AWS Migration Hub is no longer open to new customers as of November 7, 2025. For capabilities similar to AWS Migration Hub, explore [AWS Transform](https://aws.amazon.com/transform).
# AWS Migration Hub Automation
**Note**
The AWS Migration Hub Automation feature is in preview release. It is available in US East (N. Virginia). To use this feature, you must set your AWS Region to US East (N. Virginia). You must also set the AWS Migration Hub home Region to US East (N. Virginia). For instructions on how to set the AWS Migration Hub home Region, see [Managing your AWS Migration Hub home Region](home-region.md).
This is pre-release documentation. Both the AWS Migration Hub Automation feature and the documentation are subject to change.
AWS Migration Hub makes it possible to automate migration tasks. The core concept in this feature is the automation unit, which is a discrete set of actions that run automatically when you run the unit. Migration Hub provides a set of automation units, which are referred to as managed automation units. In addition to those managed units, you can create your own custom automation units. The topics in this section describe each of the managed automation units, as well as how to create custom units, and how to run any kind of automation unit.
**Topics**
+ [
# Managed AWS Migration Hub automation units
](mha-managed-units.md)
+ [
# Custom AWS Migration Hub automation units
](mha-custom-units.md)
+ [
# Automation runs in AWS Migration Hub
](mha-runs.md)
+ [
# IAM roles and permissions for AWS Migration Hub automation units
](mha-iam-roles.md)
+ [
# Associating an IAM role with an AWS Migration Hub automation unit
](associate-role-with-unit.md)
# Managed AWS Migration Hub automation units
**Note**
The AWS Migration Hub Automation feature is in preview release. It is available in US East (N. Virginia). To use this feature, you must set your AWS Region to US East (N. Virginia). You must also set the AWS Migration Hub home Region to US East (N. Virginia). For instructions on how to set the AWS Migration Hub home Region, see [Managing your AWS Migration Hub home Region](home-region.md).
This is pre-release documentation. Both the AWS Migration Hub Automation feature and the documentation are subject to change.
This topic describes the automation units that AWS Migration Hub provides. These units are referred to as managed automation units. This topic also describes the prerequisites for running a managed automation unit.
## Prerequisites for running managed automation units
+ Ensure that you have created an IAM role that has the trust policy that Migration Hub needs to be able to run the unit and the permissions policy that the unit needs. For information about the required trust policy and permissions policy, see [IAM roles and permissions for AWS Migration Hub automation units](mha-iam-roles.md). After you create the required role, associate it with the automation unit. For instructions, see [Associating an IAM role with an AWS Migration Hub automation unit](associate-role-with-unit.md).
+ The following automation units all use AWS Application Migration Service. Ensure that AWS Application Migration Service is initialized in the AWS Region where you plan to run one or more of these units. For instructions, see [Initializing Application Migration Service with the console](https://docs.aws.amazon.com/mgn/latest/ug/mgn-initialize-console.html) or [Initializing AWS Application Migration Service with the API](https://docs.aws.amazon.com/mgn/latest/ug/mgn-initialize-api.html).
+ Import your inventory into AWS Application Migration Service. For instructions, see [Importing your data inventory](https://docs.aws.amazon.com/mgn/latest/ug/import-main.html).
**Topics**
+ [
## Prerequisites for running managed automation units
](#managed-units-prereqs)
+ [
## AWS-MGN-InstallReplicationAgent
](#mha-AWS-MGN-InstallReplicationAgent)
+ [
## AWS-MGN-VerifyReplicationHealth
](#mha-AWS-MGN-VerifyReplicationHealth)
+ [
## AWS-MGN-LaunchTestInstances
](#mha-AWS-MGN-LaunchTestInstances.xml)
+ [
## AWS-MGN-MarkReadyForCutover
](#mha-AWS-MGN-MarkReadyForCutover)
+ [
## AWS-MGN-TerminateTargetInstances
](#mha-AWS-TerminateTargetInstances)
+ [
## AWS-MGN-LaunchCutoverInstances
](#mha-AWS-MGN-LaunchCutoverInstances)
+ [
## AWS-MGN-FinalizeCutover
](#mha-AWS-MGN-FinalizeCutover)
+ [
## AWS-MGN-ArchiveSourceServers
](#mha-AWS-MGN-ArchiveSourceServers)
## AWS-MGN-InstallReplicationAgent
This automation unit uses the MGN connector to install AWS Replication Agent on source servers. The unit performs the following actions:
