Deploying Security Groups via AWS Cloud Migration Factory
Deploying Security Groups through the AWS Cloud Migration Factory (CMF) typically occurs during the
Target Environment Build phase of migration waves. CMF automates repeatable infrastructure tasks—such as creating landing-zone networking and
security constructs—so migrated workloads land in a pre-secured environment.
1) Define Security Groups in CMF Configuration
CMF consumes CSV/JSON configuration files that describe target resources. For security groups, you'll typically use a sheet such as target_security_groups.csv, with one column per attribute:
- Security Group Name (e.g., AppServerSG)
- VPC ID or Name
- Inbound Rules (Protocol, Port, Source)
- Outbound Rules (Protocol, Port, Destination)
- Tags
CMF parses this file to generate security group resources for each migration wave.
2) Infrastructure Build Factory — Automated Provisioning
When you run the Build action for a wave, CMF:
- Reads the wave’s configuration (networking, SGs, subnets, etc.).
- Uses AWS CloudFormation and/or AWS SDK calls to create Security Groups in the target account and VPC.
- Applies the declared ingress/egress rules.
This happens before server cutover. Do not take "as declared" on trust: security groups are allow-only, so after the build diff the live rule set against the declared one, and treat any undeclared rule in the live set as an access widening that must be removed explicitly.
3) Linking Security Groups to Server Blueprints
In the application/server mapping CSV (e.g., application.csv or servers.csv), each target instance references:
- VPC/Subnet
- Security Group IDs or Names
(In the CMF intake form these are the per-server `subnet_IDs` and `securitygroup_IDs` attributes.) During the Launch / Deploy phase, CMF attaches the specified security groups to the EC2 instances it provisions. Multiple SGs can be attached. Two checks before launch: every referenced SG must already exist in the target account, and it must belong to the same VPC as the subnet the instance launches into, otherwise the EC2 launch fails.
4) Updating Security Groups Across Waves
CMF operations are idempotent:
- Re-running Build detects existing SGs and updates rules if the config changed.
- Useful for gradually opening access during iterative migrations.
Treat a re-run as additive until you have confirmed otherwise: diff the live rules against the declared ones after each re-run, and explicitly remove any rule that is no longer declared rather than assuming the build did so.
5) Example Security Group Definition Row
| SecurityGroupName | VPCName | Direction | Protocol | PortRange | Source/Dest | Description |
|---|---|---|---|---|---|---|
| AppServerSG | AppVPC | Inbound | TCP | 443 | 10.0.0.0/16 | HTTPS Access |
| AppServerSG | AppVPC | Outbound | All | All | 0.0.0.0/0 | Allow all egress |
6) Integrating with Existing Landing Zones
- Reference existing SG IDs (from Control Tower/Org landing zone) instead of creating new ones.
- Re-use pre-approved security baselines (e.g., SOC 2 / CIS-aligned controls).
7) Typical Deployment Workflow
- Upload SG configuration into CMF.
- Run Environment Build for the wave.
- CMF provisions networking + SGs in the target account/VPC.
- Launch servers using Migration Factory jobs.
- Verify the provisioned SGs and their rules in the AWS Console or CLI (the `describe-security-groups` call), comparing what is live against what the config declares.
8) Key Tips
- Version Control: Keep the CSV under source control; treat SG definitions as code and review rule changes like any other change.
- Least Privilege: Start narrow on ingress; expand only as needed. Apply the same to egress: the "allow all egress" row in the example above is convenient during cutover but should be narrowed to the destinations the workload actually needs once its dependencies are mapped.
- Naming: Align SG names with app tiers (e.g., WebSG, AppSG, DBSG).
- Testing: Validate in a pilot wave before scaling out.
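The example row in section 5, the "verify SGs" step of the workflow in section 7 and the least-privilege tip above are easiest to see together in code. The following Python is an added example, not part of the original page and not CMF's own code: it parses rows in the page's CSV layout, normalises them to the EC2 API's protocol/port vocabulary, shapes each as an IpPermissions entry (the structure boto3's authorize_security_group_ingress/egress expects), lints the set for over-broad access, and diffs it against a describe_security_groups-shaped response. The CSV rows, the live response and the sg- ID in it are constructed for the example; the SSH-from-anywhere row and the undeclared RDP rule are deliberate so the checks have something to find.

```python
import csv
import io
import ipaddress

# Constructed rows in the page's CSV layout; the SSH row is deliberately bad.
SG_CSV = """\
SecurityGroupName,VPCName,Direction,Protocol,PortRange,Source/Dest,Description
AppServerSG,AppVPC,Inbound,TCP,443,10.0.0.0/16,HTTPS Access
AppServerSG,AppVPC,Inbound,TCP,22,0.0.0.0/0,SSH from anywhere
AppServerSG,AppVPC,Outbound,All,All,0.0.0.0/0,Allow all egress
"""

# Constructed stand-in for ec2.describe_security_groups() output (placeholder
# GroupId): port 22 is missing and an undeclared RDP rule is present on purpose.
LIVE = {"SecurityGroups": [{
    "GroupName": "AppServerSG", "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

ANY = ("0.0.0.0/0", "::/0")

def _ports(port_range, proto):
    """'443' -> (443, 443); '1024-65535' -> (1024, 65535); 'All' -> (0, 65535);
    protocol -1 (all protocols) carries no port fields in the EC2 API."""
    if proto == "-1":
        return (None, None)
    if port_range.lower() == "all":
        return (0, 65535)
    lo, _, hi = port_range.partition("-")
    return (int(lo), int(hi or lo))

def parse_rows(text):
    """CSV rows -> rule dicts normalised to EC2 API protocol/port values."""
    rules = []
    for r in csv.DictReader(io.StringIO(text)):
        proto = r["Protocol"].strip().lower()
        proto = "-1" if proto == "all" else proto
        lo, hi = _ports(r["PortRange"].strip(), proto)
        rules.append({"sg": r["SecurityGroupName"].strip(),
                      "direction": r["Direction"].strip().lower(),
                      "proto": proto, "from": lo, "to": hi,
                      "cidr": r["Source/Dest"].strip(),
                      "desc": r["Description"].strip()})
    return rules

def to_ip_permission(rule):
    """One rule as an IpPermissions entry for authorize_security_group_ingress/egress."""
    perm = {"IpProtocol": rule["proto"],
            "IpRanges": [{"CidrIp": rule["cidr"], "Description": rule["desc"]}]}
    if rule["from"] is not None:   # omitted for IpProtocol "-1"
        perm["FromPort"], perm["ToPort"] = rule["from"], rule["to"]
    return perm

def lint(rules):
    """Least-privilege findings, one string per offending rule."""
    findings = []
    for r in rules:
        where = f'{r["sg"]} {r["direction"]} {r["proto"]} {r["from"]}-{r["to"]} {r["cidr"]}'
        try:
            ipaddress.ip_network(r["cidr"], strict=True)  # rejects host bits set
        except ValueError:
            findings.append(f"invalid CIDR: {where}")
            continue
        inbound = r["direction"] == "inbound"
        if inbound and r["cidr"] in ANY:
            findings.append(f"inbound open to the world: {where}")
        if inbound and (r["proto"] == "-1" or (r["from"], r["to"]) == (0, 65535)):
            findings.append(f"inbound allows every port: {where}")
        if not inbound and r["cidr"] in ANY and r["proto"] == "-1":
            findings.append(f"unrestricted egress: {where}")
    return findings

def verify(rules, described):
    """Diff declared rules against describe_security_groups output, by GroupName.
    Returns (missing, extra). IPv4 CIDR entries only; Ipv6Ranges and
    UserIdGroupPairs (SG-to-SG references) are not compared here."""
    live = {}
    for g in described["SecurityGroups"]:
        have = set()
        for direction, field in (("inbound", "IpPermissions"),
                                 ("outbound", "IpPermissionsEgress")):
            for p in g.get(field, []):
                for rng in p.get("IpRanges", []):
                    have.add((direction, p["IpProtocol"], p.get("FromPort"),
                              p.get("ToPort"), rng["CidrIp"]))
        live[g["GroupName"]] = have
    declared = {}
    for r in rules:
        declared.setdefault(r["sg"], set()).add(
            (r["direction"], r["proto"], r["from"], r["to"], r["cidr"]))
    missing, extra = set(), set()
    for sg, want in declared.items():
        have = live.get(sg, set())
        missing |= {(sg,) + t for t in want - have}   # declared, not in live
        extra |= {(sg,) + t for t in have - want}     # live, not declared
    return missing, extra

if __name__ == "__main__":
    rules = parse_rows(SG_CSV)
    print("lint:", *lint(rules), sep="\n  ")
    print("verify (missing, extra):", verify(rules, LIVE))
```

Pointing verify() at a real account means replacing LIVE with the result of boto3's describe_security_groups (filtered by the wave's vpc-id); everything it reports under extra widens access beyond the declaration and is the first thing to remove after a build, while missing tells you the build did not apply what the sheet says. Run lint() on the sheet before the build, in CI if the CSV is under source control, so an open-to-the-world ingress row never reaches the Build step.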