Are you considering moving your AWS resources from one account to another? If so, you’re definitely not alone! This situation arises more frequently than you might think. Whether your company has undergone a merger, you’re transitioning to a new managed service provider, or you’re simply reorganizing your cloud setup for better efficiency, there can be numerous reasons for this change.
The good news is that moving between AWS accounts isn’t an insurmountable task—it’s entirely feasible. However, it involves more than just transferring files and configurations; it’s crucial to ensure that everything remains secure, minimizes downtime, and keeps costs manageable.
In this blog, we’ll break down the migration process step by step. You’ll receive all the information you need to execute this transition correctly and avoid the common pitfalls that can turn a straightforward move into a nightmare. Let’s dive in and make this migration as smooth and stress-free as possible.
Before getting into the migration part, let’s know first what a typical migration may include:
- Infrastructure, which includes the essential components that keep everything running, like AWS Lambda functions, load balancers and more.
- Compute resources, like Elastic Compute Cloud (Amazon EC2)
- Storage, such as Amazon S3 for keeping your files.
- Databases you use, whether that’s Amazon RDS, DynamoDB, or other database services.
Migrate AWS Resources Between AWS Accounts
Here's how you can migrate infrastructure, databases and specific files from one AWS account to another. Let's explore some popular tools and methods to transfer the data from one account to another with as little friction as possible.
1. Migrating Infrastructure
When it comes to moving your infrastructure, especially temporary resources, there are a couple of easy methods you can use. These methods are based on Infrastructure as Code (IaC), which is basically scripts that help set up your IT resources automatically. You can migrate your infrastructure using CloudFormation or Former2.
1.1 Using AWS CloudFormation
If you already use AWS CloudFormation, you can simply bring your existing templates over to the new AWS account. AWS CloudFormation helps you manage and set up your resources easily. You create templates that allow you to quickly and reliably set up services or applications called “stacks.”
1.2 Using Former2
Another option is to use a tool called Former2. This tool helps you create templates based on your current resources in your existing AWS account, which you can then use in your new account.
Former2 is an open-source tool that can generate IaC templates for you, like AWS CloudFormation or HashiCorp Terraform, straight from your existing resources.
2. Migrating Compute Resources
When it comes to transferring compute resources that maintain data, you have a couple of effective choices to streamline the process. These methods provide a virtual platform for running instances with various operating systems.
2.1 Utilizing AWS Backup
If you're currently using the AWS Backup service along with AWS Organizations to oversee your backup strategies, you can leverage the cross-account management feature of AWS Backup. This capability allows you to control, monitor, and restore backups across different AWS accounts, provided that both accounts are within the same AWS Organization. After the backups are transferred to the new account, restoring your EC2 instances becomes straightforward. Here’s how you can create backup copies using AWS Backup.
Requirements
- All accounts involved must be part of the same AWS Organization
- Designate a management account in AWS Organizations to manage cross-account backups
- Enable the cross-account backup feature in the AWS Backup console using the management account credentials
Setup Steps
- Create a management account and add the member accounts.
- Go to Settings and enable Cross-Account Backup and Cross-Account Monitoring
- In the destination account, create a backup vault and assign a customer-managed KMS key for encryption
- In the destination account, update the access policy of the backup vault to allow the source account to copy backups into it.
- In the source account, create a backup plan and define a rule that includes the destination vault ARN.
- Create a scheduled backup plan in the AWS Backup console or perform on-demand backups by copying a backup from the source account to the destination account directly from the AWS Backup console.
- AWS Backup does not support restoring a backup directly from one account into another, so copy the backup to the target account first and then restore it within that account.
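As an added example (not code from the original post), the following Python generates the destination-vault access policy that the setup steps above call for and checks that only the intended source account is granted copy access. The account IDs and the statement Sid are placeholders; the action name `backup:CopyIntoBackupVault` is the one AWS Backup uses for cross-account copies into a vault.

```python
import json

def vault_copy_policy(source_account_id: str) -> dict:
    """Destination-vault access policy that lets only the given source account
    copy recovery points into this vault (Sid is an assumed name)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCopyFromSourceAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*",
        }],
    }

def check_vault_policy(policy: dict, allowed_accounts: set) -> list:
    """Return findings for Allow statements whose principals are not limited
    to the expected source accounts (wildcard or unknown account)."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            sid = st.get("Sid", "<no Sid>")
            if p == "*":
                findings.append(f"{sid}: wildcard principal lets any AWS account copy into this vault")
                continue
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account not in allowed_accounts:
                findings.append(f"{sid}: principal {p} is not an expected source account")
    return findings

# Constructed weak policy: opens the vault to every AWS account.
WEAK_VAULT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenCopy", "Effect": "Allow", "Principal": "*",
     "Action": "backup:CopyIntoBackupVault", "Resource": "*"}]}

if __name__ == "__main__":
    good = vault_copy_policy("111111111111")  # placeholder source account id
    print(json.dumps(good, indent=2))
    print(check_vault_policy(good, {"111111111111"}))
    print(check_vault_policy(WEAK_VAULT_POLICY, {"111111111111"}))
```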
AWS Backup is an excellent service that automates data protection throughout AWS services. With this service, you can simplify the backup process.
2.2 Generating an Amazon Machine Image (AMI)
Another option is to migrate an EC2 image manually. This method applies only to instances with unencrypted Amazon Elastic Block Store (EBS) volumes. Here’s how you can do this:
- From the source account, create a custom AMI of the instance you wish to migrate (avoid static IP configurations to prevent connectivity issues).
- Share the created AMI with the target account using the Amazon EC2 console or AWS CLI.
- In the target account, you can locate the shared AMI using the EC2 console or AWS CLI.
- Now, launch a new instance from the shared AMI in the target account. If needed, import your public key for access.
- From the newly launched instance, create a custom AMI in the target account to avoid issues if the original shared AMI is deregistered.
- If no longer needed, deregister the AMI in the source account.
Important Notes
- Data on instance store volumes is not preserved in AMIs.
- Avoid static IP configurations in the image to ensure proper connectivity in the target account.
- Before deregistering the original AMI, launch instances in the target account so you keep the ability to create new instances from that image later.
- Optionally, copy the AMI to the same or another region in the target account for backup purposes.
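The two caveats above (encrypted EBS volumes are out of scope for manual AMI sharing, and instance store data is not captured) are easy to check before sharing. The following Python is an added example, not code from the original post: it runs a pre-flight check over the `BlockDeviceMappings` of a `describe-images` result. The image and snapshot IDs are constructed placeholders.

```python
# Constructed sample in the shape of `aws ec2 describe-images` output; not real data.
SAMPLE_IMAGE = {
    "ImageId": "ami-0123456789abcdef0",
    "State": "available",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0a1b2c3d4e5f67890", "Encrypted": False}},
        {"DeviceName": "/dev/sdb", "Ebs": {"SnapshotId": "snap-0f9e8d7c6b5a43210", "Encrypted": True}},
        {"DeviceName": "/dev/sdc", "VirtualName": "ephemeral0"},  # instance store volume
    ],
}

CLEAN_IMAGE = {
    "ImageId": "ami-0fedcba9876543210",
    "State": "available",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0123456789abcdef0", "Encrypted": False}},
    ],
}

def preflight(image: dict) -> list:
    """Return findings that block or complicate sharing this AMI with another account."""
    findings = []
    if image.get("State") != "available":
        findings.append(f"image state is {image.get('State')!r}, expected 'available'")
    for mapping in image.get("BlockDeviceMappings", []):
        dev = mapping.get("DeviceName")
        if "VirtualName" in mapping:
            # Instance store data is never part of the AMI; warn so it gets backed up separately.
            findings.append(f"{dev}: instance store volume, its data is not preserved in the AMI")
        elif mapping.get("Ebs", {}).get("Encrypted"):
            # Manual AMI sharing as described here covers unencrypted EBS volumes only.
            findings.append(f"{dev}: encrypted EBS volume, manual AMI sharing covers only unencrypted volumes")
    return findings

def can_share_manually(image: dict) -> bool:
    """True when no finding rules out the manual share-the-AMI path."""
    return not any("encrypted EBS" in f or "image state" in f for f in preflight(image))

if __name__ == "__main__":
    for img in (SAMPLE_IMAGE, CLEAN_IMAGE):
        print(img["ImageId"], can_share_manually(img), preflight(img))
```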
3. Migrating Storage Resources
AWS provides a variety of storage options, including object, file, and block storage. When it comes to migrating objects from an S3 bucket, you can migrate your storage resources using these methods.
3.1 Using the Amazon S3 Command Line Interface (CLI)
One way to transfer objects is by utilizing Amazon S3 CLI commands to perform the initial copy of objects from the source account to the target account.
Objects in Amazon S3 are not automatically owned by the AWS account that uploads them. It's recommended to use the Bucket owner enforced setting to simplify access management, but this disables access control lists (ACLs); the ACL-based copy procedure below therefore relies on the Bucket owner preferred setting instead.
- Create a customer-managed IAM policy that grants the necessary permissions for the IAM identity (user or role) to retrieve objects from the source bucket and upload to the destination bucket. Below is an example policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::source-DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::source-DOC-EXAMPLE-BUCKET/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}
```
- Attach this policy to the relevant IAM identity in the source account.
- In the destination account, change the S3 Object Ownership setting for the destination bucket to Bucket owner preferred.
- Update the bucket policy in the destination account to allow the source account to upload objects, including a condition to require the bucket-owner-full-control ACL:
```json
{
  "Version": "2012-10-17",
  "Id": "Policy1611277539797",
  "Statement": [
    {
      "Sid": "Stmt1611277535086",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:user/Jane"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "Stmt1611277877767",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:user/Jane"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET"
    }
  ]
}
```
- Remember to replace the bucket names and the principal ARN with your specific details.
- Upload objects with the correct ACL: ensure the ACL is set to bucket-owner-full-control when copying objects, otherwise the bucket policy condition above rejects the upload. For example, to copy a single object using the AWS CLI:
```shell
aws s3 cp s3://source-DOC-EXAMPLE-BUCKET/object.txt s3://destination-DOC-EXAMPLE-BUCKET/object.txt --acl bucket-owner-full-control
```
- To copy an entire folder (prefix) from the source bucket to the destination bucket:
```shell
aws s3 cp s3://source-DOC-EXAMPLE-BUCKET/directory/ s3://destination-DOC-EXAMPLE-BUCKET/directory/ --recursive --acl bucket-owner-full-control
```
By following these steps, you can effectively manage S3 object ownership and ensure smooth transfers between AWS accounts.
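The bucket policy's `s3:x-amz-acl` condition is the control that keeps uploaded objects usable by the destination account, so it is worth verifying before you open the bucket to the source account. The following Python is an added example, not code from the original post: it flags any Allow statement that grants `s3:PutObject` on the destination bucket's objects without requiring the `bucket-owner-full-control` ACL, using the bucket name and principal from the policy above.

```python
import json

DESTINATION_BUCKET_ARN = "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET"
REQUIRED_ACL = "bucket-owner-full-control"
SOURCE_USER = "arn:aws:iam::222222222222:user/Jane"  # principal from the post's policy

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unguarded_put_statements(policy: dict, bucket_arn: str = DESTINATION_BUCKET_ARN) -> list:
    """Sids of Allow statements that grant s3:PutObject on the bucket's objects
    without a StringEquals condition requiring the bucket-owner-full-control ACL."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        grants_put = any(a in ("s3:PutObject", "s3:Put*", "s3:*", "*")
                         for a in _as_list(st.get("Action", [])))
        on_objects = any(r in (bucket_arn + "/*", "*")
                         for r in _as_list(st.get("Resource", [])))
        if not (grants_put and on_objects):
            continue
        acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if REQUIRED_ACL not in _as_list(acl):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings

def put_statement(sid: str, with_condition: bool) -> dict:
    st = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": SOURCE_USER},
          "Action": "s3:PutObject", "Resource": DESTINATION_BUCKET_ARN + "/*"}
    if with_condition:
        st["Condition"] = {"StringEquals": {"s3:x-amz-acl": REQUIRED_ACL}}
    return st

# Constructed policies: one missing the ACL condition, one matching the post's corrected policy.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [put_statement("AllowPutNoAcl", False)]}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    put_statement("AllowPutWithAcl", True),
    {"Sid": "AllowList", "Effect": "Allow", "Principal": {"AWS": SOURCE_USER},
     "Action": "s3:ListBucket", "Resource": DESTINATION_BUCKET_ARN},
]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("good", GOOD_POLICY)):
        print(name, json.dumps(unguarded_put_statements(pol)))
```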
After completing the initial transfer, you can activate the Amazon S3 replication feature to ensure that any changes to objects are automatically replicated across accounts. Amazon S3 offers two types of replication to automatically copy objects across buckets, which can be owned by the same or different AWS accounts.
3.2 Employing Amazon S3 Batch Operations
If you have a large number of objects in your S3 bucket, you might want to use Amazon S3 Batch Operations to facilitate the bulk transfer of objects across AWS accounts.
4. Migrating Files from Amazon EFS
To transfer files from an Amazon EFS (Elastic File System) file system, you can use the following method.
4.1 Utilizing AWS DataSync
The most effective way to move data between EFS file systems is by employing the AWS DataSync agent.
AWS DataSync is a user-friendly service designed to make it easy to move, copy, and sync large amounts of data between your on-premises storage systems and AWS storage solutions. With DataSync, you can speed up and automate data transfers without having to change your applications, write scripts, or manage complex infrastructure.
One of the great features of AWS DataSync is the ability to deploy it within your Amazon Virtual Private Cloud (VPC) using VPC endpoints. This means that data is transferred directly between your DataSync agent and the service endpoints without needing a public IP address or internet access. By using VPC endpoints, you maintain complete control over your data traffic within your VPC at all times.
5. Migrating Database Resources
AWS provides a variety of specialized database engines. Here are several approaches for migrating relational databases.
5.1 AWS Database Migration Service (AWS DMS)
AWS DMS is well suited to this task. It lets you replicate data without affecting your operations. You can configure a DMS task for either a one-time migration or ongoing replication, which keeps the source and destination databases synchronized, so any changes you apply to the source are reflected in the destination.
5.2 RDS Snapshots
RDS snapshots allow you to back up your database and share those backups across different AWS accounts. These shared snapshots can be used to launch new Amazon Relational Database Service (RDS) instances in the destination account.
5.3 AWS Backup
Additionally, you can utilize AWS Backup to create automated backup policies for your AWS resources. The cross-account management feature within AWS Backup enables you to oversee and monitor backup, restore, and copy tasks across multiple AWS accounts. Once your backups are accessible in the target account, restoring RDS instances becomes a straightforward process. The steps for creating backup copies across AWS accounts are the same as those in section 2.1 above.
Final Note
We hope you liked this AWS migration guide. Migrating AWS resources can be intricate, but with the right tools and strategies, it becomes a streamlined process. Whether you're shifting infrastructure, compute resources, storage, or databases, AWS offers multiple efficient solutions. But if this seems overwhelming, or if you're looking for a seamless transition, hire an AWS expert. An experienced professional can ensure that your migration process is smooth, secure, and aligned with your specific needs. Let us handle the complexities so you can focus on leveraging the full potential of your AWS environment.