AWS Security ChangesHomeSearch

AWS mgn documentation change

Service: mgn · 2026-06-16 · Documentation low

File: mgn/latest/ug/replication-server-settings.md

Summary

Replaced EBS-specific settings with new 'Target storage type' option supporting Amazon EBS or FSx for ONTAP. Removed detailed EBS encryption/KMS configuration and updated security group naming.

Security assessment

The changes restructure storage options but don't address vulnerabilities. Removed KMS encryption documentation is offset by new FSx for ONTAP security requirements (iSCSI security groups), maintaining equivalent security coverage. Security group rename reflects service rebranding without functional changes.

Diff

diff --git a/mgn/latest/ug/replication-server-settings.md b/mgn/latest/ug/replication-server-settings.md
index b31f32368..5fdda6595 100644
--- a//mgn/latest/ug/replication-server-settings.md
+++ b//mgn/latest/ug/replication-server-settings.md
@@ -7 +7 @@
-Staging area subnetReplication server instance typeDedicated instance for replication serverAmazon EBS volume typeAmazon EBS encryptionStore snapshots in AWS Local ZoneAlways use AWS Transform MGN security groupData routing and throttlingReplication resources tags
+Staging area subnetReplication server instance typeDedicated instance for replication serverTarget storage typeStore snapshots in AWS Local ZoneAlways use Application Migration Service security groupData routing and throttlingReplication resources tags
@@ -21,3 +21 @@ The replication server options, include:
-  * Amazon EBS volume types
-
-  * Amazon EBS encryption
+  * Target storage type (Amazon EBS or FSx for ONTAP)
@@ -96,180 +94 @@ Using a dedicated replication server may increase the Amazon EC2 cost you incur
-## Amazon EBS volume type
-
-Choose the default Amazon **Amazon EBS volume type** to be used by the replication servers for large disks. 
-
-Each disk has minimum and maximum sizes and varying performance metrics and pricing. Learn more about Amazon EBS volume types in [this Amazon EBS article.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html)
-
-The best practice is to not change the default Amazon EBS volume type, unless there is a business need for doing so. 
-
-###### Note
-
-This option only affects disks over 500 GiB (by default, smaller disks always use Magnetic HDD volumes). 
-
-The default **Lower cost, Throughput Optimized HDD (st1)** option utilizes slower, less expensive disks. 
-
-You may want to use this option if:
-
-  * You want to keep costs low
-
-  * Your large disks do not change frequently
-
-  * You are not concerned with how long the initial sync process will take
-
-
-
-
-The **Faster, General Purpose SSD (gp3)** option utilizes faster, but more expensive disks. 
-
-You may want to use this option if:
-
-  * Your source server has disks with a high write rate or if you want faster performance in general 
-
-  * You want to speed up the initial sync process
-
-  * You are willing to pay more for speed
-
-
-
-
-###### Note
-
-You can customize the Amazon EBS volume type used by each disk within each source server in that source server's settings. [Learn more about changing individual source server volume types.](./staging-disk.html)
-
-###### Note
-
-For information about Amazon EBS volume limits, see [What are the Amazon EBS volume limits for AWS Transform MGN?](./AWS-Related-FAQ.html#ebs-limits-faq)
-
-## Amazon EBS encryption
-
-Choose whether to use the default or custom Amazon **EBS encryption**. This option will encrypt your replicated data at rest on the Staging Area Subnet disks and the replicated disks. 
-
-  * Default – The default Amazon EBS encryption Volume Encryption Key will be used (which can be an Amazon EBS-managed key or a CMK).
-
-  * Custom – You will need to enter a custom customer-managed key (CMK) in the regular key ID format. 
-
-
-
-
-If you select the **Custom** option, the **EBS encryption key** box appears. Enter the ARN or key ID of a customer-managed CMK from your account or another AWS account. Enter the encryption key (such as a cross-account KMS key) in the regular key ID format (KMS key example: 123abcd-12ab-34cd-56ef-1234567890ab). 
-
-To create a new AWS Key Management Service key, click **Create an AWS KMS key**. You will be redirected to the Key Management Service (KMS) Console where you can create a new key to use. 
-
-Learn more about Amazon EBS Volume Encryption in [this Amazon EBS article](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html). 
-
-###### Important
-
-Reversing the encryption option after data replication has started will cause data replication to start from the beginning. 
-
-### Using an AWS KMS Customer Managed Key (CMK) for encryption
-
