AWS transform documentation change
Summary
Updated documentation for target account connector setup in AWS Transform, including clarified permissions, MAP tagging requirements, security best practices for S3 buckets, and regional availability details.
Security assessment
The changes emphasize security best practices including: 1) Explicit note that S3 buckets created don't enforce HTTPS by default, requiring manual policy updates for secure transport 2) Added principle of least privilege justification for Delegated Administrator accounts 3) Clarified IAM permission requirements for post-launch actions. However, there's no evidence of addressing a specific security vulnerability.
Diff
diff --git a/transform/latest/userguide/transform-vmware-connect-target-account.md b/transform/latest/userguide/transform-vmware-connect-target-account.md index 01145e118..1157838b5 100644 --- a//transform/latest/userguide/transform-vmware-connect-target-account.md +++ b//transform/latest/userguide/transform-vmware-connect-target-account.md @@ -11 +11 @@ Step 1: Migration type selectionStep 2: MAP agreementStep 3: Connector configura -Configure your target AWS account connector for network migration, landing zone build, and server migration. This involves three steps: selecting your migration type, providing your MAP agreement details (if applicable), and setting up the connector. These settings apply across all migration stages — network migration, landing zone, and server rehost. +Configure your target AWS account connector for network migration, landing zone build, and server migration. This involves three steps: select your migration type, provide your MAP agreement details (if applicable), and set up the connector. These settings apply across all migration stages — network migration, landing zone, and server rehost. @@ -19 +19 @@ Choose whether you are performing a single-account or multi-account migration: - * **Multi-account migration** – Workloads migrate to different target accounts. The connector must be connected to the organization management account or a Delegated Administrator (DA) account registered for both Application Migration Service and CloudFormation StackSets. + * **Multi-account migration** – Workloads migrate to different target accounts. The connector must be connected to the organization management account or a Delegated Administrator (DA) account registered for both AWS Application Migration Service (Application Migration Service) and CloudFormation StackSets. @@ -26 +26 @@ Choose whether you are performing a single-account or multi-account migration: -If your migration is part of the **AWS Migration Acceleration Program (MAP 2.0)** , provide your MPE ID — a 10-character code using uppercase letters and digits (for example, ABCDE12345). AWS Transform applies the MAP tag to all resources created across network migration, landing zone, and server rehost stages. The tag format is: +If your migration is part of the **AWS Migration Acceleration Program (MAP 2.0)** , provide your Migration Portfolio Experience (MPE) ID — a 10-character code using uppercase letters and digits (for example, ABCDE12345). When you provide your MPE ID, the MAP tag is applied to all resources created across network migration, landing zone, and server rehost stages. The tag format is: @@ -33 +33 @@ If your migration is part of the **AWS Migration Acceleration Program (MAP 2.0)* -MAP tags are required to receive MAP credit. For more information, see [AWS Migration Acceleration Program](https://aws.amazon.com/migration-acceleration-program/). +You must apply MAP tags to receive MAP credit. For more information about MAP, see [AWS Migration Acceleration Program](https://aws.amazon.com/migration-acceleration-program/). @@ -37 +37 @@ MAP tags are required to receive MAP credit. For more information, see [AWS Migr -The target account connector connects your migration job to the AWS environment where your workloads will reside after migration. It's important to ensure that the target AWS account is properly set up with the necessary permissions, quotas, and configurations to support your migrated infrastructure. +You use the target account connector to connect your migration job to the AWS environment where your workloads will reside after migration. Before you begin, verify that your target AWS account has the necessary permissions, quotas, and configurations to support your migrated infrastructure. @@ -41 +41 @@ When you approve the connector request, you grant AWS Transform permissions to: - * Manage Amazon S3 bucket operations (read/write) for VMware migration, along with access to AWS Migration Hub and AWS Application Migration Service (Application Migration Service). This includes permissions for the following items, all restricted to resources within the target account and tagged with `CreatedBy:AWSTransform` or `CreatedFor:AWSTransform`: + * Manage Amazon S3 bucket operations (read/write) for VMware migration, along with access to AWS Migration Hub and AWS Application Migration Service (Application Migration Service). This includes permissions