Actions, resources, and condition keys for AWS Database Migration Service - Service Authorization Reference

Actions, resources, and condition keys for AWS Database Migration Service

AWS Database Migration Service (service prefix: dms) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Database Migration Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddTagsToResource Grants permission to add metadata tags to DMS resources, including replication instances, endpoints, security groups, and migration tasks Tagging

Certificate

DataMigration

DataProvider

Endpoint

EventSubscription

InstanceProfile

MigrationProject

ReplicationConfig

ReplicationInstance

ReplicationSubnetGroup

ReplicationTask

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

ApplyPendingMaintenanceAction Grants permission to apply a pending maintenance action to a resource (for example, to a replication instance) Write

ReplicationInstance*

AssociateExtensionPack Grants permission to associate a extension pack Write

MigrationProject*

dms:StartExtensionPackAssociation

BatchStartRecommendations Grants permission to start the analysis of up to 20 source databases to recommend target engines for each source database Write
CancelMetadataModelAssessment Grants permission to cancel a single metadata model assessment run Write

MigrationProject*

CancelMetadataModelConversion Grants permission to cancel a single metadata model conversion run Write

MigrationProject*

CancelMetadataModelExport Grants permission to cancel a single metadata model export run Write

MigrationProject*

CancelReplicationTaskAssessmentRun Grants permission to cancel a single premigration assessment run Write

ReplicationTaskAssessmentRun*

CreateDataMigration Grants permission to create a database migration using the provided settings Write

MigrationProject*

iam:PassRole

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

CreateDataProvider Grants permission to create an data provider using the provided settings Write

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

iam:PassRole

CreateEndpoint Grants permission to create an endpoint using the provided settings Write

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

iam:PassRole

CreateEventSubscription Grants permission to create an AWS DMS event notification subscription Write

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

CreateFleetAdvisorCollector Grants permission to create a Fleet Advisor collector using the specified parameters Write

iam:PassRole

CreateInstanceProfile Grants permission to create an instance profile using the provided settings Write

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

iam:PassRole

CreateMigrationProject Grants permission to create an migration project using the provided settings Write

DataProvider*

iam:PassRole

InstanceProfile*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

CreateReplicationConfig Grants permission to create a replication config using the provided settings Write

Endpoint*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

CreateReplicationInstance Grants permission to create a replication instance using the specified parameters Write

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

iam:PassRole

CreateReplicationSubnetGroup Grants permission to create a replication subnet group given a list of the subnet IDs in a VPC Write

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

CreateReplicationTask Grants permission to create a replication task using the specified parameters Write

Endpoint*

ReplicationInstance*

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

dms:req-tag/${TagKey}

DeleteCertificate Grants permission to delete the specified certificate Write

Certificate*

DeleteConnection Grants permission to delete the specified connection between a replication instance and an endpoint Write

Endpoint*

ReplicationInstance*

DeleteDataMigration Grants permission to delete the specified database migration Write

DataMigration*

DeleteDataProvider Grants permission to delete the specified data provider Write

DataProvider*

DeleteEndpoint Grants permission to delete the specified endpoint Write

Endpoint*

DeleteEventSubscription Grants permission to delete an AWS DMS event subscription Write

EventSubscription*

DeleteFleetAdvisorCollector Grants permission to delete the specified Fleet Advisor collector Write
DeleteFleetAdvisorDatabases Grants permission to delete the specified Fleet Advisor databases Write
DeleteInstanceProfile Grants permission to delete the specified instance profile Write

InstanceProfile*

DeleteMigrationProject Grants permission to delete the specified migration project Write

MigrationProject*

DeleteReplicationConfig Grants permission to delete the specified replication config Write

ReplicationConfig*

DeleteReplicationInstance Grants permission to delete the specified replication instance Write

ReplicationInstance*

DeleteReplicationSubnetGroup Grants permission to deletes a subnet group Write

ReplicationSubnetGroup*

DeleteReplicationTask Grants permission to delete the specified replication task Write

ReplicationTask*

DeleteReplicationTaskAssessmentRun Grants permission to delete the record of a single premigration assessment run Write

ReplicationTaskAssessmentRun*

DescribeAccountAttributes Grants permission to list all of the AWS DMS attributes for a customer account Read
DescribeApplicableIndividualAssessments Grants permission to list individual assessments that you can specify for a new premigration assessment run Read