-If you decide to use a Customer Managed Key (CMK), or if your default Amazon EBS encryption key is a CMK, you will need to add additional permissions to the key to allow AWS Transform MGN to use it. 
-
-To modify the existing key policy using the AWS Management Console _policy view_. 
-
-  1. Navigate to the AWS KMS Console and select the AWS KMS key you plan to use with MGN. 
-
-  2. Scroll to **Key policy** and click **Switch to policy view**. 
-
-  3. Click **Edit** and add the following JSON statements to the **Statement** field. 
-    
-            {
-          "Sid": "Allow AWS Services permission to describe a customer managed key for encryption purposes",
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::$ACCOUNT_ID:root"
-          },
-          "Action": [
-            "kms:DescribeKey"
-          ],
-          "Resource": "*",
-          "Condition": {
-            "StringEquals": {
-              "kms:CallerAccount": [
-                "$ACCOUNT_ID"
-              ]
-            },
-            "Bool": {
-              "aws:ViaAWSService": "true"
-            }
-          }
-        },
-        {
-          "Sid": "Allow MGN permissions to use a customer managed key for EBS encryption",
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::$ACCOUNT_ID:root"
-          },
-          "Action": [
-            "kms:CreateGrant"
-          ],
-          "Resource": "*",
-          "Condition": {
-            "StringEquals": {
-              "kms:CallerAccount": [
-                "$ACCOUNT_ID"
-              ],
-              "kms:GranteePrincipal": [
-                "arn:aws:iam::$ACCOUNT_ID:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService"
-              ]
-            },
-            "ForAllValues:StringEquals": {
-              "kms:GrantOperations": [
-                "CreateGrant",
-                "DescribeKey",
-                "Encrypt",
-                "Decrypt",
-                "GenerateDataKey",
-                "GenerateDataKeyWithoutPlaintext"
-              ]
-            },
-            "Bool": {
-              "aws:ViaAWSService": "true"
-            }
-          }
-        },
-        {
-          "Sid": "Allow EC2 to use this key on behalf of the current MGN user, during target launches",
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": [
-              "arn:aws:iam::$ACCOUNT_ID:root",
-              "arn:aws:iam::$ACCOUNT_ID:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService"
-            ]
-          },
-          "Action": [
-            "kms:ReEncrypt*",
-            "kms:GenerateDataKey*"
-          ],
-          "Resource": "*",
-          "Condition": {
-            "StringEquals": {
-              "kms:CallerAccount": [
-                "$ACCOUNT_ID"
-              ],
-              "kms:ViaService": "ec2.$REGION.amazonaws.com"
-            }
-          }
-        }
-    
-                                
-
-###### Important
-
-     * Replace `$ACCOUNT_ID"` with the AWS account ID you are migrating into.
-
-     * Replace `$REGION` with the AWS Region you are migrating into. 
-
-     * The last statement can be made stricter by ensuring the principal refers to users who are going to perform [StartTest](https://docs.aws.amazon.com/mgn/latest/APIReference/API_StartTest.html) or [StartCutover](https://docs.aws.amazon.com/mgn/latest/APIReference/API_StartCutover.html) API calls 
-
-  4. Click **Save changes**. 
-
-
-
-
-###### Note
-
-If you are using a Customer Managed Key (CMK) from another account, you need to take an additional step from within that account to allow the service to leverage the CMK.
-
-From the account in which you want to stage MGN replication servers, create a grant that delegates the relevant permissions to the appropriate service-linked role. The Grantee Principal element of the grant is the ARN of the appropriate service-linked role. The key-id is the ARN of the key.
-
-The following is an example [create-grant](https://docs.aws.amazon.com/cli/latest/reference/kms/create-grant.html) CLI command that gives the service-linked role named **AWSServiceRoleForApplicationMigrationService** in account 111122223333 permissions to use the customer-managed key in account 444455556666.
+## Target storage type
@@ -277 +96 @@ The following is an example [create-grant](https://docs.aws.amazon.com/cli/lates
-aws kms create-grant \
+AWS Transform MGN supports two target storage types for replication. You can select the storage type that best suits your workload requirements:
@@ -279 +98 @@ aws kms create-grant \
-\--region us-west-2 \
+  * **Amazon Elastic Block Store (Amazon EBS)** – The default storage type. Amazon EBS volumes are used by the replication servers. For configuration details, see [Amazon EBS configuration guide](./ebs-storage.html).