AWS Managed (Predefined) Policies for Application Discovery Service
An AWS managed policy is an AWS Identity and Access Management (IAM) policy that is created and administered by AWS. Managed policies are predefined to provide permissions for common use cases. For more information about managed policies, see Managed Policies and Inline Policies in the IAM User Guide.
The AWS managed policies listed in this topic are used to control access to AWS Application Discovery Service. An administrator AWS account by default inherits all the policies required for accessing Application Discovery Service.
If your account is a non-administrative account, to access Application Discovery Service, you need to request that your administrator add one or more of the following managed policies to your IAM user account. For information about how to attach managed policies to an account, see Creating an IAM Non-Administrative User.
- AWSApplicationDiscoveryServiceFullAccess
-
The
AWSApplicationDiscoveryServiceFullAccess
policy grants an IAM user account access to the Application Discovery Service and Migration Hub APIs.An IAM user account with this policy attached can configure Application Discovery Service, start and stop agents, start and stop agentless discovery, and query data from the AWS Discovery Service database. For an example of this policy, see Granting full access to Application Discovery Service.
- AWSApplicationDiscoveryAgentAccess
-
The
AWSApplicationDiscoveryAgentAccess
policy grants the Application Discovery Agent access to register and communicate with Application Discovery Service.You attach this policy to any user whose credentials are used by Application Discovery Agent.
This policy also grants the user access to Arsenal. Arsenal is an agent service that is managed and hosted by AWS. Arsenal forwards data to Application Discovery Service in the cloud. For an example of this policy, see Granting access to discovery agents.
- AWSAgentlessDiscoveryService
-
The
AWSAgentlessDiscoveryService
policy grants the AWS Agentless Discovery Connector that is running in your VMware vCenter Server access to register, communicate with, and share connector health metrics with Application Discovery Service.You attach this policy to any user whose credentials are used by the connector.
For an example of this policy, see Granting AWS agentless Discovery Connector access.
- ApplicationDiscoveryServiceContinuousExportServiceRolePolicy
-
If your IAM account has the
AWSApplicationDiscoveryServiceFullAccess
policy attached,ApplicationDiscoveryServiceContinuousExportServiceRolePolicy
is automatically attached to your account when you turn on Data Exploration in Amazon Athena.This policy allows AWS Application Discovery Service to create Amazon Kinesis Data Firehose streams to transform and deliver data collected by AWS Application Discovery Service agents to an Amazon S3 bucket in your AWS account.
In addition, this policy creates an AWS Glue Data Catalog with a new database called application_discovery_service_database and table schemas for mapping data collected by the agents. For an example of this policy, see Granting permissions for agent data collection.
- AWSDiscoveryContinuousExportFirehosePolicy
-
The
AWSDiscoveryContinuousExportFirehosePolicy
policy is required to use Data Exploration in Amazon Athena. It allows Amazon Kinesis Data Firehose to write data collected from Application Discovery Service to Amazon S3. For information about using this policy, see Creating the AWSApplicationDiscoveryServiceFirehose Role. For an example of this policy, see Granting permissions for data exploration.
Creating the AWSApplicationDiscoveryServiceFirehose Role
An administrator attaches managed policies to your IAM user account. When using the
AWSDiscoveryContinuousExportFirehosePolicy
policy, the administrator
must first create a role named
AWSApplicationDiscoveryServiceFirehose with Kinesis Data Firehose as a trusted
entity and then attach the AWSDiscoveryContinuousExportFirehosePolicy
policy to the role, as shown in the following procedure.
To create the AWSApplicationDiscoveryServiceFirehose IAM role
-
In the IAM console, choose Roles on the navigation pane.
-
Choose Create Role.
-
Choose Kinesis.
-
Choose Kinesis Firehose as your use case.
-
Choose Next: Permissions.
-
Under Filter Policies search for AWSDiscoveryContinuousExportFirehosePolicy.
-
Select the box beside AWSDiscoveryContinuousExportFirehosePolicy, and then choose Next: Review.
-
Enter AWSApplicationDiscoveryServiceFirehose as the role name, and then choose Create role.