MGNConnectorInstallerRole AWSApplicationMigrationConnectorManagementRole

Permissions

In order to use the MGN connector, you must have the required permissions.

For security best practices, it is recommended that the MGN connector will be accessed only by allowed personnel and will have the required OS patches. It is also recommended that the servers to which the MGN connector connects, will have all the required OS patches.

If you configure outputting logs to S3, it is recommended to apply S3 bucket security practices - following AWS official reference to S3 security practices

You need to create the following IAM roles:

MGNConnectorInstallerRole

The MGNConnectorInstallerRole role is used to install the Connector. The user or identity that installs the Connector will require permission to assume this role. To create the role:

Create a policy from the following JSON:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "mgn:CreateConnector",
                "mgn:TagResource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Name the policy MGNConnectorInstallerPolicy
Create a role with your account as the trusted entity. Alternatively use a custom trust policy that will grant the user or identity that will install the Connector, permission to assume this role.
Attach the MGNConnectorInstallerPolicy policy to the Permission policies.
Name the role MGNConnectorInstallerRole

AWSApplicationMigrationConnectorManagementRole

The AWSApplicationMigrationConnectorManagementRole role is the role that is initially assumed by the Connector. To create the role:

After replacing ACCOUNT-ID with your account number, create a policy from the following JSON:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/AWSApplicationMigrationConnectorSharingRole_ACCOUNT-ID",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false"
                }
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:*:*:secret:*",
            "Effect": "Allow"
        }
    ]
}

In order for the MGN connector to send logs to S3, append the following statement to the above policy:


{
    "Action": [
        "s3:GetObject",
        "s3:PutObject"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

In order for the MGN connector to send logs to CloudWatch, append the following statement to the above policy:


{
    "Effect": "Allow",
    "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
    ],
    "Resource": "*"
}

Name the policy MgnConnectorPolicy

Create a role with the following trust relationship:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Attach the following policies:
1. AmazonSSMManagedInstanceCore
2. MgnConnectorPolicy
Name the role AWSApplicationMigrationConnectorManagementRole

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Architecture overview when using MGN connector

Setup instructions