for the following items, all restricted to resources within the target account that are tagged with `CreatedBy:AWSTransform` or `CreatedFor:AWSTransform`: @@ -43 +43 @@ When you approve the connector request, you grant AWS Transform permissions to: - * Managing migration waves + * Manage migration waves. @@ -45 +45 @@ When you approve the connector request, you grant AWS Transform permissions to: - * Network configurations (Amazon EC2, VPC, Transit Gateway, Direct Connect, Load Balancers, Network Firewall) + * Manage network configurations (Amazon EC2, VPC, Transit Gateway, Direct Connect, Load Balancers, Network Firewall). @@ -47 +47 @@ When you approve the connector request, you grant AWS Transform permissions to: - * CloudFormation stack deployments + * Manage CloudFormation stack deployments. @@ -49 +49 @@ When you approve the connector request, you grant AWS Transform permissions to: - * Automated agent installations via Systems Manager + * Perform automated agent installations through Systems Manager. @@ -53 +53 @@ When you approve the connector request, you grant AWS Transform permissions to: - * Provision and manage landing zone infrastructure in the target AWS account and Region. This includes permissions for the following items, restricted to resources tagged with `CreatedBy:AWSTransform` where applicable: + * Provision and manage landing zone infrastructure in the target AWS account and Region. This includes permissions for the following items, restricted to resources that are tagged with `CreatedBy:AWSTransform` where applicable: @@ -55 +55 @@ When you approve the connector request, you grant AWS Transform permissions to: - * Amazon S3 bucket operations (create, read, write, delete) for buckets starting with `transform-vmware-landing-zone-` + * Perform Amazon S3 bucket operations (create, read, write, delete) for buckets that start with `transform-vmware-landing-zone-`. @@ -57 +57 @@ When you approve the connector request, you grant AWS Transform permissions to: - * CloudFormation stack deployments and change set management for landing zone stacks + * Manage CloudFormation stack deployments and change sets for landing zone stacks. @@ -59 +59 @@ When you approve the connector request, you grant AWS Transform permissions to: - * AWS Control Tower operations (managing landing zones, enabling baselines and controls) + * Perform AWS Control Tower operations. You can manage landing zones, enable baselines, and enable controls. @@ -61 +61 @@ When you approve the connector request, you grant AWS Transform permissions to: - * AWS Organizations management (creating and managing organizational units, creating accounts, and moving accounts) + * Manage AWS Organizations. You can create and manage organizational units, create accounts, and move accounts. @@ -63 +63 @@ When you approve the connector request, you grant AWS Transform permissions to: - * Service control policy (SCP) management via AWS Control Tower + * Manage service control policies (SCPs) through AWS Control Tower. @@ -65 +65 @@ When you approve the connector request, you grant AWS Transform permissions to: - * AWS Service Catalog provisioning artifact management + * Manage AWS Service Catalog provisioning artifacts. @@ -72 +72 @@ When you approve the connector request, you grant AWS Transform permissions to: -AWS Transform may update connector types when introducing features requiring permission changes. The current version for the target account connector type is 2.0. New connectors are always created with the latest version. +Connector types might be updated when new features require permission changes. The current version for the target account connector type is 2.0. When you create a new connector, it uses the latest version. @@ -74 +74 @@ AWS Transform may update connector types when introducing features requiring per -Before setting up the connector, understand the account roles involved in your migration: +Before you set up the connector, understand the account roles involved in your migration: @@ -89 +89 @@ Target account | The AWS account where your workloads are migrated to. In a sing -For multi-account migrations, AWS recommends using a Delegated Administrator (DA) account rather than the organization management account directly. The DA account must be registered as delegated administrator for both Application Migration Service and CloudFormation StackSets in your AWS Organization. +For multi-account migrations, AWS recommends that you use a Delegated Administrator (DA) account rather than the organization management account directly. A DA account follows the principle of least privilege by limiting the scope of permissions required for migration operations. The DA account must be registered as delegated administrator for both Application Migration Service and CloudFormation StackSets in your AWS Organization. @@ -104 +104 @@ For more information, see [Delegated administrator for Application Migration Ser -During migration setup, AWS Transform deploys a CloudFormation StackSet (`MGNMultiAccountRoles`) to create the required IAM roles