ReplicationInstance

ReplicationTask

DescribeCertificates Grants permission to provide a description of the certificate Read
DescribeConnections Grants permission to describe the status of the connections that have been made between the replication instance and an endpoint Read
DescribeConversionConfiguration Grants permission to return information about DMS Schema Conversion project configuration Read

MigrationProject*

DescribeDataMigrations Grants permission to return information about database migrations for your account in the specified region Read
DescribeDataProviders [permission only] Grants permission to list the AWS DMS attributes for a data providers. Note. This action should be added along with ListDataProviders, but does not currently authorize the described Schema Conversion operation Read

DataProvider

dms:ListDataProviders

DescribeEndpointSettings Grants permission to return the possible endpoint settings available when you create an endpoint for a specific database engine Read
DescribeEndpointTypes Grants permission to return information about the type of endpoints available Read
DescribeEndpoints Grants permission to return information about the endpoints for your account in the current region Read
DescribeEngineVersions Grants permission to return information about the available versions for DMS replication instances Read
DescribeEventCategories Grants permission to list categories for all event source types, or, if specified, for a specified source type Read
DescribeEventSubscriptions Grants permission to list all the event subscriptions for a customer account Read
DescribeEvents Grants permission to list events for a given source identifier and source type Read
DescribeExtensionPackAssociations [permission only] Grants permission to list the AWS DMS attributes for extension packs. Note. This action should be added along with ListExtensionPacks, but does not currently authorize the described Schema Conversion operation Read

MigrationProject*

dms:ListExtensionPacks

DescribeFleetAdvisorCollectors Grants permission to return a paginated list of Fleet Advisor collectors in your account based on filter settings Read
DescribeFleetAdvisorDatabases Grants permission to return a paginated list of Fleet Advisor databases in your account based on filter settings Read
DescribeFleetAdvisorLsaAnalysis Grants permission to return a paginated list of descriptions of large-scale assessment (LSA) analyses produced by your Fleet Advisor collectors Read
DescribeFleetAdvisorSchemaObjectSummary Grants permission to return a paginated list of descriptions of schemas discovered by your Fleet Advisor collectors based on filter settings Read
DescribeFleetAdvisorSchemas Grants permission to return a paginated list of schemas discovered by your Fleet Advisor collectors based on filter settings Read
DescribeInstanceProfiles [permission only] Grants permission to list the AWS DMS attributes for a instance profiles. Note. This action should be added along with ListInstanceProfiles, but does not currently authorize the described Schema Conversion operation Read

InstanceProfile

dms:ListInstanceProfiles

DescribeMetadataModelAssessments [permission only] Grants permission to list the AWS DMS attributes for metadata model assessments. Note. This action should be added along with ListMetadataModelAssessments, but does not currently authorize the described Schema Conversion operation Read

MigrationProject*

dms:ListMetadataModelAssessments

DescribeMetadataModelConversions [permission only] Grants permission to list the AWS DMS attributes for a metadata model conversions. Note. This action should be added along with ListMetadataModelConversions, but does not currently authorize the described Schema Conversion operation Read

MigrationProject*

dms:ListMetadataModelConversions

DescribeMetadataModelExportsAsScript [permission only] Grants permission to list the AWS DMS attributes for a metadata model exports. Note. This action should be added along with ListMetadataModelExports, but does not currently authorize the described Schema Conversion operation Read

MigrationProject*

dms:ListMetadataModelExports

DescribeMetadataModelExportsToTarget [permission only] Grants permission to list the AWS DMS attributes for a metadata model exports. Note. This action should be added along with ListMetadataModelExports, but does not currently authorize the described Schema Conversion operation Read

MigrationProject*

dms:ListMetadataModelExports

DescribeMetadataModelImports Grants permission to return information about start metadata model import operations for a migration project Read

MigrationProject*

DescribeMigrationProjects [permission only] Grants permission to list the AWS DMS attributes for a migration projects. Note. This action should be added along with ListMigrationProjects, but does not currently authorize the described Schema Conversion operation Read

