

AWS Migration Hub is no longer open to new customers as of November 7, 2025. For capabilities similar to AWS Migration Hub, explore [AWS Transform](https://aws.amazon.com/transform).

# Identity and access management in AWS Migration Hub



Access to AWS Migration Hub requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as a Migration Hub ProgressUpdateStream or an Amazon EC2 instance. The following sections provide details on how you can use [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) and Migration Hub to help secure your resources by controlling who can access them:
+ [Authentication](#authentication)
+ [Access control](#access-control)

## Authentication


You can access AWS as any of the following types of identities:
+ **AWS account root user**

   When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 
+ **IAM users and groups** 

  An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

  An [IAM group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.
+ **IAM role**

   An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM roles with temporary credentials are useful in the following situations:
  + **Federated user access** – To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*. If you use IAM Identity Center, you configure a permission set. To control what your identities can access after they authenticate, IAM Identity Center correlates the permission set to a role in IAM. For information about permissions sets, see [Permission sets](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html) in the *AWS IAM Identity Center User Guide*. 
  + **AWS service access** – A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*. 
  + **Applications running on Amazon EC2** – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS CLI or AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see [Use an IAM role to grant permissions to applications running on Amazon EC2 instances](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) in the *IAM User Guide*. 

## Access control


You can have valid credentials to authenticate your requests, but unless you also have permissions you cannot create or access AWS Migration Hub resources. For example, you must have permissions to create a `ProgressUpdateStream` (a Migration Hub API resource type), to use the AWS Application Discovery Service, and to use AWS migration tools.

The following sections describe how to manage permissions for AWS Migration Hub. 
+  [AWS Migration Hub roles and policies](policy-templates.md) 
+  [AWS Migration Hub API Permissions: Actions and Resources Reference](migrationhub-api-permissions-ref.md) 
+  [AWS Migration Hub Authentication and Access Control Explained](auth-and-access-explained.md) 

# AWS Migration Hub roles and policies

Access to AWS Migration Hub requires credentials that AWS can use to authenticate your requests, and those credentials must have permissions to access AWS resources. The following sections demonstrate how the various permissions policies can be attached to IAM identities (that is, users, groups, and roles) and thereby grant permissions to perform actions on AWS Migration Hub resources.

The various types of permissions policies referenced in this section are explained in [Using Identity-Based Policies (IAM Policies) for AWS Migration Hub](auth-and-access-explained.md#access-control-identity-based). If you have not yet read that section, we recommend doing so to gain a thorough understanding of the different types of policies before using the policy templates in this section. 

The policy templates are organized in the following hierarchy. Choose any policy to go directly to its template.

**Topics**
+ [New user IAM setup for AWS Migration Hub](new-customer-setup.md)
+ [Custom Policies for Migration Tools when using AWS Migration Hub](customer-managed-vendor.md)

# New user IAM setup for AWS Migration Hub

This section provides an overview of the AWS managed policies that can be used with AWS Migration Hub and instructions on how to use them.

## Managed policies and roles

The following are the AWS managed policies that can be used with Migration Hub:
+ **AWSMigrationHubFullAccess** – Grants access to the Migration Hub console and API/CLI for non-administrative IAM users.
+ **AWSMigrationHubDiscoveryServiceFullAccess** – Used by the **migrationhub-discovery** role, the policy grants permission to allow the Migration Hub service to call Application Discovery Service. You only need to use the `migrationhub-discovery` role if you use the AWS Command Line Interface (AWS CLI) or the AWS Migration Hub API without ever using the Migration Hub console. For more information about AWSMigrationHubDiscoveryServiceFullAccess, see [AWSMigrationHubDiscoveryServiceFullAccess](https://docs.aws.amazon.com/application-discovery/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSApplicationDiscoveryServiceFullAccess) in the *Application Discovery Service User Guide*. 
+ **AWSMigrationHubDMSAccess** – Used by the **migrationhub-dms** role, the policy grants permission for Migration Hub to receive notifications from the AWS Database Migration Service migration tool.

If you want to grant Migration Hub rights to non-admin IAM users, see [Migration Hub Service API and Console Managed Access](#api-console-access-managed).

If you want to authorize (that is, connect) AWS migration tools, see [AWS Database Migration Service (AWS DMS)](#dms-managed).

### Migration Hub Service API and Console Managed Access

An administrator can create users and grant them permission to access the Migration Hub console using managed policies.

**To grant permissions to an IAM user to access the Migration Hub console**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Create an IAM user. For information about creating an IAM user, see [Create an IAM user](setting-up.md#setting-up-iam).

1. After the user is created, choose the Permissions tab and then choose **Add Permissions**. 

1. Choose **Attach existing policies directly**. 

1. Select **AWSMigrationHubFullAccess** from the list of policies. You can use the search box to find the policy or to filter the list.

1. Choose **Next: Review**.

1. Choose **Add permission**.

### migrationhub-discovery role

Migration Hub requires access to the Application Discovery Service on your behalf. 

If you use the AWS Migration Hub console, permissions to access Application Discovery Service are granted by the `AWSServiceRoleForMigrationHub` service linked role. For more information, see [Using Roles to Connect Migration Hub to Application Discovery Service](using-service-linked-roles-discovery-service-role.md).

However, if you never use the Migration Hub console but you want to use the AWS Command Line Interface (AWS CLI) or the AWS Migration Hub API, you need to manually add the `migrationhub-discovery` role—which contains [AWSMigrationHubDiscoveryServiceFullAccess](https://docs.aws.amazon.com/application-discovery/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSApplicationDiscoveryServiceFullAccess)—to your AWS account.

**To create the `migrationhub-discovery` role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, under **Access management**, choose **Roles**.

1. Choose **Create role**.

1. Choose **AWS service**.

1. Under **Use case for other AWS services**, choose **Migration Hub** from the dropdown, and then select **Migration Hub**.

1. Choose **Next**.

1. To attach the managed policy, select **AWSApplicationDiscoveryServiceFullAccess** from the list of policies on the **Add permissions** page. You can use the search box to find the policy or to filter the list.

1. Choose **Next**.

1. You must enter **migrationhub-discovery** for the **Role name**. 

1. Choose **Create role**.

Optionally, you can modify the role after you create it.

**To modify the trust policy used by the `migrationhub-discovery` role**

1. In the navigation pane, under **Access management**, choose **Roles**.

1. Choose the **migrationhub-discovery** name from the list of roles. You can use the search box to find the role or to filter the list.

1. Choose the **Trust relationships** tab and then choose **Edit trust policy**.

1. You can modify the trust policy under **Trusted entities**. 

   For example, you can add an optional `Condition` *block* as shown in the following example policy. You can use it to limit the scope of the policy. You can delete the block from the policy if you don't need it.

   If you use the `Condition` block, you must add the ID of your AWS account and the AWS Region code for the Region where the resource resides to the policy, which are shown in *red*. For example, `123456789012` is an example of an account ID and `us-east-2` is an example of a Region.

1. Choose **Update Policy**.

### Migration tools managed policies

This section describes AWS managed policies that are used with migration tools.

#### AWS Database Migration Service (AWS DMS)

The **AWSMigrationHubDMSAccess** AWS managed policy grants permissions to allow Migration Hub to receive notifications from the AWS DMS migration tool.

The following procedure describes how to create the `migrationhub-dms` role that uses the **AWSMigrationHubDMSAccess** policy.

**To create the `migrationhub-dms` role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, under **Access management**, choose **Roles**.

1. Choose **Create role**.

1. Choose **AWS service**.

1. Under **Use case for other AWS services**, choose **Migration Hub** from the dropdown, and then select **Migration Hub**.

1. Choose **Next**.

1. To attach the managed policy, select **AWSMigrationHubDMSAccess** from the list of policies on the **Add permissions** page. You can use the search box to find the policy or to filter the list.

1. Choose **Next**.

1. You must enter **migrationhub-dms** for the **Role name**. 

1. Choose **Create role**.

# Custom Policies for Migration Tools when using AWS Migration Hub
Custom Policies for Migration Tools

This is an example role for use by an integrated partner or developer when using the AWS Migration Hub API or CLI.

## Integrated Partner Role Policy

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "mgh:CreateProgressUpdateStream"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:mgh:us-west-2:111122223333:progressUpdateStream/vendor_name"
        },
        {
            "Action": [
                "mgh:AssociateCreatedArtifact",
                "mgh:DescribeMigrationTask",
                "mgh:DisassociateCreatedArtifact",
                "mgh:ImportMigrationTask",
                "mgh:ListCreatedArtifacts",
                "mgh:NotifyMigrationTaskState",
                "mgh:PutResourceAttributes",
                "mgh:NotifyApplicationState",
                "mgh:DescribeApplicationState",
                "mgh:AssociateDiscoveredResource",
                "mgh:DisassociateDiscoveredResource",
                "mgh:ListDiscoveredResources"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:mgh:us-west-2:111122223333:progressUpdateStream/vendor_name/*"
        },
        {
            "Action": [
                "mgh:ListMigrationTasks",
                "mgh:GetHomeRegion"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## Integrated Partner Policy Trust Policy

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

# AWS Migration Hub API Permissions: Actions and Resources Reference

When you are setting up [Access control](auth-and-access-control.md#access-control) and writing a permissions policy that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each Migration Hub API operation, the corresponding action for which you can grant permission, and the AWS resource for which you can grant the permission. You specify the actions in the policy's `Action` field, and you specify the resource value in the policy's `Resource` field. 

**Note**  
To specify an action, use the `mgh:` prefix followed by the API operation name (for example, `mgh:CreateProgressUpdateStream`).



**AWS Migration Hub API and Required Permissions for Actions**  

| Migration Hub API Operations | Required Permissions (API Actions) | Resources | 
| --- | --- | --- | 
| [AssociateCreatedArtifact](http://docs.aws.amazon.com/migrationhub/latest/ug/API_AssociateCreatedArtifact.html) | mgh:AssociateCreatedArtifact | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id or arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id/\* | 
| [AssociateDiscoveredResource](http://docs.aws.amazon.com/migrationhub/latest/ug/API_AssociateDiscoveredResource.html) | mgh:AssociateDiscoveredResource | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id or arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id/\* | 
| [CreateProgressUpdateStream](http://docs.aws.amazon.com/migrationhub/latest/ug/API_CreateProgressUpdateStream.html) | mgh:CreateProgressUpdateStream | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id | 
| [DeleteProgressUpdateStream](http://docs.aws.amazon.com/migrationhub/latest/ug/API_DeleteProgressUpdateStream.html) | mgh:DeleteProgressUpdateStream | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id | 
| [DescribeApplicationState](http://docs.aws.amazon.com/migrationhub/latest/ug/API_DescribeApplicationState.html) | mgh:DescribeApplicationState | \* | 
| [DescribeMigrationTask](http://docs.aws.amazon.com/migrationhub/latest/ug/API_DescribeMigrationTask.html) | mgh:DescribeMigrationTask | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id or arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id/\* | 
| [DisassociateCreatedArtifact](http://docs.aws.amazon.com/migrationhub/latest/ug/API_DisassociateCreatedArtifact.html) | mgh:DisassociateCreatedArtifact | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id or arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id/\* | 
| [DisassociateDiscoveredResource](http://docs.aws.amazon.com/migrationhub/latest/ug/API_DisassociateDiscoveredResource.html) | mgh:DisassociateDiscoveredResource | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id or arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id/\* | 
| [ImportMigrationTask](http://docs.aws.amazon.com/migrationhub/latest/ug/API_ImportMigrationTask.html) | mgh:ImportMigrationTask | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id or arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id/\* | 
| [ListCreatedArtifacts](http://docs.aws.amazon.com/migrationhub/latest/ug/API_ListCreatedArtifacts.html) | mgh:ListCreatedArtifacts | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id or arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id/\* | 
| [ListDiscoveredResources](http://docs.aws.amazon.com/migrationhub/latest/ug/API_ListDiscoveredResources.html) | mgh:ListDiscoveredResources | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id or arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id/\* | 
| [ListMigrationTasks](http://docs.aws.amazon.com/migrationhub/latest/ug/API_ListMigrationTasks.html) | mgh:ListMigrationTasks | \* | 
| [ListProgressUpdateStreams](http://docs.aws.amazon.com/migrationhub/latest/ug/API_ListProgressUpdateStreams.html) | mgh:ListProgressUpdateStreams | \* | 
| [NotifyApplicationState](http://docs.aws.amazon.com/migrationhub/latest/ug/API_NotifyApplicationState.html) | mgh:NotifyApplicationState | \* | 
| [NotifyMigrationTaskState](http://docs.aws.amazon.com/migrationhub/latest/ug/API_NotifyMigrationTaskState.html) | mgh:NotifyMigrationTaskState | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id or arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id/\* | 
| [PutResourceAttributes](http://docs.aws.amazon.com/migrationhub/latest/ug/API_PutResourceAttributes.html) | mgh:PutResourceAttributes | arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id or arn:aws:mgh:region:account-id:ProgressUpdateStreamName/resource-id/\* | 


**AWS Migration Hub Home Region API and Required Permissions for Actions**  

| Migration Hub API Operations | Required Permissions (API Actions) | Resources | 
| --- | --- | --- | 
| [CreateHomeRegionControl](https://docs.aws.amazon.com/migrationhub-home-region/latest/APIReference/API_CreateHomeRegionControl.html) | mgh:CreateHomeRegionControl | \* | 
| [DescribeHomeRegionControls](https://docs.aws.amazon.com/migrationhub-home-region/latest/APIReference/API_DescribeHomeRegionControls.html) | mgh:DescribeHomeRegionControls | \* | 
| [GetHomeRegion](https://docs.aws.amazon.com/migrationhub-home-region/latest/APIReference/API_GetHomeRegion.html) | mgh:GetHomeRegion | \* | 
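
The two tables above split the `mgh:` actions into those that take a ProgressUpdateStream ARN and those that accept only `*`. The following Python check is an added example (not AWS code or tooling) that turns the tables into a static review of an identity policy before you attach it: it flags stream-scoped actions granted on `*` (broader than the table requires), account-level actions granted on a stream ARN (IAM would never match such a grant, so the call is denied), wildcard actions, and `mgh:` actions that do not appear in the tables. The action sets are transcribed from the tables; the sample policy is constructed for the demonstration.

```python
"""Static review of an identity policy against the Migration Hub action tables.

Added example, not AWS code or tooling. STREAM_SCOPED and ACCOUNT_LEVEL are
transcribed from the two tables on this page: the first group accepts a
ProgressUpdateStream ARN (optionally ending in /*), the second accepts only "*".
"""
import json
import re

STREAM_SCOPED = {
    "AssociateCreatedArtifact", "AssociateDiscoveredResource",
    "CreateProgressUpdateStream", "DeleteProgressUpdateStream",
    "DescribeMigrationTask", "DisassociateCreatedArtifact",
    "DisassociateDiscoveredResource", "ImportMigrationTask",
    "ListCreatedArtifacts", "ListDiscoveredResources",
    "NotifyMigrationTaskState", "PutResourceAttributes",
}
ACCOUNT_LEVEL = {
    "DescribeApplicationState", "ListMigrationTasks",
    "ListProgressUpdateStreams", "NotifyApplicationState",
    "CreateHomeRegionControl", "DescribeHomeRegionControls", "GetHomeRegion",
}

# Stream ARN in either form this page uses: ...:<name>/<id>[/*] or ...:<name>:<id>
STREAM_ARN = re.compile(r"^arn:aws:mgh:[a-z0-9-]+:\d{12}:[^/:]+[/:][^/:*]+(/\*)?$")


def _listify(v):
    return v if isinstance(v, list) else [v]


def lint_policy(policy):
    """Return (statement index, action, finding) for each questionable Allow grant."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue                      # only Allow statements can over-grant
        for action in _listify(stmt.get("Action", [])):
            service, _, op = action.partition(":")
            if action == "*" or (service == "mgh" and op == "*"):
                findings.append((i, action, "wildcard action grants every Migration Hub operation"))
                continue
            if service != "mgh":
                continue                  # other services are out of scope here
            for res in _listify(stmt.get("Resource", [])):
                if op in STREAM_SCOPED:
                    if res == "*":
                        findings.append((i, action, "granted on '*'; scope it to a ProgressUpdateStream ARN"))
                    elif not STREAM_ARN.match(res):
                        findings.append((i, action, f"{res!r} is not a ProgressUpdateStream ARN"))
                elif op in ACCOUNT_LEVEL:
                    if res != "*":
                        findings.append((i, action, "accepts only Resource '*'; this grant never matches"))
                else:
                    findings.append((i, action, "not listed in the action tables on this page"))
    return findings


def lint_policy_text(text):
    """Same check over a policy document supplied as a JSON string."""
    return lint_policy(json.loads(text))


# Constructed sample: one well-scoped statement, one mixed statement, one over-broad statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["mgh:CreateProgressUpdateStream"],
            "Resource": "arn:aws:mgh:us-west-2:111122223333:progressUpdateStream/vendor_name",
        },
        {
            "Effect": "Allow",
            "Action": ["mgh:NotifyMigrationTaskState", "mgh:ListMigrationTasks"],
            "Resource": "arn:aws:mgh:us-west-2:111122223333:progressUpdateStream/vendor_name/*",
        },
        {
            "Effect": "Allow",
            "Action": "mgh:DeleteProgressUpdateStream",
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    for index, action, finding in lint_policy(SAMPLE_POLICY):
        print(f"statement {index}: {action}: {finding}")
```

Run against the constructed sample, the check reports two findings: `mgh:ListMigrationTasks` in statement 1 is granted on a stream ARN even though the table says it accepts only `*`, and `mgh:DeleteProgressUpdateStream` in statement 2 is granted on `*` where a stream ARN would do. Running the same check over each policy in a pull request keeps the table's resource scoping enforced rather than remembered.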

## Related Topics

+ [Access control](auth-and-access-control.md#access-control)

# AWS Migration Hub Authentication and Access Control Explained

## Overview of Managing Access Permissions to Your Resources

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles), as well as attaching permissions policies to resources.

**Note**  
An *account administrator* (or administrator user) is a user with administrator privileges. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources.

**Topics**
+ [AWS Migration Hub Resources and Operations](#access-control-resources)
+ [Understanding Resource Ownership](#access-control-resource-ownership)
+ [Managing Access to Resources](#access-control-manage-access-intro)
+ [Specifying Policy Elements: Actions, Effects, and Principals](#specify-policy-elements)
+ [Specifying Conditions in a Policy](#specifying-conditions)

### AWS Migration Hub Resources and Operations




In AWS Migration Hub, the primary resource is a Migration Hub *ProgressUpdateStream*. This resource has a unique Amazon Resource Name (ARN) associated with it, as shown in the following table. 



| Resource Type | ARN Format  | 
| --- | --- | 
| ProgressUpdateStream |  arn:aws:mgh:*region*:*account-id*:ProgressUpdateStreamName:*resource-name*  | 

AWS Migration Hub provides a set of operations to work with the Migration Hub resources. For a list of available operations, see [Actions](API_Operations.md).

### Understanding Resource Ownership


A *resource owner* is the AWS account that created the resource. That is, the resource owner is the AWS account of the *principal entity* (the root account, an IAM user, or an IAM role) that authenticates the request that creates the resource. The following examples illustrate how this works:
+ If you use the root account credentials of your AWS account to create a Migration Hub ProgressUpdateStream, your AWS account is the owner of the resource (in Migration Hub, the resource is a ProgressUpdateStream).
+ If you create an IAM user in your AWS account and grant permissions to create a Migration Hub ProgressUpdateStream to that user, the user can create a ProgressUpdateStream. However, your AWS account, to which the user belongs, owns the ProgressUpdateStream resource.
+ If you create an IAM role in your AWS account with permissions to create a Migration Hub ProgressUpdateStream, anyone who can assume the role can create a ProgressUpdateStream. Your AWS account, to which the role belongs, owns the ProgressUpdateStream resource. 

### Managing Access to Resources


A *permissions policy* describes who has access to what. The following section explains the available options for creating permissions policies.

**Note**  
This section discusses using IAM in the context of AWS Migration Hub. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What Is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies attached to an IAM identity are referred to as *identity-based* policies (IAM policies), and policies attached to a resource are referred to as *resource-based* policies. AWS Migration Hub *does not support resource-based policies*; see [Resource-Based Policies](#access-control-manage-access-resource-based). 

**Topics**
+ [Identity-Based Policies (IAM Policies)](#access-control-manage-access-identity-based)
+ [Resource-Based Policies](#access-control-manage-access-resource-based)

#### Identity-Based Policies (IAM Policies)


You can attach policies to IAM identities. For example, you can do the following: 
+ **Attach a permissions policy to a user or a group in your account** – An account administrator can use a permissions policy that is associated with a particular user to grant permissions for that user to create a Migration Hub resource. 
+ **Attach a permissions policy to a role (grant cross-account permissions)** – You can attach an identity-based permissions policy to an IAM role to grant cross-account permissions. For example, the administrator in Account A can create a role to grant cross-account permissions to another AWS account (for example, Account B) or an AWS service as follows:

  1. Account A administrator creates an IAM role and attaches a permissions policy to the role that grants permissions on resources in Account A.

  1. Account A administrator attaches a trust policy to the role identifying Account B as the principal who can assume the role. 

  1. Account B administrator can then delegate permissions to assume the role to any users in Account B. Doing this allows users in Account B to create or access resources in Account A. The principal in the trust policy can also be an AWS service principal if you want to grant an AWS service permissions to assume the role.

   For more information about using IAM to delegate permissions, see [Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*. 

The following is an example policy that grants permissions for the Migration Hub action `mgh:NotifyMigrationTaskState` on all resources. 

For more information about using identity-based policies with Migration Hub, see [Using Identity-Based Policies (IAM Policies) for AWS Migration Hub](#access-control-identity-based). For more information about users, groups, roles, and permissions, see [Identities (Users, Groups, and Roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. 

#### Resource-Based Policies


Other services, such as Amazon S3, also support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket. Migration Hub does not support resource-based policies. However, keep in mind that you will still see references made to resources. This is because there is a difference between *resource-based* permissions and *resource-level* permissions. 

Resource-based permissions are permissions that attach directly to a resource, whereas a resource-level permission simply specifies, within an identity-based permission, the resource on which a user or a role can perform actions. Therefore, when references to resources are made in discussing Migration Hub permissions, they are within this context of *resource-level* permissions.

### Specifying Policy Elements: Actions, Effects, and Principals


For each Migration Hub resource, the service defines a set of API operations. To grant permissions for these API operations, Migration Hub defines a set of actions that you can specify in a policy. Some API operations can require permissions for more than one action in order to perform the API operation. For more information about resources and API operations, see [AWS Migration Hub Resources and Operations](#access-control-resources) and Migration Hub [Actions](API_Operations.md).

The following are the most basic policy elements:
+ **Resource** – You use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. For more information, see [AWS Migration Hub Resources and Operations](#access-control-resources).
+ **Action** – You use action keywords to identify resource operations that you want to allow or deny. For example, you can use `mgh:AssociateDiscoveredResource` to allow the user permission to perform the Migration Hub `AssociateDiscoveredResource` operation.
+ **Effect** – You specify the effect, either allow or deny, when the user requests the specific action. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. In resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions. Migration Hub doesn't support resource-based policies.

To learn more about IAM policy syntax and descriptions, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the AWS Migration Hub API actions and the resources that they apply to, see [AWS Migration Hub API Permissions: Actions and Resources Reference](migrationhub-api-permissions-ref.md).





### Specifying Conditions in a Policy


When you grant permissions, you can use the IAM policy language to specify the conditions when a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition) in the *IAM User Guide*.

To express conditions, you use predefined condition keys. There are no condition keys specific to Migration Hub. However, there are AWS-wide condition keys that you can use as appropriate. For a complete list of AWS-wide keys, see [Available Keys for Conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.
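
Two places on this page rely on a `Condition` block without showing how IAM decides it: the optional block on the `migrationhub-discovery` trust policy (account ID plus Region) and the date-bounded policy mentioned above. The following Python evaluator is an added example, not AWS code, that models the subset of IAM condition logic those two cases need: a request matches an `Allow` statement when the caller matches `Principal` and every `Condition` entry holds; entries are AND-ed, multiple values for one key are OR-ed, and a key missing from the request context never satisfies a condition. Assumptions made here because the page does not show them: the Migration Hub service principal is written as `migrationhub.amazonaws.com`, the account and Region scoping uses the global keys `aws:SourceAccount` and `aws:SourceArn`, and the date check uses `DateGreaterThan` on `aws:CurrentTime`. Both trust policies below are constructed.

```python
"""Evaluate a role trust policy's Principal and Condition blocks for one request.

Added example, not AWS code. Models a subset of IAM: an Allow statement for
sts:AssumeRole matches when the caller matches Principal and every Condition
entry holds (entries are AND-ed, several values for one key are OR-ed, and a
key missing from the request context never satisfies a condition).
"""
import fnmatch
from datetime import datetime


def _listify(v):
    return v if isinstance(v, list) else [v]


def _parse_ts(s):
    # IAM date values are ISO 8601; rewrite a trailing 'Z' so every Python 3 parses it
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


OPERATORS = {
    "StringEquals": lambda want, got: want == got,
    "ArnLike": lambda want, got: fnmatch.fnmatchcase(got, want),   # '*' and '?' wildcards
    "DateGreaterThan": lambda want, got: _parse_ts(got) > _parse_ts(want),
}


def _principal_matches(principal, caller):
    """caller is ('Service', 'dms.amazonaws.com') or ('AWS', 'arn:aws:iam::<acct>:root')."""
    if principal == "*":
        return True
    kind, ident = caller
    return ident in _listify(principal.get(kind, []))


def _condition_holds(op, key, wanted, context):
    if key not in context:
        return False                      # absent key: condition fails
    return any(OPERATORS[op](want, context[key]) for want in _listify(wanted))


def can_assume(trust_policy, caller, context):
    """True if some Allow statement lets `caller` call sts:AssumeRole under `context`."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _listify(stmt["Action"]):
            continue
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if all(_condition_holds(op, key, wanted, context)
               for op, keys in stmt.get("Condition", {}).items()
               for key, wanted in keys.items()):
            return True
    return False


# Constructed trust policy for the migrationhub-discovery role. The service
# principal and the two global condition keys are assumptions; the page says the
# Condition block carries your account ID and Region but does not show it.
DISCOVERY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "migrationhub.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "123456789012"},
            "ArnLike": {"aws:SourceArn": "arn:aws:mgh:us-east-2:123456789012:*"},
        },
    }],
}

# Constructed cross-account trust policy that only takes effect after a date.
DATED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2025-11-07T00:00:00Z"}},
    }],
}

MIGRATION_HUB = ("Service", "migrationhub.amazonaws.com")

if __name__ == "__main__":
    ctx = {"aws:SourceAccount": "123456789012",
           "aws:SourceArn": "arn:aws:mgh:us-east-2:123456789012:progressUpdateStream/demo"}
    print("own account, home Region :", can_assume(DISCOVERY_TRUST_POLICY, MIGRATION_HUB, ctx))
    print("other account            :", can_assume(DISCOVERY_TRUST_POLICY, MIGRATION_HUB,
                                                  {**ctx, "aws:SourceAccount": "999988887777"}))
    print("no source ARN in context :", can_assume(DISCOVERY_TRUST_POLICY, MIGRATION_HUB,
                                                  {"aws:SourceAccount": "123456789012"}))
```

The two scoping conditions are what stop the same service principal, acting for a different account or a different Region, from assuming the role; deleting the `Condition` block, as the procedure allows, removes that check. The date example shows the other use the section names: the cross-account principal is correct, yet the policy grants nothing until `aws:CurrentTime` passes the given instant.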

## Using Identity-Based Policies (IAM Policies) for AWS Migration Hub

This topic provides explanations of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). 

**Important**  
 We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your AWS Migration Hub resources. For more information, see [Overview of Managing Access Permissions to Your Resources](#access-control-overview).

The sections in this topic cover the following:
+ [Permissions Required to Use the AWS Migration Hub Console and API](#console-required-permissions) 
+ [AWS Managed (Predefined) Policies for AWS Migration Hub](#access-policy-examples-aws-managed) 
+ [AWS Migration Hub Trust Policies](#access-policy-examples-aws-trust) 



The following shows an example of a permissions policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "mgh:AssociateCreatedArtifact",
                "mgh:NotifyApplicationState",
                "mgh:ListDiscoveredResources"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:mgh:us-west-2:111122223333:ProgressUpdateStreamName/DMS/*"
        }
    ]
}
```

Next, you must define a trust policy that authorizes the migration tool, in this example, AWS Database Migration Service (DMS), to assume the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "dms.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

This policy is implemented in two parts, the permission policy and the trust policy: 
+ The permissions policy grants the Migration Hub actions (`mgh:AssociateCreatedArtifact`, `mgh:NotifyApplicationState`, and `mgh:ListDiscoveredResources`) on the resources identified by the Amazon Resource Name (ARN) for the AWS DMS migration tool. The wildcard character (`*`) at the end of the resource name means that the migration tool can act on any migration task it creates under that particular ProgressUpdateStream name, and on nothing outside it.
+ The trust policy authorizes the AWS DMS migration tool to assume the role, and with it the role's permissions policy. Migration Hub roles always require a trust policy to be associated with them.

For a table showing all of the AWS Migration Hub API actions and the resources and conditions that they apply to, see [AWS Migration Hub API Permissions: Actions and Resources Reference](migrationhub-api-permissions-ref.md).

### Permissions Required to Use the AWS Migration Hub Console and API


The AWS Migration Hub console provides an integrated environment for users and APIs to create Migration Hub resources and to manage migrations. Many of the console's features and workflows require specific permissions before they can be used. The best way to grant these permissions is through managed policies. See [Console & API Managed Access](new-customer-setup.md#api-console-access-managed).

In addition, there are API-specific permissions documented in [AWS Migration Hub API Permissions: Actions and Resources Reference](migrationhub-api-permissions-ref.md).

#### AWS Managed (Predefined) Policies for AWS Migration Hub


AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed.

The following AWS managed policies, which you can attach to users in your account, are specific to Migration Hub and are grouped by use case scenario:
+ **AWSMigrationHubDiscoveryAccess** – Grants permission to allow the Migration Hub service to call Application Discovery Service.
+ **AWSMigrationHubFullAccess** – Grants access to the Migration Hub console and API/CLI for a user who's not an administrator.
+ **AWSMigrationHubDMSAccess** – Grants permission for Migration Hub to receive notifications from the AWS Database Migration Service migration tool.

**Note**  
You can review these permissions policies by signing in to the IAM console and searching for these specific policies there.

You can also create your own custom IAM policies to allow permissions for Migration Hub actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions. 

### AWS Migration Hub Trust Policies


A trust policy authorizes a principal to assume the role, and so to use the role's permissions policy. A principal can be an AWS account (the "root" user), an IAM user, a role, or, as in the `dms.amazonaws.com` example above, an AWS service. In Migration Hub, the trust policy is not generated for you; you must create it yourself alongside the permissions policy.

Therefore, each IAM role requires two separate policies that must be created for it:
+ A permissions policy, which defines what actions and resources the principal is allowed to use.
+ A trust policy, which specifies who is allowed to assume the role (the trusted entity, or principal).
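To make the effect of the two policies concrete, the following is an added example, not code from the AWS documentation or any AWS library: a small offline model of how IAM matches a request against the DMS permissions policy and trust policy shown earlier. It handles only what those two policies use (Allow statements, `*` wildcards in Action and Resource, a Service principal) and not IAM's full evaluation logic; the account ID and task names are the placeholder values from the example.

```python
from fnmatch import fnmatchcase

# The permissions policy and trust policy shown above for the AWS DMS migration tool role.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["mgh:AssociateCreatedArtifact", "mgh:NotifyApplicationState",
                   "mgh:ListDiscoveredResources"],
        "Effect": "Allow",
        "Resource": "arn:aws:mgh:us-west-2:111122223333:ProgressUpdateStreamName/DMS/*",
    }],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "dms.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

def _as_list(value):
    # IAM accepts either a single string or a list for Action, Resource and Principal values
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM's "*" and "?" wildcards act like glob metacharacters over the whole string
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Does some Allow statement cover this action on this resource ARN?
    Simplified model: no explicit Deny, NotAction/NotResource or Condition handling."""
    return any(st.get("Effect") == "Allow"
               and _matches(st["Action"], action)
               and _matches(st["Resource"], resource)
               for st in policy["Statement"])

def can_assume(trust_policy, service_principal):
    """May this service principal call sts:AssumeRole on the role under its trust policy?"""
    return any(st.get("Effect") == "Allow"
               and _matches(st["Action"], "sts:AssumeRole")
               and service_principal in _as_list(st.get("Principal", {}).get("Service", []))
               for st in trust_policy["Statement"])

if __name__ == "__main__":
    stream = "arn:aws:mgh:us-west-2:111122223333:ProgressUpdateStreamName/"
    # A task under the DMS stream is covered; the same action under another tool's stream is not
    print(is_allowed(PERMISSIONS_POLICY, "mgh:NotifyApplicationState", stream + "DMS/task-1"))
    print(is_allowed(PERMISSIONS_POLICY, "mgh:NotifyApplicationState", stream + "SMS/task-1"))
    # An action the policy does not list is not granted, even on the right stream
    print(is_allowed(PERMISSIONS_POLICY, "mgh:CreateProgressUpdateStream", stream + "DMS/task-1"))
    # Only the DMS service principal may assume the role
    print(can_assume(TRUST_POLICY, "dms.amazonaws.com"), can_assume(TRUST_POLICY, "ec2.amazonaws.com"))
```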

# Using Service-Linked Roles for Migration Hub

AWS Migration Hub uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Migration Hub. Service-linked roles are predefined by Migration Hub and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up Migration Hub easier because you don't have to manually add the necessary permissions. Migration Hub defines the permissions of its service-linked roles, and the services that can assume its roles. The permissions include the trust policy and the permissions policy, which cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

**Topics**
+ [Using Roles to Connect Migration Hub to Application Discovery Service](using-service-linked-roles-discovery-service-role.md)
+ [Using Roles to Connect Migration Hub to AWS DMS](using-service-linked-roles-dms-service-role.md)

# Using Roles to Connect Migration Hub to Application Discovery Service

Migration Hub uses the service-linked role named **AWSServiceRoleForMigrationHub**. The role allows Migration Hub to call the Application Discovery Service on your behalf. This enables AWS Migration Hub to match migration tracking updates to servers and applications that you've discovered.

## Service-Linked Role Permissions for Migration Hub


The AWSServiceRoleForMigrationHub service-linked role trusts the following services to assume the role:
+ `migrationhub.amazonaws.com`

The role permissions policy is as follows:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "discovery:ListConfigurations",
                "discovery:DescribeConfigurations"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:image/*"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "aws:migrationhub:source-id"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "dms:AddTagsToResource",
            "Resource": [
                "arn:aws:dms:*:*:endpoint:*"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "aws:migrationhub:source-id"
                }
            }
        }
    ]
}
```

To allow an IAM entity such as a user, group, or role to create, edit, or delete a service-linked role, configure permissions that allow it. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.
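The `ec2:CreateTags` statement above is scoped by a `ForAllValues:StringEquals` condition on `aws:TagKeys`, so the role may only write the `aws:migrationhub:source-id` tag. The following is an added example, not code from the AWS documentation or any AWS library, that models that condition offline, including the edge case that `ForAllValues` passes when the request carries no tag keys at all; the instance and volume ARNs are constructed placeholders.

```python
from fnmatch import fnmatchcase

# The ec2:CreateTags statement from the AWSServiceRoleForMigrationHub policy shown above.
CREATE_TAGS_STATEMENT = {
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:image/*"],
    "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": "aws:migrationhub:source-id"}},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM's "*" and "?" wildcards act like glob metacharacters over the whole string
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def for_all_values_string_equals(condition, request_keys):
    """Model of ForAllValues:StringEquals on aws:TagKeys: every tag key in the request
    must be in the policy's allowed set. A request with no tag keys also passes, so this
    operator alone restricts which keys may be written; it does not require the tag."""
    block = condition.get("ForAllValues:StringEquals", {})
    if "aws:TagKeys" not in block:
        return True
    allowed = set(_as_list(block["aws:TagKeys"]))
    return all(key in allowed for key in request_keys)

def statement_allows(statement, action, resource, tag_keys=()):
    # Simplified single-statement check: Allow effect, action, resource, then condition
    return (statement.get("Effect") == "Allow"
            and _matches(statement["Action"], action)
            and _matches(statement["Resource"], resource)
            and for_all_values_string_equals(statement.get("Condition", {}), tag_keys))

if __name__ == "__main__":
    inst = "arn:aws:ec2:us-west-2:111122223333:instance/i-0123456789abcdef0"  # constructed
    vol = "arn:aws:ec2:us-west-2:111122223333:volume/vol-0123456789abcdef0"   # constructed
    print(statement_allows(CREATE_TAGS_STATEMENT, "ec2:CreateTags", inst, ["aws:migrationhub:source-id"]))
    print(statement_allows(CREATE_TAGS_STATEMENT, "ec2:CreateTags", inst, ["aws:migrationhub:source-id", "Name"]))
    print(statement_allows(CREATE_TAGS_STATEMENT, "ec2:CreateTags", inst, []))  # empty key set passes
    print(statement_allows(CREATE_TAGS_STATEMENT, "ec2:CreateTags", vol, ["aws:migrationhub:source-id"]))
```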

## Creating a Service-Linked Role for Migration Hub


You're not required to manually create a service-linked role. When you access the Migration Hub console, Migration Hub creates the service-linked role for you. 

**Important**  
This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. To learn more, see [A New Role Appeared in My IAM Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

### Creating a Service-Linked Role in Migration Hub (Console)


Use the Migration Hub console to create this service-linked role. Open a web browser and navigate to the Migration Hub console at [console.aws.amazon.com/migrationhub](https://console.aws.amazon.com/migrationhub).

You can also use the IAM console to create a service-linked role for use with the AWS CLI or the AWS API. For more information, see [Creating a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*.

If you delete this role and then want to create it again, use the same process. When you access the Migration Hub console, Migration Hub creates the service-linked role for you again. 

## Editing a Service-Linked Role for Migration Hub


Migration Hub does not allow you to edit the AWSServiceRoleForMigrationHub service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a Service-Linked Role for Migration Hub


### Manually Delete the Service-Linked Role


Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForMigrationHub service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for Migration Hub Service-Linked Roles


Migration Hub supports using service-linked roles in the US West (Oregon) AWS Region, where the service is available.

# Using Roles to Connect Migration Hub to AWS DMS

Migration Hub uses the service-linked role named **AWSServiceRoleForMigrationHubDMSAccess**. The role allows AWS Database Migration Service (AWS DMS) to send migration tracking information from any supported AWS Region to Migration Hub in US West (Oregon).

## Service-Linked Role Permissions for Migration Hub


The AWSServiceRoleForMigrationHubDMSAccess service-linked role trusts the following services to assume the role:
+ `dms.amazonaws.com`

The role permissions policy is as follows:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "mgh:CreateProgressUpdateStream",
            "Resource": "arn:aws:mgh:*:*:progressUpdateStream/DMS"
        },
        {
            "Effect": "Allow",
            "Action": [
                "mgh:DescribeMigrationTask",
                "mgh:AssociateDiscoveredResource",
                "mgh:ListDiscoveredResources",
                "mgh:ImportMigrationTask",
                "mgh:ListCreatedArtifacts",
                "mgh:DisassociateDiscoveredResource",
                "mgh:AssociateCreatedArtifact",
                "mgh:NotifyMigrationTaskState",
                "mgh:DisassociateCreatedArtifact",
                "mgh:PutResourceAttributes"
            ],
            "Resource": "arn:aws:mgh:*:*:progressUpdateStream/DMS/migrationTask/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "mgh:ListMigrationTasks",
                "mgh:NotifyApplicationState",
                "mgh:DescribeApplicationState"
            ],
            "Resource": "*"
        }
    ]
}
```

To allow an IAM entity such as a user, group, or role to create, edit, or delete a service-linked role, configure permissions to allow this. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a Service-Linked Role for Migration Hub


You're not required to manually create a service-linked role. When you connect to AWS DMS in the Migration Hub console, Migration Hub creates the service-linked role for you. 

**Important**  
 This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. To learn more, see [A New Role Appeared in My IAM Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

### Creating a Service-Linked Role in Migration Hub (Console)


Use the Migration Hub console to create a service-linked role.

**To create a service-linked role (console)**

1. Open a web browser and navigate to the Migration Hub console at [console.aws.amazon.com/migrationhub](https://console.aws.amazon.com/migrationhub).

1. From the left navigation, under **Migrate**, choose **Tools**.

1. Scroll down to **Database migration tools**.

1. In the **Database Migration Service** box, choose **Connect**.

You can also use the IAM console to create a service-linked role for use with the AWS CLI or the AWS API. For more information, see [Creating a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*.

If you delete this service-linked role and need to create it again, use the same process. When you connect to AWS DMS in the Migration Hub console, Migration Hub creates the service-linked role for you again. 

## Editing a Service-Linked Role for Migration Hub


Migration Hub does not allow you to edit the AWSServiceRoleForMigrationHubDMSAccess service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a Service-Linked Role for Migration Hub


### Manually Delete the Service-Linked Role


Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForMigrationHubDMSAccess service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for Migration Hub Service-Linked Roles


Migration Hub supports using service-linked roles in the US West (Oregon) AWS Region, where the service is available.