AWS Security ChangesHomeSearch

AWS mgn documentation change

Service: mgn · 2025-05-01 · Documentation low

File: mgn/latest/ug/predefined-post-launch-actions.md

Summary

Updated verb tenses and grammatical structure for clarity, consolidated policy requirements for SSM access, clarified CloudWatch agent dependency on policies, restructured Windows upgrade documentation, and standardized security permission descriptions.

Security assessment

The changes primarily improve documentation clarity and structure. While they emphasize required IAM policies (like AWSApplicationMigrationSSMAccess) and API permissions for SSM automation, there is no evidence these changes address a specific security vulnerability. The updates reinforce security best practices by clarifying permission requirements but do not indicate remediation of a security incident.

Diff

diff --git a/mgn/latest/ug/predefined-post-launch-actions.md b/mgn/latest/ug/predefined-post-launch-actions.md
index bfe94df3f..8edbc4b2d 100644
--- a//mgn/latest/ug/predefined-post-launch-actions.md
+++ b//mgn/latest/ug/predefined-post-launch-actions.md
@@ -66 +66 @@ The SSM allows AWS Application Migration Service to execute modernization action
-When you activate the post-launch actions, AWS Application Migration Service will install the **SSM agent** and create the required IAM roles.
+When you activate the post-launch actions, AWS Application Migration Service installs the **SSM agent** and creates the required IAM roles.
@@ -82 +82 @@ Use the **DR after migration** feature to configure disaster recovery using AWS
-This action will install the AWS Elastic Disaster Recovery Replication Agent on your Amazon EC2 instance.
+This action installs the AWS Elastic Disaster Recovery Replication Agent on your Amazon EC2 instance.
@@ -84 +84 @@ This action will install the AWS Elastic Disaster Recovery Replication Agent on
-You must select the target disaster recovery region, which is the AWS Region in which the Recovery instances will be deployed. AWS Elastic Disaster Recovery must be available in the selected Region and initiated in your account. You must initialize Elastic Disaster Recovery for this action to work. 
+You must select the target disaster recovery region, which is the AWS Region in which the Recovery instances is deployed. AWS Elastic Disaster Recovery must be available in the selected Region and initiated in your account. You must initialize Elastic Disaster Recovery for this action to work. 
@@ -146 +146 @@ Up to 50 volumes can be checked in a single action.
-Use the **Process status validation** feature to ensure that processes are in running state following instance launch. You will need to provide a list of processes that you want to verify, and define how long the service should wait before testing begins.
+Use the **Process status validation** feature to ensure that processes are in running state following instance launch. You need to provide a list of processes that you want to verify, and define how long the service should wait before testing begins.
@@ -154 +154 @@ Use the **Windows MS-SQL license conversion** feature to easily convert Windows
-Application Migration Service will do the following:
+Application Migration Service:
@@ -156 +156 @@ Application Migration Service will do the following:
-  * Check the SQL edition (Enterprise, Standard, or Web) as part of the launch process 
+  * Checks the SQL edition (Enterprise, Standard, or Web) as part of the launch process 
@@ -158 +158 @@ Application Migration Service will do the following:
-  * Use the right AMI with the right billing code to launch from
+  * Uses the right AMI with the right billing code to launch from
@@ -163 +163 @@ Application Migration Service will do the following:
-The SSM document will run and verify that the right billing code is used post launch.
+The SSM document runs and verifies that the right billing code is used post launch.
@@ -165 +165 @@ The SSM document will run and verify that the right billing code is used post la
-The action uses the following APIs:
+The action uses these APIs:
@@ -174 +174 @@ The action uses the following APIs:
-To allow the SSM document to run these APIs, you will need to have the required permissions or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.
+To allow the SSM document to run these APIs, you need the required permissions or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.
@@ -180 +180 @@ Use the **CloudWatch agent installation** feature to install and configure the C
-You will need the following policy to run this post-launch action (in addition to the [full access policy](./security-iam-awsmanpol-AWSApplicationMigrationFullAccess.html)): 
+You need the AWSApplicationMigrationSSMAccess policy, or a user-defined policy that allows the SSM document to run, to run this post-launch action. This is in addition to the [full access policy](./security-iam-awsmanpol-AWSApplicationMigrationFullAccess.html):
@@ -182,6 +182 @@ You will need the following policy to run this post-launch action (in addition t
-  * AWSApplicationMigrationSSMAccess (or any other user-defined policy that allows that specific document to run)
-
-
-
-
-The launched instance will require the following policies:
+The launched instance requirea these policies:
@@ -207 +202 @@ To ensure that the launch instance has the right policies, create a role that ha
