Creating the required IAM roles Creating the templates

Initializing AWS Application Migration Service with the API

In order to use AWS Application Migration Service (Application Migration Service), the service must first be initialized for any AWS Region in which you plan to use Application Migration Service.

You can initialize the service via the console or via the API.

During the initialization process:

The required IAM roles and policies will be created.
The required templates are configured.

You can initialize AWS Application Migration Service through the API. This option allows you to automate service initialization through a script when initializing multiple accounts.

You can also initialize Application Migration Service using the console. For more information, see Initializing Application Migration Service with the console.

To initialize the service via the API, take the following steps:

Create the required IAM roles.
Create the replication template and launch template.

Note
You must complete both steps to finalize the service initialization process.

Creating the required IAM roles

To initialize Application Migration Service with the API, create the following IAM roles through the IAM CreateRoleAPI. Learn more about creating IAM roles in the AWS IAM documentation. Creation of each role must include the following parameters:

Role name	Trusted entities
	Principal	Action	Condition
AWSApplicationMigrationReplicationServerRole	"ec2.amazonaws.com"	"sts:AssumeRole"	-
AWSApplicationMigrationConversionServerRole	"ec2.amazonaws.com"	"sts:AssumeRole"	-
AWSApplicationMigrationMGHRole	"mgn.amazonaws.com"	"sts:AssumeRole"	-
AWSApplicationMigrationLaunchInstanceWithDrsRole	"ec2.amazonaws.com"	"sts:AssumeRole"	-
AWSApplicationMigrationLaunchInstanceWithSsmRole	"ec2.amazonaws.com"	"sts:AssumeRole"	-
AWSApplicationMigrationAgentRole	"mgn.amazonaws.com"	["sts:AssumeRole", "sts:SetSourceIdentity"]	{"StringLike": {"sts:SourceIdentity": "s-*", "aws:SourceAccount": "<SOURCE-ACCOUNT-ID>"}

Example using the AWS Command Line Interface without a source identity:


aws iam create-role --path "/service-role/" --role-name AWSApplicationMigrationReplicationServerRole --assume-role-policy-document 
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

After the roles have been created, attach the following AWS managed policies to the roles through the IAM AttachRolePolicy API. Learn more about adding and removing IAM identity permissions in the AWS IAM documentation.

Example of attach policy, aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/service-role/AWSApplicationMigrationReplicationServerPolicy --role-name AWSApplicationMigrationReplicationServerRole

Example using the AWS CLI with a source identity:


aws iam create-role --path "/service-role/" --role-name AWSApplicationMigrationAgentRole --assume-role-policy-document
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "mgn.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity"
      ],
      "Condition": {
        "StringLike": {
          "sts:SourceIdentity": "s-*",
          "aws:SourceAccount": "<SOURCE-ACCOUNT-ID>"
        }
      }
    }
  ]
}

Attach Managed Policy AWSApplicationMigrationReplicationServerPolicy to Role AWSApplicationMigrationReplicationServerRole
Attach Managed Policy AWSApplicationMigrationConversionServerPolicy to Role AWSApplicationMigrationConversionServerRole
Attach Managed Policy AWSApplicationMigrationMGHAccess to Role AWSApplicationMigrationMGHRole
Attach Managed Policies AmazonSSMManagedInstanceCore and AWSElasticDisasterRecoveryEc2InstancePolicy to Role AWSApplicationMigrationLaunchInstanceWithDrsRole
Attach Managed Policy AmazonSSMManagedInstanceCore to Role AWSApplicationMigrationLaunchInstanceWithSsmRole
Attach Managed Policy AWSApplicationMigrationAgentPolicy_v2 to Role AWSApplicationMigrationAgentRole

Once the policies are attached to the roles, run the aws mgn initialize-service command. This will automatically create the service-llnked role, create instance profiles, add Roles to Instance Profiles, and will finish service initialization.

Learn more about AWS Application Migration Service roles and managed policies.

Creating the templates

To finalize the initialization process, you will need to create the replication template and launch template by running the following commands:

aws mgn create-replication-configuration-template

aws mgn create-launch-configuration-template

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Initializing with the console

Configuring the templates

Initializing AWS Application Migration Service with the API

Note

Creating the required IAM roles

Creating the templates