AWS Security ChangesHomeSearch

AWS solutions medium security documentation change

Service: solutions · 2026-06-25 · Security-related medium

File: solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md

Summary

Updated credential storage documentation from AWS Secrets Manager to Kubernetes Secrets, added NextGen references

Security assessment

Changed credential storage mechanism from AWS Secrets Manager to Kubernetes Secrets. This addresses potential security risks by removing dependency on external secrets manager and keeping credentials within the EKS cluster namespace. Kubernetes Secrets provide native encryption and access control, reducing attack surface.

Diff

diff --git a/solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md b/solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md
index 39eef5e29..12e5d2e22 100644
--- a//solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md
+++ b//solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md
@@ -7 +7 @@
-IAM rolesSecurity groupsAWS Secrets ManagerFine-grained access control
+IAM rolesSecurity groupsBasic-auth credential storageFine-grained access control
@@ -15 +15 @@ When you build systems on AWS infrastructure, security responsibilities are shar
-AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution aims to create IAM roles with least privilege where resource access is required. The Amazon EKS deployment uses [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) to associate an IAM role with the Kubernetes service accounts used by the Migration Console pod (`migration-console-access-role`) and the Argo workflow executor pods (`argo-workflow-executor`). The IAM role is named `<eks-cluster-name>-migrations-role` and is created automatically by the CDK stack. This means the Migration Console and the migration jobs can authenticate to Amazon OpenSearch Service, Amazon OpenSearch Serverless, Amazon S3, AWS Secrets Manager, and other AWS services without long-lived credentials.
+AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution aims to create IAM roles with least privilege where resource access is required. The Amazon EKS deployment uses [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) to associate an IAM role with the Kubernetes service accounts used by the Migration Console pod (`migration-console-access-role`) and the Argo workflow executor pods (`argo-workflow-executor`). The IAM role is named `<eks-cluster-name>-migrations-role` and is created automatically by the CDK stack. This means the Migration Console and the migration jobs can authenticate to Amazon OpenSearch Service, Amazon OpenSearch Serverless NextGen, Amazon S3, AWS Secrets Manager, and other AWS services without long-lived credentials.
@@ -19 +19 @@ AWS Identity and Access Management (IAM) roles allow customers to assign granula
-The solution creates security groups designed to control and isolate network traffic between Migration Assistant pods on Amazon EKS, as well as between certain Migration Assistant pods and associated services such as Amazon S3 (via VPC endpoints), Amazon OpenSearch Service, Amazon OpenSearch Serverless, and Amazon EFS. We recommend that you review the security groups and further restrict access as needed once the deployment is up and running. For source and target clusters, the source and target security groups must allow inbound traffic from the Amazon EKS cluster security group.
+The solution creates security groups designed to control and isolate network traffic between Migration Assistant pods on Amazon EKS, as well as between certain Migration Assistant pods and associated services such as Amazon S3 (via VPC endpoints), Amazon OpenSearch Service, Amazon OpenSearch Serverless NextGen, and Amazon EFS. We recommend that you review the security groups and further restrict access as needed once the deployment is up and running. For source and target clusters, the source and target security groups must allow inbound traffic from the Amazon EKS cluster security group.
@@ -21 +21 @@ The solution creates security groups designed to control and isolate network tra
-## AWS Secrets Manager
+## Basic-auth credential storage
@@ -23 +23 @@ The solution creates security groups designed to control and isolate network tra
-Migration Assistant for Amazon OpenSearch Service allows accessing stored secrets from AWS Secrets Manager from the Migration Console pod, the Argo workflow executor pods, and the Reindex-from-Snapshot, Capture Proxy, and Traffic Replayer workloads. Accessing these secrets allows for proper authentication when migrating data from source to target on Amazon OpenSearch Service or Amazon OpenSearch Serverless, and for observing migration status. Use `kubectl create secret generic` to create Kubernetes secrets in the `ma` namespace and reference them in `authConfig.basic.secretName` in your workflow configuration.
+Migration Assistant for Amazon OpenSearch Service stores workflow HTTP Basic credentials as Kubernetes Secrets in the `ma` namespace. The Workflow CLI can create and manage them with `workflow configure credentials create <NAME>`; reference those names in `authConfig.basic.secretName`. If you already manage credentials in an external secrets system, sync the `username` and `password` values into a Kubernetes Secret before referencing them from workflow configuration. The Migration Console pod, Argo workflow executor pods, Reindex-from-Snapshot workers, Capture Proxy, and Traffic Replayer workloads use these credentials when they connect to authenticated source or target clusters.