AWS Security ChangesHomeSearch

AWS mgn documentation change

Service: mgn · 2025-11-04 · Documentation low

File: mgn/latest/ug/mgn-connector-permissions.md

Summary

Restructured IAM role requirements, added specific role names, and provided multi-account setup instructions via CloudFormation

Security assessment

Adds documentation about required IAM roles (security features) and their deployment patterns. While security-related, there's no evidence of addressing a specific vulnerability. The removed S3 logging guidance was relocated rather than deleted.

Diff

diff --git a/mgn/latest/ug/mgn-connector-permissions.md b/mgn/latest/ug/mgn-connector-permissions.md
index ec3d3b796..72a809659 100644
--- a//mgn/latest/ug/mgn-connector-permissions.md
+++ b//mgn/latest/ug/mgn-connector-permissions.md
@@ -7 +7 @@ NEW - You can now accelerate your migration and modernization with AWS Transform
-# Required permissions for the MGN Connector
+# IAM roles needed for the MGN connector
@@ -9 +9 @@ NEW - You can now accelerate your migration and modernization with AWS Transform
-In order to use MGN connector, you must have the required permissions in IAM.
+To use MGN connector you must have these required IAM roles for individual accounts and AWS Organizations networks:
@@ -11 +11,16 @@ In order to use MGN connector, you must have the required permissions in IAM.
-For security best practices, it is recommended that the MGN connector will be accessed only by allowed personnel and will have the required OS patches. It is also recommended that the servers to which the MGN connector connects, will have all the required OS patches.
+  * **MGNConnectorInstallerRole**
+
+  * **AWSApplicationMigrationConnectorManagementRole**
+
+  * **AWSApplicationMigrationConnectorSharingRole_`management-account-id`** Needed in an individual account. Also needed in an organization, on _every_ account, including the management account.
+
+
+
+
+**Individual account:** For an MGN connector in an individual account, create these roles as described in [Create roles manually](./create-permissions-manually.html). 
+
+**Multiple accounts:** If the MGN connector manages source servers from multiple accounts, set up the global view feature and set up your AWS Organization, as described in [Manage large-scale migrations with global view](./global-view.html). After you set up your AWS Organization:
+
+  1. Create the MGNConnectorInstallerRole and the AWSApplicationMigrationConnectorManagementRole as described in [Create roles manually](./create-permissions-manually.html).
+
+  2. Configure the CloudFormation StackSet to create the AWSApplicationMigrationConnectorSharingRole_`management-account-id` role per management account. Use the template "Enable Application Migration Service Connector access". Instructions are in [Deploy role using a CloudFormation template ](./CloudFormation_Template.html).
@@ -13 +27,0 @@ For security best practices, it is recommended that the MGN connector will be ac
-If you configure [outputting logs to S3](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html#create-iam-instance-profile-ssn-logging), first [create an Amazon S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html). it is recommended to apply S3 bucket security practices - following AWS official reference to [S3 security practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)
@@ -15 +28,0 @@ If you configure [outputting logs to S3](https://docs.aws.amazon.com/systems-man
-Refer to the [next section](./CloudFormation_Template.html) to deploy permissions using a CloudFormation template.
@@ -17 +29,0 @@ Refer to the [next section](./CloudFormation_Template.html) to deploy permission
-Alternatively, in order to create the permissions manually, create the following IAM roles:
@@ -27 +39 @@ Architecture overview
-Create permissions manually
+Create roles manually