NEW - You can now accelerate your migration and modernization with AWS Transform. Read [Getting Started](https://docs.aws.amazon.com/transform/latest/userguide/getting-started.html) in the *AWS Transform User Guide*. # AWS managed policies for AWS Application Migration Service AWS managed policies An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles. Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases. You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. ## AWS MGN updates for AWS managed policies Updates View details about updates to AWS managed policies for AWS Application Migration Service since March 1, 2021. | Change | Description | Date | | --- | --- | --- | | [AWSApplicationMigrationNetworkMigrationMultiAccount](security-iam-awsmanpol-AWSApplicationMigrationNetworkMigrationMultiAccount.md#security-iam-awsmanpol-AWSApplicationMigrationNetworkMigrationMultiAccount.title) – New policy | Created new managed policy to provide permissions to automate VMware to AWS network infrastructure migration through CloudFormation. | November 10, 2025 | | [AWSApplicationMigrationNetworkMigrationCustomResource](security-iam-awsmanpol-AWSApplicationMigrationNetworkMigrationCustomResource.md#security-iam-awsmanpol-AWSApplicationMigrationNetworkMigrationCustomResource.title) – New policy | AWS MGN added a new policy that provides permissions for Network Migration custom resource. This identity-based policy allows modification of Transit Gateway resources that were specifically created by Application Migration Service. | December 2, 2025 | | Updated the [AWSApplicationMigrationSSMAccess ](security-iam-awsmanpol-AWSApplicationMigrationSSMAccess.md#security-iam-awsmanpol-AWSApplicationMigrationSSMAccess.title) and [AWSApplicationMigrationFullAccess ](security-iam-awsmanpol-AWSApplicationMigrationFullAccess.md#security-iam-awsmanpol-AWSApplicationMigrationFullAccess.title) policies to support changes in SSM. | Added permission to tag network instances during RunInstances. | July 3, 2025 | | [AWSApplicationMigrationServiceRolePolicy](security-iam-awsmanpol-AWSApplicationMigrationServiceRolePolicy.md) – Updated policy | Added permission to tag network instances during RunInstances. | March 13, 2025 | | [AWSApplicationMigrationEC2Access](security-iam-awsmanpol-AWSApplicationMigrationEC2Access.md) – Updated policy | Added permission to tag network instances during RunInstances. | February 11, 2025 | | [AWSApplicationMigrationServiceRolePolicy](security-iam-awsmanpol-AWSApplicationMigrationServiceRolePolicy.md) – Updated policy [AWSApplicationMigrationEC2Access](security-iam-awsmanpol-AWSApplicationMigrationEC2Access.md) – Updated policy | Created new revisions of AWSApplicationMigrationServiceRolePolicy and AWSApplicationMigrationEC2Access managed policies to support a change in authentication with EBS APIs. | January 08, 2025 | | [AWSApplicationMigrationFullAccess ](security-iam-awsmanpol-AWSApplicationMigrationFullAccess.md#security-iam-awsmanpol-AWSApplicationMigrationFullAccess.title)– Updated policy | Updated the AWSApplicationMigrationFullAccess policy to support SecureString parameter type in SSM Parameters Store for post-migration framework actions. | March 10, 2024 | | [AWSApplicationMigrationServiceEc2InstancePolicy ](security-iam-awsmanpol-AWSApplicationMigrationServiceEc2InstancePolicy.md#security-iam-awsmanpol-AWSApplicationMigrationServiceEc2InstancePolicy.title)– Updated policy | Created a new revision of the managed policy to support MGN in GovCloud and added SID to statements in the managed policy | December 28, 2023 | | [AWSApplicationMigrationServiceEc2InstancePolicy ](security-iam-awsmanpol-AWSApplicationMigrationServiceEc2InstancePolicy.md#security-iam-awsmanpol-AWSApplicationMigrationServiceEc2InstancePolicy.title)– New policy | This policy allows installing and using the AWS Replication Agent, which is used by AWS Application Migration Service (AWS MGN) to migrate source servers that run on EC2 (cross-Region or cross-AZ). An IAM role with this policy should be attached (as an EC2 Instance Profile) to the EC2 Instances. | August 21, 2023 | | [AWSApplicationMigrationServiceRolePolicy ](security-iam-awsmanpol-AWSApplicationMigrationServiceRolePolicy.md#security-iam-awsmanpol-AWSApplicationMigrationServiceRolePolicy.title)– Updated policy | Updated the AWSApplicationMigrationServiceRolePolicy with Organizations permissions to support the global view feature. | June 18, 2023 | | [AWSApplicationMigrationFullAccess ](security-iam-awsmanpol-AWSApplicationMigrationFullAccess.md#security-iam-awsmanpol-AWSApplicationMigrationFullAccess.title)– Updated