DataProvider

dms:ListMigrationProjects

InstanceProfile

MigrationProject

DescribeOrderableReplicationInstances Grants permission to return information about the replication instance types that can be created in the specified region Read
DescribePendingMaintenanceActions Grants permission to return information about pending maintenance actions Read
DescribeRecommendationLimitations Grants permission to return a paginated list of descriptions of limitations for recommendations of target AWS engines Read
DescribeRecommendations Grants permission to return a paginated list of descriptions of target engine recommendations for your source databases Read
DescribeRefreshSchemasStatus Grants permission to returns the status of the RefreshSchemas operation Read

Endpoint*

DescribeReplicationConfigs Grants permission to describe replication configs Read
DescribeReplicationInstanceTaskLogs Grants permission to return information about the task logs for the specified task Read

ReplicationInstance*

aws:ResourceTag/${TagKey}

aws:TagKeys

DescribeReplicationInstances Grants permission to return information about replication instances for your account in the current region Read
DescribeReplicationSubnetGroups Grants permission to return information about the replication subnet groups Read
DescribeReplicationTableStatistics Grants permission to describe replication table statistics Read

ReplicationConfig*

DescribeReplicationTaskAssessmentResults Grants permission to return the latest task assessment results from Amazon S3 Read

ReplicationTask

DescribeReplicationTaskAssessmentRuns Grants permission to return a paginated list of premigration assessment runs based on filter settings Read

ReplicationInstance

ReplicationTask

ReplicationTaskAssessmentRun

DescribeReplicationTaskIndividualAssessments Grants permission to return a paginated list of individual assessments based on filter settings Read

ReplicationTask

ReplicationTaskAssessmentRun

DescribeReplicationTasks Grants permission to return information about replication tasks for your account in the current region Read
DescribeReplications Grants permission to describe replications Read
DescribeSchemas Grants permission to return information about the schema for the specified endpoint Read

Endpoint*

DescribeTableStatistics Grants permission to return table statistics on the database migration task, including table name, rows inserted, rows updated, and rows deleted Read

ReplicationTask*

DisassociateExtensionPack Grants permission to disassociate a extension pack Write

MigrationProject*

ExportMetadataModelAssessment Grants permission to export the specified metadata model assessment Write

MigrationProject

GetMetadataModel Grants permission to list all of the AWS DMS attributes for a metadata model. Note. Despite this action requires StartMetadataModelImport, the latter does not currently authorize the described Schema Conversion operation Read

MigrationProject

dms:StartMetadataModelImport

ImportCertificate Grants permission to upload the specified certificate Write

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

ListDataProviders Grants permission to list the AWS DMS attributes for a data providers Read

DataProvider

dms:DescribeDataProviders

ListExtensionPacks Grants permission to list the AWS DMS attributes for a extension packs Read

MigrationProject

dms:DescribeExtensionPackAssociations

ListInstanceProfiles Grants permission to list the AWS DMS attributes for a instance profiles Read

InstanceProfile

dms:DescribeInstanceProfiles

ListMetadataModelAssessmentActionItems Grants permission to list the AWS DMS attributes for a metadata model assessment action items. Note. Despite this action requires StartMetadataModelImport, the latter does not currently authorize the described Schema Conversion operation Read

MigrationProject

dms:StartMetadataModelImport

ListMetadataModelAssessments Grants permission to list the AWS DMS attributes for a metadata model assessments Read

MigrationProject

dms:DescribeMetadataModelAssessments

ListMetadataModelConversions Grants permission to list the AWS DMS attributes for a metadata model conversions Read

MigrationProject

dms:DescribeMetadataModelConversions

ListMetadataModelExports Grants permission to list the AWS DMS attributes for a metadata model exports Read

MigrationProject

dms:DescribeMetadataModelExportsAsScript

dms:DescribeMetadataModelExportsToTarget

ListMigrationProjects Grants permission to list the AWS DMS attributes for a migration projects. Note. Despite this action requires DescribeMigrationProjects and DescribeConversionConfiguration, both required actions do not currently authorize the described Schema Conversion operation Read

DataProvider

dms:DescribeConversionConfiguration

dms:DescribeMigrationProjects

InstanceProfile

MigrationProject

ListTagsForResource Grants permission to list all tags for an AWS DMS resource Read

Certificate

DataMigration

DataProvider

Endpoint

EventSubscription

InstanceProfile

MigrationProject

ReplicationConfig

ReplicationInstance

ReplicationSubnetGroup

ReplicationTask

ModifyConversionConfiguration [permission only] Grants permission to update a conversion configuration. Note. This action should be added along with UpdateConversionConfiguration, but does not currently authorize the described Schema Conversion operation Write

