack | Grants permission to associate an extension pack | Write | | | dms:StartExtensionPackAssociation
BatchStartRecommendations | Grants permission to start the analysis of up to 20 source databases to recommend target engines for each source database | Write | | |
CancelMetadataModelAssessment | Grants permission to cancel a single metadata model assessment run | Write | | |
CancelMetadataModelConversion | Grants permission to cancel a single metadata model conversion run | Write | | |
CancelMetadataModelExport | Grants permission to cancel a single metadata model export run | Write | | |
CancelReplicationTaskAssessmentRun | Grants permission to cancel a single premigration assessment run | Write | | |
CreateDataMigration | Grants permission to create a database migration using the provided settings | Write | | | iam:PassRole
CreateDataProvider | Grants permission to create a data provider using the provided settings | Write | | | iam:PassRole
CreateEndpoint | Grants permission to create an endpoint using the provided settings | Write | | | iam:PassRole
CreateEventSubscription | Grants permission to create an AWS DMS event notification subscription | Write | | |
CreateFleetAdvisorCollector | Grants permission to create a Fleet Advisor collector using the specified parameters | Write | | | iam:PassRole
CreateInstanceProfile | Grants permission to create an instance profile using the provided settings | Write | | | iam:PassRole
CreateMigrationProject | Grants permission to create a migration project using the provided settings | Write | | | iam:PassRole
CreateReplicationConfig | Grants permission to create a replication config using the provided settings | Write | | |
CreateReplicationInstance | Grants permission to create a replication instance using the specified parameters | Write | | | iam:PassRole
CreateReplicationSubnetGroup | Grants permission to create a replication subnet group given a list of the subnet IDs in a VPC | Write | | |
CreateReplicationTask | Grants permission to create a replication task using the specified parameters | Write | | |
DeleteCertificate | Grants permission to delete the specified certificate | Write | | |
DeleteConnection | Grants permission to delete the specified connection between a replication instance and an endpoint | Write | | |
DeleteDataMigration | Grants permission to delete the specified database migration | Write | | |
DeleteDataProvider | Grants permission to delete the specified data provider | Write | | |
DeleteEndpoint | Grants permission to delete the specified endpoint | Write | | |
DeleteEventSubscription | Grants permission to delete an AWS DMS event subscription | Write | | |
DeleteFleetAdvisorCollector | Grants permission to delete the specified Fleet Advisor collector | Write | | |
DeleteFleetAdvisorDatabases | Grants permission to delete the specified Fleet Advisor databases | Write | | |
DeleteInstanceProfile | Grants permission to delete the specified instance profile | Write | | |
DeleteMigrationProject | Grants permission to delete the specified migration project | Write | | |
DeleteReplicationConfig | Grants permission to delete the specified replication config | Write | | |
DeleteReplicationInstance | Grants permission to delete the specified replication instance | Write | | |
DeleteReplicationSubnetGroup | Grants permission to delete a subnet group | Write | | |
DeleteReplicationTask | Grants permission to delete the specified replication task | Write | | |
DeleteReplicationTaskAssessmentRun | Grants permission to delete the record of a single premigration assessment run | Write | | |
DescribeAccountAttributes | Grants permission to list all of the AWS DMS attributes for a customer account | Read | | |
DescribeApplicableIndividualAssessments | Grants permission to list individual assessments that you can specify for a new premigration assessment run | Read | | |
DescribeCertificates | Grants permission to provide a description of the certificate | Read | | |
DescribeConnections | Grants permission to describe the status of the connections that have been made between the replication instance and an endpoint | Read | | |
DescribeConversionConfiguration | Grants permission to return information about DMS Schema Conversion project configuration | Read | | |
DescribeDataMigrations | Grants permission to return information about database migrations for your account in the specified region | Read | | |
DescribeDataProviders [permission only] | Grants permission to list the AWS DMS attributes for data providers. Note: add this action together with ListDataProviders; on its own it does not currently authorize the described Schema Conversion operation | Read | | | dms:ListDataProviders
DescribeEndpointSettings | Grants permission to return the possible endpoint settings available when you create an endpoint for a specific database engine | Read | | |
DescribeEndpointTypes | Grants permission to return information about the type of endpoints available | Read | | |
DescribeEndpoints | Grants permission to return information about the endpoints for your account in the current region | Read | | |
DescribeEngineVersions | Grants permission to return information about the available versions for DMS replication instances | Read | | |
DescribeEventCategories | Grants permission to list categories for all event source types, or, if specified, for a specified source type | Read | | |
DescribeEventSubscriptions | Grants permission to list all the event subscriptions for a customer account | Read | | |
DescribeEvents | Grants permission to list events for a given source identifier and source type | Read | | |
DescribeExtensionPackAssociations [permission only] | Grants permission to list the AWS DMS attributes for extension packs. Note: add this action together with ListExtensionPacks; on its own it does not currently authorize the described Schema Conversion operation | Read | | | dms:ListExtensionPacks
DescribeFleetAdvisorCollectors | Grants permission to return a paginated list of Fleet Advisor collectors in your account based on filter settings | Read | | |
DescribeFleetAdvisorDatabases | Grants permission to return a paginated list of Fleet Advisor databases in your account based on filter settings | Read | | |
DescribeFleetAdvisorLsaAnalysis | Grants permission to return a paginated list of descriptions of large-scale assessment (LSA) analyses produced by your Fleet Advisor collectors | Read | | |
DescribeFleetAdvisorSchemaObjectSummary | Grants permission to return a paginated list of descriptions of schemas discovered by your Fleet Advisor collectors based on filter settings | Read | | |
DescribeFleetAdvisorSchemas | Grants permission to return a paginated list of schemas discovered by your Fleet Advisor collectors based on filter settings | Read | | |
DescribeInstanceProfiles [permission only] | Grants permission to list the AWS DMS attributes for instance profiles. Note: add this action together with ListInstanceProfiles; on its own it does not currently authorize the described Schema Conversion operation | Read | | | dms:ListInstanceProfiles
DescribeMetadataModelAssessments [permission only] | Grants permission to list the AWS DMS attributes for metadata model assessments. Note: add this action together with ListMetadataModelAssessments; on its own it does not currently authorize the described Schema Conversion operation | Read | | | dms:ListMetadataModelAssessments
DescribeMetadataModelConversions [permission only] | Grants permission to list the AWS DMS attributes for metadata model conversions. Note: add this action together with ListMetadataModelConversions; on its own it does not currently authorize the described Schema Conversion operation | Read | | | dms:ListMetadataModelConversions
DescribeMetadataModelExportsAsScript [permission only] | Grants permission to list the AWS DMS attributes for metadata model exports. Note: add this action together with ListMetadataModelExports; on its own it does not currently authorize the described Schema Conversion operation | Read | | | dms:ListMetadataModelExports
DescribeMetadataModelExportsToTarget [permission only] | Grants permission to list the AWS DMS attributes for metadata model exports. Note: add this action together with ListMetadataModelExports; on its own it does not currently authorize the described Schema Conversion operation | Read | | | dms:ListMetadataModelExports
DescribeMetadataModelImports | Grants permission to return information about metadata model import operations started for a migration project | Read | | |
DescribeMigrationProjects [permission only] | Grants permission to list the AWS DMS attributes for migration projects. Note: add this action together with ListMigrationProjects; on its own it does not currently authorize the described Schema Conversion operation | Read | | | dms:ListMigrationProjects
DescribeOrderableReplicationInstances | Grants permission to return information about the replication instance types that can be created in the specified region | Read | | |
DescribePendingMaintenanceActions | Grants permission to return information about pending maintenance actions | Read | | |
DescribeRecommendationLimitations | Grants permission to return a paginated list of descriptions of limitations for recommendations of target AWS engines | Read | | |
DescribeRecommendations | Grants permission to return a paginated list of descriptions of target engine recommendations for your source databases | Read | | |
DescribeRefreshSchemasStatus | Grants permission to return the status of the RefreshSchemas operation | Read | | |
DescribeReplicationConfigs | Grants permission to describe replication configs | Read | | |
DescribeReplicationInstanceTaskLogs | Grants permission to return information about the task logs for the specified task | Read | | |
DescribeReplicationInstances | Grants permission to return information about replication instances for your account in the current region | Read | | |
DescribeReplicationSubnetGroups | Grants permission to return information about the replication subnet groups | Read | | |
DescribeReplicationTableStatistics | Grants permission to describe replication table statistics | Read | | |
DescribeReplicationTaskAssessmentResults | Grants permission to return the latest task assessment results from Amazon S3 | Read | | |
DescribeReplicationTaskAssessmentRuns | Grants permission to return a paginated list of premigration assessment runs based on filter settings | Read | | |
DescribeReplicationTaskIndividualAssessments | Grants permission to return a paginated list of individual assessments based on filter settings | Read | | |
DescribeReplicationTasks | Grants permission to return information about replication tasks for your account in the current region | Read | | |
DescribeReplications | Grants permission to describe replications | Read | | |
DescribeSchemas | Grants permission to return information about the schema for the specified endpoint | Read | | |
DescribeTableStatistics | Grants permission to return table statistics on the database migration task, including table name, rows inserted, rows updated, and rows deleted | Read | | |
DisassociateExtensionPack | Grants permission to disassociate an extension pack | Write | | |
ExportMetadataModelAssessment | Grants permission to export the specified metadata model assessment | Write | | |
GetMetadataModel | Grants permission to list all of the AWS DMS attributes for a metadata model. Note: although this action requires StartMetadataModelImport, that action does not on its own currently authorize the described Schema Conversion operation | Read | | | dms:StartMetadataModelImport
ImportCertificate | Grants permission to upload the specified certificate | Write | | |
ListDataProviders | Grants permission to list the AWS DMS attributes for data providers | Read | | | dms:DescribeDataProviders
ListExtensionPacks | Grants permission to list the AWS DMS attributes for extension packs | Read | | | dms:DescribeExtensionPackAssociations
ListInstanceProfiles | Grants permission to list the AWS DMS attributes for instance profiles | Read | | | dms:DescribeInstanceProfiles
ListMetadataModelAssessmentActionItems | Grants permission to list the AWS DMS attributes for metadata model assessment action items. Note: although this action requires StartMetadataModelImport, that action does not on its own currently authorize the described Schema Conversion operation | Read | | | dms:StartMetadataModelImport
ListMetadataModelAssessments | Grants permission to list the AWS DMS attributes for metadata model assessments | Read | | | dms:DescribeMetadataModelAssessments
ListMetadataModelConversions | Grants permission to list the AWS DMS attributes for metadata model conversions | Read | | | dms:DescribeMetadataModelConversions
ListMetadataModelExports | Grants permission to list the AWS DMS attributes for metadata model exports | Read | | | dms:DescribeMetadataModelExportsAsScript, dms:DescribeMetadataModelExportsToTarget
ListMigrationProjects | Grants permission to list the AWS DMS attributes for migration projects. Note: although this action requires DescribeMigrationProjects and DescribeConversionConfiguration, neither of those actions on its own currently authorizes the described Schema Conversion operation | Read | | | dms:DescribeConversionConfiguration, dms:DescribeMigrationProjects
ListTagsForResource | Grants permission to list all tags for an AWS DMS resource | Read | | |
ModifyConversionConfiguration [permission only] | Grants permission to update a conversion configuration. Note: add this action together with UpdateConversionConfiguration; on its own it does not currently authorize the described Schema Conversion operation | Write | | | dms:UpdateConversionConfiguration
ModifyDataMigration | Grants permission to modify the specified database migration | Write | | | iam:PassRole
ModifyDataProvider [permission only] | Grants permission to modify the specified data provider. Note: add this action together with UpdateDataProvider; on its own it does not currently authorize the described Schema Conversion operation | Write | | | dms:UpdateDataProvider, iam:PassRole
ModifyEndpoint | Grants permission to modify the specified endpoint | Write | | | iam:PassRole
ModifyEventSubscription | Grants permission to modify an existing AWS DMS event notification subscription | Write | | |
ModifyFleetAdvisorCollector [permission only] | Grants permission to modify the name and description of the specified Fleet Advisor collector | Write | | |
ModifyFleetAdvisorCollectorStatuses [permission only] | Grants permission to modify the status of the specified Fleet Advisor collector | Write | | |
ModifyInstanceProfile [permission only] | Grants permission to modify the specified instance profile. Note: add this action together with UpdateInstanceProfile; on its own it does not currently authorize the described Schema Conversion operation | Write | | | dms:UpdateInstanceProfile, iam:PassRole
ModifyMigrationProject [permission only] | Grants permission to modify the specified migration project. Note: add this action together with UpdateMigrationProject; on its own it does not currently authorize the described Schema Conversion operation | Write | | | dms:UpdateMigrationProject, iam:PassRole
ModifyReplicationConfig | Grants permission to modify the specified replication config | Write | | |
ModifyReplicationInstance | Grants permission to modify the replication instance to apply new settings | Write | | |
ModifyReplicationSubnetGroup | Grants permission to modify the settings for the specified replication subnet group | Write | | |
ModifyReplicationTask | Grants permission to modify the specified replication task | Write | | |
MoveReplicationTask | Grants permission to move the specified replication task to a different replication instance | Write | | |
RebootReplicationInstance | Grants permission to reboot a replication instance. Rebooting results in a momentary outage, until the replication instance becomes available again | Write | | |
RefreshSchemas | Grants permission to populate the schema for the specified endpoint | Write | | |
ReloadReplicationTables | Grants permission to reload the target database table with the source for a replication | Write | | |
ReloadTables | Grants permission to reload the target database table with the source data | Write | | |
RemoveTagsFromResource | Grants permission to remove metadata tags from a DMS resource | Tagging | | |
RunFleetAdvisorLsaAnalysis | Grants permission to run a large-scale assessment (LSA) analysis on every Fleet Advisor collector in your account | Write | | |
StartDataMigration | Grants permission to start the database migration | Write | | |
StartExtensionPackAssociation [permission only] | Grants permission to associate an extension pack. Note: add this action together with AssociateExtensionPack; on its own it does not currently authorize the described Schema Conversion operation | Write | | | dms:AssociateExtensionPack
StartMetadataModelAssessment | Grants permission to start a new assessment of a metadata model | Write | | |
StartMetadataModelConversion | Grants permission to start a new conversion of a metadata model | Write | | |
StartMetadataModelExportAsScript [permission only] | Grants permission to start a new export of a metadata model as a script. Note: add this action together with StartMetadataModelExportAsScripts; on its own it does not currently authorize the described Schema Conversion operation | Write | | | dms:StartMetadataModelExportAsScripts
StartMetadataModelExportAsScripts | Grants permission to start a new export of a metadata model as a script | Write | | | dms:StartMetadataModelExportAsScript
StartMetadataModelExportToTarget | Grants permission to start a new export of a metadata model to a target | Write | | |
StartMetadataModelImport | Grants permission to start a new import of a metadata model | Write | | |
StartRecommendations | Grants permission to start the analysis of your source database to provide recommendations of target engines | Write | | |
StartReplication | Grants permission to start a replication | Write | | |
StartReplicationTask | Grants permission to start the replication task | Write | | |
StartReplicationTaskAssessment | Grants permission to start the replication task assessment for unsupported data types in the source database | Write | | |
StartReplicationTaskAssessmentRun | Grants permission to start a new premigration assessment run for one or more individual assessments of a migration task | Write | | | iam:PassRole
StopDataMigration | Grants permission to stop the database migration | Write | | |
StopReplication | Grants permission to stop a replication | Write | | |
StopReplicationTask | Grants permission to stop the replication task | Write | | |
TestConnection | Grants permission to test the connection between the replication instance and the endpoint | Read | | |
UpdateConversionConfiguration | Grants permission to update a conversion configuration | Write | | | dms:ModifyConversionConfiguration
UpdateDataProvider | Grants permission to update the specified data provider | Write | | | dms:ModifyDataProvider
UpdateInstanceProfile | Grants permission to update the specified instance profile | Write | | | dms:ModifyInstanceProfile
UpdateMigrationProject | Grants permission to update the specified migration project | Write | | | dms:ModifyMigrationProject
UpdateSubscriptionsToEventBridge | Grants permission to migrate DMS subscriptions to EventBridge | Write | | |
UploadFileMetadataList [permission only] | Grants permission to upload files to your Amazon S3 bucket | Write | | |
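The Dependent actions column is where least-privilege DMS policies most often break: a statement that allows dms:CreateEndpoint without iam:PassRole, or dms:ListDataProviders without dms:DescribeDataProviders, passes review and then fails at call time. The following is an added example, not AWS tooling and not code from this page: a small linter that reads an identity policy, works out which DMS actions it can grant, and reports every dependent action from the table that the same policy does not also allow. It also flags iam:PassRole granted on Resource "*", since that lets the caller hand DMS any role in the account. The DEPENDENT_ACTIONS map is an excerpt transcribed from the table above (extend it from the table as needed); the two policies, the account ID and the role name pattern are constructed.

```python
"""Lint an IAM policy against the DMS dependent-actions column.

Added example, not AWS tooling. DEPENDENT_ACTIONS is an excerpt transcribed
from the Actions table on this page; the policies are constructed.
"""
import fnmatch

# A statement that allows the key action only works if the caller is also
# allowed every action listed for it (excerpt of the Dependent actions column).
DEPENDENT_ACTIONS = {
    "dms:AssociateExtensionPack": ["dms:StartExtensionPackAssociation"],
    "dms:CreateDataProvider": ["iam:PassRole"],
    "dms:CreateEndpoint": ["iam:PassRole"],
    "dms:CreateReplicationInstance": ["iam:PassRole"],
    "dms:GetMetadataModel": ["dms:StartMetadataModelImport"],
    "dms:ListDataProviders": ["dms:DescribeDataProviders"],
    "dms:ListMetadataModelExports": [
        "dms:DescribeMetadataModelExportsAsScript",
        "dms:DescribeMetadataModelExportsToTarget",
    ],
    "dms:ListMigrationProjects": [
        "dms:DescribeConversionConfiguration",
        "dms:DescribeMigrationProjects",
    ],
    "dms:ModifyEndpoint": ["iam:PassRole"],
    "dms:StartReplicationTaskAssessmentRun": ["iam:PassRole"],
    "dms:UpdateDataProvider": ["dms:ModifyDataProvider"],
}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action names match case-insensitively with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statements(policy, effect):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == effect]


def is_allowed(policy, action):
    """True if an Allow statement matches the action and no Deny does.

    Conditions, NotAction and NotResource are ignored on purpose: the lint
    asks whether the policy could ever grant the action, not whether it
    grants it for one specific request.
    """
    allows = any(_matches(action, _as_list(s.get("Action"))) for s in _statements(policy, "Allow"))
    denies = any(_matches(action, _as_list(s.get("Action"))) for s in _statements(policy, "Deny"))
    return allows and not denies


def missing_dependencies(policy):
    """Map each allowed DMS action to the dependent actions the policy lacks."""
    gaps = {}
    for action, deps in DEPENDENT_ACTIONS.items():
        if is_allowed(policy, action):
            missing = [d for d in deps if not is_allowed(policy, d)]
            if missing:
                gaps[action] = missing
    return gaps


def unscoped_passrole(policy):
    """True if iam:PassRole is allowed on Resource "*" (any role in the account)."""
    return any(
        _matches("iam:PassRole", _as_list(s.get("Action"))) and "*" in _as_list(s.get("Resource"))
        for s in _statements(policy, "Allow")
    )


# Constructed policies; the account ID and role name pattern are placeholders.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dms:CreateEndpoint", "dms:ListDataProviders", "dms:DescribeEndpoints"],
        "Resource": "*",
    }],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dms:CreateEndpoint", "dms:ListDataProviders",
                       "dms:DescribeDataProviders", "dms:DescribeEndpoints"],
            "Resource": "*",
        },
        {   # PassRole limited to the DMS roles and to the DMS service principal
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/dms-*",
            "Condition": {"StringEquals": {"iam:PassedToService": "dms.amazonaws.com"}},
        },
    ],
}

if __name__ == "__main__":
    print("broken:", missing_dependencies(BROKEN_POLICY))
    print("fixed:", missing_dependencies(FIXED_POLICY))
```

Run it on a policy that grants dms:* and the only gap reported is iam:PassRole, which is exactly the grant that should be added as a separate, narrowly scoped statement rather than by widening the DMS statement.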
Resource types defined by AWS Database Migration Service
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys
---|---|---
Certificate | arn:${Partition}:dms:${Region}:${Account}:cert:* |
DataProvider | arn:${Partition}:dms:${Region}:${Account}:data-provider:* |
DataMigration | arn:${Partition}:dms:${Region}:${Account}:data-migration:* |
Endpoint | arn:${Partition}:dms:${Region}:${Account}:endpoint:* |
EventSubscription | arn:${Partition}:dms:${Region}:${Account}:es:* |
InstanceProfile | arn:${Partition}:dms:${Region}:${Account}:instance-profile:* |
MigrationProject | arn:${Partition}:dms:${Region}:${Account}:migration-project:* |
ReplicationConfig | arn:${Partition}:dms:${Region}:${Account}:replication-config:* |
ReplicationInstance | arn:${Partition}:dms:${Region}:${Account}:rep:* |
ReplicationSubnetGroup | arn:${Partition}:dms:${Region}:${Account}:subgrp:* |
ReplicationTask | arn:${Partition}:dms:${Region}:${Account}:task:* |
ReplicationTaskAssessmentRun | arn:${Partition}:dms:${Region}:${Account}:assessment-run:* |
ReplicationTaskIndividualAssessment | arn:${Partition}:dms:${Region}:${Account}:individual-assessment:* |
Condition keys for AWS Database Migration Service
AWS Database Migration Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
aws:ResourceTag/${TagKey} | Filters access by the presence of tag key-value pairs attached to the resource | String |
aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |
dms:assessment-run-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for AssessmentRun | String |
dms:cert-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for Certificate | String |
dms:data-migration-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for DataMigration | String |
dms:data-provider-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for DataProvider | String |
dms:endpoint-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for Endpoint | String |
dms:es-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for EventSubscription | String |
dms:individual-assessment-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for IndividualAssessment | String |
dms:instance-profile-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for InstanceProfile | String |
dms:migration-project-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for MigrationProject | String |
dms:rep-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for ReplicationInstance | String |
dms:replication-config-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for ReplicationConfig | String |
dms:req-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the given request | String |
dms:subgrp-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for ReplicationSubnetGroup | String |
dms:task-tag/${TagKey} | Filters access by the presence of tag key-value pairs in the request for ReplicationTask | String |
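The resource ARN formats and the tag condition keys above are what turn a DMS policy from "all endpoints" into "only the dev endpoints, and only new endpoints tagged correctly". The following is an added example, not AWS tooling and not code from this page: an offline evaluator that applies one identity policy to a request, matching the Action, the Resource ARN (using the endpoint and replication-instance ARN forms from the Resource types table) and the Condition blocks, and returning Allow, an explicit Deny, or the implicit deny. It models two IAM rules that matter for tag conditions: a condition key missing from the request makes a plain StringEquals false, while a ForAllValues: operator is vacuously true for a missing key, which is why a mandatory tag needs a plain check on the tag value as well as a ForAllValues check on aws:TagKeys. The policy, the placeholder account ID, the resource identifiers and the request contexts are constructed. Which condition keys a given DMS action actually honours comes from the Condition keys column of the full Actions table; this example assumes dms:req-tag on CreateEndpoint and aws:ResourceTag on the endpoint and replication-instance actions.

```python
"""Offline model of how an ARN-scoped, tag-conditioned DMS statement evaluates.

Added example: the ARN forms and condition keys are those listed on this page;
the evaluator is a simplified model of IAM (StringEquals/StringLike, the
ForAllValues/ForAnyValue set operators, explicit Deny wins), not the real
engine. The policy, account ID and requests are constructed.
"""
import fnmatch


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _compare(op, expected, actual):
    if op == "StringEquals":
        return actual == expected
    if op == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"operator not modelled: {op}")


def _condition_holds(operator, block, context):
    """One operator block ({key: value-or-list}) against the request context.

    A key absent from the context makes a plain operator false; ForAllValues:
    is vacuously true for an absent key, so mandatory tags must also be
    checked with a plain operator on the tag itself.
    """
    set_op, op = operator.split(":", 1) if ":" in operator else (None, operator)
    for key, expected in block.items():
        expected, actual = _as_list(expected), context.get(key)
        if actual is None:
            if set_op == "ForAllValues":
                continue
            return False
        hits = [any(_compare(op, e, a) for e in expected) for a in _as_list(actual)]
        if not (all(hits) if set_op == "ForAllValues" else any(hits)):
            return False
    return True


def _applies(stmt, request):
    """Action, Resource and every Condition block must all match."""
    action_ok = any(fnmatch.fnmatchcase(request["action"].lower(), p.lower())
                    for p in _as_list(stmt.get("Action")))
    resource_ok = any(fnmatch.fnmatchcase(request["resource"], p)
                      for p in _as_list(stmt.get("Resource")))
    cond_ok = all(_condition_holds(op, block, request.get("context", {}))
                  for op, block in stmt.get("Condition", {}).items())
    return action_ok and resource_ok and cond_ok


def evaluate(policy, request):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if _applies(stmt, request):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def request(action, resource, context=None):
    """Condition keys contain '/', so the context is passed as a dict."""
    return {"action": action, "resource": resource, "context": context or {}}


ACCOUNT = "123456789012"  # placeholder account ID

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Lifecycle actions only on endpoints already tagged Env=dev
            "Sid": "ManageDevEndpoints",
            "Effect": "Allow",
            "Action": ["dms:ModifyEndpoint", "dms:DeleteEndpoint"],
            "Resource": f"arn:aws:dms:us-east-1:{ACCOUNT}:endpoint:*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Env": "dev"}},
        },
        {   # New endpoints must carry Env=dev and no tag keys beyond Env and Owner
            "Sid": "CreateOnlyDevTagged",
            "Effect": "Allow",
            "Action": "dms:CreateEndpoint",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"dms:req-tag/Env": "dev"},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["Env", "Owner"]},
            },
        },
        {   # Guardrail: nothing at all on replication instances tagged Env=prod
            "Sid": "NoProdReplicationInstances",
            "Effect": "Deny",
            "Action": "dms:*",
            "Resource": f"arn:aws:dms:*:{ACCOUNT}:rep:*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Env": "prod"}},
        },
    ],
}
```

Two results worth checking by hand: a CreateEndpoint request with no tags at all is implicitly denied even though the ForAllValues block passes vacuously, because the plain dms:req-tag/Env check fails; and a request with tags Env=dev plus an extra Team key is denied by the ForAllValues block. The explicit Deny on prod replication instances fires even when another statement would have allowed the action, which is the behaviour you want from a guardrail statement.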