Creating required IAM resources for homogeneous data migrations in Amazon DMS
To run homogeneous data migrations, you must create an IAM policy and an IAM role in your account to interact with other Amazon services. In this section, you create these required IAM resources.
Topics
Creating an IAM policy for homogeneous data migrations in Amazon DMS
To access your databases and to migrate data, Amazon DMS creates a serverless environment for homogeneous data migrations. In this environment, Amazon DMS requires access to VPC peering, route tables, security groups, and other Amazon resources. Also, Amazon DMS stores logs, metrics, and progress for each data migration in Amazon CloudWatch. To create a data migration project, Amazon DMS needs access to these services.
In this step, you create an IAM policy that provides Amazon DMS with access to Amazon EC2 and CloudWatch resources. Next, create an IAM role and attach this policy.
To create an IAM policy for homogeneous data migrations in Amazon DMS
Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/
. In the navigation pane, choose Policies.
Choose Create policy.
In the Create policy page, choose the JSON tab.
Paste the following JSON into the editor.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribePrefixLists", "logs:DescribeLogGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicequotas:GetServiceQuota" ], "Resource": "arn:aws:servicequotas:*:*:vpc/L-0EA8095F" }, { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DescribeLogStreams" ], "Resource": "arn:aws:logs:*:*:log-group:dms-data-migration-*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:dms-data-migration-*:log-stream:dms-data-migration-*" }, { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateRoute", "ec2:DeleteRoute" ], "Resource": "arn:aws:ec2:*:*:route-table/*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:security-group-rule/*", "arn:aws:ec2:*:*:route-table/*", "arn:aws:ec2:*:*:vpc-peering-connection/*", "arn:aws:ec2:*:*:vpc/*" ] }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress" ], "Resource": "arn:aws:ec2:*:*:security-group-rule/*" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "arn:aws:ec2:*:*:security-group/*" }, { "Effect": "Allow", "Action": [ "ec2:AcceptVpcPeeringConnection", "ec2:ModifyVpcPeeringConnectionOptions" ], "Resource": "arn:aws:ec2:*:*:vpc-peering-connection/*" }, { "Effect": "Allow", "Action": "ec2:AcceptVpcPeeringConnection", "Resource": "arn:aws:ec2:*:*:vpc/*" } ] }
Choose Next: Tags and Next: Review.
Enter
HomogeneousDataMigrationsPolicy
for Name*, and choose Create policy.
Creating an IAM role for homogeneous data migrations in Amazon DMS
In this step, you create an IAM role that provides Amazon DMS with access to Amazon Secrets Manager, Amazon EC2, and CloudWatch.
To create an IAM role for homogeneous data migrations in Amazon DMS
Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/
. In the navigation pane, choose Roles.
Choose Create role.
On the Select trusted entity page, for Trusted entity type, choose Amazon Service. For Use cases for other Amazon services, choose DMS.
Select the DMS check box and choose Next.
On the Add permissions page, choose HomogeneousDataMigrationsPolicy that you created before. Also, choose SecretsManagerReadWrite. Choose Next.
On the Name, review, and create page, enter
HomogeneousDataMigrationsRole
for Role name, and choose Create role.On the Roles page, enter
HomogeneousDataMigrationsRole
for Role name. Choose HomogeneousDataMigrationsRole.On the HomogeneousDataMigrationsRole page, choose the Trust relationships tab. Choose Edit trust policy.
On the Edit trust policy page, paste the following JSON into the editor, replacing the existing text.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "dms-data-migrations.amazonaws.com", "dms.
your_region
.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }In the preceding example, replace
your_region
with the name of your Amazon Web Services Region.The preceding resource-based policy provides Amazon DMS service principals with permissions to perform tasks according to the Amazon managed SecretsManagerReadWrite and customer managed HomogeneousDataMigrationsPolicy policies.
Choose Update policy.