1. It registers source servers with the MGN connector.
1. It registers credentials with source servers.
1. It verifies required IAM roles exist in the account.
1. It verifies the prerequisites that are required to install the AWS Replication Agent on the source servers.
1. It installs the AWS Replication Agent agent on the source servers.
**Prerequisites:**
1. Ensure that your source servers meet the requirements for installing the AWS Replication Agent. For details, see [ Installation requirements ](https://docs.aws.amazon.com/mgn/latest/ug/installation-requirements.html).
1. **Prepare Application Migration Service import file and import it to Application Migration Service**:
+ Create an import file in the CSV format that contains the information about the servers that you want to migrate.
+ The import file must include the following fields: `mgn:account-id`, `mgn:region` , `mgn:wave:name` , `mgn:wave:tag:[KEY]` , `mgn:wave:description` , `mgn:app:name` , `mgn:app:description` , `mgn:server:user-provided-id` , `mgn:server:platform` , `mgn:server:fqdn-for-action-framework` , `mgn:launch:instance-type` , `mgn:launch:placement:tenancy` , `mgn:launch:iam-instance-profile:name` , `mgn:launch:placement:host-id` .
+ Import the CSV file to the Application Migration Service service by using the AWS Management Console, AWS CLI, or AWS SDK.
1. **Set up the MGN connector**:
+ Navigate to the MGN service in the AWS Management Console.
+ Follow the instructions to download and install the MGN connector on a dedicated Linux server.
+ Configure the connector to connect to the MGN service.
1. **Store source servers credentials in an AWS Secrets Manager secret**:
+ Follow the instructions described in [Register server credentials](https://docs.aws.amazon.com/mgn/latest/ug/connector-register-server-credentials.html) to create a new secret in AWS Secrets Manager that stores the credentials for the source servers.
+ Make sure to add the `AWSApplicationMigrationServiceManaged` tag to the secret.
+ The Application Migration Service service will use the stored credentials in order to connect to the source servers and perform actions on them during the migration process.
### Inputs
| Parameter name | Description | Type | Required? |
| --- | --- | --- | --- |
| WaveARN | Application Migration Service wave ARN | string | True |
| ApplicationARNs | List of Application Migration Service application ARNs. | array | False |
| ConnectorArn | Application Migration Service connector ARN to use for the Application Migration Service rehost. | string | True |
| CredentialsSecretArn | Secret ARN containing the credentials for the source servers in scope. | string | True |
## AWS-MGN-VerifyReplicationHealth
Run this unit after you install the replication agent on the source servers.
After you install the replication agent on the source machines, you monitor the status of data replication and resolve issues like permissions or network performance. This managed unit retries every 10 minutes until the status of every server in the wave changes to Continuous Data Replication.
Depending on the amount of data to replicate on the provided source servers, replication can take several days.
### Inputs
| Parameter name | Description | Type | Required? |
| --- | --- | --- | --- |
| WaveARN | Application Migration Service wave ARN | string | True |
| ApplicationARNs | List of Application Migration Service application ARNs. | array | False |
## AWS-MGN-LaunchTestInstances
After you add all of your source servers and configure their launch settings, you are ready to launch one test instance per source server. To verify that your applications can function properly within the AWS environment, it is crucial that you test the migration of your source servers to AWS before you initiate a cutover.
Before you run this automation unit, ensure that ReplicationStatus is healthy.