policy | Updated the AWSApplicationMigrationFullAccess policy to support specific automation SSM documents. | April 1, 2023 | | [AWSApplicationMigrationFullAccess ](security-iam-awsmanpol-AWSApplicationMigrationFullAccess.md#security-iam-awsmanpol-AWSApplicationMigrationFullAccess.title)– Updated policy [AWSApplicationMigrationSSMAccess ](security-iam-awsmanpol-AWSApplicationMigrationSSMAccess.md#security-iam-awsmanpol-AWSApplicationMigrationSSMAccess.title)– Updated policy [AWSApplicationMigrationReadOnlyAccess ](security-iam-awsmanpol-AWSApplicationMigrationReadOnlyAccess.md#security-iam-awsmanpol-AWSApplicationMigrationReadOnlyAccess.title)– Created policy | Updated the AWSApplicationMigrationFullAccess policy to support both command and automation SSM documents for post-migration framework actions. Updated the AWSApplicationMigrationSSMAccess policy to support both command and automation SSM documents for the custom actions feature. Updated the AWSApplicationMigrationReadOnlyAccess policy to support the new import and export feature. | March 21, 2023 | | [AWSApplicationMigrationEC2Access ](security-iam-awsmanpol-AWSApplicationMigrationEC2Access.md#security-iam-awsmanpol-AWSApplicationMigrationEC2Access.title)– Updated policy | Updated the AWSApplicationMigrationEC2Access policy to support: DescribeSnapshots, DescribeImages, DescribeVolumes. | January 29, 2023 | | [AWSApplicationMigrationEC2Access ](security-iam-awsmanpol-AWSApplicationMigrationEC2Access.md#security-iam-awsmanpol-AWSApplicationMigrationEC2Access.title)– Updated policy [AWSApplicationMigrationReadOnlyAccess ](security-iam-awsmanpol-AWSApplicationMigrationReadOnlyAccess.md#security-iam-awsmanpol-AWSApplicationMigrationReadOnlyAccess.title)– Updated policy [AWSApplicationMigrationSSMAccess ](security-iam-awsmanpol-AWSApplicationMigrationSSMAccess.md#security-iam-awsmanpol-AWSApplicationMigrationSSMAccess.title)– Created policy | Updated the AWSApplicationMigrationEC2Access policy to support: CreateLaunchTemplate, DeleteLaunchTemplate. Updated the AWSApplicationMigrationReadOnlyAccess policy to support: DescribeLaunchConfigurationTemplates, ListSourceServerActions, ListTemplateActions, ListApplications, ListWaves. Created new AWSApplicationMigrationSSMAccess policy to support new custom actions feature. | November 28, 2022 | | [AWSApplicationMigrationAgentPolicy ](security-iam-awsmanpol-AWSApplicationMigrationAgentPolicy.md#security-iam-awsmanpol-AWSApplicationMigrationAgentPolicy.title)– Updated policy [AWSApplicationMigrationAgentInstallationPolicy ](security-iam-awsmanpol-AWSApplicationMigrationAgentInstallationPolicy.md#security-iam-awsmanpol-AWSApplicationMigrationAgentInstallationPolicy.title)– Updated policy | Updated the AWSApplicationMigrationAgentPolicy policy and the AWSApplicationMigrationAgentInstallationPolicy policy to support sending additional metrics during the agent installation process. | September 20, 2022 | | [AWSApplicationMigrationAgentInstallationPolicy ](security-iam-awsmanpol-AWSApplicationMigrationAgentInstallationPolicy.md#security-iam-awsmanpol-AWSApplicationMigrationAgentInstallationPolicy.title)– New policy | AWS MGN added a new policy. This policy allows installing the AWS Replication Agent, which is used with Application Migration Service to migrate source servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent. The installed AWS Replication Agent will communicate with Application Migration Service using the recommended strong authentication method. | June 15, 2022 | | [AWSApplicationMigrationFullAccess ](security-iam-awsmanpol-AWSApplicationMigrationFullAccess.md#security-iam-awsmanpol-AWSApplicationMigrationFullAccess.title)– Updated policy | Updated the AWSApplicationMigrationFullAccess policy to to support the Post Migration Framework. | May 16, 2022 | | [AWSApplicationMigrationAgentPolicy\$1v2 ](security-iam-awsmanpol-AWSApplicationMigrationAgentPolicy_v2.md#security-iam-awsmanpol-AWSApplicationMigrationAgentPolicy_v2.title)– New policy | AWS Application Migration Service added a new policy. This policy allows using the AWS Replication Agent, which is used with AWS Application Migration Service to migrate source servers to AWS. We do not recommend that you attach this policy to your users or roles. | May 10, 2022 | | [AWSApplicationMigrationReadOnlyAccess ](security-iam-awsmanpol-AWSApplicationMigrationReadOnlyAccess.md#security-iam-awsmanpol-AWSApplicationMigrationReadOnlyAccess.title)– Updated policy | Updated the AWSApplicationMigrationReadOnlyAccess policy to include service