AWS Security ChangesHomeSearch

AWS transform documentation change

Service: transform · 2026-03-28 · Documentation low

File: transform/latest/userguide/data-encryption.md

Summary

Added new section 'Encryption for database migration' with detailed KMS key policy for using customer managed keys during database migration with AWS DMS

Security assessment

This change adds documentation about encryption configuration for database migration, specifically how to set up KMS key policies for customer managed keys. It provides security documentation for a feature (encryption during migration) but does not indicate any security vulnerability being fixed. The change is instructional and proactive rather than reactive to a security incident.

Diff

diff --git a/transform/latest/userguide/data-encryption.md b/transform/latest/userguide/data-encryption.md
index 16812d519..ad2e106de 100644
--- a//transform/latest/userguide/data-encryption.md
+++ b//transform/latest/userguide/data-encryption.md
@@ -227,0 +228,43 @@ During the [SQL Server modernization](./sql-server-modernization.html) process A
+### Encryption for database migration
+
+During the database migration process, AWS Transform uses AWS Database Migration Service (DMS) to migrate your database data. You can optionally provide a customer managed key to encrypt your database data during migration.
+
+The following policy contains three statements. The first statement grants root account permissions for the AWS KMS key. The second statement allows the connector role to validate the key during discovery. The third statement allows the connector role to use the key for DMS operations.
+    
+    
+     "Statement": [
+        {
+          "Sid": "Enable IAM User Permissions",
+          "Effect": "Allow",
+          "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
+          "Action": "kms:*",
+          "Resource": "*"
+        },
+        {
+          "Sid": "Allow connector role to validate key during discovery",
+          "Effect": "Allow",
+          "Principal": { "AWS": "connector-role-arn" },
+          "Action": "kms:DescribeKey",
+          "Resource": "*"
+        },
+        {
+          "Sid": "Allow connector role to use key via DMS",
+          "Effect": "Allow",
+          "Principal": { "AWS": "connector-role-arn" },
+          "Action": [
+            "kms:CreateGrant",
+            "kms:Decrypt",
+            "kms:DescribeKey",
+            "kms:Encrypt",
+            "kms:GenerateDataKey*",
+            "kms:ReEncrypt*"
+          ],
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "kms:ViaService": "dms.us-east-1.amazonaws.com"
+            }
+          }
+        }
+      ]
+