Identity and access management for Amazon Server Migration Service

Product update

We recommend Amazon Application Migration Service (Amazon MGN) as the primary migration service for lift-and-shift migrations. If Amazon MGN is unavailable in a specific Amazon Region, you can use the Amazon SMS APIs through March 2023.

Amazon Identity and Access Management (IAM) is an Amazon service that helps an administrator securely control access to Amazon resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon resources. IAM enables you to create users and groups under your Amazon account. You control the permissions that users have to perform tasks using Amazon resources. You can use IAM for no additional charge.

By default, IAM users don't have permissions for Amazon Server Migration Service (Amazon SMS) resources and operations. To allow IAM users to manage Amazon SMS resources, you must create an IAM policy that explicitly grants them permissions, and attach the policy to the IAM users or groups that require those permissions.

When you attach a policy to a user or group of users, it allows or denies the users permission to perform the specified tasks on the specified resources. For more information, see Policies and Permissions in the IAM User Guide.

Policy structure

An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows.

{
    "Statement": [
        {
            "Effect": "effect",
            "Action": "action",
            "Resource": "arn",
            "Condition": {
                "condition": {
                    "key": "value"
                }
            }
        }
    ]
}

There are various elements that make up a statement:

  • Effect: The effect can be Allow or Deny. By default, IAM users don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows.

  • Action: The action is the specific Amazon SMS API action for which you are granting or denying permission.

  • Resource: The resource that's affected by the action. For Amazon SMS, you must specify "*" as the resource.

  • Condition: Conditions are optional. They can be used to control when your policy is in effect.

Example policies

In an IAM policy statement, you can specify any API action from any service that supports IAM. For Amazon SMS, prefix the name of the API action with sms:, as follows.

"Action": "sms:UpdateReplicationJob"

To specify multiple actions in a single statement, separate them with commas as follows.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sms:action1", "sms:action2"],
            "Resource": "*"
        }
    ]
}

You can also specify multiple actions using wildcards. For example, you can specify all Amazon SMS API actions whose name begins with the word "Get" as follows.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sms:Get*",
            "Resource": "*"
        }
    ]
}

To specify all Amazon SMS API actions, use the * wildcard as follows.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sms:*",
            "Resource": "*"
        }
    ]
}

To prevent users from enabling automatic launch after replication, use the following statement. It is not sufficient to omit sms:LaunchApp from the list of allowed actions, because with automatic launch, users do not call LaunchApp directly.

{
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "sms:LaunchApp",
            "Resource": "*"
        }
    ]
}
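As an added example (not AWS code and not part of this documentation), the following Python models the evaluation rules described above: default deny, an explicit Deny overriding any Allow, wildcard action matching, and the Amazon SMS requirement that Resource be "*". The three policies are the ones shown on this page; BAD_RESOURCE is a constructed counterexample for the lint check, and the evaluator ignores Condition, Principal and any other policy types.

```python
import fnmatch

# Added example, not AWS code: a simplified evaluator for the identity policies shown
# on this page. It models only Effect, Action and Resource (no Condition, Principal,
# SCPs, permission boundaries or resource-based policies).

def as_list(value):
    """IAM lets Action and Resource be a single string or a list."""
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    """IAM action matching: * and ? wildcards, case-insensitive names."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policies, action, resource="*"):
    """Default deny; an explicit Deny wins over any Allow; otherwise any matching Allow permits."""
    allowed = False
    for policy in policies:
        for stmt in as_list(policy["Statement"]):
            if not any(action_matches(p, action) for p in as_list(stmt.get("Action", []))):
                continue
            # Resource ARNs are case-sensitive, so match them as-is.
            if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny overrides every allow
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed

def lint_sms_statements(policy):
    """Amazon SMS requires Resource "*"; report statements that set anything else."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        actions = as_list(stmt.get("Action", []))
        if any(a.lower().startswith("sms:") for a in actions) and as_list(stmt.get("Resource")) != ["*"]:
            findings.append(f'statement {i}: Amazon SMS actions require Resource "*"')
    return findings

# The three policies from this page, plus one constructed counterexample for the lint.
GET_ONLY = {"Statement": [{"Effect": "Allow", "Action": "sms:Get*", "Resource": "*"}]}
FULL_SMS = {"Statement": [{"Effect": "Allow", "Action": "sms:*", "Resource": "*"}]}
NO_AUTOLAUNCH = {"Statement": [{"Effect": "Deny", "Action": "sms:LaunchApp", "Resource": "*"}]}
BAD_RESOURCE = {"Statement": [{"Effect": "Allow", "Action": "sms:Get*", "Resource": "constructed-non-wildcard"}]}

if __name__ == "__main__":
    print(is_allowed([GET_ONLY], "sms:GetReplicationJobs"))        # True
    print(is_allowed([FULL_SMS, NO_AUTOLAUNCH], "sms:LaunchApp"))  # False: Deny overrides Allow
    print(lint_sms_statements(BAD_RESOURCE))
```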

Predefined Amazon managed policies

The managed policies created by Amazon grant the required permissions for common use cases. You can attach these policies to your IAM users, based on the access to Amazon that they require.