AWS transform documentation change
Summary
Added clarification about db_datareader role requirements and added s3:PutBucketVersioning permission
Security assessment
The change clarifies least-privilege permissions (db_datareader only required for data migration) and adds S3 bucket versioning permission, which improves security posture by documenting proper access controls. No vulnerability is being fixed.
Diff
diff --git a/transform/latest/userguide/sql-server-setup.md b/transform/latest/userguide/sql-server-setup.md index 8e00bde58..1a89efe5a 100644 --- a//transform/latest/userguide/sql-server-setup.md +++ b//transform/latest/userguide/sql-server-setup.md @@ -41,0 +42,13 @@ Repeat the database-specific commands (USE, CREATE USER, GRANT) for each databas +The db_datareader role is only necessary for data migration, not for schema conversion alone. + + * The db_datareader role grants read access to all tables in the database + + * This role is required ONLY when performing data migration. + + * For schema conversion only (without data migration), the db_datareader role is NOT required + + * The other permissions (VIEW DEFINITION, VIEW DATABASE STATE, etc.) are sufficient for schema conversion + + + + @@ -142,0 +156 @@ Create a file named dms-roles.yaml with the following content: + - s3:PutBucketVersioning