AWS transform documentation change
Summary
Added new AWSServiceRoleForAWSTransformCustom policy documentation and updated existing DBModDiscoveryAndAssessment and DBModProvisioningAndMigration policies with more detailed permission descriptions and explicit least-privilege implementation notes.
Security assessment
The changes document new and updated AWS managed policies for AWS Transform. The updates clarify permission scopes, add resource-level restrictions, tag-based conditions, and account-level restrictions to enforce least-privilege access. While these are security improvements in policy design, there's no evidence of addressing a specific security vulnerability or incident. The changes are routine documentation updates for new features and policy refinements.
Diff
diff --git a/transform/latest/userguide/security-iam-awsmanpol.md b/transform/latest/userguide/security-iam-awsmanpol.md index 13a12c4fb..321dbe99c 100644 --- a//transform/latest/userguide/security-iam-awsmanpol.md +++ b//transform/latest/userguide/security-iam-awsmanpol.md @@ -5 +5 @@ -UpdatesAWSServiceRoleForAWSTransformAWSTransformApplicationDeploymentPolicyAWSTransformApplicationECSDeploymentPolicyAWSTransformCustomFullAccessAWSTransformCustomExecuteTransformationsAWSTransformCustomManageTransformationsDBModDiscoveryAndAssessmentDBModProvisioningAndMigration +UpdatesAWSServiceRoleForAWSTransformAWSServiceRoleForAWSTransformCustomAWSTransformApplicationDeploymentPolicyAWSTransformApplicationECSDeploymentPolicyAWSTransformCustomFullAccessAWSTransformCustomExecuteTransformationsAWSTransformCustomManageTransformationsDBModDiscoveryAndAssessmentDBModProvisioningAndMigration @@ -23,2 +23,3 @@ Change | Description | Date -DBModProvisioningAndMigration – New policy | This policy grants database provisioning and migration capabilities. | February 26, 2026 -DBModDiscoveryAndAssessment – New policy | Added a new AWS managed policy that provides comprehensive database modernization discovery and assessment capabilities. | February 26, 2026 +AWSServiceRoleForAWSTransformCustom – New policy | Added a new AWS managed policy for the AWS Transform custom service-linked role. This policy allows AWS Transform custom to publish CloudWatch metrics to your account. | March 23, 2026 +DBModProvisioningAndMigration – New policy | This policy grants database provisioning and migration capabilities. | March 24, 2026 +DBModDiscoveryAndAssessment – New policy | Added a new AWS managed policy that provides comprehensive database modernization discovery and assessment capabilities. | March 24, 2026 @@ -42,0 +44,13 @@ To view the policy permission details see [AWSServiceRoleForAWSTransform](https: +## AWS managed policy: AWSServiceRoleForAWSTransformCustom + +This policy is attached to the [AWSServiceRoleForAWSTransformCustom](./using-service-linked-roles.html#using-service-linked-roles-custom) service-linked role (SLR). This role allows AWS Transform custom to publish CloudWatch metrics to your account on your behalf. + +**Description** + +This policy includes the following permissions: + + * **Amazon CloudWatch** – Allows publishing metrics to CloudWatch under the `AWS/TransformCustom` namespace. This enables monitoring of transformation counts, latencies, and status codes in your CloudWatch dashboards. + + + + @@ -160 +174 @@ To view the policy permission details see [AWSTransformCustomManageTransformatio -This policy grants you comprehensive database modernization discovery and assessment capabilities to streamline your database migration projects. +This policy provides comprehensive database modernization discovery and assessment capabilities for AWS Transform. @@ -164 +178 @@ This policy grants you comprehensive database modernization discovery and assess -This policy grants the following permissions: +This policy includes the following permissions: @@ -166 +180 @@ This policy grants the following permissions: - * **Amazon EC2** – Read-only access to discover infrastructure components including instances, VPCs, subnets, security groups, and connectivity. + * **Amazon EC2** – Allows describing infrastructure components including instances, VPCs, subnets, security groups, availability zones, VPC endpoints, and internet gateways. @@ -168 +182 @@ This policy grants the following permissions: - * **Amazon RDS** – Access to discover database instances, clusters, and subnet groups, and to modify subnet groups for migration preparation. + * **Amazon RDS** – Allows describing database instances, clusters, and subnet groups. Allows modifying DB subnet groups within the same AWS account for migration preparation. @@ -170 +184 @@ This policy grants the following permissions: - * **Amazon RDS Data API** – Access to execute SQL statements for schema analysis and assessment. + * **Amazon RDS Data API** – Allows enabling and disabling HTTP endpoints and executing SQL statements on database clusters tagged for the database modernization project. @@ -172 +186 @@ This policy grants the following permissions: - * **AWS DMS** – Comprehensive access to manage migration projects, schema conversion, metadata model operations, and replication resources. Write operations are restricted to resources tagged for the database modernization project. + * **AWS DMS** – Allows describing endpoints, replication instances, tasks, subnet groups, and