Service-linked roles for Amazon SMS - Amazon Server Migration Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Product update

We recommend Amazon Application Migration Service (Amazon MGN) as the primary migration service for lift-and-shift migrations. If Amazon MGN is unavailable in a specific Amazon Region, you can use the Amazon SMS APIs through March 2023.

Service-linked roles for Amazon SMS

Amazon SMS uses a service-linked role for the permissions that it requires to call other Amazon services on your behalf. For more information, see Using Service-Linked Roles in the IAM User Guide.

Before the introduction of a service-linked role for Amazon SMS, you were required to create two IAM roles to grant Amazon SMS the permissions that it needs. These roles are no longer required to use Amazon SMS. However, they are documented here for completeness. For more information, see Legacy IAM roles for Amazon SMS.

Permissions granted by the service-linked role

Amazon SMS uses the service-linked role named AWSServiceRoleForSMS to enable Amazon SMS to manage your replication jobs.

AWSServiceRoleForSMS trusts the sms.amazonaws.com service principal to assume the role.

The role permissions policy allows Amazon SMS to complete the following actions on the specified resources:

  • Use specific Amazon SMS actions to create and manage replication jobs

  • Use specific Amazon CloudFormation actions to create and manage arn:aws:cloudformation:*:*:stack/sms-app-*/*

  • Use specific Amazon EC2 actions to manage snapshots and images, launch instances, and manage instances that meet the following tag condition: "ec2:ResourceTag/aws:cloudformation:stack-id": "arn:aws:cloudformation:*:*:stack/sms-app-*/*"

  • Use specific Amazon Systems Manager actions to run scripts on your instances

  • Use iam:GetRole on all resources and iam:PassRole on arn:aws:cloudformation:*:*:stack/sms-app-*/*

  • Use specific Amazon S3 actions to create and manage arn:aws:s3:::sms-app-*
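The scoping in the list above is easy to verify mechanically, and worth verifying after the role has been touched by anything other than the service. The script below is an added example written for this page, not AWS tooling: it reads a trust policy and a permissions policy and flags any Allow statement that is wider than the documented scope, such as iam:PassRole on *, an EC2 instance action without the stack-id tag condition, or a non-service principal in the trust policy. The two policy documents embedded in it are constructed samples shaped after the bullets, not the real managed policy, and the function names (check_trust_policy, check_permissions_policy, within) are this example's own.

```python
"""Least-privilege audit of a service-linked role's trust and permissions
policies, shaped after the scoping documented for AWSServiceRoleForSMS.
Example code written for this page, not AWS's own tooling; the two policy
documents at the bottom are CONSTRUCTED samples, not the real managed policy.
"""
import json
import re

SMS_PRINCIPAL = "sms.amazonaws.com"
STACK_ARN = "arn:aws:cloudformation:*:*:stack/sms-app-*/*"
BUCKET_ARN = "arn:aws:s3:::sms-app-*"
TAG_KEY = "ec2:ResourceTag/aws:cloudformation:stack-id"
# EC2 actions on existing instances that the page says are tag-conditioned.
INSTANCE_ACTIONS = {"ec2:StartInstances", "ec2:StopInstances",
                    "ec2:RebootInstances", "ec2:TerminateInstances"}


def _as_list(value):
    """IAM lets Action, Resource and Principal fields be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def within(expected, resource):
    """Heuristic: treat the policy's Resource string (wildcards included) as a
    literal and require the documented pattern to match it. A wider wildcard
    such as '*' lacks the literal 'sms-app-' prefix and therefore fails."""
    rx = re.escape(expected).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, resource) is not None


def _tag_condition(cond):
    """Return the values bound to the stack-id tag key, or None if absent."""
    for op in ("StringLike", "StringEquals", "ArnLike", "ArnEquals"):
        vals = cond.get(op, {}).get(TAG_KEY)
        if vals is not None:
            return _as_list(vals)
    return None


def check_trust_policy(doc):
    """Only the sms.amazonaws.com service principal may assume the role."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if not isinstance(principal, dict) or "AWS" in principal:
            findings.append("trust: non-service principal may assume the role")
            continue
        for svc in _as_list(principal.get("Service")):
            if svc != SMS_PRINCIPAL:
                findings.append(f"trust: unexpected service principal {svc}")
    return findings


def check_permissions_policy(doc):
    """Flag Allow statements wider than the scope the documentation lists."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource"))
        for action in _as_list(st.get("Action")):
            expected = None
            if action.endswith("*"):
                findings.append(f"{action}: wildcard action")
            elif action == "iam:PassRole" or action.startswith("cloudformation:"):
                expected = STACK_ARN
            elif action.startswith("s3:"):
                expected = BUCKET_ARN
            elif action in INSTANCE_ACTIONS:
                tag = _tag_condition(st.get("Condition", {}))
                if tag is None:
                    findings.append(f"{action}: missing {TAG_KEY} condition")
                elif not all(within(STACK_ARN, v) for v in tag):
                    findings.append(f"{action}: tag condition wider than {STACK_ARN}")
            if expected:
                for r in resources:
                    if not within(expected, r):
                        findings.append(f"{action}: resource {r} wider than {expected}")
    return findings


# CONSTRUCTED sample documents shaped after the page's bullet list. Replace
# with the AssumeRolePolicyDocument from `aws iam get-role` and the attached
# policy's current version for a real audit.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": SMS_PRINCIPAL}}],
}
SAMPLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["sms:CreateReplicationJob", "sms:UpdateReplicationJob"]},
        {"Effect": "Allow", "Resource": STACK_ARN,
         "Action": ["cloudformation:CreateStack", "cloudformation:DeleteStack"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateSnapshot", "ec2:RegisterImage", "ec2:RunInstances"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
         "Condition": {"StringLike": {TAG_KEY: STACK_ARN}}},
        {"Effect": "Allow", "Action": "iam:GetRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": STACK_ARN},
        {"Effect": "Allow", "Resource": BUCKET_ARN,
         "Action": ["s3:CreateBucket", "s3:PutObject"]},
    ],
}

if __name__ == "__main__":
    for name, fn, doc in (("trust", check_trust_policy, SAMPLE_TRUST_POLICY),
                          ("permissions", check_permissions_policy, SAMPLE_PERMISSIONS_POLICY)):
        found = fn(doc)
        print(name, "OK" if not found else json.dumps(found, indent=2))
```

To run it against the live role, fetch the trust document with aws iam get-role --role-name AWSServiceRoleForSMS (the AssumeRolePolicyDocument field) and the permissions document with aws iam list-attached-role-policies followed by aws iam get-policy-version, then pass the parsed JSON to the two check functions. The pattern matching in within is deliberately a heuristic: it catches the common widening cases (* or a dropped sms-app- prefix) without trying to reproduce IAM's full policy evaluation.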

Create the service-linked role

You can create this service-linked role manually with the following Amazon CLI create-service-linked-role command.

aws iam create-service-linked-role --aws-service-name sms.amazonaws.com

Edit the service-linked role

You can edit the description of AWSServiceRoleForSMS using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Delete the service-linked role

If you no longer need to use Amazon SMS, we recommend that you delete the AWSServiceRoleForSMS role. The service-linked role can be deleted only under the following conditions:

  • The service-linked role is not being used by an active replication job

  • The service-linked role is not being used by an application that has an associated active replication job

  • The service-linked role is not being used by an application that has an associated Amazon CloudFormation stack

You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

After you delete the AWSServiceRoleForSMS role, Amazon SMS creates the role again if you start a replication job.