Actions, resources, and condition keys for AWS Application Migration Service - Service Authorization Reference

AWS Application Migration Service (service prefix: mgn) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Application Migration Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| BatchCreateVolumeSnapshotGroupForMgn [permission only] | Grants permission to create volume snapshot group | Write | SourceServerResource* | | |
| BatchDeleteSnapshotRequestForMgn [permission only] | Grants permission to batch delete snapshot request | Write | | | |
| ChangeServerLifeCycleState | Grants permission to change source server life cycle state | Write | SourceServerResource* | | |
| CreateLaunchConfigurationTemplate | Grants permission to create launch configuration template | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateReplicationConfigurationTemplate | Grants permission to create replication configuration template | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateVcenterClientForMgn [permission only] | Grants permission to create vcenter client | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteJob | Grants permission to delete job | Write | JobResource* | | |
| DeleteLaunchConfigurationTemplate | Grants permission to delete launch configuration template | Write | LaunchConfigurationTemplateResource* | | |
| DeleteReplicationConfigurationTemplate | Grants permission to delete replication configuration template | Write | ReplicationConfigurationTemplateResource* | | |
| DeleteSourceServer | Grants permission to delete source server | Write | SourceServerResource* | | |
| DeleteVcenterClient | Grants permission to delete vcenter client | Write | VcenterClientResource* | | |
| DescribeJobLogItems | Grants permission to describe job log items | Read | JobResource* | | |
| DescribeJobs | Grants permission to describe jobs | List | | | |
| DescribeLaunchConfigurationTemplates | Grants permission to describe launch configuration template | List | | | |
| DescribeReplicationConfigurationTemplates | Grants permission to describe replication configuration template | List | | | |
| DescribeReplicationServerAssociationsForMgn [permission only] | Grants permission to describe replication server associations | Read | | | |
| DescribeSnapshotRequestsForMgn [permission only] | Grants permission to describe snapshots requests | Read | | | |
| DescribeSourceServers | Grants permission to describe source servers | List | | | |
| DescribeVcenterClients | Grants permission to describe vcenter clients | List | | | |
| DisconnectFromService | Grants permission to disconnect source server from service | Write | SourceServerResource* | | |
| FinalizeCutover | Grants permission to finalize cutover | Write | SourceServerResource* | | |
| GetAgentCommandForMgn [permission only] | Grants permission to get agent command | Read | SourceServerResource* | | |
| GetAgentConfirmedResumeInfoForMgn [permission only] | Grants permission to get agent confirmed resume info | Read | SourceServerResource* | | |
| GetAgentInstallationAssetsForMgn [permission only] | Grants permission to get agent installation assets | Read | | | |
| GetAgentReplicationInfoForMgn [permission only] | Grants permission to get agent replication info | Read | SourceServerResource* | | |
| GetAgentRuntimeConfigurationForMgn [permission only] | Grants permission to get agent runtime configuration | Read | SourceServerResource* | | |
| GetAgentSnapshotCreditsForMgn [permission only] | Grants permission to get agent snapshots credits | Read | SourceServerResource* | | |
| GetChannelCommandsForMgn [permission only] | Grants permission to get channel commands | Read | | | |
| GetLaunchConfiguration | Grants permission to get launch configuration | Read | SourceServerResource* | | |
| GetReplicationConfiguration | Grants permission to get replication configuration | Read | SourceServerResource* | | |
| GetVcenterClientCommandsForMgn [permission only] | Grants permission to get vcenter client commands | Read | VcenterClientResource* | | |
| InitializeService | Grants permission to initialize service | Write | | | iam:AddRoleToInstanceProfile, iam:CreateInstanceProfile, iam:CreateServiceLinkedRole, iam:GetInstanceProfile |
| IssueClientCertificateForMgn | Grants permission to issue a client certificate | Write | SourceServerResource | | |
| ListTagsForResource | Grants permission to list tags for a resource | Read | | | |
| MarkAsArchived | Grants permission to mark source server as archived | Write | SourceServerResource* | | |
| NotifyAgentAuthenticationForMgn [permission only] | Grants permission to notify agent authentication | Write | SourceServerResource* | | |
| NotifyAgentConnectedForMgn [permission only] | Grants permission to notify agent is connected | Write | SourceServerResource* | | |
| NotifyAgentDisconnectedForMgn [permission only] | Grants permission to notify agent is disconnected | Write | SourceServerResource* | | |
| NotifyAgentReplicationProgressForMgn [permission only] | Grants permission to notify agent replication progress | Write | SourceServerResource* | | |
| NotifyVcenterClientStartedForMgn [permission only] | Grants permission to notify vcenter client started | Write | VcenterClientResource* | | |
| RegisterAgentForMgn [permission only] | Grants permission to register agent | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| RetryDataReplication | Grants permission to retry replication | Write | SourceServerResource* | | |
| SendAgentLogsForMgn [permission only] | Grants permission to send agent logs | Write | SourceServerResource* | | |
| SendAgentMetricsForMgn [permission only] | Grants permission to send agent metrics | Write | SourceServerResource* | | |
| SendChannelCommandResultForMgn [permission only] | Grants permission to send channel command result | Write | | | |
| SendClientLogsForMgn [permission only] | Grants permission to send client logs | Write | | | |
| SendClientMetricsForMgn [permission only] | Grants permission to send client metrics | Write | | | |
| SendVcenterClientCommandResultForMgn [permission only] | Grants permission to send vcenter client command result | Write | VcenterClientResource* | | |
| SendVcenterClientLogsForMgn [permission only] | Grants permission to send vcenter client logs | Write | VcenterClientResource* | | |
| SendVcenterClientMetricsForMgn [permission only] | Grants permission to send vcenter client metrics | Write | VcenterClientResource* | | |
| StartCutover | Grants permission to start cutover | Write | SourceServerResource* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:AttachVolume, ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateLaunchTemplate, ec2:CreateLaunchTemplateVersion, ec2:CreateSecurityGroup, ec2:CreateSnapshot, ec2:CreateTags, ec2:CreateVolume, ec2:DeleteLaunchTemplateVersions, ec2:DeleteSnapshot, ec2:DeleteVolume, ec2:DescribeAccountAttributes, ec2:DescribeAvailabilityZones, ec2:DescribeImages, ec2:DescribeInstanceAttribute, ec2:DescribeInstanceStatus, ec2:DescribeInstanceTypes, ec2:DescribeInstances, ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates, ec2:DescribeSecurityGroups, ec2:DescribeSnapshots, ec2:DescribeSubnets, ec2:DescribeVolumes, ec2:DetachVolume, ec2:ModifyInstanceAttribute, ec2:ModifyLaunchTemplate, ec2:ReportInstanceStatus, ec2:RevokeSecurityGroupEgress, ec2:RunInstances, ec2:StartInstances, ec2:StopInstances, ec2:TerminateInstances, iam:PassRole, mgn:ListTagsForResource |
| StartReplication | Grants permission to start replication | Write | SourceServerResource* | | |
| StartTest | Grants permission to start test | Write | SourceServerResource* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:AttachVolume, ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateLaunchTemplate, ec2:CreateLaunchTemplateVersion, ec2:CreateSecurityGroup, ec2:CreateSnapshot, ec2:CreateTags, ec2:CreateVolume, ec2:DeleteLaunchTemplateVersions, ec2:DeleteSnapshot, ec2:DeleteVolume, ec2:DescribeAccountAttributes, ec2:DescribeAvailabilityZones, ec2:DescribeImages, ec2:DescribeInstanceAttribute, ec2:DescribeInstanceStatus, ec2:DescribeInstanceTypes, ec2:DescribeInstances, ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates, ec2:DescribeSecurityGroups, ec2:DescribeSnapshots, ec2:DescribeSubnets, ec2:DescribeVolumes, ec2:DetachVolume, ec2:ModifyInstanceAttribute, ec2:ModifyLaunchTemplate, ec2:ReportInstanceStatus, ec2:RevokeSecurityGroupEgress, ec2:RunInstances, ec2:StartInstances, ec2:StopInstances, ec2:TerminateInstances, iam:PassRole, mgn:ListTagsForResource |
| TagResource | Grants permission to assign a resource tag | Tagging | JobResource, LaunchConfigurationTemplateResource, ReplicationConfigurationTemplateResource, SourceServerResource, VcenterClientResource | aws:RequestTag/${TagKey}, mgn:CreateAction, aws:TagKeys | |
| TerminateTargetInstances | Grants permission to terminate target instances | Write | SourceServerResource* | aws:RequestTag/${TagKey}, aws:TagKeys | ec2:DeleteVolume, ec2:DescribeInstances, ec2:DescribeVolumes, ec2:TerminateInstances |
| UntagResource | Grants permission to untag a resource | Tagging | JobResource, LaunchConfigurationTemplateResource, ReplicationConfigurationTemplateResource, SourceServerResource, VcenterClientResource | aws:TagKeys | |
| UpdateAgentBacklogForMgn [permission only] | Grants permission to update agent backlog | Write | SourceServerResource* | | |
| UpdateAgentConversionInfoForMgn [permission only] | Grants permission to update agent conversion info | Write | SourceServerResource* | | |
| UpdateAgentReplicationInfoForMgn [permission only] | Grants permission to update agent replication info | Write | SourceServerResource* | | |
| UpdateAgentReplicationProcessStateForMgn [permission only] | Grants permission to update agent replication process state | Write | SourceServerResource* | | |
| UpdateAgentSourcePropertiesForMgn [permission only] | Grants permission to update agent source properties | Write | SourceServerResource* | | |
| UpdateLaunchConfiguration | Grants permission to update launch configuration | Write | SourceServerResource* | | |
| UpdateLaunchConfigurationTemplate | Grants permission to update launch configuration | Write | LaunchConfigurationTemplateResource* | | |
| UpdateReplicationConfiguration | Grants permission to update replication configuration | Write | SourceServerResource* | | |
| UpdateReplicationConfigurationTemplate | Grants permission to update replication configuration template | Write | ReplicationConfigurationTemplateResource* | | |
| UpdateSourceServerReplicationType | Grants permission to update source server replication type | Write | SourceServerResource* | | |
| VerifyClientRoleForMgn | Grants permission to verify client role | Read | | | |

Resource types defined by AWS Application Migration Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| JobResource | arn:${Partition}:mgn:${Region}:${Account}:job/${JobID} | aws:ResourceTag/${TagKey} |
| ReplicationConfigurationTemplateResource | arn:${Partition}:mgn:${Region}:${Account}:replication-configuration-template/${ReplicationConfigurationTemplateID} | aws:ResourceTag/${TagKey} |
| LaunchConfigurationTemplateResource | arn:${Partition}:mgn:${Region}:${Account}:launch-configuration-template/${LaunchConfigurationTemplateID} | aws:ResourceTag/${TagKey} |
| VcenterClientResource | arn:${Partition}:mgn:${Region}:${Account}:vcenter-client/${VcenterClientID} | aws:ResourceTag/${TagKey} |
| SourceServerResource | arn:${Partition}:mgn:${Region}:${Account}:source-server/${SourceServerID} | aws:ResourceTag/${TagKey} |

Condition keys for AWS Application Migration Service

AWS Application Migration Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by presence of tag keys in the request | ArrayOfString |
| mgn:CreateAction | Filters access by the name of a resource-creating API action | String |
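
An added example, not part of the AWS reference: a small lint that applies the Resource types column rule from the Actions section to a policy document and flags statements that can never match, such as a Deny on StartCutover scoped to a job ARN, which blocks nothing. The action map is an excerpt of the Actions table; the sample policy, account ID and resource IDs are constructed placeholders.

```python
# Excerpt of this page's Actions table: action -> resource types it accepts.
# An empty set means the Resource types column is empty, so only "*" works.
ACTION_RESOURCES = {
    "mgn:describejobs": set(),
    "mgn:describesourceservers": set(),
    "mgn:deletejob": {"job"},
    "mgn:starttest": {"source-server"},
    "mgn:startcutover": {"source-server"},
}

SAMPLE_POLICY = {  # constructed input; account ID and resource IDs are placeholders
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListScoped", "Effect": "Allow", "Action": "mgn:DescribeJobs",
         "Resource": "arn:aws:mgn:us-east-1:111122223333:job/*"},
        {"Sid": "DenyCutover", "Effect": "Deny", "Action": "mgn:StartCutover",
         "Resource": "arn:aws:mgn:us-east-1:111122223333:job/JOB-ID-PLACEHOLDER"},
        {"Sid": "TestOk", "Effect": "Allow", "Action": ["mgn:StartTest"],
         "Resource": "arn:aws:mgn:us-east-1:111122223333:source-server/ID-PLACEHOLDER"},
    ],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def resource_type(arn):
    """Type segment of arn:Partition:mgn:Region:Account:type/ID, else None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "mgn":
        return None
    return parts[5].split("/", 1)[0]

def lint_policy(policy):
    """Return (sid, action, resource, problem) for each pairing that cannot match."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        for action in as_list(stmt.get("Action", [])):
            allowed = ACTION_RESOURCES.get(action.lower())
            if allowed is None:
                continue  # wildcard or action outside the excerpt: not judged here
            for res in as_list(stmt.get("Resource", [])):
                rtype = resource_type(res)
                if res == "*" or (allowed and rtype and "*" in rtype):
                    continue  # all resources, or a wildcard type we cannot judge
                if not allowed:
                    findings.append((stmt.get("Sid"), action, res, 'use "*"'))
                elif rtype not in allowed:
                    findings.append((stmt.get("Sid"), action, res, "wrong type"))
    return findings
```

Calling `lint_policy(SAMPLE_POLICY)` reports the `ListScoped` and `DenyCutover` statements and leaves `TestOk` alone.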