AWS managed policy: AWSApplicationMigrationEC2Access
You can attach the AWSApplicationMigrationEC2Access policy to your IAM
identities.
This policy allows Amazon EC2 operations required to use AWS Application Migration Service (AWS MGN) to launch the migrated servers as EC2 instances. Attach this policy to your users or roles. This policy is only intended to be used for the MGN console.
Permissions details
This policy includes the following permissions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AWSApplicationMigrationConversionServerRole" ], "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "ec2:DeleteSnapshot" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:DescribeSnapshots", "ec2:DescribeImages", "ec2:DescribeVolumes" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "mgn.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplateVersions" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "Null": { "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplate" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "Null": { "aws:RequestTag/AWSApplicationMigrationServiceManaged": "false" }, "ForAnyValue:StringEquals": { "aws:CalledVia": [ "mgn.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ec2:DeleteLaunchTemplate" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "Null": { "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" }, "ForAnyValue:StringEquals": { "aws:CalledVia": [ "mgn.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ec2:DeleteVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:RevokeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "Null": { "aws:ResourceTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "aws:RequestTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:*:vpc/*" }, { "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "Null": { "aws:RequestTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateSnapshot" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "ec2:ResourceTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateSnapshot" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:RequestTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:DetachVolume", "ec2:AttachVolume" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "ec2:ResourceTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:AttachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Null": { "ec2:ResourceTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "aws:RequestTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:image/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:launch-template/*" ], "Condition": { "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*", "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:launch-template/*" ], "Condition": { "StringEquals": { "ec2:CreateAction": [ "CreateSecurityGroup", "CreateVolume", "CreateSnapshot", "RunInstances", "CreateLaunchTemplate" ] }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:ModifyVolume" ], "Resource": [ "arn:aws:ec2:*:*:volume/*" ], "Condition": { "Null": { "ec2:ResourceTag/AWSApplicationMigrationServiceManaged": "false" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Effect": "Allow", "Action": "ssm:ListCommands", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "ssm.amazonaws.com" } } } ] }