-  * You must attach both policies to the template for the CloudWatch agent to operate. Without the CloudWatchAgentServerPolicy, the action will still be marked as successful but the CloudWatch Agent will not be active.
+  * You must attach both policies to the template for the CloudWatch agent to operate. Without the CloudWatchAgentServerPolicy, the action is still marked as successful but the CloudWatch Agent is not active.
@@ -209 +204 @@ To ensure that the launch instance has the right policies, create a role that ha
-  * Configuring the Application Insights is optional. You can choose to skip the Application Insights agent configuration and only install the CloudWatch agent. To do so, simply provide the required parameterStoreName parameter and leave the other parameters empty.
+  * Configuring the Application Insights is optional. You can choose to skip the Application Insights agent configuration and only install the CloudWatch agent. To do so provide the required parameterStoreName parameter and leave the other parameters empty.
@@ -218,3 +213 @@ To ensure that the launch instance has the right policies, create a role that ha
-Use the **Windows upgrade** feature to easily upgrade your migrated server to Windows Server 2012 R2, 2016, 2019, or 2022 ([see the full list of available OS versions](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awsec2-CloneInstanceAndUpgradeWindows.html)). 
-
-You will need the following policy to run this post-launch action (in addition to the [full access policy](./security-iam-awsmanpol-AWSApplicationMigrationFullAccess.html)).
+Use the **Windows upgrade** feature to upgrade your migrated server to a more recent verions of Windows Server ([see the full list of available OS versions](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awsec2-CloneInstanceAndUpgradeWindows.html)). 
@@ -222 +215 @@ You will need the following policy to run this post-launch action (in addition t
-  * AWSApplicationMigrationSSMAccess (or any other user-defined policy that allows that specific document to run)
+You need the AWSApplicationMigrationSSMAccess policy, or a user-defined policy that allows the SSM document to run, to run this post-launch action. This is in addition to the [full access policy](./security-iam-awsmanpol-AWSApplicationMigrationFullAccess.html):
@@ -223,0 +217 @@ You will need the following policy to run this post-launch action (in addition t
+To allow the SSM document to run these APIs, you must have the required permissions (including [CreateImages](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateImage.html), [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html), [DescribeInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html), and more) or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.
@@ -224,0 +219 @@ You will need the following policy to run this post-launch action (in addition t
+Learn more about the permissions required to perform the upgrade in [AWSEC2-CloneInstanceAndUpgradeWindows.](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awsec2-CloneInstanceAndUpgradeWindows.html)
@@ -225,0 +221 @@ You will need the following policy to run this post-launch action (in addition t
+The SSM document:
@@ -227 +223 @@ You will need the following policy to run this post-launch action (in addition t
-To allow the SSM document to run these APIs, you will need to have the required permissions (including [CreateImages](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateImage.html), [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html), [DescribeInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html), and more) or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.
+  * Creates an Amazon Machine Image (AMI) from the instance using the [CreateImage](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateImage.html) API.
@@ -229 +225 @@ To allow the SSM document to run these APIs, you will need to have the required
-Learn more about the different permissions required to perform the upgrade in [AWSEC2-CloneInstanceAndUpgradeWindows.](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awsec2-CloneInstanceAndUpgradeWindows.html)
+  * Uses the AMI to create a new instance and then upgrades that instance.
@@ -231,7 +227 @@ Learn more about the different permissions required to perform the upgrade in [A
-The SSM document will:
-
-  * Create an Amazon Machine Image (AMI) from the instance using the [CreateImage](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateImage.html) API.
-
-  * Use the AMI to create a new instance and then upgrade that instance.
-
-  * Create an AMI from the upgraded instance and terminate the upgraded instance.
+  * Creates an AMI from the upgraded instance and terminates the upgraded instance.
@@ -246 +236 @@ The SSM document will:
-  * All other post-launch actions will run on the instance launched by Application Migration Service and not on the upgraded instance. 
+  * All other post-launch actions run on the instance launched by Application Migration Service and not on the upgraded instance. 
@@ -257,3 +247 @@ Use the **Create AMI from Instance** feature to create a new Amazon Machine Imag
-You will need the following policy to run this post-launch action (in addition to the [full access policy](./security-iam-awsmanpol-AWSApplicationMigrationFullAccess.html)): 
-
