Step 7: Configure a migration automation server - Cloud Migration Factory on AWS

The migration automation server is used to run migration automation.

Build a Windows server

We recommend creating the server in your AWS account, but it can also be created in your on-premises environment. If built in an AWS account, it must be in the same AWS account and Region as Cloud Migration Factory. To review the server requirements, refer to Migration automation server.

We recommend using the Windows Server 2025 Base image, but Windows Server 2019 or later is supported. Wherever you deploy the Windows instance, we recommend deploying it as a standard installation that meets your security and operational requirements.

Note

When launching the instance, assign a Key Pair to retrieve the administrator password for RDP access. No inbound connections are required on your security group if you are using Windows Server 2019 Base or higher, because you use AWS Systems Manager (SSM) to connect.

Configure AWS permissions for the migration automation server

Depending on where you deploy the migration execution server, choose one of the options below to configure AWS permissions for the migration automation server. The IAM role or policy grants the automation server its permissions, including access to AWS Secrets Manager to get agent installation keys and factory service account credentials. You can deploy the migration automation server either to AWS as an EC2 instance or on-premises.

Option 1: Configure an EC2 migration automation server in the same account and Region

  1. Navigate to the AWS CloudFormation console and select the solution’s stack.

  2. Select the Outputs tab. Under the Key column, locate AutomationServerInstanceProfile and record the Value to use later in the deployment.

  3. Navigate to the Amazon Elastic Compute Cloud (EC2) console.

  4. From the left navigation pane, select Instances.

  5. On the Instances page, use the Filter Instances field and enter the name of the migration execution server to find the instance.

  6. Select the instance and select Actions on the menu.

  7. Select Security from the drop-down list, and then select Modify IAM role.

  8. From the list of IAM roles, locate and select the IAM role containing the value for AutomationServerInstanceProfile that you recorded earlier in this procedure and choose Save.

  9. Select the instance, then choose Connect.

  10. On the Session Manager tab, verify that the status shows Connected.

    Note

    If the instance does not connect after a few minutes, try connecting by using RDP. You must update your security groups to allow external connections because SSM isn’t connected yet.

  11. Add the following tag to the migration automation server EC2 instance: Key = role and Value = mf_automation.

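
The following PowerShell script is an added example, not part of the solution or its documentation. It uses the AWS CLI to confirm the results of Option 1: the instance profile, the role tag, the SSM connection, and which inbound security group rules exist. The `$InstanceId` and `$ExpectedProfile` parameters and the `Get-AwsJson` helper are names assumed for this example.

```powershell
# Added example: read-only checks for Option 1. Run where the AWS CLI is configured
# for the same account and Region as Cloud Migration Factory.
param(
    [Parameter(Mandatory)] [string] $InstanceId,      # placeholder: the server's instance ID
    [Parameter(Mandatory)] [string] $ExpectedProfile  # Value of AutomationServerInstanceProfile
)

function Get-AwsJson([string[]] $CliArgs) {
    # Run one AWS CLI command and return its parsed JSON output.
    $out = & aws @CliArgs --output json | Out-String
    if ($LASTEXITCODE -ne 0) { throw "aws $($CliArgs -join ' ') failed" }
    $out | ConvertFrom-Json
}

$inst = (Get-AwsJson 'ec2', 'describe-instances', '--instance-ids', $InstanceId).Reservations[0].Instances[0]

# Step 8: the attached instance profile contains the recorded value.
$profileOk = [bool]($inst.IamInstanceProfile.Arn -like "*$ExpectedProfile*")

# Step 11: tag keys and values are case-sensitive, so compare with -ceq.
$tagOk = [bool]($inst.Tags | Where-Object { $_.Key -ceq 'role' -and $_.Value -ceq 'mf_automation' })

# Step 10: Systems Manager reports the instance as Online.
$ssmArgs = @('ssm', 'describe-instance-information', '--filters', "Key=InstanceIds,Values=$InstanceId")
$ssmOk = [bool]((Get-AwsJson $ssmArgs).InstanceInformationList | Where-Object { $_.PingStatus -eq 'Online' })

# No inbound rules are needed when you connect through SSM. List any that exist,
# such as an RDP rule left in place after the fallback described in step 10.
$sgArgs = @('ec2', 'describe-security-groups', '--group-ids') + @($inst.SecurityGroups.GroupId)
$inbound = @(foreach ($g in (Get-AwsJson $sgArgs).SecurityGroups) {
    foreach ($p in $g.IpPermissions) {
        $src = @($p.IpRanges.CidrIp) + @($p.Ipv6Ranges.CidrIpv6) + @($p.UserIdGroupPairs.GroupId) |
            Where-Object { $_ }
        "{0}: protocol {1}, ports {2}-{3}, from {4}" -f $g.GroupId, $p.IpProtocol, $p.FromPort, $p.ToPort, ($src -join ',')
    }
})

[pscustomobject]@{
    InstanceProfileAttached = $profileOk
    RoleTagPresent          = $tagOk
    SsmOnline               = $ssmOk
    InboundRules            = $inbound
}
```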

Option 2: Configure an on-premises migration automation server

  1. Navigate to the AWS CloudFormation console and select the solution’s stack.

  2. Select the Outputs tab. Under the Key column, locate AutomationServerIAMPolicy and record the value to use later in the deployment.

  3. Navigate to the AWS Identity and Access Management (IAM) console.

  4. From the left navigation pane, select Users, then choose Add users.

  5. In the User name field, create a new user.

  6. Choose Next.

  7. On the Set permissions page, under Permissions options, select Attach policies directly. A list of policies displays.

  8. From the list of policies, locate and select the policy containing the value for AutomationServerIAMPolicy that you recorded in Launch the stack.

  9. Choose Next, then verify that the correct policy is selected.

  10. Choose Create user.

  11. After you’re redirected to the Users page, choose the user you created in the previous step, and then choose the Security credentials tab.

  12. In the Access keys section, choose Create access key.

    Note

    Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. If you don’t have access keys, you can create them from the AWS Management Console. As a best practice, do not use the root user access keys for any task where it’s not required. Instead, create a new administrator IAM user with access keys for yourself.

    The only time that you can view or download the secret access key is when you create the keys. You cannot recover them later. However, you can create new access keys at any time. You must also have permissions to perform the required IAM actions. For more information, see Permissions required to access IAM resources in the IAM User Guide.

  13. To view the new access key pair, choose Show. You will not have access to the secret access key again after this dialog box closes. Your credentials will look something like this:

    • Access key ID: AKIAIOSFODNN7EXAMPLE

    • Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

  14. To download the key pair, choose Download .csv file. Store the keys in a secure location. You will not have access to the secret access key again after this dialog box closes.

    Important

    Keep the keys confidential to protect your AWS account and never email them. Do not share them outside your organization, even if an inquiry appears to come from AWS or Amazon.com. No one who legitimately represents Amazon will ever ask you for your secret key.

  15. After you download the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.

  16. Use Remote Desktop Protocol (RDP) to log in to the migration execution server.

  17. Signed in as an administrator, open a command prompt (CMD.exe).

  18. Run the following commands to configure the AWS credentials on the server. Replace <your_access_key_id>, <your_secret_access_key>, and <your_region> with your values:

    SETX /m AWS_ACCESS_KEY_ID <your_access_key_id>
    SETX /m AWS_SECRET_ACCESS_KEY <your_secret_access_key>
    SETX /m AWS_DEFAULT_REGION <your_region>

  19. Reboot the automation server.

  20. Install the SSM agent using Hybrid mode (on-prem servers).

    1. Create a hybrid activation; see Create an activation (console) in the AWS Systems Manager User Guide. During this process, when asked to provide an IAM Role, select an existing IAM role and choose the role with the suffix -automation-server which was automatically created when the Cloud Migration Factory stack was deployed.

    2. Log in to the migration automation server as administrator.

    3. Install the SSM Agent; see Install SSM Agent for a hybrid and multicloud environment in the AWS Systems Manager User Guide. Use the hybrid activation created in step 20.a.

    4. After the SSM Agent is installed, in the SSM console, choose Fleet Manager. Identify the node ID that has the mi- prefix and an Online status.

    5. Select the Node ID and make sure that the IAM role is the one that you selected with the -automation-server suffix.

    6. Add the following tag for this Hybrid node: Key = role and Value = mf_automation. All lower case.


Install required software to support the automations

  1. To connect to the migration automation server, in the EC2 console, select the instance, and choose Connect > RDP client > Connect using Fleet Manager > Fleet Manager Remote Desktop. Log in as Administrator.

  2. Download Python v3.14.4. Other versions of Python might also work if installed for all users using the standalone Python installer (not the Python install manager).

  3. Run the Python installer and choose Customize installation.

  4. Choose Next, and select Install for all users and Add Python to environment variables. Choose Install.

  5. Verify that you have administrator privileges, open cmd.exe, and run the following commands to install the Python packages one at a time:

    python -m pip install requests
    python -m pip install paramiko
    python -m pip install boto3

    If any of these commands fail, upgrade pip by running the following command:

    python -m pip install --upgrade pip
  6. Install the AWS CLI (Command Line Interface) by running the following command:

    msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi

    For more information, refer to Install or update to the latest version of the AWS CLI in the AWS CLI User Guide.

  7. Open PowerShell, then install the PowerShell for AWS module, ensuring that you include the -Scope AllUsers parameter in the command.

    Install-Module -Name AWSPowerShell -Scope AllUsers

    For more information, refer to Installing the AWS Tools for PowerShell in the AWS Tools for PowerShell User Guide.

  8. To enable script execution, open PowerShell as Administrator and run the following command:

    Set-ExecutionPolicy RemoteSigned
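
The following PowerShell script is an added example, not part of the solution or its documentation. Run it on the migration automation server to check the results of the installation steps above, and to see whether static access keys are stored as machine-wide environment variables (Option 2). It reports only whether the keys are present, never their values.

```powershell
# Added example: local, read-only checks on the migration automation server.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Steps 2-4: python.exe is found in a directory on the machine-wide PATH.
$python = Get-Command python.exe -ErrorAction SilentlyContinue | Select-Object -First 1
$pythonDir = if ($python) { (Split-Path $python.Path).TrimEnd('\') }
$pythonAllUsers = [bool]($pythonDir -and ($machinePath -contains $pythonDir))

# Step 5: each required package imports without error.
$missing = @(foreach ($m in 'requests', 'paramiko', 'boto3') {
    if (-not $python) { $m; continue }
    & $python.Path -c "import $m" 2>$null
    if ($LASTEXITCODE -ne 0) { $m }
})

# Step 6: the AWS CLI is on PATH.
$awsCli = [bool](Get-Command aws.exe -ErrorAction SilentlyContinue)

# Step 7: -Scope AllUsers installs the module under Program Files.
$moduleAllUsers = [bool](Get-Module -ListAvailable -Name AWSPowerShell | Where-Object {
    $_.ModuleBase.StartsWith($env:ProgramFiles, [StringComparison]::OrdinalIgnoreCase) })

# Option 2 only: SETX /m stores the keys as machine-wide environment variables,
# which every process on the server inherits. On an Option 1 server this should
# be False, because environment credentials take precedence over the instance profile.
$staticKeys = [bool]([Environment]::GetEnvironmentVariable('AWS_ACCESS_KEY_ID', 'Machine'))

# Step 8: Set-ExecutionPolicy without -Scope writes the LocalMachine scope;
# a Group Policy scope, if defined, takes precedence over it.
[pscustomobject]@{
    PythonOnMachinePath     = $pythonAllUsers
    MissingPythonPackages   = $missing -join ','
    AwsCliFound             = $awsCli
    AwsPowerShellAllUsers   = $moduleAllUsers
    ExecutionPolicyMachine  = Get-ExecutionPolicy -Scope LocalMachine
    ExecutionPolicyInEffect = Get-ExecutionPolicy
    StaticKeysInMachineEnv  = $staticKeys
}
```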