Connect target account - AWS Transform

Connect target account

The target account is where your network will be deployed and where your migrated servers and applications will reside in AWS.

Important
  • AWS Transform will create an Amazon S3 bucket on your behalf in this target AWS account. This bucket won't have SecureTransport enabled by default. If you want the bucket policy to include secure transport, you must update the policy yourself. For more information, see Security best practices for Amazon S3.
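One way to prepare that policy update, shown as an added example (not code from AWS or from this page): it merges a TLS-only `Deny` statement, built on the `aws:SecureTransport` condition key, into whatever policy the bucket already has instead of overwriting it. The bucket name, the `Sid` value and the sample policy are assumptions made up for the illustration.

```python
import copy
import json

TLS_SID = "DenyInsecureTransport"  # assumed Sid; any value unique within the policy works


def _as_list(value):
    """Policy JSON allows a single item where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy, bucket):
    """True if one Deny statement blocks every non-TLS request to the bucket and its objects."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list((policy or {}).get("Statement")):
        cond = stmt.get("Condition", {})
        # Condition keys are case-insensitive, so normalise before comparing.
        flags = {k.lower(): v for k, v in cond.get("Bool", {}).items()}
        if (stmt.get("Effect") == "Deny"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and {"s3:*", "*"} & set(_as_list(stmt.get("Action")))
                and needed <= set(_as_list(stmt.get("Resource")))
                # Any extra condition would narrow the Deny, so accept only this one.
                and list(cond) == ["Bool"] and list(flags) == ["aws:securetransport"]
                and [str(v).lower() for v in _as_list(flags["aws:securetransport"])] == ["false"]):
            return True
    return False


def enforce_tls(policy, bucket):
    """Return a copy of the policy that denies non-TLS access; existing statements are kept."""
    if denies_insecure_transport(policy, bucket):
        return copy.deepcopy(policy)
    merged = copy.deepcopy(policy) if policy else {"Version": "2012-10-17"}
    merged["Statement"] = _as_list(merged.get("Statement")) + [{
        "Sid": TLS_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]
    return merged


if __name__ == "__main__":
    # Constructed input: placeholder bucket name, no existing policy.
    print(json.dumps(enforce_tls(None, "example-transform-bucket"), indent=2))
```

Writing a bucket policy replaces the whole document, so fetch the current policy first, pass it through `enforce_tls`, and apply the result, for example with `aws s3api put-bucket-policy`.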

To use an existing target account connector
  1. In the Job Plan pane, expand Choose target account, and then choose Create or select connectors.

  2. In the Collaboration tab, select an existing connector if your workspace already has connectors, and then choose Use connector. In the list of available connectors, if a connector is grayed out, that means its version isn't compatible with the job type that you selected earlier.

    Important

    If you specify a connector with a target AWS Region that is different from the AWS Transform Region, that means AWS Transform will be transferring your data across AWS Regions.

  3. Choose Continue.

To create a new connector
  1. In the Job Plan pane, expand Connect target account, and then choose Create or select connectors.

  2. Specify the AWS account and AWS Region that you want to use as your target, and then choose Next.

    Important

    If you specify a connector with a target AWS Region that is different from the discovery AWS Region, that means AWS Transform will be transferring your data across AWS Regions.

  3. Choose whether you want to use Amazon S3 managed keys for encryption. If you specify your own KMS key, you can use the default key policy. However, if you want a less permissive key policy, the following is an example. For information about how to create a KMS key, see Create a KMS key in the AWS Key Management Service Developer Guide.

    AWS Transform uses the kms:DescribeKey permission to make sure the key exists. It uses the kms:GenerateDataKey and kms:Decrypt permissions to encrypt and decrypt the transformation job data in the Amazon S3 bucket.

    AWS Transform uses default Amazon S3 encryption. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys.

  4. Choose Continue.

  5. Copy the verification link, share it with an administrator of the target AWS account, and ask them to approve the connection request.

  6. After the administrator of the AWS account approves the request, select the newly created connector from the list of connectors in the Collaboration tab, and then choose Use connector.

  7. Choose Send to AWS Transform.

If you plan to modify the AWS Application Migration Service template to enable post-launch actions, add the following permission to the target connector role. You can find the name of that role in the Collaboration tab after the connector is created. For information about how to add permissions to a role, see Update permissions for a role in the IAM User Guide.

{
    "Sid": "MGNPostLaunchActions",
    "Effect": "Allow",
    "Action": [
        "iam:PassRole"
    ],
    "Resource": "arn:aws:iam::target-account-ID:role/service-role/AWSApplicationMigrationLaunchInstanceWithSsmRole"
}