AWS Source Environments

Describes the format used to store credentials for AWS source environments.

AWS uses IAM policies to control access to AWS resources and APIs. For more information on AWS authorization, see Actions, resources, and condition keys for AWS services and review Best practices for managing AWS access keys.

Create the IAM policies first, granting exactly the permissions needed for asset discovery and replication (listed in the tables below) and nothing more. If only some regions are going to be migrated, restrict the region-aware EC2 actions with the ec2:Region condition key so that the policy names only those regions.

After creating the policies, attach them to an IAM user and create an access key for that user for the service to use. Use a dedicated IAM user that carries only these policies, and delete the access key once the migration is complete. See AWS Managing access keys for IAM users.

The following tables list, per AWS service, the IAM actions that each policy must grant, together with the resource types and condition keys those actions support.

Required IAM Permissions for Discovery

AWS Service          Access Level  AWS Action                      AWS Resource Type   Supported Condition Keys
Amazon EC2           List          DescribeInstances               *                   ec2:Region
Amazon EC2           List          DescribeInstanceTypes           *                   ec2:Region
Amazon EC2           List          DescribeVolumes                 *                   ec2:Region
AWS Cost Explorer    Read          GetCostAndUsageWithResources    *                   (none)
Amazon CloudWatch    Read          GetMetricData                   *                   (none)
Amazon CloudWatch    Read          GetMetricStatistics             *                   (none)
Note

  • For a JSON version of the table above, see aws-ocm-discovery-policy.json
  • AWS Cost Explorer and Amazon CloudWatch are only required if cost estimation and sizing recommendations are intended to be used as part of a migration plan.
  • Without an agent, CloudWatch only exposes the default hypervisor-level EC2 metrics (CPU, network and disk I/O); an Amazon CloudWatch agent needs to be configured on each instance to collect more precise and advanced performance metrics, such as memory usage.

Required IAM Permissions for Replication

AWS Service          Access Level  AWS Action                      AWS Resource Type             Supported Condition Keys
Amazon EC2           List          DescribeInstances               *                             ec2:Region
Amazon EC2           List          DescribeSnapshots               *                             ec2:Region
Amazon EC2           List          DescribeVolumes                 *                             ec2:Region
Amazon EC2           Write         CreateSnapshots                 instance, snapshot, volume    (none)
Amazon EC2           Write         CreateTags                      instance, snapshot, volume    (none)
Amazon EBS           Read          ListChangedBlocks               snapshot                      (none)
Amazon EBS           Read          ListSnapshotBlocks              snapshot                      (none)
Amazon EBS           Read          GetSnapshotBlock                snapshot                      (none)

AWS Credentials Format

The following format is used to store credentials used for AWS source environments:
{"accessKeyId":"<KEY_ID_VALUE>","secretAccessKey":"<ACCESS_KEY_VALUE>"}
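
The following is an added example, not code from Oracle Cloud Migrations or AWS. It turns the two permission tables above into IAM policy documents, applying the ec2:Region condition key (and region-pinned ARNs for the typed resources) when only some regions are being migrated, dropping the Cost Explorer and CloudWatch actions when sizing is not needed, and it validates a credentials blob in the format shown above before it is stored. The ARN patterns, the 20-character access key ID and 40-character secret shapes, and the sample key pair (AWS's documented placeholder values) are assumptions, not something the page specifies.

```python
"""Added example (not Oracle Cloud Migrations or AWS code): build the
least-privilege IAM policies from the permission tables, optionally pinned
to the regions being migrated, and validate the stored credentials format.
ARN patterns and key-format rules are assumptions."""
import json
import re

# One tuple per table row: (IAM action, resource types, supports ec2:Region).
DISCOVERY_ROWS = [
    ("ec2:DescribeInstances", (), True),
    ("ec2:DescribeInstanceTypes", (), True),
    ("ec2:DescribeVolumes", (), True),
    ("ce:GetCostAndUsageWithResources", (), False),
    ("cloudwatch:GetMetricData", (), False),
    ("cloudwatch:GetMetricStatistics", (), False),
]
REPLICATION_ROWS = [
    ("ec2:DescribeInstances", (), True),
    ("ec2:DescribeSnapshots", (), True),
    ("ec2:DescribeVolumes", (), True),
    ("ec2:CreateSnapshots", ("instance", "snapshot", "volume"), False),
    ("ec2:CreateTags", ("instance", "snapshot", "volume"), False),
    ("ebs:ListChangedBlocks", ("snapshot",), False),
    ("ebs:ListSnapshotBlocks", ("snapshot",), False),
    ("ebs:GetSnapshotBlock", ("snapshot",), False),
]
# Only needed for cost estimation and sizing recommendations.
SIZING_ACTIONS = {a for a, _, _ in DISCOVERY_ROWS if not a.startswith("ec2:")}
# Assumed EC2 ARN shapes; snapshot ARNs have no account-ID segment.
ARN_TEMPLATES = {
    "instance": "arn:aws:ec2:{region}:*:instance/*",
    "volume": "arn:aws:ec2:{region}:*:volume/*",
    "snapshot": "arn:aws:ec2:{region}::snapshot/*",
}


def build_policy(rows, regions=None, include_sizing=True):
    """Return an IAM policy document for the given table rows.

    regions: region names to migrate, or None for all regions. Region-aware
    Describe* calls get an ec2:Region condition; actions on typed resources
    get ARNs pinned to those regions instead.
    """
    regions = list(regions) if regions else None
    conditioned, unscoped, by_types = [], [], {}
    for action, resource_types, region_key in rows:
        if not include_sizing and action in SIZING_ACTIONS:
            continue
        if region_key:
            conditioned.append(action)
        elif resource_types:
            by_types.setdefault(resource_types, []).append(action)
        else:
            unscoped.append(action)
    statements = []
    if conditioned:
        stmt = {"Sid": "RegionScopedDescribe", "Effect": "Allow",
                "Action": conditioned, "Resource": "*"}
        if regions:
            stmt["Condition"] = {"StringEquals": {"ec2:Region": regions}}
        statements.append(stmt)
    for i, (types, actions) in enumerate(by_types.items()):
        resources = [ARN_TEMPLATES[t].format(region=r)
                     for t in types for r in (regions or ["*"])]
        statements.append({"Sid": f"ResourceScoped{i}", "Effect": "Allow",
                           "Action": actions, "Resource": resources})
    if unscoped:
        statements.append({"Sid": "Unscoped", "Effect": "Allow",
                           "Action": unscoped, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


# Assumed shapes: 20-char key IDs (AKIA = long-term IAM user key,
# ASIA = temporary STS key) and 40-char secrets.
KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
SECRET_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")


def parse_credentials(blob):
    """Parse the stored credentials JSON; raise ValueError on anything that
    does not match the format (without echoing the secret)."""
    try:
        data = json.loads(blob)
    except json.JSONDecodeError as exc:
        raise ValueError(f"credentials are not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict) or set(data) != {"accessKeyId", "secretAccessKey"}:
        raise ValueError("credentials must contain exactly accessKeyId and secretAccessKey")
    key_id, secret = data["accessKeyId"], data["secretAccessKey"]
    if not isinstance(key_id, str) or not KEY_ID_RE.match(key_id):
        raise ValueError("accessKeyId does not look like an AWS access key ID")
    if key_id.startswith("ASIA"):
        raise ValueError("temporary keys need a session token the format cannot hold")
    if not isinstance(secret, str) or not SECRET_RE.match(secret):
        raise ValueError("secretAccessKey has an unexpected length or alphabet")
    return key_id, secret


# Constructed sample using AWS's documented placeholder key pair.
SAMPLE_CREDENTIALS = ('{"accessKeyId":"AKIAIOSFODNN7EXAMPLE",'
                      '"secretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}')

if __name__ == "__main__":
    parse_credentials(SAMPLE_CREDENTIALS)
    print(json.dumps(build_policy(DISCOVERY_ROWS, ["us-east-1", "eu-west-1"]), indent=2))
    print(json.dumps(build_policy(REPLICATION_ROWS, ["us-east-1"]), indent=2))
```

Running the script prints a discovery policy whose Describe* statement carries StringEquals on ec2:Region for the two regions, and a replication policy whose CreateSnapshots/CreateTags and EBS direct-API statements name only us-east-1 ARNs. The validator deliberately rejects ASIA-prefixed (temporary) key IDs, because the stored format has no field for the session token those keys require; only a long-term IAM user key fits.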

AWS Credentials Usage

For AWS source environments, discovery and replication tasks are performed by different service components: discovery tasks are run by the Oracle Cloud Migrations discovery service, and replication tasks are run by the Hydration agents. The credentials are validated against the IAM policies at the beginning of each discovery or replication operation, so a missing permission fails the operation before it starts. See AWS Service Policies for more information.