orderable instances. Allows listing data providers, instance profiles, and migration projects. Allows describing table statistics, assessment runs, and metadata model operations. Detailed describe and metadata operations are restricted to resources tagged for the database modernization project. @@ -174 +188 @@ This policy grants the following permissions: - * ****– Access to discover and retrieve database credentials. Write access is restricted to resources tagged for the database modernization project. + * ****– Allows listing secrets for discovering database credentials. @@ -176 +190 @@ This policy grants the following permissions: - * **AWS Identity and Access Management (IAM)** – Read-only access to verify IAM policies and specific DMS service role configurations. + * **AWS Identity and Access Management (IAM)** – Allows inspecting specific AWS DMS service roles and their attached policies. Includes access to read AWS-managed AWS DMS policies. @@ -178 +192 @@ This policy grants the following permissions: - * **AWS Key Management Service (KMS)** – Access to discover encryption keys and decrypt secrets specifically through integration. + * **AWS Key Management Service (KMS)** – Allows listing key aliases and describing keys. Allows decryption of secrets through integration, restricted to the same AWS account. @@ -182,0 +197,2 @@ This policy grants the following permissions: +The policy implements least-privilege access through resource-level permissions, tag-based conditions, and account-level restrictions to ensure operations are limited to database modernization project resources within the same AWS account. + @@ -189 +205 @@ To view the policy permission details see [DBModDiscoveryAndAssessment](https:// -This policy grants you database provisioning and migration capabilities for database modernization projects. It provides permissions to create and manage migration infrastructure, provision target databases, and store migration data. +This policy provides database provisioning and migration capabilities for AWS Transform database modernization projects. It includes permissions to create and manage migration infrastructure, provision target databases, and store migration data. @@ -193 +209,3 @@ This policy grants you database provisioning and migration capabilities for data -This policy grants the following permissions: +This policy includes the following permissions: + + * **AWS DMS** – Allows creating and managing replication subnet groups, instance profiles, data providers, migration projects, endpoints, replication instances, and replication tasks. Includes schema conversion operations such as metadata model import, conversion, export, and assessment. Allows lifecycle management of replication instances (create, delete, modify, reboot) and replication tasks (delete, start, stop, assess). All write operations are restricted to resources tagged for the database modernization project. @@ -195 +213 @@ This policy grants the following permissions: - * **AWS DMS** – Access to create and manage replication instances, tasks, endpoints, and migration projects. Includes lifecycle operations such as starting, stopping, and assessing replication tasks. All resources must be tagged for the database modernization project. + * **Amazon RDS** – Allows creating database subnet groups, database clusters, and database instances. All resources must be tagged for the database modernization project. @@ -197 +215 @@ This policy grants the following permissions: - * **Amazon RDS** – Access to provision database instances, clusters, and subnet groups. Includes HTTP endpoint management for serverless databases. All resources must be tagged for the database modernization project. + * ****– Allows creating, updating, and tagging secrets with the database modernization naming prefix. Allows retrieving secret values and describing secrets for tagged resources. @@ -199 +217 @@ This policy grants the following permissions: - * ****– Access to create and update secrets for database credentials. Restricted to secrets with the database modernization naming prefix and project tags. + * **Amazon S3** – Allows creating and managing S3 buckets and objects for migration data storage. Includes bucket tagging, versioning, and object lifecycle operations. Restricted to buckets with the database modernization naming prefix. @@ -201 +219 @@ This policy grants the following permissions: - * **Amazon S3** – Access to create and manage S3 buckets and objects for migration data storage. Restricted to buckets with the database modernization naming prefix. + * **AWS Identity and Access Management (IAM)** – Allows passing specific AWS DMS service roles to AWS DMS and schema conversion services. Allows creating the Amazon RDS service-linked role required for database operations. @@ -203 +220,0 @@ This policy grants the following permissions: - * **AWS Identity and Access Management (IAM)** – Access to pass specific DMS service roles and create the Amazon RDS service-linked role required for database operations. @@ -206,0 +224 @@ This policy grants the following permissions: +The policy implements least-privilege access through resource-level permissions, tag-based conditions, and account-level restrictions to ensure operations are limited to database modernization project resources within the same AWS account.