Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.
AWSApplicationMigrationNetworkMigrationMultiAccount
Deskripsi: Menyediakan izin untuk mengotomatiskan migrasi infrastruktur jaringan VMware ke AWS melalui CloudFormation
AWSApplicationMigrationNetworkMigrationMultiAccount adalah kebijakan yang dikelola AWS.
Menggunakan kebijakan ini
Anda dapat melampirkan AWSApplicationMigrationNetworkMigrationMultiAccount ke pengguna, grup, dan peran Anda.
Rincian kebijakan
- Jenis: kebijakan terkelola AWS
- Waktu pembuatan: 10 November 2025, 09:04 UTC
- Waktu pengeditan: 10 November 2025, 09:04 UTC
- ARN: arn:aws:iam::aws:policy/AWSApplicationMigrationNetworkMigrationMultiAccount
Versi kebijakan
Versi kebijakan: v1 (default)
Versi default kebijakan adalah versi yang menentukan izin untuk kebijakan tersebut. Saat pengguna atau peran dengan kebijakan tersebut membuat permintaan untuk mengakses sumber daya AWS, AWS memeriksa versi default kebijakan untuk menentukan apakah permintaan tersebut diizinkan.
Dokumen kebijakan JSON
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "EC2CFNReadonlyPrefixList", "Effect" : "Allow", "Action" : [ "ec2:GetManagedPrefixListEntries" ], "Resource" : [ "arn:aws:ec2:*:*:prefix-list/*" ], "Condition" : { "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "NetworkAnalyzer", "Effect" : "Allow", "Action" : [ "ec2:DescribeSecurityGroupRules", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeNetworkInterfaces" ], "Resource" : [ "*" ] }, { "Sid" : "CreatePermissionsByCFNNACL", "Effect" : "Allow", "Action" : [ "ec2:ReplaceNetworkAclAssociation" ], "Resource" : [ "arn:aws:ec2:*:*:network-acl/*" ], "Condition" : { "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreatePermissionsByCFNNACLSN", "Effect" : "Allow", "Action" : [ "ec2:ReplaceNetworkAclAssociation" ], "Resource" : [ "arn:aws:ec2:*:*:subnet/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "EC2CFNReadonly", "Effect" : "Allow", "Action" : [ "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeCustomerGateways", "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeHosts", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeLaunchTemplates", "ec2:DescribeManagedPrefixLists", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeNetworkInsightsAnalyses", "ec2:DescribeNetworkInsightsPaths", "ec2:DescribeNetworkInterfaces", "ec2:DescribePrefixLists", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroupRules", "ec2:DescribeSecurityGroups", 
"ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeTransitGatewayConnects", "ec2:DescribeTransitGatewayPeeringAttachments", "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGatewayVpcAttachments", "ec2:DescribeTransitGateways", "ec2:DescribeVolumes", "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:GetTransitGatewayRouteTableAssociations", "ec2:GetTransitGatewayRouteTablePropagations" ], "Resource" : [ "*" ], "Condition" : { "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "MGNCFNDescribe", "Effect" : "Allow", "Action" : [ "cloudformation:DescribeStacks", "cloudformation:ListStacks" ], "Resource" : "arn:aws:cloudformation:*:*:stack/Nmd*" }, { "Sid" : "CFNCreate", "Effect" : "Allow", "Action" : [ "cloudformation:CreateStack" ], "Resource" : "arn:aws:cloudformation:*:*:stack/Nmd*", "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService", "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" } } }, { "Sid" : "CFNOperations", "Effect" : "Allow", "Action" : [ "cloudformation:DeleteStack", "cloudformation:UpdateStack", "cloudformation:UpdateTerminationProtection", "cloudformation:DescribeStackResources", "cloudformation:GetTemplateSummary", "cloudformation:ListStackResources", "cloudformation:DescribeStackEvents" ], "Resource" : "arn:aws:cloudformation:*:*:stack/Nmd*", "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" } } }, { "Sid" : "CFNProvision", "Effect" : "Allow", "Action" : [ "ec2:AllocateAddress" ], "Resource" : [ "arn:aws:ec2:*:*:elastic-ip/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" } } }, { "Sid" : "AnalyzerEC2PutResourcePolicy", "Effect" : "Allow", 
