Step 1: Create an IAM user for Agentless Collector - AWS Application Discovery Service

To use Agentless Collector, you must create an AWS Identity and Access Management (IAM) user in the AWS account that you used in the step Sign in to the Migration Hub console and choose a home Region. Then, set up this IAM user to use the AWS managed policy AWSApplicationDiscoveryAgentlessCollectorAccess. You attach this IAM policy when you create the IAM user.

To use the database and analytics data collection module, create two customer managed IAM policies. These policies provide access to your Amazon S3 bucket and the AWS DMS API. For more information, see Create a customer managed policy in the IAM User Guide.

  • Use the following JSON code to create the DMSCollectorPolicy policy.

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "dms:DescribeFleetAdvisorCollectors",
                "dms:ModifyFleetAdvisorCollectorStatuses",
                "dms:UploadFileMetadataList"
            ],
            "Resource": "*"
        }]
    }

  • Use the following JSON code to create the FleetAdvisorS3Policy policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject*",
                    "s3:GetBucket*",
                    "s3:List*",
                    "s3:DeleteObject*",
                    "s3:PutObject*"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket_name",
                    "arn:aws:s3:::bucket_name/*"
                ]
            }
        ]
    }

    In the preceding example, replace bucket_name with the name of the Amazon S3 bucket that you created in the prerequisites step.
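
One way to fill in the FleetAdvisorS3Policy and confirm it stays scoped to your bucket before you paste it into the IAM console, as an added example that is not part of the AWS documentation. The function names, the bucket-name check and the bucket example-collector-bucket are assumptions made for illustration.

```python
import json
import re

# The FleetAdvisorS3Policy from this page, with its bucket_name placeholder.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
               "s3:DeleteObject*", "s3:PutObject*"],
    "Resource": ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"]
  }]
}"""

# Assumption: naming rules for new general purpose buckets (3-63 characters,
# lowercase letters, digits, dots and hyphens, alphanumeric at both ends).
_BUCKET = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")
_IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


def render_policy(bucket: str) -> dict:
    """Return the policy document with bucket_name replaced by `bucket`."""
    if not _BUCKET.fullmatch(bucket) or ".." in bucket or _IPV4.fullmatch(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    policy = json.loads(TEMPLATE)
    for stmt in policy["Statement"]:
        stmt["Resource"] = [r.replace("bucket_name", bucket) for r in stmt["Resource"]]
    return policy


def scope_findings(policy: dict, bucket: str) -> list:
    """List every Resource entry that reaches beyond `bucket` and its objects."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # IAM accepts a single string or a list
            resources = [resources]
        for res in resources:
            if "bucket_name" in res:
                findings.append(f"placeholder not replaced: {res}")
            elif res not in allowed:
                findings.append(f"outside the collector bucket: {res}")
    return findings


if __name__ == "__main__":
    doc = render_policy("example-collector-bucket")  # constructed bucket name
    print(json.dumps(doc, indent=2))
    print(scope_findings(doc, "example-collector-bucket") or "scoped to the bucket only")
```

The literal placeholder bucket_name is rejected by the name check because it contains an underscore, so a policy pasted without the substitution is caught before it reaches IAM.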

We recommend that you create a non-administrative IAM user to use with Agentless Collector. When creating non-administrative IAM users, follow the security best practice Grant Least Privilege, granting users minimum permissions.

To create a non-administrator IAM user to use with Agentless Collector
  1. In the AWS Management Console, navigate to the IAM console, using the AWS account that you used to set the home Region in Sign in to the Migration Hub console and choose a home Region.

  2. Create a non-administrator IAM user by following the instructions for creating a user with the console as described in Creating an IAM user in your AWS account in the IAM User Guide.

    While following the instructions in the IAM User Guide:

    • When on the step about selecting the type of access, select Programmatic access. Select AWS Management Console access only if you plan to use the same IAM user credentials for accessing the AWS console, although this is not recommended.

    • When on the step about the Set permission page, choose the option to Attach existing policies to user directly. Then select the AWSApplicationDiscoveryAgentlessCollectorAccess AWS managed policy from the list of policies.

      Next, select the DMSCollectorPolicy and FleetAdvisorS3Policy customer managed IAM policies.

    • When on the step about viewing the user's access keys (access key IDs and secret access keys), follow the guidance in the Important note about saving the user's new access key ID and secret access key in a safe and secure place. You'll need these access keys in Step 5: Configure Agentless Collector.

      It's an AWS security best practice to rotate access keys. For information about rotating keys, see Rotate access keys regularly for use cases that require long-term credentials in the IAM User Guide.