Initializing AWS MGN via the console - Application Migration Service
IAM role creationAdditional policies

Initializing AWS MGN via the console

AWS Application Migration Service (AWS MGN) must be initialized upon first use from within the AWS MGN console by creating a replication template.

Once you create the replication template, the initialization process takes place automatically.

Important

The AWS Application Migration Service can only be initialized by the IAM user with the "AdministratorAccess" managed policy attached in your AWS Account.

IAM role creation

During initialization the following IAM roles will be created.

  1. AWSServiceRoleForApplicationMigrationService

  2. AWSApplicationMigrationReplicationServerRole

  3. AWSApplicationMigrationConversionServerRole

  4. AWSApplicationMigrationMGHRole

  5. AWSApplicationMigrationLaunchInstanceWithDrsRole

  6. AWSApplicationMigrationLaunchInstanceWithSsmRole

  7. AWSApplicationMigrationAgentRole

Learn more about AWS Application Migration Service roles and managed policies.

Additional policies

You can create roles with granular permission for AWS Application Migration Service. The service comes with the following predefined managed IAM policies:

  • AWSApplicationMigrationFullAccess – This policy provides permissions to all public APIs of AWS AWS Application Migration Service (AWS MGN), as well as permissions to read KMS key information.

  • AWSApplicationMigrationEC2Access – This policy allows Amazon EC2 operations required to use AWS Application Migration Service (AWS MGN) to launch the migrated servers as EC2 instances.

  • AWSApplicationMigrationSSMAccess – This policy allows Amazon SSM operations required to use AWS Application Migration Service (AWS MGN) to run SSM documents post migration of source servers.

  • AWSApplicationMigrationReadOnlyAccess – The read-only policy allows the user to view all data available in the AWS MGN console but does not allow them to modify any data or perform any actions. This policy also includes several EC2 read-only permissions.

  • AWSApplicationMigrationAgentPolicy – This policy allows a user to install the AWS Replication Agent. Learn more about installing the AWS Replication Agent.

  • AWSApplicationMigrationAgentInstallationPolicy – This policy allows a user to install the AWS Replication Agent. Learn more about installing the AWS Replication Agent.

  • AWSApplicationMigrationServiceEc2InstancePolicy – This policy allows installing and using the AWS Replication Agent, which is used by AWS Application Migration Service (AWS MGN) to migrate source servers that run on EC2 (cross-Region or cross-AZ). An IAM role with this policy should be attached (as an EC2 Instance Profile) to the EC2 Instances.

You can find all of these policies in the IAM Console.

Important

You must attach the AWSApplicationMigrationFullAccess and the AWSApplicationMigrationEC2Access policies to your users and roles in order to be able to launch test and cutover instances and to complete a full migration cycle with AWS MGN.