across your target accounts. The following roles are created: +During migration setup, a CloudFormation StackSet (`MGNMultiAccountRoles`) is deployed to create the required IAM roles across your target accounts. These roles grant the permissions that AWS Transform needs to replicate servers, launch instances, and install agents in each target account. The following roles are created: @@ -117 +117 @@ During migration setup, AWS Transform deploys a CloudFormation StackSet (`MGNMul -IAM roles are created idempotently — if they already exist in the account, the setup process skips creating them again. +IAM roles are created only if they don't already exist in the account. If they already exist, the setup process doesn't create them again. @@ -119 +119 @@ IAM roles are created idempotently — if they already exist in the account, the -### How to set up the connector +### Target account connector setup @@ -123 +123 @@ IAM roles are created idempotently — if they already exist in the account, the -AWS Transform creates an Amazon S3 bucket on your behalf in the target AWS account. This bucket won't have `SecureTransport` enabled by default. If you want the bucket policy to include secure transport, you must update the policy yourself. For more information, see [Security best practices for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html). +During connector setup, an Amazon S3 bucket is created in your target AWS account. This bucket won't enforce HTTPS-only access (`SecureTransport`) by default. If you want the bucket policy to include secure transport, you must update the policy yourself. For more information, see [Security best practices for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html). @@ -129 +129 @@ AWS Transform creates an Amazon S3 bucket on your behalf in the target AWS accou - 2. In the **Collaboration** tab, select an existing connector and then choose **Use connector**. If a connector is grayed out, its version isn't compatible with the job type you selected. + 2. In the **Collaboration** tab, select an existing connector and then choose **Use connector**. If a connector is unavailable, its version isn't compatible with the job type you selected. @@ -165 +165 @@ AWS Transform uses the `kms:DescribeKey` permission to verify the key exists, an -If you plan to modify the AWS Application Migration Service template to enable post-launch actions, add the following permission to the target connector role. You can find the role name in the **Collaboration** tab after the connector is created. For information about adding permissions to a role, see [Update permissions for a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-permissions.html) in the _IAM User Guide_. +If you plan to modify the AWS Application Migration Service template to enable post-launch actions, add the following permission to the target connector role. This JSON policy statement grants the `iam:PassRole` permission for the post-launch actions role. You can find the role name in the **Collaboration** tab after the connector is created. For information about adding permissions to a role, see [Update permissions for a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-permissions.html) in the _IAM User Guide_. @@ -218 +218 @@ When you create the connector, specify a target AWS Region. You can use any of t -If you specify a target AWS Region that is different from the AWS Transform AWS Region, that means AWS Transform will be transferring your data across AWS Regions. +If you specify a target AWS Region that differs from the AWS Transform AWS Region, your data is transferred across AWS Regions. @@ -222 +222,3 @@ If you specify a target AWS Region that is different from the AWS Transform AWS -If you plan to run a job that includes server migration only (without network migration execution), additional commercial AWS Regions are available as target Regions: US West (N. California), Europe (Milan), Asia Pacific (Jakarta), Europe (Zurich), Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Middle East (Tel Aviv), Asia Pacific (Bangkok), Asia Pacific (Kuala Lumpur), Middle East (Bahrain), Africa (Cape Town), Asia Pacific (Hong Kong), and Middle East (UAE). To use one of these additional Regions before Q3 2026, contact your AWS account team to have your account allow-listed. Starting in Q3 2026, these Regions will be generally available without the need for an allow-list request. +If you plan to run a job that includes only server migration (without network migration), additional commercial AWS Regions are available as target Regions. These Regions include US West (N. California), Europe (Milan), Asia Pacific (Jakarta), Europe (Zurich), Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Middle East (Tel Aviv), Asia Pacific (Bangkok), Asia Pacific (Kuala Lumpur), Middle East (Bahrain), Africa (Cape Town), Asia Pacific (Hong Kong), and Middle East (UAE). + +To use one of these additional Regions before Q3 2026, contact your AWS account team to request access. After Q3 2026, these Regions will be generally available without an access request.