AWS Source Environments
Describes the format used to store credentials for AWS source environments.
AWS uses IAM policies to control access to AWS resources and APIs. For more information on AWS authorization, see Actions, resources, and condition keys for AWS services and review Best practices for managing AWS access keys.
AWS IAM policies must be created first to describe the exact permissions necessary for asset discovery and replication. If not all regions are going to be migrated, then consider limiting the access with condition keys and specify only those that are going to be migrated.
After creating policies, they need to be attached to a user and that user needs to have an access key created for the service to use. See AWS Managing access keys for IAM users.
The following table lists the IAM AWS policies created for each AWS service. These policies contain the corresponding IAM permissions as described in the table.
Required IAM Permissions for Discovery
| AWS Service | Access Level | AWS Action | AWS Resource Type | Supported Condition Keys |
|---|---|---|---|---|
| Amazon EC2 | List | DescribeInstances | * | ec2:Region |
| List | DescribeInstanceTypes | * | ec2:Region | |
| List | DescribeVolumes | * | ec2:Region | |
| AWS Cost Explorer | Read | GetCostAndUsageWithResources | * | |
| Amazon CloudWatch | Read | GetMetricData | * | |
| Read | GetMetricStatistics | * |
- For a JSON version of the table above, see
aws-ocm-discovery-policy.json - AWS Cost Explorer and Amazon CloudWatch are only required if cost estimation and sizing recommendations are intended to be used as part of a migration plan.
- An Amazon CloudWatch agent needs to be configured on each instance to collect more precise and advanced performance metrics.
Required IAM Permissions for Replication
| AWS Service | Access Level | AWS Action | AWS Resource Type | Supported Condition Keys |
|---|---|---|---|---|
| Amazon EC2 | List | DescribeInstances | * | ec2:Region |
| List | DescribeSnapshots | * | ec2:Region | |
| List | DescribeVolumes | * | ec2:Region | |
| Write | CreateSnapshots | instance, snapshot, volume | ||
| Write | CreateTags | instance, snapshot, volume | ||
| EBS | Read | ListChangedBlocks | snapshot | |
| Read | ListSnapshotBlocks | snapshot | ||
| Read | GetSnapshotBlock | snapshot |
AWS Credentials Format
{"accessKeyId":"<KEY_ID_VALUE>","secretAccessKey":"<ACCESS_KEY_VALUE>"}AWS Credentials Usage
For AWS source environments, discovery and replication tasks are performed by different serivce components. Discovery tasks are run by the Oracle Cloud Migrations discovery service and replication tasks are run by the Hydration agents. Access to credentials is validated using IAM policies at the begining of each discovery or replication operation. See AWS Service Policies for more information.