NEW - You can now accelerate your migration and modernization with AWS Transform. Read [Getting Started](https://docs.aws.amazon.com/transform/latest/userguide/getting-started.html) in the *AWS Transform User Guide*. # Managing access using policies Managing access using policies You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*. Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**. By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation. ## Identity-based policies Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as a user, role, or group. These policies control what actions that identity can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the IAM User Guide. Identity-based policies can be further categorized as inline policies or managed policies. Inline policies are embedded directly into a single user, group, or role. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account. Managed policies include AWS managed policies and customer managed policies. To learn how to choose between a managed policy or an inline policy, see[Managed policies and inline policies ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline) in the IAM User Guide. # Using identity-based policies By default, users and roles don't have permission to create or modify AWS Application Migration Service resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the users or groups that require those permissions. To understand how to attach policies to a user or group, learn about [adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html). To learn how to create an IAM identity-based policy using example JSON policy documents, see [Creating policies on the JSON tab in the IAM User Guide.](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) **Topics** + [ # Customer-managed policies in AWS MGN ](customer_managed_policies_mgn.md) + [ # Restrict permission to act on a source server associated with given AWS vCenter client ](restrict-to-vcenter-client.md) + [ # Network Migration API permissions ](network-migration-api-permissions.md) # Customer-managed policies in AWS MGN You can create your own custom IAM policies to allow permissions for AWS Application Migration Service actions and resources. You can attach these custom policies to the users, roles, or groups that require those permissions. You can also create your own custom IAM policies for integration between AWS Application Migration Service and other AWS services. The next few topics provide example of the IAM policies which grants permission for various AWS Application Migration Service actions. Use them to limit AWS Application Migration Service access for your users and roles. # Restrict permission to act on a source server associated with given AWS vCenter client To restrict access to source servers associated with a given AWS vCenter client, use the condition element ` mgn:VcenterClientId ` condition key. The following example demonstrates a policy that allows an AWS vCenter client to call the ` mgn:UpdateAgentSourcePropertiesForMgn ` action only on a source server associated with the calling AWS vCenter client. # Network Migration API permissions The Network Migration APIs allow you to automate the migration of network infrastructure from VMware to AWS. To use these APIs, attach both the [AWSApplicationMigrationNetworkMigrationMultiAccount](security-iam-awsmanpol-AWSApplicationMigrationNetworkMigrationMultiAccount.md#security-iam-awsmanpol-AWSApplicationMigrationNetworkMigrationMultiAccount.title) managed policy and the following custom policy to your IAM identity. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "Tags", "Effect": "Allow", "Action": [ "mgn:TagResource" ], "Resource": [ "arn:aws:mgn:*:*:network-migration-definition/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "AWSTransform", "mgn:CreateAction": [ "CreateNetworkMigrationDefinition" ] } } }, { "Sid": "CreateMethod", "Effect": "Allow", "Action": [ "mgn:CreateNetworkMigrationDefinition" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "AWSTransform" } } }, { "Sid": "ResourceMethods", "Effect": "Allow", "Action": [ "mgn:UpdateNetworkMigrationDefinition", "mgn:StartNetworkMigrationMapping", "mgn:StartNetworkMigrationCodeGeneration", "mgn:StartNetworkMigrationDeployment", "mgn:StartNetworkMigrationAnalysis" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "AWSTransform" } } }, { "Sid": "ReadonlyMethods", "Effect": "Allow", "Action": [ "mgn:GetNetworkMigrationDefinition" ], "Resource": [ "arn:aws:mgn:*:*:network-migration-definition/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "AWSTransform" } } }, { "Sid": "DeleteExistingNetworkMigrationDefinition", "Effect": "Allow", "Action": [ "mgn:DeleteNetworkMigrationDefinition" ], "Resource": [ "arn:aws:mgn:*:*:network-migration-definition/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "AWSTransform" } } }, { "Sid": "ReadOnly", "Effect": "Allow", "Action": [ "mgn:ListNetworkMigrationDefinitions", "mgn:ListNetworkMigrationExecutions", "mgn:ListNetworkMigrationMapperSegments", "mgn:ListNetworkMigrationMappings", "mgn:ListNetworkMigrationMapperSegmentConstructs", "mgn:ListNetworkMigrationCodeGenerationSegments", "mgn:ListNetworkMigrationCodeGenerations", "mgn:ListNetworkMigrationDeployedStacks", "mgn:ListNetworkMigrationDeployments", "mgn:ListNetworkMigrationAnalysisResults", "mgn:ListNetworkMigrationAnalyses", "mgn:GetNetworkMigrationMapperSegmentConstruct" ], "Resource": [ "*" ] }, { "Sid": "MGNNetworkMigrationUpdate", "Effect": "Allow", "Action": [ "mgn:UpdateNetworkMigrationMapperSegment", "mgn:StartNetworkMigrationMappingUpdate", "mgn:ListNetworkMigrationMappingUpdates" ], "Resource": [ "arn:aws:mgn:*:*:network-migration-definition/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "AWSTransform" } } }, { "Sid": "MGNImportFileEnrichment", "Effect": "Allow", "Action": [ "mgn:StartImportFileEnrichment", "mgn:ListImportFileEnrichments" ], "Resource": [ "*" ] }, { "Sid": "S3Bucket", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketTagging", "s3:GetBucketPublicAccessBlock", "s3:GetBucketLocation", "s3:CreateBucket", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration" ], "Resource": "arn:aws:s3:::*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "mgn.amazonaws.com" ] } } }, { "Sid": "S3BucketObject", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads", "s3:GetObjectAttributes", "s3:PutObject", "s3:AbortMultipartUpload", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::*/*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "mgn.amazonaws.com" ] } } }, { "Sid": "MGNNetworkAnalysis", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInsightsPath", "ec2:StartNetworkInsightsAnalysis", "ec2:DeleteNetworkInsightsPath", "ec2:DeleteNetworkInsightsAnalysis", "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*:*:network-insights-path/*", "arn:aws:ec2:*:*:network-insights-analysis/*", "arn:aws:ec2:*:*:network-interface/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "mgn.amazonaws.com" ] } } }, { "Sid": "EC2DescribeNoCondition", "Effect": "Allow", "Action": [ "ec2:DescribeVpcAttribute" ], "Resource": "*" }, { "Sid": "MGNServiceQuota", "Effect": "Allow", "Action": "servicequotas:GetServiceQuota", "Resource": "arn:aws:servicequotas:*:*:vpc/L-2AFB9258", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "mgn.amazonaws.com" } } }, { "Sid": "EC2GetSubnetCidrReservations", "Effect": "Allow", "Action": "ec2:GetSubnetCidrReservations", "Resource": "*" }, { "Sid": "TirosForNetworkInsights", "Effect": "Allow", "Action": [ "tiros:CreateQuery", "tiros:GetQueryAnswer", "tiros:GetQueryExplanation" ], "Resource": "*" } ] } ``` ------ ## Resource-based policies Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy. Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy. ## Access control lists (ACLs) Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format. Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*. ## Other policy types AWS supports additional policy types that can set the maximum permissions granted by more common policy types: + **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*. + **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*. + **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*. + **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*. ## Multiple policy types When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.