Product update
We recommend AWS Application Migration Service
Identity and access management for AWS Server Migration Service
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. Administrators control who can be authenticated (signed in) and authorized (have permissions) to use AWS resources. IAM enables you to create users and groups under your AWS account. You control the permissions that users have to perform tasks using AWS resources. You can use IAM for no additional charge.
By default, users don't have permissions for AWS Server Migration Service (AWS SMS) resources and operations. You must give users permissions to interact with AWS SMS.
To provide access, add permissions to your users, groups, or roles:
- Users and groups in AWS IAM Identity Center (successor to AWS Single Sign-On): Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.
- Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM users:
  - Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
  - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
Policy structure
An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows.
{
  "Statement": [
    {
      "Effect": "effect",
      "Action": "action",
      "Resource": "arn",
      "Condition": {
        "condition": {
          "key": "value"
        }
      }
    }
  ]
}
There are various elements that make up a statement:
- Effect: The effect can be Allow or Deny. By default, users don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows.
- Action: The action is the specific AWS SMS API action for which you are granting or denying permission.
- Resource: The resource that's affected by the action. For AWS SMS, you must specify "*" as the resource.
- Condition: Conditions are optional. They can be used to control when your policy is in effect.
Example policies
In an IAM policy statement, you can specify any API action from any service that supports IAM. For AWS SMS, use the sms: prefix with the name of the API action, as follows.
  "Action": "sms:UpdateReplicationJob"
To specify multiple actions in a single statement, separate them with commas as follows.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sms:action1", "sms:action2"],
      "Resource": "*"
    }
  ]
}
You can also specify multiple actions using wildcards. For example, you can specify all AWS SMS API actions whose name begins with the word "Get" as follows.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sms:Get*",
      "Resource": "*"
    }
  ]
}
To specify all AWS SMS API actions, use the * wildcard as follows.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sms:*",
      "Resource": "*"
    }
  ]
}
To prevent users from enabling automatic launch after replication, use the following statement. It is not sufficient to omit sms:LaunchApp from the list of allowed actions, because with automatic launch, users do not call LaunchApp directly.
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "sms:LaunchApp",
      "Resource": "*"
    }
  ]
}
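The evaluation rules given under Policy structure (implicit deny by default, an explicit Allow overriding it, an explicit Deny overriding any Allow) and the wildcard and Deny examples above can be checked offline before a policy is attached. The following is an added Python example, not part of this AWS page and not AWS's own authorization code: a small evaluator that applies those rules to policy documents shaped like the ones on this page. It assumes IAM's wildcard semantics for "*" and "?" and case-insensitive action names, models only the StringEquals condition operator, and uses the action names sms:GetReplicationJobs, sms:GetServers and ec2:DescribeInstances purely as illustrative inputs; sms:LaunchApp and sms:UpdateReplicationJob are the actions named on the page.

```python
import re

# Toy evaluator (added example, not AWS's implementation) applying the rules
# stated on the page: implicit deny by default, an explicit Allow overrides
# it, and an explicit Deny overrides any Allow. Patterns use IAM's "*" (any
# run of characters) and "?" (one character) wildcards; action names are
# matched case-insensitively, as IAM does.


def iam_match(pattern, value):
    """True if an IAM pattern such as 'sms:Get*' matches the given string."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def _condition_holds(condition, context):
    # Assumption of this example: only StringEquals is modelled. Any other
    # operator is rejected rather than silently ignored, so a statement is
    # never treated as unconditional by mistake.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource="*", context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(iam_match(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(iam_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # an explicit deny wins outright
            decision = "Allow"     # keep scanning: a later Deny still overrides
    return decision


# Constructed policies mirroring the examples on this page.
ALLOW_ALL_SMS = {"Statement": [{"Effect": "Allow", "Action": "sms:*", "Resource": "*"}]}
ALLOW_GET_ONLY = {"Statement": [{"Effect": "Allow", "Action": "sms:Get*", "Resource": "*"}]}
DENY_LAUNCH = {"Statement": [{"Effect": "Deny", "Action": "sms:LaunchApp", "Resource": "*"}]}


def demo():
    """Decisions for a principal holding sms:* plus the explicit LaunchApp deny."""
    attached = [ALLOW_ALL_SMS, DENY_LAUNCH]
    # Action names below are illustrative inputs for this example.
    return {
        "sms:GetReplicationJobs": evaluate(attached, "sms:GetReplicationJobs"),
        "sms:LaunchApp": evaluate(attached, "sms:LaunchApp"),
        "ec2:DescribeInstances": evaluate(attached, "ec2:DescribeInstances"),
    }


if __name__ == "__main__":
    for action, decision in demo().items():
        print(f"{action:<24} -> {decision}")
```

Running the module shows the three outcomes side by side: a Get call allowed by the sms:* statement, LaunchApp explicitly denied even though sms:* would otherwise allow it, and an action from another service implicitly denied because no statement mentions it. The same function makes it easy to assert, in a test suite, that the LaunchApp Deny statement from this page stays in effect no matter which Allow statements are attached alongside it; for policies headed to a real account, AWS's IAM policy simulator performs the authoritative evaluation, including operators this example does not model.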
Predefined AWS managed policies
The managed policies created by AWS grant the required permissions for common use cases. You can attach these policies to users, based on the access to AWS that they require.