### Inputs
| Parameter name | Description | Type | Required? |
| --- | --- | --- | --- |
| WaveARN | Application Migration Service wave ARN | string | True |
| ApplicationARNs | List of Application Migration Service application ARNs. | array | False |
## AWS-MGN-MarkReadyForCutover
After you launch your test instances, go to the Amazon EC2 console and use SSH or RDP to connect to your test instances and ensure that the instances are functioning correctly. If you are done with your testing and are ready for cutover, you can finalize the test. This will change your migration lifecycle status of your source servers to Ready for cutover, indicating that all testing is complete and that these servers are now ready for cutover.
Before you run this automation unit, make sure that you have finished your testing and that you are ready for cutover.
### Inputs
| Parameter name | Description | Type | Required? |
| --- | --- | --- | --- |
| WaveARN | Application Migration Service wave ARN | string | True |
| ApplicationARNs | List of Application Migration Service application ARNs. | array | False |
## AWS-MGN-TerminateTargetInstances
This automation unit starts and verifies the completion of an Application Migration Service job that terminates launched Amazon EC2 test and cutover instances.
This unit does not work for any source server whose lifecycle state is TESTING, CUTTING\$1OVER, or CUTOVER.
### Inputs
| Parameter name | Description | Type | Required? |
| --- | --- | --- | --- |
| WaveARN | Application Migration Service wave ARN | string | True |
| ApplicationARNs | List of Application Migration Service application ARNs. | array | False |
## AWS-MGN-LaunchCutoverInstances
After you finalize the testing of all of your source servers, you are ready for cutover. The cutover will migrate your source servers to the cutover instances on AWS.
### Inputs
| Parameter name | Description | Type | Required? |
| --- | --- | --- | --- |
| WaveARN | Application Migration Service wave ARN | string | True |
| ApplicationARNs | List of Application Migration Service application ARNs. | array | False |
## AWS-MGN-FinalizeCutover
After you perform a successful cutover and complete the migration, this automation unit changes the migration lifecycle status of your source servers to Cutover complete. This status indicates that the migration was successful. This unit also stops data replication and causes all replicated data to be discarded. All AWS resources used for data replication will be terminated.
To ensure that your cutover instances are functioning correctly after you launch them, go to the Amazon EC2 console and use SSH or RDP to connect to the instances. Validate connectivity, and perform acceptance tests for your application.
### Inputs
| Parameter name | Description | Type | Required? |
| --- | --- | --- | --- |
| WaveARN | Application Migration Service wave ARN | string | True |
| ApplicationARNs | List of Application Migration Service application ARNs. | array | False |
## AWS-MGN-ArchiveSourceServers
This automation unit archives source servers by removing them from the main AWS Application Migration Service (Application Migration Service) source servers page. Archiving allows you to focus on source servers that haven't yet been cut over.
Ensure that the servers that you plan to archive have launched cutover instances.
### Inputs
| Parameter name | Description | Type | Required? |
| --- | --- | --- | --- |
| WaveARN | Application Migration Service wave ARN | string | True |
| ApplicationARNs | List of Application Migration Service application ARNs. | array | False |
# Custom AWS Migration Hub automation units
**Note**
The AWS Migration Hub Automation feature is in preview release. It is available in US East (N. Virginia). To use this feature, you must set your AWS Region to US East (N. Virginia). You must also set the AWS Migration Hub home Region to US East (N. Virginia). For instructions on how to set the AWS Migration Hub home Region, see [Managing your AWS Migration Hub home Region](home-region.md).
This is pre-release documentation. Both the AWS Migration Hub Automation feature and the documentation are subject to change.
This topic describes how to create a custom automation unit. For information about how to run an automation unit, see [Automation runs in AWS Migration Hub](mha-runs.md).
**To create a custom automation unit**
1. Sign in to the AWS Management Console and open the Migration Hub console at [https://console.aws.amazon.com/migrationhub/](https://console.aws.amazon.com/migrationhub/).
1. In the left navigation pane, under **Automation**, choose **Automation units**.
1. Choose **Create custom unit**.
1. Enter a unique name for the unit.
1. For the runtime target, specify the ARN of one of the following:
+ An AWS-owned Systems Manager automation document. For information, see [Systems Manager Automation runbook reference](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-runbook-reference.html).
