AWS managed policies for Migration Hub Strategy Recommendations - Migration Hub Strategy Recommendations

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AWSMigrationHubStrategyConsoleFullAccess

You can attach the AWSMigrationHubStrategyConsoleFullAccess policy to your IAM identities.

The AWSMigrationHubStrategyConsoleFullAccess policy grants an IAM user account full access to the Strategy Recommendations service through the AWS Management Console.

Permissions details

This policy includes the following permissions.

  • migrationhub-strategy – Allows the IAM user account full access to Strategy Recommendations.

  • s3 – Allows the IAM user account to create and read from the S3 buckets used by Strategy Recommendations.

  • secretsmanager – Allows the IAM user account to list the secrets in Secrets Manager.

  • discovery – Allows the IAM user account to get the discovery summary from Application Discovery Service.

  • iam – Allows a service-linked role to be created for the IAM user account, which is a requirement for using Strategy Recommendations.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "migrationhub-strategy:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:CreateBucket",
        "s3:PutEncryptionConfiguration",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketPolicy",
        "s3:PutBucketVersioning",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": "arn:aws:s3:::migrationhub-strategy-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "discovery:GetDiscoverySummary"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "migrationhub-strategy.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/migrationhub-strategy.amazonaws.com/AWSMigrationHubStrategyServiceRolePolicy*"
    }
  ]
}
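A scope check over the policy document above, as an added example (not AWS's code): it lists the Allow statements that use a wildcard action or a bare `*` resource and records whether a Condition narrows them. The `review` helper and its tag names are illustrative choices made for this example, and it only inspects `Action` and `Resource` (not `NotAction` or `NotResource`).

```python
import json

# Policy text copied from this page: AWSMigrationHubStrategyConsoleFullAccess.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["migrationhub-strategy:*"], "Resource": "*"},
 {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
 {"Effect": "Allow", "Action": ["s3:GetObject", "s3:CreateBucket",
   "s3:PutEncryptionConfiguration", "s3:PutBucketPublicAccessBlock", "s3:PutBucketPolicy",
   "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration"],
  "Resource": "arn:aws:s3:::migrationhub-strategy-*"},
 {"Effect": "Allow", "Action": ["secretsmanager:ListSecrets"], "Resource": "*"},
 {"Effect": "Allow", "Action": ["discovery:GetDiscoverySummary"], "Resource": "*"},
 {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"], "Resource": "*",
  "Condition": {"StringEquals": {"iam:AWSServiceName": "migrationhub-strategy.amazonaws.com"}}},
 {"Effect": "Allow", "Action": ["iam:GetRole"], "Resource":
  "arn:aws:iam::*:role/aws-service-role/migrationhub-strategy.amazonaws.com/AWSMigrationHubStrategyServiceRolePolicy*"}
]}
""")


def as_list(value):
    # IAM accepts either a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def review(policy):
    """Return (statement_index, tag, detail) tuples for Allow statements worth a closer look."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        for action in actions:
            if action.endswith("*"):  # e.g. "service:*" covers every current and future operation
                findings.append((i, "wildcard-action", action))
        if "*" in resources:  # bare "*" only; prefix-scoped ARNs are not flagged
            if "Condition" in stmt:
                keys = sorted(k for op in stmt["Condition"].values() for k in op)
                findings.append((i, "condition-scoped", ",".join(keys)))
            else:
                findings.append((i, "unscoped-resource", ",".join(actions)))
    return findings


if __name__ == "__main__":
    for index, tag, detail in review(POLICY):
        print(f"statement {index}: {tag}: {detail}")
```

A finding is a prompt to check, not a defect in itself: some actions do not support resource-level permissions, in which case `*` is the only valid resource.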

AWS managed policy: AWSMigrationHubStrategyCollector

You can attach the AWSMigrationHubStrategyCollector policy to your IAM identities.

The AWSMigrationHubStrategyCollector policy grants an IAM user account access to the Strategy Recommendations service, read/write access to the S3 buckets that are related to the service, Amazon API Gateway access to upload logs and metrics to AWS, and AWS Secrets Manager access to fetch credentials.

Permissions details

This policy includes the following permissions.

  • s3 – Allows the IAM user account write access to the S3 buckets used by Strategy Recommendations.

  • migrationhub-strategy – Allows the IAM user account access to register and send messages to Strategy Recommendations.

  • execute-api – Allows the IAM user account to access Amazon API Gateway to upload logs and metrics to AWS.

  • secretsmanager – Allows the IAM user account to access secrets in Secrets Manager that are used by Strategy Recommendations.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::migrationhub-strategy-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke",
        "execute-api:ManageConnections"
      ],
      "Resource": [
        "arn:aws:execute-api:*:*:*/prod/*/put-log-data",
        "arn:aws:execute-api:*:*:*/prod/*/put-metric-data"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "migrationhub-strategy:RegisterCollector",
        "migrationhub-strategy:GetAntiPattern",
        "migrationhub-strategy:GetMessage",
        "migrationhub-strategy:SendMessage",
        "migrationhub-strategy:ListAntiPatterns",
        "migrationhub-strategy:ListJarArtifacts"
      ],
      "Resource": "arn:aws:migrationhub-strategy:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:migrationhub-strategy-*"
    }
  ]
}

Strategy Recommendations updates to AWS managed policies

View details about updates to AWS managed policies for Strategy Recommendations since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Strategy Recommendations Document history page.

| Change | Description | Date |
|---|---|---|
| AWSMigrationHubStrategyConsoleFullAccess – New policy made available at launch | AWSMigrationHubStrategyConsoleFullAccess grants an IAM user account full access to the Strategy Recommendations service through the AWS Management Console. | October 25, 2021 |
| AWSMigrationHubStrategyCollector – New policy made available at launch | AWSMigrationHubStrategyCollector grants an IAM user account access to the Strategy Recommendations service and read/write access to the S3 buckets that are related to the service. It also grants Amazon API Gateway access to upload logs and metrics to AWS, and AWS Secrets Manager access to fetch credentials. | October 25, 2021 |
| AWSMigrationHubStrategyServiceRolePolicy – New policy made available at launch | The AWSMigrationHubStrategyServiceRolePolicy service-linked role policy provides access to AWS Migration Hub and AWS Application Discovery Service. This policy also grants permissions for storing reports in Amazon Simple Storage Service (Amazon S3). | October 25, 2021 |
| Strategy Recommendations started tracking changes | Strategy Recommendations started tracking changes for its AWS managed policies. | October 25, 2021 |