quotas. | April 3, 2022 | | [AWSApplicationMigrationEC2Access ](security-iam-awsmanpol-AWSApplicationMigrationEC2Access.md) – Updated policy | Updated the AWSApplicationMigrationEC2Access policy to add additional permissions and restrict certain existing permissions. This policy is only intended to be used for the AWS MGN console. The restriction prevents certain requests from being called directly by the calling identity, whilst enabling an AWS Application Migration Service (AWS MGN) to make the request to EC2 on behalf of the calling identity. | March 2, 2022 | | [AWSApplicationMigrationServiceRolePolicy ](security-iam-awsmanpol-AWSApplicationMigrationServiceRolePolicy.md#security-iam-awsmanpol-AWSApplicationMigrationServiceRolePolicy.title)– Updated policy | AWS Application Migration Service added a new policy to allow AWS Application Migration Service to manage AWS resources on your behalf. | December 15, 2021 | | [AWSApplicationMigrationVCenterClientPolicy ](security-iam-awsmanpol-AWSApplicationMigrationVCenterClientPolicy.md#security-iam-awsmanpol-AWSApplicationMigrationVCenterClientPolicy.title)– New policy | AWS Application Migration Service added a new policy that allows the installation and usage of the AWS vCenter Appliance. | November 7, 2021 | | [AWSApplicationMigrationAgentPolicy ](security-iam-awsmanpol-AWSApplicationMigrationAgentPolicy.md#security-iam-awsmanpol-AWSApplicationMigrationAgentPolicy.title)– New policy | AWS Application Migration Service added a new policy to allow the installation of the AWS Replication Agent on source servers. | April 18, 2021 | | [AWSApplicationMigrationConversionServerPolicy ](security-iam-awsmanpol-AWSApplicationMigrationConversionServerPolicy.md#security-iam-awsmanpol-AWSApplicationMigrationConversionServerPolicy.title)– New policy | AWS Application Migration Service added a new policy that allows AWS Application Migration Service to communicate with the service. | April 18, 2021 | | [AWSApplicationMigrationMGHAccess ](security-iam-awsmanpol-AWSApplicationMigrationMGHAccess.md#security-iam-awsmanpol-AWSApplicationMigrationMGHAccess.title)– New policy | AWS Application Migration Service added a new policy to allow AWS Application Migration Service access to your account's AWS Migration Hub | April 18, 2021 | | [AWSApplicationMigrationReplicationServerPolicy ](security-iam-awsmanpol-AWSApplicationMigrationReplicationServerPolicy.md#security-iam-awsmanpol-AWSApplicationMigrationReplicationServerPolicy.title)– New policy | AWS Application Migration Service added a new policy to allow the AWS Application Migration Service replication servers to communicate with the service, create and manage resources on your behalf. | April 7, 2021 | | AWS MGN started tracking changes | AWS Application Migration Service started tracking changes for AWS managed policies. | April 7, 2021 | **Topics** + [ ## AWS MGN updates for AWS managed policies ](#security-iam-awsmanpol-updates) + [ # AWS managed policy: AWSApplicationMigrationServiceRolePolicy ](security-iam-awsmanpol-AWSApplicationMigrationServiceRolePolicy.md) + [ # AWS managed policy: AWSApplicationMigrationConversionServerPolicy ](security-iam-awsmanpol-AWSApplicationMigrationConversionServerPolicy.md) + [ # AWS managed policy: AWSApplicationMigrationReplicationServerPolicy ](security-iam-awsmanpol-AWSApplicationMigrationReplicationServerPolicy.md) + [ # AWS managed policy: AWSApplicationMigrationAgentPolicy ](security-iam-awsmanpol-AWSApplicationMigrationAgentPolicy.md) + [ # AWS managed policy: AWSApplicationMigrationMGHAccess ](security-iam-awsmanpol-AWSApplicationMigrationMGHAccess.md) + [ # AWS managed policy: AWSApplicationMigrationFullAccess ](security-iam-awsmanpol-AWSApplicationMigrationFullAccess.md) + [ # AWS managed policy: AWSApplicationMigrationEC2Access ](security-iam-awsmanpol-AWSApplicationMigrationEC2Access.md) + [ # AWS managed policy: AWSApplicationMigrationSSMAccess ](security-iam-awsmanpol-AWSApplicationMigrationSSMAccess.md) + [ # AWS managed policy: AWSApplicationMigrationReadOnlyAccess ](security-iam-awsmanpol-AWSApplicationMigrationReadOnlyAccess.md) + [ # AWS managed policy: AWSApplicationMigrationVCenterClientPolicy ](security-iam-awsmanpol-AWSApplicationMigrationVCenterClientPolicy.md) + [ # AWS managed policy: AWSApplicationMigrationAgentInstallationPolicy ](security-iam-awsmanpol-AWSApplicationMigrationAgentInstallationPolicy.md) + [ # AWS managed policy: AWSApplicationMigrationAgentPolicy\$1v2 ](security-iam-awsmanpol-AWSApplicationMigrationAgentPolicy_v2.md) + [ # AWS managed policy: AWSApplicationMigrationServiceEc2InstancePolicy ](security-iam-awsmanpol-AWSApplicationMigrationServiceEc2InstancePolicy.md) + [ # AWS managed policy: AWSApplicationMigrationNetworkMigrationMultiAccount ](security-iam-awsmanpol-AWSApplicationMigrationNetworkMigrationMultiAccount.md) + [ # AWS managed policy: AWSApplicationMigrationNetworkMigrationCustomResource ](security-iam-awsmanpol-AWSApplicationMigrationNetworkMigrationCustomResource.md) # AWS managed policy: AWSApplicationMigrationServiceRolePolicy AWSApplicationMigrationServiceRolePolicy This policy is attached to the AWS MGN [AWSServiceRoleForApplicationMigrationService](using-service-linked-roles.md) service-linked role (SLR). This policy allows AWS Application Migration Service to manage AWS resources on your behalf. **Permissions details** To view the policy permission details see [AWSApplicationMigrationServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationServiceRolePolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationConversionServerPolicy AWSApplicationMigrationConversionServerPolicy This policy is attached to the AWS Application Migration Service conversion server’s instance role. This policy allows the AWS Application Migration Service (AWS MGN) conversion server, which are EC2 instances launched by AWS Application Migration Service, to communicate with the AWS MGN service. An IAM role with this policy is attached (as an EC2 Instance Profile) by AWS MGN to the AWS MGN Conversion Servers, which are automatically launched and terminated by AWS MGN, when needed. We do not recommend that you attach this policy to your users or roles. AWS MGN conversion servers are used by AWS Application Migration Service when users choose to launch test or cutover instances using the AWS MGN console, CLI, or API. **Permissions details** To view the policy permission details see [AWSApplicationMigrationConversionServerPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationConversionServerPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationReplicationServerPolicy AWSApplicationMigrationReplicationServerPolicy This policy is attached to the AWS Application Migration Service replication server’s instance role. This policy allows the AWS Application Migration Service (AWS MGN) Replication Servers, which are EC2 instances launched by AWS Application Migration Service - to communicate with the AWS MGN service, and to create EBS snapshots in your AWS account. An IAM role with this policy is attached (as an EC2 Instance Profile) by AWS Application Migration Service to the AWS MGN replication servers which are automatically launched and terminated by AWS MGN, as needed. AWS MGN Replication Servers are used to facilitate data replication from your external servers to AWS, as part of the migration process managed using AWS MGN. We do not recommend that you attach this policy to your users or roles. **Permissions details** To view the policy permission details see [AWSApplicationMigrationReplicationServerPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationReplicationServerPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationAgentPolicy AWSApplicationMigrationAgentPolicy You can attach the `AWSApplicationMigrationAgentPolicy` policy to your IAM identities. This policy allows installing and using the AWS Replication Agent, which is used with AWS Application Migration Service (AWS MGN) to migrate external servers to AWS. Attach this policy to your users whose credentials you provide when installing the AWS replication agent. **Permissions details** To view the policy permission details see [AWSApplicationMigrationAgentPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationAgentPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationMGHAccess AWSApplicationMigrationMGHAccess This policy allows AWS Application Migration Service (AWS MGN) to send metadata about the progress of servers being migrated using AWS MGN to AWS Migration Hub (MGH). AWS MGN automatically creates an IAM role with this policy attached and assumes this role. We do not recommend that you attach this policy to your users or roles. Migration-progress data is only sent after the AWS "home region” is set in AWS MGH. If the Home AWS Region is different than the AWS Region into which a server is being migrated, this data will be sent cross-region. To stop AWS MGN from sending this metadata to AWS MGH, detach it from your users or roles. **Permissions details** To view the policy permission details see [AWSApplicationMigrationMGHAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationMGHAccess.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationFullAccess AWSApplicationMigrationFullAccess You can attach the `AWSApplicationMigrationFullAccess` policy to your IAM identities. This policy provides permissions to all public APIs of AWS Application Migration Service (AWS MGN), as well as permissions to read KMS key, License Manager, Resource Groups, Elastic Load Balancing, IAM, and EC2 information. This policy should only be granted to an administrator or a power-user. **Important** You must attach the [AWSApplicationMigrationFullAccess](https://docs.aws.amazon.com/en_us/mgn/latest/ug/security-iam-awsmanpol-AWSApplicationMigrationFullAccess.html) and the [AWSApplicationMigrationEC2Access](https://docs.aws.amazon.com/en_us/mgn/latest/ug/security-iam-awsmanpol-AWSApplicationMigrationEC2Access.html) policies to your users and roles to enable them to launch test and cutover instances and to complete a full migration cycle with AWS MGN. **Permissions details** To view the policy permission details see [AWSApplicationMigrationFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationFullAccess.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationEC2Access AWSApplicationMigrationEC2Access You can attach the `AWSApplicationMigrationEC2Access` policy to your IAM identities. This policy allows Amazon EC2 operations required to use AWS Application Migration Service (AWS MGN) to launch the migrated servers as EC2 instances. Attach this policy to your users or roles. This policy is only intended to be used for the MGN console. **Permissions details** To view the policy permission details see [AWSApplicationMigrationEC2Access](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationEC2Access.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationSSMAccess AWSApplicationMigrationSSMAccess You can attach the `AWSApplicationMigrationSSMAccess` policy to your IAM identities. This policy allows Amazon SSM operations required to use AWS Application Migration Service (AWS MGN) to run SSM documents post migration of source servers. Attach this policy to your users or roles. This policy is only intended to be used for the AWS MGN console. **Permissions details** To view the policy permission details see [AWSApplicationMigrationSSMAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationSSMAccess.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationReadOnlyAccess AWSApplicationMigrationReadOnlyAccess You can attach the `AWSApplicationMigrationReadOnlyAccess` policy to your IAM identities. The Read-Only policy allows a user to This policy provides permissions to all read-only public APIs of AWS Application Migration Service (AWS MGN), as well as some read-only APIs of other AWS services that are required in order to make full read-only use of the AWS MGN console. It does not allow them to perform any actions, such as initialize the service, replicate servers, or launch servers in AWS. This policy can be granted to a user in a support role. Attach this policy to your users or roles. **Permissions details** To view the policy permission details see [AWSApplicationMigrationReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationReadOnlyAccess.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationVCenterClientPolicy AWSApplicationMigrationVCenterClientPolicy You can attach the `AWSApplicationMigrationVCenterClientPolicy` policy to your IAM identities. This policy allows installing and using the AWS VCenter Client, which is used with AWS Application Migration Service (AWS MGN) to migrate external servers to AWS. Attach this policy to your users or roles whose credentials you provide when installing the AWS VCenter Client. **Permissions details** To view the policy permission details see [AWSApplicationMigrationVCenterClientPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationVCenterClientPolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationAgentInstallationPolicy AWSApplicationMigrationAgentInstallationPolicy This policy allows installing the AWS Replication Agent, which is used with AWS Application Migration Service to migrate source servers to AWS. Attach this policy to your users or roles whose credentials you provide during the installation step of the AWS Replication Agent. The installed AWS Replication Agent will communicate with Application Migration Service using the recommended strong authentication method. **Permissions details** To view the policy permission details see [AWSApplicationMigrationAgentInstallationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationAgentInstallationPolicy) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationAgentPolicy\$1v2 AWSApplicationMigrationAgentPolicy\$1v2 This policy allows using the AWS Replication Agent, which is used with AWS Application Migration Service to migrate source servers to AWS. We do not recommend that you attach this policy to your users or roles. **Permissions details** To view the policy permission details see [AWSApplicationMigrationAgentPolicy\$1v2](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationAgentPolicy_v2.