+ Your own Systems Manager automation. For information, see [Authoring Automation runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-authoring-runbooks.html).
+ A Lambda function. For information, see [Create your first Lambda function](https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html).
1. AWS does not use the values that you enter for the optional fields **Runtime services**, **Description**, and **Prerequisites** other than for display purposes. The purpose of these three fields is to allow you to document your custom automation unit. After you create the unit, you can see the values that you entered for these three fields in the unit's details page.
1. Choose **Next**.
1. To add an input to the automation unit, choose **Add input**.
1. Specify a name and a type for this input. Optionally, you can also enter a description and a format in the form of a regular expression.
1. The default is for the new input to be required. To make this input optional, clear the **This input is required** checkbox.
1. To specify more inputs for the custom unit, choose **Add input** again, and then follow the previous steps for each additional input.
1. In the **IAM role - *optional*** section, specify an IAM role that has the trust policy that Migration Hub needs to run the unit, and the permissions policy that your custom unit needs to perform its actions. To learn how to create such a role, see [IAM role and policies for custom automation units](mha-iam-roles.md#iam-custom-automation-units).
1. Review the details that you entered for the unit, and then choose **Create automation unit**.
# Automation runs in AWS Migration Hub
**Note**
The AWS Migration Hub Automation feature is in preview release. It is available in US East (N. Virginia). To use this feature, you must set your AWS Region to US East (N. Virginia). You must also set the AWS Migration Hub home Region to US East (N. Virginia). For instructions on how to set the AWS Migration Hub home Region, see [.](home-region.md)
This is pre-release documentation. Both the AWS Migration Hub Automation feature and the documentation are subject to change.
An automation run is an execution of a managed or custom automation unit. You can run the same automation unit more than once. You can manually specify the same input values or different input values for the different runs of an automation unit. You can also create duplicate runs. A duplicate run uses the same input values that you specified for the run from which you created the duplicate.
**To start an automation run**
1. Sign in to the AWS Management Console and open the Migration Hub console at [https://console.aws.amazon.com/migrationhub/](https://console.aws.amazon.com/migrationhub/).
1. In the left navigation pane, under **Automate**, choose **Automation units**.
1. Choose the name of the automation unit that you want to run.
1. On the details page of the automation unit, in the **Service role** section, choose **Attach role**.
1. At the top of the page, choose **Run automation**.
**To view automation runs**
1. Sign in to the AWS Management Console and open the Migration Hub console at [https://console.aws.amazon.com/migrationhub/](https://console.aws.amazon.com/migrationhub/).
1. In the left navigation pane, under **Automate**, choose **Automation runs**.
1. To see the details of an automation run, choose the name of the run in the table that lists all runs.
**To create a duplicate run**
1. Sign in to the AWS Management Console and open the Migration Hub console at [https://console.aws.amazon.com/migrationhub/](https://console.aws.amazon.com/migrationhub/).
1. In the left navigation pane, under **Automate**, choose **Automation runs**.
1. Choose the name of the run in the table that lists all runs.
1. On the automation run's details page, choose **Create duplicate run**.
# IAM roles and permissions for AWS Migration Hub automation units
**Note**
The AWS Migration Hub Automation feature is in preview release. It is available in US East (N. Virginia). To use this feature, you must set your AWS Region to US East (N. Virginia). You must also set the AWS Migration Hub home Region to US East (N. Virginia). For instructions on how to set the AWS Migration Hub home Region, see [Managing your AWS Migration Hub home Region](home-region.md).
This is pre-release documentation. Both the AWS Migration Hub Automation feature and the documentation are subject to change.
To run an automation unit, you must associate with it an IAM role with a trust policy and a permissions policy that depend on the kind of unit (custom or managed) and on the actions that the unit performs.
**Warning**
This IAM role allows Migration Hub to execute automation units on your behalf. By specifying a service role, you define the specific actions that can be performed during an automation run, which may differ from the permissions of the user that creates or runs the automation unit. A user with the following four permissions can perform any actions in your AWS account.
mgh:CreateAutomationUnit
mgh:AssociateAutomationUnitRole
mgh:CreateAutomationRun
iam:PassRole
To minimize security risks, apply strict least-privilege permissions to service roles, and carefully review and audit automation unit roles. For more information, see [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the *IAM User Guide*.
**Topics**
+ [
## IAM role and policies for managed automation units
](#mha-mgn-rehost-role)
+ [
## IAM role and policies for custom automation units
](#iam-custom-automation-units)
## IAM role and policies for managed automation units
For managed automation units, create an IAM role and give the role any name that you want. Attach the following trust policy to the role. For information about how to create an IAM role with this trust policy, see [Create a role using custom trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": ["ssm.amazonaws.com", "migrationhub.amazonaws.com"]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
}
}
]
}
```
------
Attach the following permissions policy to the role.
## IAM role and policies for custom automation units
For custom automation units, create an IAM role and give the role any name that you want. The trust policy and permissions policy that you must attach to the IAM role depend on your implementation of the unit, as described in the following sections. For information about how to create an IAM role with one of these trust policies, see [Create a role using custom trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html).
**Topics**
+ [
### IAM policies for custom automation units that use an AWS Systems Manager document as their target
](#iam-custom-units-ssm)
+ [
### IAM policies for custom automation units that use an AWS Lambda as their target
](#iam-custom-units-lambda)
### IAM policies for custom automation units that use an AWS Systems Manager document as their target
If your custom unit uses an AWS Systems Manager document as its target, then the IAM role that you attach to the unit must have the following trust policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": ["ssm.amazonaws.com", "migrationhub.amazonaws.com"]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
}
}
]
}
```
------
You must also attach to the IAM role a permissions policy that has at least the permissions that are in the following policy. Add to this policy any permissions that the custom unit needs in order to perform its actions.
### IAM policies for custom automation units that use an AWS Lambda as their target
For a custom automation unit that uses an AWS Lambda function as its target, you must attach the following trust policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": ["migrationhub.amazonaws.com"]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
}
}
]
}
```
------
You must also attach to the IAM role a permissions policy that has at least the permissions that are in the following policy. Add to this policy any permissions that the custom unit needs in order to perform its actions.
# Associating an IAM role with an AWS Migration Hub automation unit
**Note**
The AWS Migration Hub Automation feature is in preview release. It is available in US East (N. Virginia). To use this feature, you must set your AWS Region to US East (N. Virginia). You must also set the AWS Migration Hub home Region to US East (N. Virginia). For instructions on how to set the AWS Migration Hub home Region, see [Managing your AWS Migration Hub home Region](home-region.md).
This is pre-release documentation. Both the AWS Migration Hub Automation feature and the documentation are subject to change.
To run an automation unit, you must associate with it one of the IAM roles that are described in [IAM roles and permissions for AWS Migration Hub automation units](mha-iam-roles.md). This topic describes how to associate a role with a unit.
**To associate a role with one or more managed units**
1. Sign in to the AWS Management Console and open the Migration Hub console at [https://console.aws.amazon.com/migrationhub/](https://console.aws.amazon.com/migrationhub/).
1. In the left navigation pane, expand **Automate**, and choose **Service permissions**.
1. In the list of automation units, select the units with which you want to associate a role.
1. Choose **Associate role**.
1. In the pop-up window, select a role from the drop-down list, and then choose **Associate role**.
**To associate an IAM role with a custom unit**
1. Sign in to the AWS Management Console and open the Migration Hub console at [https://console.aws.amazon.com/migrationhub/](https://console.aws.amazon.com/migrationhub/).
1. In the left navigation pane, expand **Automate**, and choose **Automation units**.
1. In the list of units, choose the name of the custom unit. This action opens the details page for that unit.
1. In the **IAM role association** section, choose **Associate role**.
1. In the pop-up window, select a role from the drop-down list, and then choose **Associate role**.