Permissions
In order to use MGN connector, you must have the required permissions in IAM.
For security best practices, it is recommended that the MGN connector will be accessed only by allowed personnel and will have the required OS patches. It is also recommended that the servers to which the MGN connector connects, will have all the required OS patches.
If you configure outputting logs to S3, first create an Amazon S3 bucket. it is recommended to apply S3 bucket security practices - following AWS official reference to S3 security practices
Refer to the next section to deploy permissions using a CloudFormation template.
Alternatively, in order to create the permissions manually, create the following IAM roles:
Create permissions manually
MGNConnectorInstallerRole
The MGNConnectorInstallerRole role is used to install the Connector. The user or identity that installs the Connector will require permission to assume this role.
To create the role:
-
Create a policy from the following JSON:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "mgn:TagResource" ], "Resource": "arn:aws:mgn:*:*:connector/*", "Effect": "Allow", "Condition": { "StringEquals": { "mgn:CreateAction": "CreateConnector" } } }, { "Action": [ "mgn:CreateConnector", ], "Resource": "*", "Effect": "Allow" }, ] } -
Name the policy MGNConnectorInstallerPolicy.
-
Create a role with your account as the trusted entity. Alternatively use a custom trust policy that will grant the user or identity that will install the Connector, permission to assume this role.
-
Attach the MGNConnectorInstallerPolicy policy to the Permission policies.
-
Name the role MGNConnectorInstallerRole.
AWSApplicationMigrationConnectorManagementRole
The AWSApplicationMigrationConnectorManagementRole role is the role that is initially assumed by the Connector.
To create the role:
-
After replacing ACCOUNT-ID with your account number, and AWS_REGION with the connector region, create a policy from the following JSON:
{ "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/AWSApplicationMigrationConnectorSharingRole_ACCOUNT-ID", "Effect": "Allow" }, { "Condition": { "Null": { "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" } }, "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:*:*:secret:*", "Effect": "Allow" }, { "Action": "s3:GetObject", "Resource": ["arn:aws:s3:::aws-application-migration-service-AWS_REGION/latest/source-automation-client/linux/ssaf-client/ssaf_client", "arn:aws:s3:::amazon-ssm-AWS_REGION/*"], "Effect": "Allow" } ] } -
If you have created an S3 bucket for SSM logging, replace LOGS-BUCKET with the bucket name and append the following statements to the above policy:
{ "Action": "s3:PutObject", "Resource": "arn:aws:s3:::LOGS-BUCKET/*", "Effect": "Allow" } -
In order for the MGN connector to send logs to CloudWatch, append the following statement to the above policy:
{ "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "*" } -
Name the policy MgnConnectorPolicy
-
Create a role with the following trust relationship:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } -
Attach the following policies:
-
AmazonSSMManagedInstanceCore
-
MgnConnectorPolicy
-
-
Name the role AWSApplicationMigrationConnectorManagementRole
Deploying permissions using CloudFormation template
Alternatively, see the previous section to deploy these permissions manually.
-
To configure the required IAM roles and policies, after replacing the described parameters, save the following AWS CloudFormation JSON template to a text file called
aws-mgn-connector-iam-principals.jsonon your local system:-
Replace ACCOUNT-ID with your account number.
-
Replace ROLE-NAME with the user role that serves as the trusted entity to assume MGNConnectorInstallerRole role and install the connector.
-
Replace AWS_REGION with the connector region.
-
Replace LOGS-BUCKET with S3 logs bucket name. Remove the relevant item from the statement if you have not set up outputting logs to S3.
{ "Resources": { "MGNConnectorInstallerRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT-ID:ROLE-NAME" }, "Action": "sts:AssumeRole" } ] }, "Policies": [ { "PolicyName": "MGNConnectorInstallerPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "mgn:TagResource", "Resource": "arn:aws:mgn:*:*:connector/*", "Condition": { "StringEquals": { "mgn:CreateAction": "CreateConnector" } } }, { "Effect": "Allow", "Action": "mgn:CreateConnector", "Resource": "*" } ] } } ] } }, "AWSApplicationMigrationConnectorManagementRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" ], "Policies": [ { "PolicyName": "MgnConnectorPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "*" }, { "Action": [ "s3:GetObject" ], "Resource": ["arn:aws:s3:::aws-application-migration-service-AWS_REGION/latest/source-automation-client/linux/ssaf-client/ssaf_client", "arn:aws:s3:::AWS_REGION/*"], "Effect": "Allow" }, { "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::LOGS-BUCKET/*", "Effect": "Allow" }, { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/AWSApplicationMigrationConnectorSharingRole_ACCOUNT-ID", }, { "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:*:*:secret:*", "Condition": { "Null": { "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" } } } ] } } ] } } } } -
-
Create a stack:
