Legacy IAM roles for Amazon SMS - Amazon Server Migration Service

Product update

We recommend Amazon Application Migration Service (Amazon MGN) as the primary migration service for lift-and-shift migrations. If Amazon MGN is unavailable in a specific Amazon Region, you can use the Amazon SMS APIs through March 2023.

Legacy IAM roles for Amazon SMS

Before the introduction of AWSServiceRoleForSMS, you had to create a service role and a launch role to grant Amazon SMS the permissions that it needs. You no longer need to create these roles.

Configure a service role for Amazon SMS

Use the following procedure to create an IAM role that grants permissions to Amazon SMS to place migrated resources into your Amazon EC2 account.

To create the IAM role for Amazon SMS

  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles, Create role.

  3. Under Choose the service that will use this role, choose SMS, Next: Permissions.

  4. Under Attached permissions policies, confirm that the policy ServerMigrationServiceRole is visible and choose Next: Review.

  5. Under Review, for Role name, enter sms.

    Note

    Alternatively, you can apply a different name. However, you must then specify the role name explicitly each time that you create a replication job or an application.

  6. Choose Create role. You should now see the sms role in the list of available roles.

  7. For additional security controls, you can add context keys such as aws:SourceAccount and aws:SourceArn to the trust policy for the newly created role. Amazon SMS publishes the sourceAccount and sourceArn keys, as specified in the following example, to assume this role.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": {
          "Service": "sms.amazonaws.com"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "aws:SourceAccount": "<YOUR_AWS_ACCOUNT_ID>"
          },
          "ArnLike": {
            "aws:SourceArn": "arn:aws:sms:*:<YOUR_AWS_ACCOUNT_ID>:*"
          }
        }
      }
    }
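To confirm that a role's trust policy actually carries the conditions from step 7, the following added example (not part of the AWS documentation) audits a trust policy document offline. The function name `audit_trust_policy`, the sample policies, and the account ID `111122223333` are assumptions made for illustration.

```python
ACCOUNT = "111122223333"  # constructed placeholder account ID
SMS_PRINCIPAL = "sms.amazonaws.com"

def as_list(value):
    """IAM accepts either a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id):
    """Return findings for each statement that lets Amazon SMS assume the role."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow" or SMS_PRINCIPAL not in services
                or "sts:AssumeRole" not in as_list(stmt.get("Action", []))):
            continue
        # Condition key names are case-insensitive: flatten to key -> (operator, values).
        flat = {key.lower(): (op, as_list(val))
                for op, block in stmt.get("Condition", {}).items()
                for key, val in block.items()}
        op, values = flat.get("aws:sourceaccount", (None, []))
        if op != "StringEquals" or values != [account_id]:
            findings.append("aws:SourceAccount is not pinned to " + account_id)
        op, values = flat.get("aws:sourcearn", (None, []))
        if op not in ("ArnLike", "ArnEquals", "StringLike", "StringEquals") or not values:
            findings.append("aws:SourceArn condition is missing")
        for pattern in values:
            # ARN layout: arn:partition:service:region:account:resource
            parts = pattern.split(":")
            if len(parts) < 6 or parts[2] != "sms" or parts[4] != account_id:
                findings.append("aws:SourceArn allows " + pattern)
    return findings

# Constructed sample: trust policy with no Condition block.
UNSCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": SMS_PRINCIPAL},
    "Action": "sts:AssumeRole"}}

# Constructed sample: the policy from step 7 with the placeholder filled in.
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": SMS_PRINCIPAL},
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringEquals": {"aws:SourceAccount": ACCOUNT},
        "ArnLike": {"aws:SourceArn": "arn:aws:sms:*:" + ACCOUNT + ":*"}}}}

if __name__ == "__main__":
    for name, doc in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(name, audit_trust_policy(doc, ACCOUNT) or "OK")
```

The same function can be run over the AssumeRolePolicyDocument of each role that trusts sms.amazonaws.com to list the ones that still lack the conditions.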

Configure a launch role for Amazon SMS

If you plan to launch applications, you need an Amazon SMS launch role. You assign this role using the PutAppLaunchConfiguration API. When the LaunchApp API is called, the role is used by Amazon CloudFormation.

To create a launch role for Amazon SMS

  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles, Create role.

  3. Under Choose the service that will use this role, choose CloudFormation, Next: Permissions.

  4. Under Attached permissions policies, confirm that the policy ServerMigrationServiceLaunchRole is visible and choose Next: Review.

  5. Under Review, for Role name, enter sms-launch.

    Note

    Alternatively, you can apply a different name. However, you must then specify the role name explicitly each time that you create a launch configuration for an application.

  6. Choose Create role. You should now see the sms-launch role in the list of available roles.