AWS Application Discovery Service Identity-Based Policy Examples - AWS Application Discovery Service

AWS Application Discovery Service Identity-Based Policy Examples

By default, IAM users and roles don't have permission to create or modify Application Discovery Service resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see Creating Policies on the JSON Tab in the IAM User Guide.

Policy Best Practices

Identity-based policies are very powerful. They determine whether someone can create, access, or delete Application Discovery Service resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:

  • Get Started Using AWS Managed Policies – To start using Application Discovery Service quickly, use AWS managed policies to give your employees the permissions they need. These policies are already available in your account and are maintained and updated by AWS. For more information, see Get Started Using Permissions With AWS Managed Policies in the IAM User Guide.

  • Grant Least Privilege – When you create custom policies, grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later. For more information, see Grant Least Privilege in the IAM User Guide.

  • Enable MFA for Sensitive Operations – For extra security, require IAM users to use multi-factor authentication (MFA) to access sensitive resources or API operations. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

  • Use Policy Conditions for Extra Security – To the extent that it's practical, define the conditions under which your identity-based policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also write conditions to allow requests only within a specified date or time range, or to require the use of SSL or MFA. For more information, see IAM JSON Policy Elements: Condition in the IAM User Guide.

Granting Full Access to Application Discovery Service

The AWSApplicationDiscoveryServiceFullAccess managed policy grants the IAM user account access to the Application Discovery Service and Migration Hub APIs.

An IAM user with this policy attached to their account can configure Application Discovery Service, start and stop agents, start and stop agentless discovery, and query data from the AWS Discovery Service database. For more information about this policy, see AWS Managed (Predefined) Policies for Application Discovery Service.

Example AWSApplicationDiscoveryServiceFullAccess Policy

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "mgh:*", "discovery:*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:GetRole" ], "Effect": "Allow", "Resource": "*" } ] }

Granting Access to Discovery Agents

The AWSApplicationDiscoveryAgentAccess managed policy grants the Application Discovery Agent access to register and communicate with Application Discovery Service. For more information about this policy, see AWS Managed (Predefined) Policies for Application Discovery Service.

Attach this policy to any user whose credentials are used by Application Discovery Agent.

This policy also grants the user access to Arsenal. Arsenal is an agent service that is managed and hosted by AWS. Arsenal forwards data to Application Discovery Service in the cloud.

Example AWSApplicationDiscoveryAgentAccess Policy

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "arsenal:RegisterOnPremisesAgent" ], "Resource": "*" } ] }

Granting AWS Agentless Discovery Connector Access

The AWSAgentlessDiscoveryService managed policy grants the AWS Agentless Discovery Connector that is running in a VMware vCenter Server the access to register, communicate with, and share connector health metrics with Application Discovery Service. For more information about this policy, see AWS Managed (Predefined) Policies for Application Discovery Service.

Example AWSAgentlessDiscoveryService Policy

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "awsconnector:RegisterConnector", "awsconnector:GetConnectorHealth" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:GetUser", "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::connector-platform-upgrade-info/*", "arn:aws:s3:::connector-platform-upgrade-info", "arn:aws:s3:::connector-platform-upgrade-bundles/*", "arn:aws:s3:::connector-platform-upgrade-bundles", "arn:aws:s3:::connector-platform-release-notes/*", "arn:aws:s3:::connector-platform-release-notes", "arn:aws:s3:::prod.agentless.discovery.connector.upgrade/*", "arn:aws:s3:::prod.agentless.discovery.connector.upgrade" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::import-to-ec2-connector-debug-logs/*" ] }, { "Effect": "Allow", "Action": [ "SNS:Publish" ], "Resource": "arn:aws:sns:*:*:metrics-sns-topic-for-*" }, { "Sid": "Discovery", "Effect": "Allow", "Action": [ "Discovery:*" ], "Resource": "*" }, { "Sid": "arsenal", "Effect": "Allow", "Action": [ "arsenal:RegisterOnPremisesAgent" ], "Resource": "*" } ] }

Granting permissions for Agent Data Collection

The ApplicationDiscoveryServiceContinuousExportServiceRolePolicy managed policy allows AWS Application Discovery Service to create Amazon Kinesis Data Firehose streams to transform and deliver data collected by Application Discovery Service agents to an Amazon S3 bucket in your AWS account.

In addition, this policy creates an AWS Glue Data Catalog with a new database called application_discovery_service_database and table schemas for mapping data collected by the agents.

For information about using this policy, see AWS Managed (Predefined) Policies for Application Discovery Service.

Example ApplicationDiscoveryServiceContinuousExportServiceRolePolicy

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "glue:CreateDatabase", "glue:UpdateDatabase", "glue:CreateTable", "glue:UpdateTable", "firehose:CreateDeliveryStream", "firehose:DescribeDeliveryStream", "logs:CreateLogGroup" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "firehose:DeleteDeliveryStream", "firehose:PutRecord", "firehose:PutRecordBatch", "firehose:UpdateDestination" ], "Effect": "Allow", "Resource": "arn:aws:firehose:*:*:deliverystream/aws-application-discovery-service*" }, { "Action": [ "s3:CreateBucket", "s3:ListBucket", "s3:PutBucketLogging", "s3:PutEncryptionConfiguration" ], "Effect": "Allow", "Resource": "arn:aws:s3:::aws-application-discovery-service*" }, { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::aws-application-discovery-service*/*" }, { "Action": [ "logs:CreateLogStream", "logs:PutRetentionPolicy" ], "Effect": "Allow", "Resource": "arn:aws:logs:*:*:log-group:/aws/application-discovery-service/firehose*" }, { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "arn:aws:iam::*:role/AWSApplicationDiscoveryServiceFirehose", "Condition": { "StringLike": { "iam:PassedToService": "firehose.amazonaws.com" } } }, { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "arn:aws:iam::*:role/service-role/AWSApplicationDiscoveryServiceFirehose", "Condition": { "StringLike": { "iam:PassedToService": "firehose.amazonaws.com" } } } ] }

Granting Permissions for Data Collection

The AWSDiscoveryContinuousExportFirehosePolicy policy is required to use Data Exploration in Amazon Athena. It allows Amazon Kinesis Data Firehose to write data collected from Application Discovery Service to Amazon S3. For information about using this policy, see Creating the AWSApplicationDiscoveryServiceFirehose Role.

Example AWSDiscoveryContinuousExportFirehosePolicy

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "glue:GetTableVersions" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::aws-application-discovery-service-*", "arn:aws:s3:::aws-application-discovery-service-*/*" ] }, { "Effect": "Allow", "Action": [ "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/application-discovery-service/firehose:log-stream:*" ] } ] }