AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Application Discovery

Application Discovery (service prefix: discovery) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Application Discovery

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AssociateConfigurationItemsToApplication | Associates one or more configuration items with an application. | Write | | | |
| BatchDeleteImportData | Deletes one or more Migration Hub import tasks, each identified by their import ID. Each import task has a number of records, which can identify servers or applications. | Write | | | |
| CreateApplication | Creates an application with the given name and description. | Write | | | |
| CreateTags | Creates one or more tags for configuration items. Tags are metadata that help you categorize IT assets. This API accepts a list of multiple configuration items. | Tagging | | | |
| DeleteApplications | Deletes a list of applications and their associations with configuration items. | Write | | | |
| DeleteTags | Deletes the association between configuration items and one or more tags. This API accepts a list of multiple configuration items. | Tagging | | | |
| DescribeAgents | Lists agents or the Connector by ID or lists all agents/Connectors associated with your user account if you did not specify an ID. | Read | | | |
| DescribeConfigurations | Retrieves attributes for a list of configuration item IDs. All of the supplied IDs must be for the same asset type (server, application, process, or connection). Output fields are specific to the asset type selected. For example, the output for a server configuration item includes a list of attributes about the server, such as host name, operating system, and number of network cards. | Read | | | |
| DescribeContinuousExports | Lists exports as specified by ID. All continuous exports associated with your user account can be listed if you call DescribeContinuousExports as is without passing any parameters. | Read | | | |
| DescribeExportConfigurations | Retrieves the status of a given export process. You can retrieve status from a maximum of 100 processes. | Read | | | |
| DescribeExportTasks | Retrieve status of one or more export tasks. You can retrieve the status of up to 100 export tasks. | Read | | | |
| DescribeImportTasks | Returns an array of import tasks for your account, including status information, times, IDs, the Amazon S3 Object URL for the import file, and more. | List | | | |
| DescribeTags | Retrieves a list of configuration items that are tagged with a specific tag. Or retrieves a list of all tags assigned to a specific configuration item. | Read | | | |
| DisassociateConfigurationItemsFromApplication | Disassociates one or more configuration items from an application. | Write | | | |
| ExportConfigurations | Exports all discovered configuration data to an Amazon S3 bucket or an application that enables you to view and evaluate the data. Data includes tags and tag associations, processes, connections, servers, and system performance. | Write | | | |
| GetDiscoverySummary | Retrieves a short summary of discovered assets. | Read | | | |
| ListConfigurations | Retrieves a list of configuration items according to criteria you specify in a filter. The filter criteria identify relationship requirements. | List | | | |
| ListServerNeighbors | Retrieves a list of servers which are one network hop away from a specified server. | List | | | |
| StartContinuousExport | Start the continuous flow of agent's discovered data into Amazon Athena. | Write | | | |
| StartDataCollectionByAgentIds | Instructs the specified agents or Connectors to start collecting data. | Write | | | |
| StartExportTask | Export the configuration data about discovered configuration items and relationships to an S3 bucket in a specified format. | Write | | | |
| StartImportTask | Starts an import task. The Migration Hub import feature allows you to import details of your on-premises environment directly into AWS without having to use the Application Discovery Service (ADS) tools such as the Discovery Connector or Discovery Agent. This gives you the option to perform migration assessment and planning directly from your imported data including the ability to group your devices as applications and track their migration status. | Write | | | |
| StopContinuousExport | Stop the continuous flow of agent's discovered data into Amazon Athena. | Write | | | |
| StopDataCollectionByAgentIds | Instructs the specified agents or Connectors to stop collecting data. | Write | | | |
| UpdateApplication | Updates metadata about an application. | Write | | | |

Resources Defined by Application Discovery

Application Discovery has no service-defined resources that can be used as the Resource element of an IAM policy statement.
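
Because the service defines no resource types, a statement that grants discovery actions cannot be narrowed by ARN, so least privilege rests on the action list. The following added example (not part of the AWS guide) audits a policy document against the access levels in the actions table; the names `audit` and `expand` and the sample policy, including its S3 ARN, are constructed for illustration.

```python
import re

# Access levels copied from the actions table on this page.
LEVELS = {
    "Write": """AssociateConfigurationItemsToApplication BatchDeleteImportData
        CreateApplication DeleteApplications ExportConfigurations
        DisassociateConfigurationItemsFromApplication StartContinuousExport
        StartDataCollectionByAgentIds StartExportTask StartImportTask
        StopContinuousExport StopDataCollectionByAgentIds UpdateApplication""",
    "Tagging": "CreateTags DeleteTags",
    "Read": """DescribeAgents DescribeConfigurations DescribeContinuousExports DescribeTags
        DescribeExportConfigurations DescribeExportTasks GetDiscoverySummary""",
    "List": "DescribeImportTasks ListConfigurations ListServerNeighbors",
}
ACTION_LEVEL = {a.lower(): lvl for lvl, names in LEVELS.items() for a in names.split()}

def as_list(value):
    return value if isinstance(value, list) else [value]

def expand(pattern):
    """Return the discovery actions an IAM Action pattern matches (case-insensitive, * and ?)."""
    service, _, name = ("discovery:*" if pattern == "*" else pattern).lower().partition(":")
    if service != "discovery":
        return set()
    rx = re.escape(name).replace(r"\*", ".*").replace(r"\?", ".")
    return {a for a in ACTION_LEVEL if re.fullmatch(rx, a)}

def audit(policy, allowed_levels=("Read", "List")):
    """Flag Allow statements that exceed allowed_levels or do not use Resource "*"."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        granted = set().union(*(expand(p) for p in as_list(stmt.get("Action", []))))
        if stmt.get("Effect") != "Allow" or not granted:
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            findings.append((i, "resource-not-star"))  # page: these actions need "*"
        extra = sorted({ACTION_LEVEL[a] for a in granted} - set(allowed_levels))
        if extra:
            findings.append((i, "levels:" + ",".join(extra)))
    return findings

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed input
    {"Effect": "Allow", "Resource": "*", "Action": ["discovery:Describe*", "discovery:List*", "discovery:GetDiscoverySummary"]},
    {"Effect": "Allow", "Resource": "arn:aws:s3:::example-bucket", "Action": "discovery:Start*"},
    {"Effect": "Allow", "Resource": "*", "Action": "discovery:*Tags"},
]}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

The third statement shows why wildcards need expanding before review: `discovery:*Tags` matches the read-only DescribeTags but also CreateTags and DeleteTags.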

Condition Keys for Application Discovery

Application Discovery has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.