

# Using the console to bulk migrate your policies
<a name="migrate-granularaccess-console"></a>

**Note**  
The following AWS Identity and Access Management (IAM) actions reached the end of standard support in July 2023:  
every action in the `aws-portal` namespace
`purchase-orders:ViewPurchaseOrders`
`purchase-orders:ModifyPurchaseOrders`
If you use AWS Organizations, you can update the policies in your organization from the management (payer) account with either the [bulk policy migrator scripts](migrate-iam-permissions.md) or the Bulk Policy Migrator in the console. You can also use the [old to granular action mapping reference](migrate-granularaccess-iam-mapping-reference.md) to verify which IAM actions need to be added.  
If your AWS account, or the AWS Organizations organization it belongs to, was created on or after March 6, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect and no migration is required.

This section covers how you can use the [AWS Billing and Cost Management console](https://console.aws.amazon.com/billing/) to migrate your legacy policies, in your AWS Organizations accounts or in a standard account, to the fine-grained actions in bulk. You can complete the migration using the console in two ways:

**Using the AWS recommended migration process**  
This is a streamlined, single-action process in which you migrate legacy actions to the fine-grained actions as mapped by AWS. For more information, see [Using recommended actions to bulk migrate legacy policies](migrate-console-streamlined.md).

**Using the customized migration process**  
This process lets you review and change the actions recommended by AWS before the bulk migration, and choose which accounts in your organization are migrated. For more information, see [Customizing actions to bulk migrate legacy policies](migrate-console-customized.md).

## Prerequisites for bulk migrating using the console
<a name="migrate-granularaccess-console-prereq"></a>

Both migration options require you to consent in the console so that AWS can map fine-grained actions to the legacy IAM actions you have assigned. To do this, sign in to your AWS account as an [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) that is allowed the following IAM actions. Note that this permission set is broad: in the management account it includes updating service control policies (`organizations:UpdatePolicy`) and IAM Identity Center permission sets (`sso:PutInlinePolicyToPermissionSet`), and reaching into member accounts through `sts:AssumeRole` and CloudFormation StackSets. Grant it to a dedicated principal used only for the migration rather than adding it to an everyday role.

------
#### [ Management account ]

```
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced",
"aws-portal:UpdateConsoleActionSetEnforced",
"purchase-orders:UpdateConsoleActionSetEnforced",
"iam:GetAccountAuthorizationDetails",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"lambda:GetFunction",
"lambda:DeleteFunction",
"lambda:CreateFunction",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"scheduler:GetSchedule", 
"scheduler:DeleteSchedule",
"scheduler:CreateSchedule",
"cloudformation:ActivateOrganizationsAccess",
"cloudformation:CreateStackSet",
"cloudformation:CreateStackInstances",
"cloudformation:DescribeStackSet",
"cloudformation:DescribeStackSetOperation",
"cloudformation:ListStackSets",
"cloudformation:DeleteStackSet",
"cloudformation:DeleteStackInstances",
"cloudformation:ListStacks",
"cloudformation:ListStackInstances",
"cloudformation:ListStackSetOperations",
"cloudformation:CreateStack",
"cloudformation:UpdateStackInstances",
"cloudformation:UpdateStackSet",
"cloudformation:DescribeStacks",
"ec2:DescribeRegions",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"iam:GenerateOrganizationsAccessReport",
"iam:GetOrganizationsAccessReport",
"organizations:ListAccounts",
"organizations:ListPolicies",
"organizations:DescribePolicy",
"organizations:UpdatePolicy",
"organizations:DescribeOrganization",
"organizations:ListAccountsForParent",
"organizations:ListRoots",
"sts:AssumeRole",
"sso:ListInstances",
"sso:ListPermissionSets",
"sso:GetInlinePolicyForPermissionSet",
"sso:DescribePermissionSet",
"sso:PutInlinePolicyToPermissionSet",
"sso:ProvisionPermissionSet",
"sso:DescribePermissionSetProvisioningStatus",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
```

------
#### [ Member account or standard account ]

```
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced", // Not needed for member account
"aws-portal:UpdateConsoleActionSetEnforced", // Not needed for member account
"purchase-orders:UpdateConsoleActionSetEnforced", // Not needed for member account
"iam:GetAccountAuthorizationDetails",
"ec2:DescribeRegions",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl", 
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRolePolicy",
"iam:GetRole",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
```

------

**Topics**
+ [Prerequisites for bulk migrating using the console](#migrate-granularaccess-console-prereq)
+ [Using recommended actions to bulk migrate legacy policies](migrate-console-streamlined.md)
+ [Customizing actions to bulk migrate legacy policies](migrate-console-customized.md)
+ [Rolling back your bulk migration policy changes](migrate-console-rollback.md)
+ [Confirming your migration](#migrate-console-complete)

# Using recommended actions to bulk migrate legacy policies
<a name="migrate-console-streamlined"></a>

You can migrate all of your legacy policies by using the fine-grained actions mapped by AWS. For AWS Organizations, this applies to all legacy policies across all accounts. Once the migration completes, the fine-grained actions are in effect. You can also test the bulk migration on a few test accounts before migrating your entire organization. For more information, see the following section.

**To migrate all of your policies using fine-grained actions mapped by AWS**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).

1. In the search bar at the top of the page, enter **Bulk Policy Migrator**.

1. On the **Manage new IAM actions** page, choose **Confirm and migrate**.

1. Remain on the **Migration in progress** page until the migration is complete. See the status bar for progress.

1. Once the **Migration in progress** section updates to **Migration successful**, you are redirected to the **Manage new IAM actions** page.

## Testing your bulk migration
<a name="migrate-console-streamlined-test"></a>

You can test the bulk migration from legacy policies to the AWS recommended fine-grained actions on test accounts before migrating your entire organization. Once the migration completes on your test accounts, the fine-grained actions are in effect in those accounts only.

**To use your test accounts for bulk migration**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).

1. In the search bar at the top of the page, enter **Bulk Policy Migrator**.

1. On the **Manage new IAM actions** page, choose **Customize**.

1. Once the accounts and policies load in the **Migrate accounts** table, select one or more test accounts from the list of AWS accounts.

1. (Optional) To change the mapping between your legacy policy and AWS recommended fine-grained actions, choose **View default mapping**. Change the mapping, and choose **Save**.

1. Choose **Confirm and migrate**.

1. Remain on the console page until migration is complete.

# Customizing actions to bulk migrate legacy policies
<a name="migrate-console-customized"></a>

You can customize your bulk migration instead of applying the AWS recommended actions to all of your accounts at once. You can review the changes the migration will make to your legacy policies before migrating, choose which accounts in your organization to migrate in each run, and change the scope of access by editing the mapped fine-grained actions.

**To review your affected policies before bulk migrating**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).

1. In the search bar at the top of the page, enter **Bulk Policy Migrator**.

1. On the **Manage new IAM actions** page, choose **Customize**.

1. Once the accounts and policies load in the **Migrate accounts** table, choose the number in the **Number of affected IAM policies** column to see the affected policies. The list also shows when each policy was last used to access the Billing and Cost Management console, which helps you decide which policies can be tightened or removed rather than migrated.

1. Choose a policy name to open it in the IAM console to view definitions and manually update the policy.
**Notes**  
Doing this might log you out of your current account if the policy is from another member account.
You won't be redirected to the corresponding IAM page if your current account has a bulk migration in progress.

1. (Optional) Choose **View default mapping** to see which fine-grained actions AWS maps to each legacy action in your policies.
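The review above happens in the console. The following Python script is an added example (not part of this page or of the Bulk Policy Migrator) that performs the same check offline against exported IAM policy or SCP documents, which is also a convenient way to double-check the **Confirming your migration** step. It uses only the legacy actions named in the note at the top of this page, expands the wildcard forms a policy may use (`aws-portal:*`, `aws-portal:View*`), and calls out Deny statements that reference legacy actions, because their effect changes once the fine-grained actions are in effect. The policy documents embedded in it are constructed samples, not taken from any real account.

```python
"""Offline check for legacy Billing actions in IAM policy and SCP documents.

Added example, not part of the bulk policy migrator. Flags every statement
that still references the legacy aws-portal namespace or the retired
purchase-orders:ViewPurchaseOrders / ModifyPurchaseOrders actions.
"""
import fnmatch
from typing import Dict, List

LEGACY_NAMESPACE = "aws-portal"
LEGACY_ACTIONS = {  # lower case: IAM matches action names case-insensitively
    "purchase-orders:viewpurchaseorders",
    "purchase-orders:modifypurchaseorders",
}


def _as_list(value) -> list:
    """Action, NotAction and Statement may each be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def is_legacy_pattern(action: str) -> bool:
    """True if an Action/NotAction entry (wildcards allowed) references a
    legacy action. A bare "*" (or "*:*") is skipped: it already grants the
    fine-grained actions, so there is nothing to rewrite."""
    pattern = action.strip().lower()
    if pattern in ("*", "*:*"):
        return False
    service = pattern.partition(":")[0]
    if fnmatch.fnmatchcase(LEGACY_NAMESPACE, service):
        return True  # any aws-portal action, including aws-portal:View*
    return any(fnmatch.fnmatchcase(legacy, pattern) for legacy in LEGACY_ACTIONS)


def find_legacy_references(policy: dict) -> List[dict]:
    """One finding per statement whose Action or NotAction names a legacy action."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        for field in ("Action", "NotAction"):
            hits = [a for a in _as_list(statement.get(field)) if is_legacy_pattern(a)]
            if hits:
                findings.append({
                    "sid": statement.get("Sid", f"Statement[{index}]"),
                    "effect": statement.get("Effect", ""),
                    "field": field,
                    "legacy": hits,
                })
    return findings


def affected_policies(policies: Dict[str, dict]) -> Dict[str, List[dict]]:
    """Policy name -> findings, affected policies only; the offline counterpart
    of the console's 'Number of affected IAM policies' column."""
    result = {}
    for name, document in policies.items():
        findings = find_legacy_references(document)
        if findings:
            result[name] = findings
    return result


def report(policies: Dict[str, dict]) -> List[str]:
    """Human-readable lines; Deny statements get an extra warning because a
    Deny (or Deny/NotAction) built on legacy actions no longer behaves the
    same once the fine-grained actions are in effect."""
    lines = []
    for name, findings in affected_policies(policies).items():
        for f in findings:
            lines.append(f"{name}: {f['sid']} {f['effect']} {f['field']} -> "
                         + ", ".join(f["legacy"]))
            if f["effect"] == "Deny":
                lines.append(f"  WARNING: {f['sid']} is a Deny that references legacy "
                             "actions; add the fine-grained equivalents or the guardrail "
                             "silently changes meaning after migration")
    return lines


# Constructed sample documents for the demo, not taken from any real account.
SAMPLE_POLICIES = {
    "FinanceReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Sid": "LegacyBillingRead", "Effect": "Allow", "Resource": "*",
         "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage",
                    "purchase-orders:ViewPurchaseOrders"]},
        {"Sid": "CostExplorer", "Effect": "Allow", "Resource": "*",
         "Action": "ce:GetCostAndUsage"}]},
    "DenyBillingChanges": {"Version": "2012-10-17", "Statement":  # SCP-style guardrail
        {"Sid": "BlockBillingEdits", "Effect": "Deny", "Resource": "*",
         "Action": ["aws-portal:Modify*"]}},
    "AlreadyMigrated": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ce:GetConsoleActionSetEnforced",
                    "purchase-orders:GetConsoleActionSetEnforced"]}]},
}

if __name__ == "__main__":
    for line in report(SAMPLE_POLICIES):
        print(line)
```

Feed it the output of `aws iam get-account-authorization-details` (the same `iam:GetAccountAuthorizationDetails` call the console prerequisites list) or `aws organizations describe-policy` for SCPs; both return policy documents in the `Statement` shape the functions above expect. An empty result from `affected_policies` after migration is the offline equivalent of the **Migrate accounts** table showing no remaining accounts.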

**To migrate a selected group of accounts from your organization**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).

1. In the search bar at the top of the page, enter **Bulk Policy Migrator**.

1. On the **Manage new IAM actions** page, choose **Customize**.

1. Once the accounts and policies load in the **Migrate accounts** table, select one or more accounts to migrate.

1. Choose **Confirm and migrate**.

1. Remain on the console page until migration is complete.

**To change the access range by updating the mapped fine-grained actions**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).

1. In the search bar at the top of the page, enter **Bulk Policy Migrator**.

1. On the **Manage new IAM actions** page, choose **Customize**.

1. Choose **View default mapping**.

1. Choose **Edit**.

1. Add or remove IAM actions for the Billing and Cost Management services you want to control access to. For more information about the fine-grained actions and the access they control, see [Mapping fine-grained IAM actions reference](migrate-granularaccess-iam-mapping-reference.md).

1. Choose **Save changes**.

The updated mapping is used for all future migrations started from the account you're signed in to. You can change it again at any time.

# Rolling back your bulk migration policy changes
<a name="migrate-console-rollback"></a>

You can safely roll back all policy changes made during the bulk migration process by using the steps provided in the bulk migration tool. Rollback works at the account level: you can roll back policy updates for all accounts or for specific groups of migrated accounts, but you can't roll back changes to individual policies within an account.

**To roll back bulk migration changes**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).

1. In the search bar at the top of the page, enter **Bulk Policy Migrator**.

1. On the **Manage new IAM actions** page, choose the **Rollback changes** tab.

1. Select the accounts to roll back. The accounts must show `Migrated` in the **Rollback status** column.

1. Choose **Rollback changes**.

1. Remain on the console page until rollback is complete.

## Confirming your migration
<a name="migrate-console-complete"></a>

You can see if there are any AWS Organizations accounts that still need to migrate by using the migration tool.

**To confirm if all accounts migrated**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).

1. In the search bar at the top of the page, enter **Bulk Policy Migrator**.

1. On the **Manage new IAM actions** page, choose the **Migrate accounts** tab.

All accounts have migrated successfully if the table doesn't show any remaining accounts.