
Amazon managed policies for Amazon Database Migration Service

Amazon managed policy: AWSDMSServerlessServiceRolePolicy

This policy is attached to the AWSServiceRoleForDMSServerless role, which allows Amazon DMS to perform actions on your behalf. For more information, see Service-linked role for Amazon DMS Serverless.

This policy grants contributor permissions that allow Amazon DMS to manage replication resources.

Permissions details

This policy includes the following permissions.

  • dms – Allows principals to interact with Amazon DMS resources.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "id0",
                "Effect": "Allow",
                "Action": [
                    "dms:CreateReplicationInstance",
                    "dms:CreateReplicationTask"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "dms:req-tag/ResourceCreatedBy": "DMSServerless"
                    }
                }
            },
            {
                "Sid": "id1",
                "Effect": "Allow",
                "Action": [
                    "dms:DescribeReplicationInstances",
                    "dms:DescribeReplicationTasks"
                ],
                "Resource": "*"
            },
            {
                "Sid": "id2",
                "Effect": "Allow",
                "Action": [
                    "dms:StartReplicationTask",
                    "dms:StopReplicationTask",
                    "dms:DeleteReplicationTask",
                    "dms:DeleteReplicationInstance"
                ],
                "Resource": [
                    "arn:aws:dms:*:*:rep:*",
                    "arn:aws:dms:*:*:task:*"
                ],
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "aws:ResourceTag/ResourceCreatedBy": "DMSServerless"
                    }
                }
            },
            {
                "Sid": "id3",
                "Effect": "Allow",
                "Action": [
                    "dms:TestConnection",
                    "dms:DeleteConnection"
                ],
                "Resource": [
                    "arn:aws:dms:*:*:rep:*",
                    "arn:aws:dms:*:*:endpoint:*"
                ]
            }
        ]
    }
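To see how the tag conditions scope this policy, the following Python evaluates sample requests against its four statements. It is an added example, not AWS code or part of the original page: it models only Allow statements and the two condition operators used above, and the account ID, Region and resource names in the sample ARNs are constructed.

```python
import fnmatch

# Statements of AWSDMSServerlessServiceRolePolicy as shown on this page
# (every statement has Effect "Allow", so Effect is omitted here).
POLICY = [
    {"Sid": "id0",
     "Action": ["dms:CreateReplicationInstance", "dms:CreateReplicationTask"],
     "Resource": ["*"],
     "Condition": {"StringEquals": {"dms:req-tag/ResourceCreatedBy": "DMSServerless"}}},
    {"Sid": "id1",
     "Action": ["dms:DescribeReplicationInstances", "dms:DescribeReplicationTasks"],
     "Resource": ["*"]},
    {"Sid": "id2",
     "Action": ["dms:StartReplicationTask", "dms:StopReplicationTask",
                "dms:DeleteReplicationTask", "dms:DeleteReplicationInstance"],
     "Resource": ["arn:aws:dms:*:*:rep:*", "arn:aws:dms:*:*:task:*"],
     "Condition": {"StringEqualsIgnoreCase":
                   {"aws:ResourceTag/ResourceCreatedBy": "DMSServerless"}}},
    {"Sid": "id3",
     "Action": ["dms:TestConnection", "dms:DeleteConnection"],
     "Resource": ["arn:aws:dms:*:*:rep:*", "arn:aws:dms:*:*:endpoint:*"]},
]

# Simplified models of the two operators; a missing context key never matches.
OPERATORS = {
    "StringEquals": lambda have, want: have == want,
    "StringEqualsIgnoreCase":
        lambda have, want: have is not None and have.lower() == want.lower(),
}

def matching_sid(action, resource, context):
    """Return the Sid of the first statement allowing the request, else None.

    None means implicit deny under this policy alone. Explicit denies,
    boundaries and other attached policies are outside this model.
    """
    for stmt in POLICY:
        if action not in stmt["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {})
        if all(OPERATORS[op](context.get(key), want)
               for op, block in conditions.items()
               for key, want in block.items()):
            return stmt["Sid"]
    return None

# Constructed sample ARN (account ID and task name are placeholders).
SAMPLE_TASK = "arn:aws:dms:us-east-1:111122223333:task:EXAMPLETASK"
```

A stop request on a task tagged `ResourceCreatedBy=dmsserverless` matches `id2` because that statement compares case-insensitively, while the same lowercase value as a request tag on a create call fails the case-sensitive `StringEquals` in `id0`.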

Amazon managed policy: AmazonDMSCloudWatchLogsRole

This policy is attached to the dms-cloudwatch-logs-role role, which allows Amazon DMS to perform actions on your behalf. For more information, see Using service-linked roles for Amazon DMS.

This policy grants contributor permissions that allow Amazon DMS to publish replication logs to CloudWatch Logs.

Permissions details

This policy includes the following permissions.

  • logs – Allows principals to publish logs to CloudWatch Logs. This permission is required so that Amazon DMS can use CloudWatch to display replication logs.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowDescribeOnAllLogGroups",
                "Effect": "Allow",
                "Action": [
                    "logs:DescribeLogGroups"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Sid": "AllowDescribeOfAllLogStreamsOnDmsTasksLogGroup",
                "Effect": "Allow",
                "Action": [
                    "logs:DescribeLogStreams"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:log-group:dms-tasks-*",
                    "arn:aws:logs:*:*:log-group:dms-serverless-replication-*"
                ]
            },
            {
                "Sid": "AllowCreationOfDmsLogGroups",
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:log-group:dms-tasks-*",
                    "arn:aws:logs:*:*:log-group:dms-serverless-replication-*:log-stream:"
                ]
            },
            {
                "Sid": "AllowCreationOfDmsLogStream",
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogStream"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:log-group:dms-tasks-*:log-stream:dms-task-*",
                    "arn:aws:logs:*:*:log-group:dms-serverless-replication-*:log-stream:dms-serverless-*"
                ]
            },
            {
                "Sid": "AllowUploadOfLogEventsToDmsLogStream",
                "Effect": "Allow",
                "Action": [
                    "logs:PutLogEvents"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:log-group:dms-tasks-*:log-stream:dms-task-*",
                    "arn:aws:logs:*:*:log-group:dms-serverless-replication-*:log-stream:dms-serverless-*"
                ]
            }
        ]
    }

Amazon managed policy: AWSDMSFleetAdvisorServiceRolePolicy

You can't attach AWSDMSFleetAdvisorServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon DMS Fleet Advisor to perform actions on your behalf. For more information, see Using service-linked roles for Amazon DMS.

This policy grants contributor permissions that allow Amazon DMS Fleet Advisor to publish Amazon CloudWatch metrics.

Permissions details

This policy includes the following permissions.

  • cloudwatch – Allows principals to publish metric data points to Amazon CloudWatch. This permission is required so that Amazon DMS Fleet Advisor can use CloudWatch to display charts with database metrics.

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Resource": "*",
            "Action": "cloudwatch:PutMetricData",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AWS/DMS/FleetAdvisor"
                }
            }
        }
    }

Amazon DMS updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon DMS since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon DMS Document history page.

| Change | Description | Date |
|---|---|---|
| AWSDMSServerlessServiceRolePolicy – New policy | Amazon DMS added the AWSDMSServerlessServiceRolePolicy policy to allow Amazon DMS to create and manage services on your behalf, such as publishing Amazon CloudWatch metrics. | May 22, 2023 |
| AmazonDMSCloudWatchLogsRole – Change | Amazon DMS added the ARN for serverless resources to each of the permissions granted, to allow uploading Amazon DMS replication logs from serverless replication configurations to CloudWatch Logs. | May 22, 2023 |
| AWSDMSFleetAdvisorServiceRolePolicy – New policy | Amazon DMS Fleet Advisor added a new policy to allow publishing metric data points to Amazon CloudWatch. | March 6, 2023 |
| Amazon DMS started tracking changes | Amazon DMS started tracking changes for its Amazon managed policies. | March 6, 2023 |