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationServiceEc2InstancePolicy AWSApplicationMigrationServiceEc2InstancePolicy This policy allows installing and using the AWS Replication Agent, which is used by AWS Application Migration Service (AWS MGN) to migrate source servers that run on EC2 (cross-Region or cross-AZ). An IAM role with this policy should be attached (as an EC2 Instance Profile) to the EC2 Instances. **Permissions details** To view the policy permission details see [AWSApplicationMigrationServiceEc2InstancePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationServiceEc2InstancePolicy.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationNetworkMigrationMultiAccount AWSApplicationMigrationNetworkMigrationMultiAccount You can attach the `AWSApplicationMigrationNetworkMigrationMultiAccount` policy to your IAM identities. This identity-based policy enables AWS Application Migration Service (MGN) to create, modify, and manage network infrastructure components through CloudFormation. The policy grants permissions necessary for: 1. **Network Resource Management:** Creating and managing VPCs, subnets, route tables, and network ACLs; configuring Transit Gateways and their attachments; managing security groups and their rules; setting up NAT Gateways and Internet Gateways; handling network interfaces and elastic IPs 1. **CloudFormation Operations:** Creating and managing stacks with prefix [Nmd\$1]; describing stack resources and events; updating and deleting stacks 1. **Resource Sharing:** Managing RAM (Resource Access Manager) resource shares; sharing Transit Gateways across accounts within the same organization 1. **Custom Resources:** Creating and managing Lambda functions with prefix [network-migration\$1]; managing IAM roles with prefix [Nmd\$1modifyTransitGateway\$1]; creating and managing CloudWatch log groups The policy enforces security through resource tagging requirements (CreatedBy: AWSApplicationMigrationService), conditional checks ensuring operations are called via CloudFormation, organization-level controls for cross-account resource sharing, and specific resource-level permissions for critical network components. This policy grants both programmatic and console access required for AWS Application Migration Service to orchestrate network infrastructure deployment and management through CloudFormation. **Permissions details** To view the policy permission details see [AWSApplicationMigrationNetworkMigrationMultiAccount](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationNetworkMigrationMultiAccount.html) in the AWS Managed Policy Reference Guide. # AWS managed policy: AWSApplicationMigrationNetworkMigrationCustomResource AWSApplicationMigrationNetworkMigrationCustomResource Allows modification of Transit Gateway resources created by Application Migration Service. You can attach the `AWSApplicationMigrationNetworkMigrationCustomResource` policy to your IAM identities. This identity-based policy allows modification of Transit Gateway resources that were specifically created by Application Migration Service. The policy grants permission to modify Transit Gateways and their route tables, but only if they are tagged with `[CreatedBy: AWSApplicationMigrationService]`. This restriction ensures that only resources created by the migration service can be modified, providing targeted control over Transit Gateway infrastructure during migration processes. The policy grants the permissions necessary to complete these actions programmatically from the AWS API or AWS CLI. The policy is particularly useful for: + Managing Transit Gateway configurations during application migration + Ensuring only migration service-created resources can be modified + Maintaining control over network infrastructure changes during migration processes **Permissions details** To view the policy permission details see [AWSApplicationMigrationNetworkMigrationCustomResource](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSApplicationMigrationNetworkMigrationCustomResource.html) in the AWS Managed Policy Reference Guide.