-  * AWSApplicationMigrationSSMAccess (or any other user-defined policy that allows that specific document to run)
+You need the AWSApplicationMigrationSSMAccess policy, or a user-defined policy that allows the SSM document to run, to run this post-launch action. This is in addition to the [full access policy](./security-iam-awsmanpol-AWSApplicationMigrationFullAccess.html):
@@ -261,6 +249 @@ You will need the following policy to run this post-launch action (in addition t
-
-
-
-Attach the following permissions to your instance:
-
-The action uses the following APIs:
+The action uses these APIs:
@@ -275 +258 @@ The action uses the following APIs:
-To allow the SSM document to run these APIs, you will need to have the required permissions or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.
+To allow the SSM document to run these APIs, you need the required permissions or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.
@@ -281,7 +264 @@ To allow the SSM document to run these APIs, you will need to have the required
-Use this **Join domain** feature to simplify the AWS Join Domain process. If you activate this action, your instance will be managed by the AWS Cloud Directory (instead of on-premises).
-
-You will need the following policy to run this post-launch action (in addition to the [full access policy](./security-iam-awsmanpol-AWSApplicationMigrationFullAccess.html)):
-
-  * [AWSApplicationMigrationSSMAccess](./security-iam-awsmanpol-AWSApplicationMigrationSSMAccess.html) (or any other user-defined policy that allows that specific document to run)
-
-
+Use this **Join domain** feature to simplify the AWS Join Domain process. If you activate this action, your instance is managed by the AWS Cloud Directory (instead of on-premises).
@@ -288,0 +266 @@ You will need the following policy to run this post-launch action (in addition t
+You need the AWSApplicationMigrationSSMAccess policy, or a user-defined policy that allows the SSM document to run, to run this post-launch action. This is in addition to the [full access policy](./security-iam-awsmanpol-AWSApplicationMigrationFullAccess.html):
@@ -290 +268 @@ You will need the following policy to run this post-launch action (in addition t
-The launched instance will require the following policies:
+The launched instance requires these policies:
@@ -320 +298 @@ Use the **Disk space validation** feature to obtain visibility into the disc spa
-Use the **Verify HTTP/HTTPS response** feature to conduct HTTP/HTTPS connectivity checks to a predefined list of URLs. The feature will verify that HTTP/HTTPS requests (for example, https://localhost) receive the correct response.
+Use the **Verify HTTP/HTTPS response** feature to conduct HTTP/HTTPS connectivity checks to a predefined list of URLs. The feature verifies that HTTP/HTTPS requests (for example, https://localhost) receive the correct response.
@@ -324 +302 @@ Use the **Verify HTTP/HTTPS response** feature to conduct HTTP/HTTPS connectivit
-The **Enable Inspector** feature allows you to run security scans on your Amazon EC2 resources. The Amazon Inspector service will be enabled at the account level.
+The **Enable Inspector** feature allows you to run security scans on your Amazon EC2 resources. The Amazon Inspector service is enabled at the account level.
@@ -330 +308 @@ Amazon Inspector is a paid AWS service. For additional information, [refer to th
-This action uses the following APIs:
+This action uses these APIs:
@@ -341 +319 @@ This action uses the following APIs:
-To allow the SSM document to run these APIs, you will need to have the required permissions or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.
+To allow the SSM document to run these APIs, you need the required permissions or have access to a role with those permissions and then provide the role’s ARN as an input parameter to the SSM automation document.
@@ -345 +323 @@ To allow the SSM document to run these APIs, you will need to have the required
-Use the **Verify tags** feature to validate that tags which have been defined in the launch template and on the source server are copied to the migrated server. 
+Use the **Verify tags** feature to validate that tags that have been defined in the launch template and on the source server are copied to the migrated server. 
@@ -375 +353 @@ This action installs Dynatrace OneAgent on your launched instance.
-To configure this action, you will need to have an existing Dynatrace account and configure the required additionalArguments for your particular usage.
+To configure this action, you need an existing Dynatrace account and configure the required additionalArguments for your particular usage.
@@ -387 +365 @@ This action installs New Relic Infrastructure agent on your launched Amazon EC2
-To configure this action, you will need to have an existing New Relic account and configure the required additionalArguments for your particular usage. You must use an original account license key for this action to succeed.
+To configure this action, you need an existing New Relic account and configure the required additionalArguments for your particular usage. You must use an original account license key for this action to succeed.
@@ -407 +385 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Post-launch actions table
+Post-launch settings
@@ -409 +387 @@ Post-launch actions table
-Create custom post-launch action
+Network requirements