Connect target AWS accounts
Configure your target AWS account connector for network migration, landing zone build, and server migration. This involves three steps: select your migration type, provide your MAP agreement details (if applicable), and set up the connector. These settings apply across all migration stages — network migration, landing zone, and server rehost.
Step 1: Migration type selection
Choose whether you are performing a single-account or multi-account migration:
- Single-account migration – All workloads migrate to one target AWS account. The connector target account and the target account are the same.
- Multi-account migration – Workloads migrate to different target accounts. The connector must be connected to the organization management account or to a Delegated Administrator (DA) account that is registered as delegated administrator for both AWS Application Migration Service (Application Migration Service) and CloudFormation StackSets.
Step 2: MAP agreement
If your migration is part of the AWS Migration Acceleration Program (MAP 2.0), provide your Migration Portfolio Experience (MPE) ID, a 10-character code using uppercase letters and digits (for example, ABCDE12345). When you provide your MPE ID, the MAP tag is applied to all resources created across the network migration, landing zone, and server rehost stages. The tag format is:
- Key: map-migrated
- Value: migMPE_ID, that is, the literal prefix mig followed by your MPE ID (for example, migABCDE12345)
You must apply MAP tags to receive MAP credit. For more information about MAP, see AWS Migration Acceleration Program.
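Because MAP credit depends on every migrated resource carrying the tag in exactly this form, a practitioner will usually want to audit the target account after a wave. The following Python is an added example (it is not code from AWS Transform or from this documentation): it validates an MPE ID, builds the map-migrated tag as described above, and reports resources whose tag is missing or malformed. The resource ARNs, the 111122223333 account ID and the function names are constructed placeholders for illustration.

```python
import re

# Tag key and value prefix as described in the MAP 2.0 section above.
MAP_TAG_KEY = "map-migrated"
MAP_VALUE_PREFIX = "mig"
# An MPE ID is exactly 10 characters from A-Z and 0-9.
MPE_ID_RE = re.compile(r"[A-Z0-9]{10}")


def is_valid_mpe_id(mpe_id: str) -> bool:
    """True when mpe_id is exactly 10 uppercase letters or digits (case-sensitive)."""
    return MPE_ID_RE.fullmatch(mpe_id) is not None


def map_tag(mpe_id: str) -> dict:
    """Return the {"Key", "Value"} pair AWS Transform applies for this MPE ID."""
    if not is_valid_mpe_id(mpe_id):
        raise ValueError(f"MPE ID must be 10 uppercase letters or digits, got {mpe_id!r}")
    return {"Key": MAP_TAG_KEY, "Value": MAP_VALUE_PREFIX + mpe_id}


def resources_from_tagging_response(response: dict) -> dict:
    """Flatten one Resource Groups Tagging API get_resources() page into {arn: [tags]}."""
    return {
        item["ResourceARN"]: item.get("Tags", [])
        for item in response.get("ResourceTagMappingList", [])
    }


def audit_map_tags(resources: dict, mpe_id: str) -> dict:
    """Return {arn: problem} for resources whose MAP tag is absent or not mig<MPE_ID>.

    Correctly tagged resources are omitted, so an empty result means every
    resource is eligible. AWS tag keys are case-sensitive, so the key is
    compared exactly: "Map-Migrated" does not count.
    """
    expected = map_tag(mpe_id)["Value"]
    findings = {}
    for arn, tags in resources.items():
        values = [t["Value"] for t in tags if t["Key"] == MAP_TAG_KEY]
        if not values:
            findings[arn] = "missing map-migrated tag"
        elif values[0] != expected:
            findings[arn] = f"unexpected value {values[0]!r}, expected {expected!r}"
    return findings


# Constructed sample page: one resource tagged correctly, one with only the
# CreatedBy tag, and one whose value uses a lowercase MPE ID. The account ID
# and resource IDs are placeholders, not real resources.
SAMPLE_TAGGING_RESPONSE = {
    "ResourceTagMappingList": [
        {
            "ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def4567890",
            "Tags": [
                {"Key": "CreatedBy", "Value": "AWSTransform"},
                {"Key": "map-migrated", "Value": "migABCDE12345"},
            ],
        },
        {
            "ResourceARN": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0abc123def4567890",
            "Tags": [{"Key": "CreatedBy", "Value": "AWSTransform"}],
        },
        {
            "ResourceARN": "arn:aws:s3:::transform-vmware-landing-zone-example",
            "Tags": [{"Key": "map-migrated", "Value": "migabcde12345"}],
        },
    ]
}


if __name__ == "__main__":
    resources = resources_from_tagging_response(SAMPLE_TAGGING_RESPONSE)
    for arn, problem in audit_map_tags(resources, "ABCDE12345").items():
        print(f"{arn}: {problem}")
```

Against a real target account, page through boto3's resourcegroupstaggingapi get_resources() call (optionally filtered on the CreatedBy tag) and feed each page to resources_from_tagging_response(); the audit itself runs offline on the returned dict, so it can be run from a read-only principal.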
Step 3: Connector configuration
You use the target account connector to connect your migration job to the AWS environment where your workloads will reside after migration. Before you begin, verify that your target AWS account has the necessary permissions, quotas, and configurations to support your migrated infrastructure.
When you approve the connector request, you grant AWS Transform permissions to:
- Manage Amazon S3 bucket operations (read/write) for VMware migration, along with access to AWS Migration Hub and AWS Application Migration Service (Application Migration Service). This includes permissions for the following items, all restricted to resources within the target account that are tagged with CreatedBy:AWSTransform or CreatedFor:AWSTransform:
  - Manage migration waves.
  - Manage network configurations (Amazon EC2, VPC, Transit Gateway, Direct Connect, Load Balancers, Network Firewall).
  - Manage CloudFormation stack deployments.
  - Perform automated agent installations through Systems Manager.
- Migrate your on-premises workloads to the target AWS account and Region by using the information stored in the discovery Region.
- Provision and manage landing zone infrastructure in the target AWS account and Region. This includes permissions for the following items, restricted to resources that are tagged with CreatedBy:AWSTransform where applicable:
  - Perform Amazon S3 bucket operations (create, read, write, delete) for buckets whose names start with transform-vmware-landing-zone-.
  - Manage CloudFormation stack deployments and change sets for landing zone stacks.
  - Perform AWS Control Tower operations: manage landing zones, enable baselines, and enable controls.
  - Manage AWS Organizations: create and manage organizational units, create accounts, and move accounts.
  - Manage service control policies (SCPs) through AWS Control Tower.
  - Manage AWS Service Catalog provisioning artifacts.
Because these grants are scoped by tag, the CreatedBy and CreatedFor tags are the boundary of the connector's reach in the target account. Any principal that can apply those tags to other resources brings them into that scope, so treat the ability to tag resources in the target account as a privileged operation.
Note
Connector types might be updated when new features require permission changes. The current version for the target account connector type is 2.0. When you create a new connector, it uses the latest version.
Before you set up the connector, understand the account roles involved in your migration:
| Account | Description |
|---|---|
| AWS Transform account | Any member account in your AWS Organization where you set up AWS Transform. This is where your AWS Transform workspace runs. It does not need to be the management account. |
| Connector target account | The account your AWS Transform connector is configured to. In a single-account migration, this is the target account itself. In a multi-account migration, this is the organization management account or a delegated administrator account. |
| Target account | The AWS account where your workloads are migrated to. In a single-account migration, this is the same as the connector target account. In a multi-account migration, these are the individual member accounts receiving the migrated workloads. |
Using a delegated administrator account
For multi-account migrations, AWS recommends that you use a Delegated Administrator (DA) account rather than the organization management account directly. A DA account follows the principle of least privilege by limiting the scope of permissions required for migration operations. The DA account must be registered as delegated administrator for both Application Migration Service and CloudFormation StackSets in your AWS Organization.
The key difference between the two options is:
- Management account – Can enable trusted access for Application Migration Service and CloudFormation StackSets across the organization. AWS Transform calls CloudFormation StackSets APIs with CallAs: SELF.
- Delegated Administrator account – Cannot enable trusted access directly (that must be done from the management account), but can manage Application Migration Service source servers, launch instances, and deploy CloudFormation StackSets across member accounts. AWS Transform calls CloudFormation StackSets APIs with CallAs: DELEGATED_ADMIN.
For more information, see Delegated administrator for Application Migration Service in the Application Migration Service User Guide.
IAM roles created during setup
During migration setup, a CloudFormation StackSet (MGNMultiAccountRoles) is deployed to create the required IAM roles across your target accounts. These roles grant the permissions that AWS Transform needs to replicate servers, launch instances, and install agents in each target account. The following roles are created:
- AWSApplicationMigrationConnectorManagementRole – Used during agent installation to access source server credentials from AWS Secrets Manager.
- AWSApplicationMigrationConnectorSharingRole_<ACCOUNT-ID> – Contains permissions for agent installation across accounts.
- Application Migration Service service roles – Created automatically during Application Migration Service initialization in each target account. These include roles for replication and launch operations, and cross-account roles for multi-account migrations.
Note
IAM roles are created only if they don't already exist in the account. If they already exist, the setup process doesn't create them again.
Target account connector setup
Important
During connector setup, an Amazon S3 bucket is created in your target AWS account. This bucket won't enforce HTTPS-only access (SecureTransport) by default. If you want the bucket policy to include secure transport, you must update the policy yourself. For more information, see Security best practices for Amazon S3.
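The note above leaves enforcing TLS on that bucket to you. The following Python is an added example, not code from AWS Transform or from this documentation: it inspects a bucket policy for a Deny statement keyed on aws:SecureTransport and appends one when it is absent, leaving existing statements untouched. The bucket name, the sample Allow statement and the ExampleConnectorRole ARN are constructed placeholders (the page does not give the connector bucket's actual name), and all function names are illustrative.

```python
import json

DENY_SID = "DenyInsecureTransport"


def bucket_arns(bucket_name: str) -> list:
    """Bucket ARN plus the object ARN pattern; the deny must cover both."""
    return [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"]


def secure_transport_statement(bucket_name: str) -> dict:
    """Deny every S3 action to every principal when the request did not use TLS."""
    return {
        "Sid": DENY_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": bucket_arns(bucket_name),
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def _as_list(value) -> list:
    """IAM accepts a single string or object where a list is allowed; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load(policy):
    """Accept either a policy document string or an already-parsed dict."""
    return json.loads(policy) if isinstance(policy, str) else policy


def has_secure_transport_deny(policy, bucket_name: str) -> bool:
    """True if a Deny on s3:* (or *) with aws:SecureTransport=false covers bucket and objects.

    The check is deliberately strict: a deny on only the bucket ARN, or on a
    subset of actions, does not count, because plaintext GetObject on objects
    would still be permitted.
    """
    required = set(bucket_arns(bucket_name))
    for stmt in _as_list(_load(policy).get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":  # accepts "false" or JSON false
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"s3:*", "*"}:
            continue
        if not required <= set(_as_list(stmt.get("Resource"))):
            continue
        return True
    return False


def ensure_secure_transport(policy_json, bucket_name: str):
    """Return (policy_json, changed). Pass None when the bucket has no policy yet."""
    policy = _load(policy_json) if policy_json else {"Version": "2012-10-17", "Statement": []}
    if has_secure_transport_deny(policy, bucket_name):
        return json.dumps(policy, indent=2), False
    policy.setdefault("Version", "2012-10-17")
    policy["Statement"] = _as_list(policy.get("Statement")) + [secure_transport_statement(bucket_name)]
    return json.dumps(policy, indent=2), True


# Constructed sample: the kind of Allow a connector bucket policy might carry.
# Bucket name, account ID and role name are placeholders, not AWS Transform values.
SAMPLE_BUCKET = "transform-vmware-landing-zone-example"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowConnectorRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleConnectorRole"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}/*",
    },
})


if __name__ == "__main__":
    updated, changed = ensure_secure_transport(SAMPLE_POLICY, SAMPLE_BUCKET)
    print("changed:", changed)
    print(updated)
```

To apply it, read the current document with boto3's s3 get_bucket_policy(Bucket=name)["Policy"] (a bucket with no policy raises a NoSuchBucketPolicy ClientError; pass None in that case) and write the result back with put_bucket_policy(Bucket=name, Policy=updated). AWS services and SDK clients call S3 over HTTPS, so the deny does not interfere with the connector; it only shuts the plaintext path.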
To use an existing target account connector
1. In the Job Plan pane, expand Choose target account, and then choose Create or select connectors.
2. In the Collaboration tab, select an existing connector and then choose Use connector. If a connector is unavailable, its version isn't compatible with the job type you selected.
   Important
   If you specify a connector with a target AWS Region that is different from the AWS Transform Region, AWS Transform will transfer your data across AWS Regions.
3. Choose Continue.
To create a new connector
1. In the Job Plan pane, expand Connect target account, and then choose Create or select connectors.
2. Specify the AWS account and AWS Region for your target, and then choose Next.
   Important
   If the target AWS Region differs from the discovery AWS Region, AWS Transform will transfer your data across AWS Regions.
3. Choose whether to use Amazon S3 managed keys for encryption. If you specify your own KMS key, you can use the default key policy or a less permissive one. For information about creating a KMS key, see Create a KMS key in the AWS Key Management Service Developer Guide.
   AWS Transform uses the kms:DescribeKey permission to verify that the key exists, and kms:GenerateDataKey and kms:Decrypt to encrypt and decrypt job data in the Amazon S3 bucket. If you write a less permissive key policy, those three actions are the ones the connector requires. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys.
4. Choose Continue.
5. Copy the verification link, share it with an administrator of the target AWS account, and ask them to approve the connection request.
6. After the administrator approves the request, select the newly created connector from the list and choose Use connector.
7. Choose Send to AWS Transform.
If you plan to modify the AWS Application Migration Service template to enable post-launch actions, add the following permission to the target connector role. This JSON policy statement grants the iam:PassRole permission for the post-launch actions role. You can find the role name in the Collaboration tab after the connector is created. For information about adding permissions to a role, see Update permissions for a role in the IAM User Guide. Keep the Resource element scoped to this single role ARN as shown; a wildcard there would let the connector pass any role in the account.

```json
{
  "Sid": "MGNPostLaunchActions",
  "Effect": "Allow",
  "Action": [
    "iam:PassRole"
  ],
  "Resource": "arn:aws:iam::target-account-ID:role/service-role/AWSApplicationMigrationLaunchInstanceWithSsmRole"
}
```
Supported target regions
When you create the connector, specify a target AWS Region. You can use any of the following AWS Regions:
US East (N. Virginia)
US East (Ohio)
US West (Oregon)
Asia Pacific (Mumbai)
Asia Pacific (Tokyo)
Asia Pacific (Seoul)
Asia Pacific (Osaka)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Canada (Central)
Europe (Frankfurt)
Europe (Ireland)
Europe (London)
Europe (Paris)
Europe (Stockholm)
South America (São Paulo)
Important
If you specify a target AWS Region that differs from the AWS Transform AWS Region, your data is transferred across AWS Regions.
Note
If you plan to run a job that includes only server migration (without network migration), additional commercial AWS Regions are available as target Regions. These Regions include US West (N. California), Europe (Milan), Asia Pacific (Jakarta), Europe (Zurich), Europe (Spain), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Middle East (Tel Aviv), Asia Pacific (Bangkok), Asia Pacific (Kuala Lumpur), Middle East (Bahrain), Africa (Cape Town), Asia Pacific (Hong Kong), and Middle East (UAE).
To use one of these additional Regions before Q3 2026, contact your AWS account team to request access. After Q3 2026, these Regions will be generally available without an access request.