AWS Security ChangesHomeSearch

AWS transform documentation change

Service: transform · 2026-04-10 · Documentation medium

File: transform/latest/userguide/discover-tool-security.md

Summary

Added security guidance for Hyper-V credentials, updated OS-level collection scope, and added new sections on Bare Metal CSV Import Security and Revoking Access Considerations

Security assessment

This change significantly expands security documentation with best practices for credential management, data sensitivity handling, and access control. It adds security guidance for Hyper-V credentials (recommending minimal permissions, avoiding domain admin accounts), CSV import security (treating CSV files as sensitive data), and access revocation scoping. While these are security improvements, there's no evidence of a specific security vulnerability being addressed - rather, these appear to be proactive security best practices documentation.

Diff

diff --git a/transform/latest/userguide/discover-tool-security.md b/transform/latest/userguide/discover-tool-security.md
index 1a7e3b7d9..263aa7715 100644
--- a//transform/latest/userguide/discover-tool-security.md
+++ b//transform/latest/userguide/discover-tool-security.md
@@ -5 +5 @@
-Securing the discovery tool VMSecuring CredentialsUsing Auto-Connect Feature With Caution
+Securing the discovery tool VMSecuring CredentialsUsing Auto-Connect Feature With CautionBare Metal CSV Import SecurityRevoking Access Considerations
@@ -77,0 +78,13 @@ The discovery tool VM comes with a default login password "password" for user "d
+**Hyper-V credentials**
+
+  * Use dedicated service accounts with minimal Hyper-V management permissions.
+
+  * Avoid using domain administrator accounts.
+
+  * Hyper-V credentials support NTLM (HTTPS only) and Kerberos authentication.
+
+  * The discovery tool stores credentials encrypted at rest by using SQLCipher.
+
+
+
+
@@ -80 +93 @@ The discovery tool VM comes with a default login password "password" for user "d
-The discovery tool uses two mechanisms to assign credentials to servers during _OS level collection_ (Network and Database modules, need to connect to individual server (VM)): auto-connect and manual.
+The discovery tool uses two mechanisms to assign credentials to servers during _OS-level collection_ : auto-connect and manual. OS-level collection includes the Network, Database, and OS metrics modules. These modules connect to individual servers from all sources, including VMware VMs, Hyper-V VMs, and bare metal servers.
@@ -121,0 +135,30 @@ Follow these guidelines:
+## Bare Metal CSV Import Security
+
+When you import bare metal servers by using a CSV file, consider the following security implications:
+
+  * The CSV file might contain hostnames or IP addresses of internal servers. Treat it as sensitive data.
+
+  * The `credential_name` column references preconfigured or to be configured credentials by friendly name. The CSV does not contain secrets.
+
+  * All-or-nothing validation: if any row in the CSV is invalid, the entire upload is rejected. This prevents partial imports that could create a confusing state.
+
+  * Imported servers are immediately visible in the inventory and eligible for collection. Ensure that OS credentials are correctly scoped before you import.
+
+
+
+
+## Revoking Access Considerations
+
+When you revoke access, deletion is scoped to the specific source:
+
+  * Revoking vCenter access deletes only vCenter data. It does not affect Hyper-V or bare metal data.
+
+  * Revoking Hyper-V access deletes only Hyper-V data. It does not affect VMware or bare metal data.
+
+  * Deleting bare metal servers removes them from inventory, but downstream collection data (network, database, OS metrics) is retained.
+
+  * To remove all source-specific inventory data, you must revoke or delete each source independently. Downstream collection data (network, database, OS metrics) is retained even after all sources are revoked.
+
+
+
+