"Action" : [ "ec2:PutResourcePolicy" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" } } }, { "Sid" : "AnalyzerEC2ResourceOperations", "Effect" : "Allow", "Action" : [ "ec2:DeleteSecurityGroup", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" } } }, { "Sid" : "AnalyzerEC2ResourceSgTag", "Effect" : "Allow", "Action" : [ "ec2:CreateSecurityGroup" ], "Resource" : [ "arn:aws:ec2:*:*:vpc/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" } } }, { "Sid" : "AnalyzerEC2RequestSgTag", "Effect" : "Allow", "Action" : [ "ec2:CreateSecurityGroup" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" } } }, { "Sid" : "AnalyzerEC2SecurityGroupTags", "Effect" : "Allow", "Action" : [ "ec2:CreateTags" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService", "ec2:CreateAction" : [ "CreateSecurityGroup" ] } } }, { "Sid" : "EC2TagCFNSG", "Effect" : "Allow", "Action" : [ "ec2:CreateTags" ], "Resource" : [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreatePermissionsByCFN", "Effect" : "Allow", "Action" : [ "ec2:CreateSecurityGroup" ], "Resource" 
: [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:vpc/*" ], "Condition" : { "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreatePermissionsByResourceTag", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkAcl", "ec2:CreateNetworkAclEntry", "ec2:CreateSubnet", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateNatGateway", "ec2:CreateTransitGatewayRouteTable", "ec2:CreateTransitGatewayVpcAttachment", "ec2:CreateTransitGatewayRoute", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInsightsPath" ], "Resource" : [ "arn:aws:ec2:*:*:network-acl/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:route-table/*", "arn:aws:ec2:*:*:natgateway/*", "arn:aws:ec2:*:*:transit-gateway/*", "arn:aws:ec2:*:*:transit-gateway-route-table/*", "arn:aws:ec2:*:*:transit-gateway-attachment/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:network-insights-path/*", "arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:elastic-ip/*" ], "Condition" : { "StringEquals" : { "ec2:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AllowCreateTGWVpcAttachmentSameOrg", "Effect" : "Allow", "Action" : [ "ec2:CreateTransitGatewayVpcAttachment" ], "Resource" : [ "arn:aws:ec2:*:*:transit-gateway/*", "arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:transit-gateway-attachment/*" ], "Condition" : { "StringEquals" : { "aws:ResourceOrgID" : "${aws:PrincipalOrgID}" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CFNProvisionNetworking", "Effect" : "Allow", "Action" : [ "ec2:CreateInternetGateway", "ec2:CreateVpc", "ec2:CreateTransitGateway" ], "Resource" : [ "arn:aws:ec2:*:*:internet-gateway/*", "arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:transit-gateway/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" } } }, { 
"Sid" : "CreatePermissionsByRequestTagNetworking", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkAcl", "ec2:CreateSubnet", "ec2:CreateRouteTable" ], "Resource" : [ "arn:aws:ec2:*:*:network-acl/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:route-table/*", "arn:aws:ec2:*:*:vpc/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreatePermissionsByRequestTagRouting", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkAclEntry", "ec2:CreateRoute" ], "Resource" : [ "arn:aws:ec2:*:*:network-acl/*", "arn:aws:ec2:*:*:route-table/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreatePermissionsByRequestTagNAT", "Effect" : "Allow", "Action" : [ "ec2:CreateNatGateway" ], "Resource" : [ "arn:aws:ec2:*:*:natgateway/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:elastic-ip/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreatePermissionsByRequestTagTransitGateway", "Effect" : "Allow", "Action" : [ "ec2:CreateTransitGatewayRouteTable", "ec2:CreateTransitGatewayRoute" ], "Resource" : [ "arn:aws:ec2:*:*:transit-gateway/*", "arn:aws:ec2:*:*:transit-gateway-route-table/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreatePermissionsByRequestTagTGWAttachment", "Effect" : "Allow", "Action" : [ "ec2:CreateTransitGatewayVpcAttachment" ], "Resource" : [ "arn:aws:ec2:*:*:transit-gateway/*", "arn:aws:ec2:*:*:transit-gateway-attachment/*", 
"arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:subnet/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreatePermissionsByRequestTagNetworkInterface", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkInterface" ], "Resource" : [ "arn:aws:ec2:*:*:network-interface/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" } } }, { "Sid" : "DeleteENI", "Effect" : "Allow", "Action" : [ "ec2:DeleteNetworkInterface" ], "Resource" : [ "arn:aws:ec2:*:*:network-interface/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" } } }, { "Sid" : "CreatePermissionsByRequestTagInsights", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkInsightsPath" ], "Resource" : [ "arn:aws:ec2:*:*:network-insights-path/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "EC2TagCFN", "Effect" : "Allow", "Action" : [ "ec2:CreateTags" ], "Resource" : [ "arn:aws:ec2:*:*:transit-gateway/*", "arn:aws:ec2:*:*:transit-gateway-policy-table/*", "arn:aws:ec2:*:*:transit-gateway-connect-peer/*", "arn:aws:ec2:*:*:transit-gateway-route-table/*", "arn:aws:ec2:*:*:transit-gateway-attachment/*", "arn:aws:ec2:*:*:internet-gateway/*", "arn:aws:ec2:*:*:natgateway/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-acl/*", "arn:aws:ec2:*:*:route-table/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:network-insights-path/*", "arn:aws:ec2:*:*:network-insights-access-scope-analysis/*", "arn:aws:ec2:*:*:network-insights-access-scope/*", "arn:aws:ec2:*:*:launch-template/*", "arn:aws:ec2:*:*:elastic-ip/*", "arn:aws:ec2:*:*:network-insights-analysis/*", "arn:aws:ec2:*:*:vpc/*" ], "Condition" : { 
"StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService", "ec2:CreateAction" : [ "CreateTransitGatewayVpcAttachment", "CreateTransitGatewayRouteTableAnnouncement", "CreateTransitGatewayRouteTable", "CreateTransitGatewayRoute", "CreateTransitGatewayPrefixListReference", "CreateTransitGatewayPolicyTable", "CreateTransitGatewayPeeringAttachment", "CreateTransitGatewayConnectPeer", "CreateTransitGatewayConnect", "CreateTransitGateway", "CreateInternetGateway", "CreateNatGateway", "CreateSubnet", "CreateNetworkAcl", "CreateRouteTable", "CreateNetworkInterface", "CreateNetworkInsightsPath", "CreateNetworkInsightsAccessScope", "CreateLaunchTemplate", "AllocateAddress", "StartNetworkInsightsAnalysis", "CreateVpc" ] } } }, { "Sid" : "deployerWorkload", "Effect" : "Allow", "Action" : [ "ssm:GetParameters" ], "Resource" : [ "arn:aws:ssm:*:*:parameter/network-migration/*" ], "Condition" : { "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "putParameter", "Effect" : "Allow", "Action" : [ "ssm:PutParameter", "ssm:AddTagsToResource" ], "Resource" : [ "arn:aws:ssm:*:*:parameter/network-migration/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService", "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "deleteParameter", "Effect" : "Allow", "Action" : [ "ssm:DeleteParameter", "ssm:PutResourcePolicy", "ssm:DeleteResourcePolicy", "ssm:ListTagsForResource", "ssm:GetResourcePolicies" ], "Resource" : [ "arn:aws:ssm:*:*:parameter/network-migration/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "ramTAgReource", "Effect" : "Allow", "Action" : [ "ram:TagResource" ], "Resource" : 
"arn:aws:ram:*:*:resource-share/*", "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService", "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreateResourceShareTransitGateway", "Effect" : "Allow", "Action" : [ "ram:CreateResourceShare" ], "Resource" : "arn:aws:ram:*:*:resource-share/*", "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] }, "Bool" : { "ram:RequestedAllowsExternalPrincipals" : "false" } } }, { "Sid" : "AssociateResourceShare", "Effect" : "Allow", "Action" : [ "ram:AssociateResourceShare" ], "Resource" : "arn:aws:ram:*:*:resource-share/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService", "ram:RequestedResourceType" : [ "ec2:TransitGateway", "ssm:Parameter" ] }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreateResourceShareWithResourceTag", "Effect" : "Allow", "Action" : [ "ram:DeleteResourceShare", "ram:DisassociateResourceShare", "ram:UpdateResourceShare" ], "Resource" : "arn:aws:ram:*:*:resource-share/*", "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AllowGetResourceShares", "Effect" : "Allow", "Action" : [ "ram:GetResourceShares" ], "Resource" : "arn:aws:ram:*:*:resource-share/*" }, { "Sid" : "CreateCustomResourceLogGroup", "Effect" : "Allow", "Action" : [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource" : [ "arn:aws:logs:*:*:log-group:/aws/lambda/network-migration-modify-tgw*" ], "Condition" : { "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ 
"cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreateCustomResourceLambda", "Effect" : "Allow", "Action" : [ "lambda:CreateFunction", "lambda:TagResource" ], "Resource" : [ "arn:aws:lambda:*:*:function:network-migration*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService", "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "GetCustomResource", "Effect" : "Allow", "Action" : [ "lambda:GetFunction" ], "Resource" : [ "arn:aws:lambda:*:*:function:network-migration*" ], "Condition" : { "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "OperationsCustomResourceLambda", "Effect" : "Allow", "Action" : [ "lambda:AddPermission", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:InvokeFunction" ], "Resource" : [ "arn:aws:lambda:*:*:function:network-migration*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "CreateRoleCustomResource", "Effect" : "Allow", "Action" : [ "iam:CreateRole", "iam:TagRole" ], "Resource" : "arn:aws:iam::*:role/Nmd*modifyTransitGateway*", "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "AWSApplicationMigrationService", "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "PassGetRoleCustomResource", "Effect" : "Allow", "Action" : [ "iam:GetRole" ], "Resource" : "arn:aws:iam::*:role/Nmd*modifyTransitGateway*", "Condition" : { "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "PassRoleCustomResource", "Effect" : "Allow", "Action" : [ "iam:PassRole" ], "Resource" : 
"arn:aws:iam::*:role/Nmd*modifyTransitGateway*", "Condition" : { "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] }, "StringEquals" : { "iam:PassedToService" : "lambda.amazonaws.com" } } }, { "Sid" : "OperationsRoleCustomResource", "Effect" : "Allow", "Action" : [ "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies" ], "Resource" : "arn:aws:iam::*:role/Nmd*modifyTransitGateway*", "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AttachCustomResourceRole", "Effect" : "Allow", "Action" : [ "iam:AttachRolePolicy" ], "Resource" : "arn:aws:iam::*:role/Nmd*modifyTransitGateway*", "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" }, "ArnEquals" : { "iam:PolicyARN" : [ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", "arn:aws:iam::aws:policy/AWSApplicationMigrationNetworkMigrationCustomResource" ] }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "MGNCFNBasedResourcesProvision", "Effect" : "Allow", "Action" : [ "ec2:AcceptTransitGatewayVpcAttachment", "ec2:AssociateNatGatewayAddress", "ec2:AssociateRouteTable", "ec2:AssociateSubnetCidrBlock", "ec2:AssociateTransitGatewayRouteTable", "ec2:AssociateVpcCidrBlock", "ec2:AttachInternetGateway", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:DeleteInternetGateway", "ec2:DeleteLaunchTemplate", "ec2:DeleteLaunchTemplateVersions", "ec2:DeleteNatGateway", "ec2:DeleteNetworkAcl", "ec2:DeleteNetworkAclEntry", "ec2:DeleteNetworkInsightsAnalysis", "ec2:DeleteNetworkInsightsPath", "ec2:DeleteNetworkInterface", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup", 
"ec2:DeleteSnapshot", "ec2:DeleteSubnet", "ec2:DeleteTransitGateway", "ec2:DeleteTransitGatewayRoute", "ec2:DeleteTransitGatewayRouteTable", "ec2:DeleteTransitGatewayVpcAttachment", "ec2:DeleteVolume", "ec2:DeleteVpc", "ec2:DetachInternetGateway", "ec2:DetachVolume", "ec2:DisableTransitGatewayRouteTablePropagation", "ec2:DisassociateNatGatewayAddress", "ec2:DisassociateRouteTable", "ec2:DisassociateTransitGatewayRouteTable", "ec2:EnableTransitGatewayRouteTablePropagation", "ec2:ModifyInstanceAttribute", "ec2:ModifyLaunchTemplate", "ec2:ModifySubnetAttribute", "ec2:ModifyTransitGateway", "ec2:ModifyTransitGatewayVpcAttachment", "ec2:ModifyVolume", "ec2:ModifyVpcAttribute", "ec2:RejectTransitGatewayVpcAttachment", "ec2:ReleaseAddress", "ec2:ReplaceNetworkAclAssociation", "ec2:ReplaceNetworkAclEntry", "ec2:ReplaceRoute", "ec2:ReplaceTransitGatewayRoute", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:SearchTransitGatewayRoutes", "ec2:StartNetworkInsightsAnalysis" ], "Resource" : [ "arn:aws:ec2:*:*:transit-gateway/*", "arn:aws:ec2:*:*:transit-gateway-policy-table/*", "arn:aws:ec2:*:*:transit-gateway-connect-peer/*", "arn:aws:ec2:*:*:transit-gateway-route-table/*", "arn:aws:ec2:*:*:transit-gateway-attachment/*", "arn:aws:ec2:*:*:internet-gateway/*", "arn:aws:ec2:*:*:natgateway/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-acl/*", "arn:aws:ec2:*:*:route-table/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:network-insights-path/*", "arn:aws:ec2:*:*:network-insights-access-scope-analysis/*", "arn:aws:ec2:*:*:network-insights-access-scope/*", "arn:aws:ec2:*:*:launch-template/*", "arn:aws:ec2:*:*:elastic-ip/*", "arn:aws:ec2:*:*:network-insights-analysis/*", "arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:security-group-rule/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : 
"AWSApplicationMigrationService" }, "ForAnyValue:StringEquals" : { "aws:CalledVia" : [ "cloudformation.amazonaws.com" ] } } }, { "Sid" : "AnalyzerENIResourceTag", "Effect" : "Allow", "Action" : [ "ec2:CreateNetworkInterface" ], "Resource" : [ "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*" ], "Condition" : { "StringEquals" : { "aws:ResourceTag/CreatedBy" : "AWSApplicationMigrationService" } } } ] }