
Containerization permissions - AWS Transform

Containerization permissions

During the containerization workflow, AWS Transform deploys an IAM role to your AWS account that it uses to build container images and deploy infrastructure. You are asked to review and approve the creation of this role before the workflow continues.

The role is named AWSTransformCodeBuildExecutionRole and is deployed through an AWS CloudFormation stack. It includes the following managed policies.

Base policy

Provides core permissions for the containerization workflow:

  • Amazon S3 — Read and write objects in aws-transform-* buckets

  • Amazon ECR — Authenticate, pull images (tagged with Project: atx-migration), and push images to repositories tagged with CreatedBy: AWSTransform

  • AWS CodeArtifact — Read from repositories tagged with Project: atx-migration, list repositories, obtain authorization tokens, and read repository endpoints. These permissions support both public dependency resolution and private dependency sources configured during the workflow

  • Amazon CloudWatch Logs — Create log groups and streams, and write log events for and Amazon ECS log groups

  • AWS KMS — Describe and decrypt keys (scoped to Amazon S3 through a kms:ViaService condition)

  • Amazon EC2 — Create and manage network interfaces for VPC-enabled projects

  • AWS CodeConnections — Use connections to access source code repositories through the configured CodeConnections ARN

Networking policy

Manages networking resources for deployed applications:

  • Elastic Load Balancing — Create, describe, and manage load balancers, target groups, listeners, and rules (tagged with CreatedBy: AWSTransform)

  • Route 53 — Create and manage hosted zones and DNS records

  • AWS Cloud Map — Create and manage namespaces and services for service discovery (tagged with CreatedBy: AWSTransform)

Storage policy

Manages storage resources for deployed applications:

  • Amazon S3 — Create and manage buckets, including encryption, versioning, lifecycle, and access policies

  • Amazon EFS — Create and manage file systems, mount targets, and access points (tagged with CreatedBy: AWSTransform)

  • Amazon EBS — Create and manage volumes and snapshots (tagged with CreatedBy: AWSTransform)

AWS KMS policy

Manages encryption key operations:

  • Describe keys, list aliases, and read key policies

  • Encrypt, decrypt, and generate data keys (scoped to Amazon CloudWatch Logs, Amazon EFS, Amazon EC2, and Amazon S3 through kms:ViaService conditions)

Amazon ECS policy

Manages Amazon Elastic Container Service resources for container deployments:

  • Create and manage clusters, services, and task definitions (tagged with CreatedBy: AWSTransform)

  • Register and deregister task definitions, and run tasks

  • Pass IAM roles to Amazon ECS tasks and services

  • Read IAM role information and ACM certificates

  • Describe Amazon EC2 VPCs, subnets, security groups, and network interfaces

Amazon EKS policy

Manages Amazon Elastic Kubernetes Service resources for Kubernetes deployments:

  • Access the Kubernetes API, describe clusters, and list add-ons

  • Pass IAM roles to Amazon EKS

Note

All permissions are scoped to your AWS account and AWS Region. Resources created by AWS Transform are tagged with CreatedBy: AWSTransform, and write operations are restricted to resources with this tag where applicable.
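The two scoping patterns this page relies on, write operations restricted to resources tagged CreatedBy: AWSTransform and KMS operations restricted to a calling service, are expressed in IAM as condition keys (aws:ResourceTag or aws:RequestTag for tags, kms:ViaService for the service restriction). The following is an added example for reviewing a role before approving the CloudFormation stack; it is not AWS Transform's own policy, and the embedded policy document is a constructed sample that only mimics the shape described above. It walks every Allow statement and lists the ones that grant write actions without a CreatedBy tag condition, or KMS cryptographic actions without kms:ViaService, so a reviewer can decide whether each unscoped statement is one of the "where applicable" exceptions (for example bucket creation or Route 53 changes, which this page does not describe as tag-scoped).

```python
"""Static review of an IAM policy document for tag and kms:ViaService scoping.

Added example; the policy below is constructed for illustration and is not the
real AWSTransformCodeBuildExecutionRole policy.
"""
import json

# Constructed sample: two correctly scoped statements and two deliberately
# unscoped ones, so the review function has something to flag.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EcrPushTagScoped",
            "Effect": "Allow",
            "Action": ["ecr:PutImage", "ecr:InitiateLayerUpload",
                       "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"],
            "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/CreatedBy": "AWSTransform"}},
        },
        {
            "Sid": "KmsDecryptViaS3",
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}},
        },
        {
            "Sid": "EcsCreateUnscoped",  # write with no CreatedBy tag condition
            "Effect": "Allow",
            "Action": ["ecs:CreateCluster", "ecs:DescribeClusters"],
            "Resource": "*",
        },
        {
            "Sid": "KmsEncryptUnscoped",  # KMS crypto op with no kms:ViaService
            "Effect": "Allow",
            "Action": "kms:GenerateDataKey",
            "Resource": "*",
        },
    ],
}

# Verbs treated as read-only; everything else (including "*") is a write.
READ_PREFIXES = ("Describe", "Get", "List", "Read", "BatchGet", "BatchCheck")
TAG_KEYS = {"aws:resourcetag/createdby", "aws:requesttag/createdby"}


def _as_list(value):
    """IAM allows a string or a list for Action/Condition values."""
    return value if isinstance(value, list) else [value]


def is_write_action(action):
    """True unless the action verb starts with a read-only prefix."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return not verb.startswith(READ_PREFIXES)


def _condition_keys(statement):
    """Flatten all condition keys of a statement to a lower-cased set."""
    keys = set()
    for operator_map in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_map)
    return keys


def review_policy(policy):
    """Return (Sid, reason) findings for Allow statements that grant writes
    without a CreatedBy tag condition, or KMS crypto ops without kms:ViaService."""
    findings = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no sid>")
        actions = _as_list(statement.get("Action", []))
        keys = _condition_keys(statement)

        kms_crypto = [a for a in actions
                      if a.lower().startswith("kms:") and is_write_action(a)]
        if kms_crypto and "kms:viaservice" not in keys:
            findings.append((sid, f"KMS operations {kms_crypto} lack kms:ViaService"))

        writes = [a for a in actions
                  if not a.lower().startswith("kms:") and is_write_action(a)]
        if writes and not (keys & TAG_KEYS):
            findings.append((sid, f"write actions {writes} not restricted to CreatedBy: AWSTransform"))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; swap in a policy fetched from
    # the deployed role to review the real document.
    for sid, reason in review_policy(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
    print(json.dumps([s["Sid"] for s in SAMPLE_POLICY["Statement"]]))
```

The read/write split is a heuristic keyed on the action verb, so a reviewer should treat the output as a worklist rather than a verdict; a flagged statement is one to read by hand against the service-specific notes on this page, not necessarily a defect.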