AWS Security ChangesHomeSearch

AWS transform documentation change

Service: transform · 2026-04-25 · Documentation low

File: transform/latest/userguide/transform-vmware-migrate-servers.md

Summary

Restructured prerequisites section, updated DHCP security note to be more specific about MAP security groups mapping strategy, and expanded connector setup documentation with detailed steps for IAM roles, SSM Hybrid Activation, and credential configuration.

Security assessment

The changes primarily restructure documentation and add procedural details for connector setup. The update to the DHCP note clarifies a specific technical constraint (static IP assignment required with MAP security groups) rather than addressing a vulnerability. The added documentation includes security-related information about IAM roles, SSM Hybrid Activation, and credential management, which enhances security awareness but doesn't indicate a response to a specific security incident.

Diff

diff --git a/transform/latest/userguide/transform-vmware-migrate-servers.md b/transform/latest/userguide/transform-vmware-migrate-servers.md
index b7335361f..a58c3eff5 100644
--- a//transform/latest/userguide/transform-vmware-migrate-servers.md
+++ b//transform/latest/userguide/transform-vmware-migrate-servers.md
@@ -7 +7 @@
-PrerequisitesStep 0: Migration execution defaultsStep 1: Set up migration waveStep 2: Validate and confirm inventoryStep 3: Deploy replication agentsStep 4: Data replicationStep 5: TestingStep 5b: Mark applications as ready for cutoverStep 6: CutoverServer lifecycle statesDeployment approvals
+Prerequisites and migration execution defaultsStep 1: Set up migration waveStep 2: Validate and confirm inventoryStep 3: Deploy replication agentsStep 4: Data replicationStep 5: TestingStep 5b: Mark applications as ready for cutoverStep 6: CutoverServer lifecycle statesDeployment approvals
@@ -32 +32,3 @@ Server migration is organized by waves. Each wave represents a group of servers
-## Prerequisites
+## Prerequisites and migration execution defaults
+
+### Prerequisites
@@ -49 +51 @@ Before starting rehost migration, verify that you have the networking resources
-## Step 0: Migration execution defaults
+### Migration execution defaults
@@ -53 +55 @@ Before starting wave execution, you configure default settings that apply to all
-### Amazon EC2 recommendation preferences
+#### Amazon EC2 recommendation preferences
@@ -63 +65 @@ You can modify the suggested Amazon EC2 instance types to include recommendation
-### Default launch settings
+#### Default launch settings
@@ -127 +129 @@ You choose how IP addresses are assigned to your migrated servers:
-###### Important
+###### Note
@@ -129 +131 @@ You choose how IP addresses are assigned to your migrated servers:
-When security groups are created by AWS Transform, you cannot use DHCP for server migrations. Security groups use CIDR configurations, and enabling DHCP could compromise your network's security posture.
+If you selected the MAP security groups mapping strategy during network migration, only static IP assignment is available. For more details, see [Security groups mapping](./transform-vmware-migrate-network.html#transform-vmware-security-group-association).
@@ -224 +226,78 @@ The connector must be installed on a Linux machine, but it can deploy agents to
-For information about how to set up the Application Migration Service connector, see [Set up the MGN Connector](https://docs.aws.amazon.com/mgn/latest/ug/mgn-connector-setup-instructions.html) in the _Application Migration Service User Guide_.
+AWS Transform guides you through the following steps to set up the connector:
+
+**Step 1: Connector configuration**
+
+Provide a name for your connector, or use the auto-generated default name. The connector can be installed on the management account or on a delegated administrator account in Application Migration Service. For multi-account migrations, the connector can deploy agents to servers across member accounts.
+
+**Step 2: AWS resource setup**
+
+AWS Transform opens a setup page that runs in your browser using your AWS credentials. You must be logged in to the AWS Management Console with either your management account or your delegated administrator account. This must be the same account your AWS Transform target connector is connected to.
+
+The setup page automatically creates the following resources:
+
+  * **IAM roles** (created idempotently — skipped if they already exist):
+
+    * `AWSApplicationMigrationConnectorManagementRole` – Used during agent installation to access credentials.
+
+    * `AWSApplicationMigrationConnectorSharingRole_<ACCOUNT-ID>` – Contains permissions for agent installation.
+
+  * **SSM Hybrid Activation** – 30-day expiration period. Links the connector machine to AWS Systems Manager and generates secure activation credentials.
+
+
+
+
+Alternatively, you can download a CloudFormation template from the setup page to deploy the IAM roles yourself.
+
+The setup page generates a one-line installation command with all necessary credentials and configuration.
+
+###### Important
+
+Keep the setup page open until installation is complete. Closing it will require restarting the process. All credentials exist only in your browser and are not stored by AWS Transform.
+
+**Step 3: Connector installation**
+
+Install the connector on a Linux machine in your environment:
+
+  1. Copy the installation link from the setup page.
+
+  2. SSH into your chosen Linux machine.
+
+  3. Paste and execute the installation command.
+
+  4. Wait for installation to complete (typically 2–3 minutes).
+
+
+
+
+**Step 4: Attach source servers**
+
+After installation, AWS Transform identifies all source servers that belong to the current wave and automatically attaches them to the Application Migration Service connector.
+
+**Step 5: Configure credentials**
+
+Provide AWS Secrets Manager ARNs for your source server credentials. AWS Transform offers three credential configuration options:
+
+  * **Single secret for Linux servers** – One shared secret containing SSH keys or username/password for all Linux source servers.
+
+  * **Single secret for Windows servers** – One shared secret containing username and password for all Windows source servers.
+
+  * **Multiple per-server secrets** – Different secrets per server or group of servers. Use this when servers have different credentials. AWS Transform generates a CSV file pre-populated with your server list. You fill in the `secret_arn` column for each server and upload the completed file.
+
+
+
+
+###### Note
+
+You can combine the Linux and Windows single-secret options if you have both server types with one shared secret each. The per-server secrets option is mutually exclusive with the single-secret options.
+
+Credential secret format. To read more about it, see [MGN connector credentials](https://docs.aws.amazon.com/mgn/latest/ug/mgn-connector-credentials.html) in the _Application Migration Service User Guide_ :
+    
+    
+    {
+      "WinConnectionProtocol": "HTTPS",
+      "WinUserName": "windows_username",
+      "WinPassword": "windows_password",
+      "LinuxUserName": "linux_username",
+      "LinuxPrivateKey": "linux_private_key",
+      "LinuxHostKeyValidation": false
+    }