MigrationProject*

dms:UpdateConversionConfiguration

ModifyDataMigration Grants permission to modify the specified database migration Write

DataMigration*

iam:PassRole

ModifyDataProvider [permission only] Grants permission to modify the specified data provider. Note. This action should be added along with UpdateDataProvider, but does not currently authorize the described Schema Conversion operation Write

DataProvider*

dms:UpdateDataProvider

iam:PassRole

ModifyEndpoint Grants permission to modify the specified endpoint Write

Endpoint*

iam:PassRole

Certificate

ModifyEventSubscription Grants permission to modify an existing AWS DMS event notification subscription Write
ModifyFleetAdvisorCollector [permission only] Grants permission to modify the name and description of the specified Fleet Advisor collector Write
ModifyFleetAdvisorCollectorStatuses [permission only] Grants permission to modify the status of the specified Fleet Advisor collector Write
ModifyInstanceProfile [permission only] Grants permission to modify the specified instance profile. Note. This action should be added along with UpdateInstanceProfile, but does not currently authorize the described Schema Conversion operation Write

InstanceProfile*

dms:UpdateInstanceProfile

iam:PassRole

ModifyMigrationProject [permission only] Grants permission to modify the specified migration project. Note. This action should be added along with UpdateMigrationProject, but does not currently authorize the described Schema Conversion operation Write

MigrationProject*

dms:UpdateMigrationProject

iam:PassRole

ModifyReplicationConfig Grants permission to modify the specified replication config Write

ReplicationConfig*

ModifyReplicationInstance Grants permission to modify the replication instance to apply new settings Write

ReplicationInstance*

ModifyReplicationSubnetGroup Grants permission to modify the settings for the specified replication subnet group Write
ModifyReplicationTask Grants permission to modify the specified replication task Write

ReplicationTask*

MoveReplicationTask Grants permission to move the specified replication task to a different replication instance Write

ReplicationInstance*

ReplicationTask*

RebootReplicationInstance Grants permission to reboot a replication instance. Rebooting results in a momentary outage, until the replication instance becomes available again Write

ReplicationInstance*

RefreshSchemas Grants permission to populate the schema for the specified endpoint Write

Endpoint*

ReplicationInstance*

ReloadReplicationTables Grants permission to reload the target database table with the source for a replication Write

ReplicationConfig*

ReloadTables Grants permission to reload the target database table with the source data Write

ReplicationTask*

RemoveTagsFromResource Grants permission to remove metadata tags from a DMS resource Tagging

Certificate

DataMigration

DataProvider

Endpoint

EventSubscription

InstanceProfile

MigrationProject

ReplicationConfig

ReplicationInstance

ReplicationSubnetGroup

ReplicationTask

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

RunFleetAdvisorLsaAnalysis Grants permission to run a large-scale assessment (LSA) analysis on every Fleet Advisor collector in your account Write
StartDataMigration Grants permission to start the database migration Write

DataMigration*

StartExtensionPackAssociation [permission only] Grants permission to associate an extension pack. Note. This action should be added along with AssociateExtensionPack, but does not currently authorize the described Schema Conversion operation Write

MigrationProject*

dms:AssociateExtensionPack

StartMetadataModelAssessment Grants permission to start a new assessment of metadata model Write

MigrationProject*

StartMetadataModelConversion Grants permission to start a new conversion of metadata model Write

MigrationProject*

StartMetadataModelExportAsScript [permission only] Grants permission to start a new export of metadata model as script. Note. This action should be added along with StartMetadataModelExportAsScripts, but does not currently authorize the described Schema Conversion operation Write

MigrationProject*

dms:StartMetadataModelExportAsScripts

StartMetadataModelExportAsScripts Grants permission to start a new export of metadata model as script Write

MigrationProject*

dms:StartMetadataModelExportAsScript

StartMetadataModelExportToTarget Grants permission to start a new export of metadata model to target Write

MigrationProject*

StartMetadataModelImport Grants permission to start a new import of metadata model Write

MigrationProject*

StartRecommendations Grants permission to start the analysis of your source database to provide recommendations of target engines Write
StartReplication Grants permission to start a replication Write

ReplicationConfig*

StartReplicationTask Grants permission to start the replication task Write

ReplicationTask*

StartReplicationTaskAssessment Grants permission to start the replication task assessment for unsupported data types in the source database Write

ReplicationTask*

StartReplicationTaskAssessmentRun Grants permission to start a new premigration assessment run for one or more individual assessments of a migration task Write

ReplicationTask*

iam:PassRole

StopDataMigration Grants permission to stop the database migration Write

DataMigration*

StopReplication Grants permission to stop a replication Write

ReplicationConfig*

StopReplicationTask Grants permission to stop the replication task Write

ReplicationTask*

TestConnection Grants permission to test the connection between the replication instance and the endpoint Read

Endpoint*

ReplicationInstance*

UpdateConversionConfiguration Grants permission to update a conversion configuration Write

MigrationProject*

dms:ModifyConversionConfiguration

UpdateDataProvider Grants permission to update the specified data provider Write

DataProvider*

dms:ModifyDataProvider

UpdateInstanceProfile Grants permission to update the specified instance profile Write

InstanceProfile*

dms:ModifyInstanceProfile

UpdateMigrationProject Grants permission to update the specified migration project Write

MigrationProject*

dms:ModifyMigrationProject

UpdateSubscriptionsToEventBridge Grants permission to migrate DMS subcriptions to Eventbridge Write
UploadFileMetadataList [permission only] Grants permission to upload files to your Amazon S3 bucket Write

Resource types defined by AWS Database Migration Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
Certificate arn:${Partition}:dms:${Region}:${Account}:cert:*

aws:ResourceTag/${TagKey}

dms:cert-tag/${TagKey}

DataProvider arn:${Partition}:dms:${Region}:${Account}:data-provider:*

aws:ResourceTag/${TagKey}

dms:data-provider-tag/${TagKey}

DataMigration arn:${Partition}:dms:${Region}:${Account}:data-migration:*

aws:ResourceTag/${TagKey}

dms:data-migration-tag/${TagKey}

Endpoint arn:${Partition}:dms:${Region}:${Account}:endpoint:*

aws:ResourceTag/${TagKey}

dms:endpoint-tag/${TagKey}

EventSubscription arn:${Partition}:dms:${Region}:${Account}:es:*

aws:ResourceTag/${TagKey}

dms:es-tag/${TagKey}

InstanceProfile arn:${Partition}:dms:${Region}:${Account}:instance-profile:*

aws:ResourceTag/${TagKey}

dms:instance-profile-tag/${TagKey}

MigrationProject arn:${Partition}:dms:${Region}:${Account}:migration-project:*

aws:ResourceTag/${TagKey}

dms:migration-project-tag/${TagKey}

ReplicationConfig arn:${Partition}:dms:${Region}:${Account}:replication-config:*

aws:ResourceTag/${TagKey}

dms:replication-config-tag/${TagKey}

ReplicationInstance arn:${Partition}:dms:${Region}:${Account}:rep:*

aws:ResourceTag/${TagKey}

dms:rep-tag/${TagKey}

ReplicationSubnetGroup arn:${Partition}:dms:${Region}:${Account}:subgrp:*

aws:ResourceTag/${TagKey}

dms:subgrp-tag/${TagKey}

ReplicationTask arn:${Partition}:dms:${Region}:${Account}:task:*

aws:ResourceTag/${TagKey}

dms:task-tag/${TagKey}

ReplicationTaskAssessmentRun arn:${Partition}:dms:${Region}:${Account}:assessment-run:*
ReplicationTaskIndividualAssessment arn:${Partition}:dms:${Region}:${Account}:individual-assessment:*

Condition keys for AWS Database Migration Service

AWS Database Migration Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by the presence of tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the presence of tag keys in the request ArrayOfString
dms:cert-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for Certificate String
dms:data-migration-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for DataMigration String
dms:data-provider-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for DataProvider String
dms:endpoint-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for Endpoint String
dms:es-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for EventSubscription String
dms:instance-profile-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for InstanceProfile String
dms:migration-project-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for MigrationProject String
dms:rep-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for ReplicationInstance String
dms:replication-config-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for ReplicationConfig String
dms:req-tag/${TagKey} Filters access by the presence of tag key-value pairs in the given request String
dms:subgrp-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for ReplicationSubnetGroup String
dms:task-tag/${TagKey} Filters access by the presence of tag key-value pairs in the request for ReplicationTask String