AWS .NET Modernization Tools Porting Assistant (PA) for .NET, AWS App2Container (A2C), AWS Toolkit for .NET Refactoring (TR), and AWS Microservice Extractor (ME) for .NET is no longer open to new customers. If you would like to use the service, sign up prior to November 7, 2025. Alternatively use [AWS Transform](https://aws.amazon.com/transform/), which is an agentic AI service developed to accelerate enterprise modernization of .NET. # Security in AWS Toolkit for .NET Refactoring Security Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations. Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud: + **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Toolkit for .NET Refactoring, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/). + **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. This documentation helps you understand how to apply the shared responsibility model when using Toolkit for .NET Refactoring. The following topics show you how to configure Toolkit for .NET Refactoring to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Toolkit for .NET Refactoring resources. **Topics** + [ # AWS Identity and Access Management (IAM) ](dotnet-refactoring-iam.md) + [ # EULA ](eula.md) + [ # Data protection in AWS Toolkit for .NET Refactoring ](data-protection.md) + [ # AWS managed policies for AWS Toolkit for .NET Refactoring ](security-iam-awsmanpol.md) # AWS Identity and Access Management (IAM) AWS Identity and Access Management If you use Toolkit for .NET Refactoring with a license included Visual Studio Amazon Machine Image (AMI) on Amazon EC2, you can use the `refactoringtoolkit-RefactoringToolkitCallerRole` without providing credentials or modifying configuration files. For more information, see [Install Toolkit for .NET Refactoring](dotnet-refactoring-installation.md) in this guide. If you are not using Toolkit for .NET Refactoring with Amazon EC2 or if you prefer to create a user and assign roles to the user, follow the steps in this section to create the user, create access keys, and configure your AWS profile. **Topics** + [ ## Sign up for an AWS account ](#sign-up-for-aws) + [ ## Create a user with administrative access ](#create-an-admin) + [ ## Create access keys for your user ](#dotnet-refactoring-iam-access-key) + [ ## Configure your AWS profile ](#dotnet-refactoring-iam-profile) ## Sign up for an AWS account If you do not have an AWS account, complete the following steps to create one. **To sign up for an AWS account** 1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup). 1. Follow the online instructions. Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad. When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks). AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**. ## Create a user with administrative access After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks. **Secure your AWS account root user** 1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password. For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*. 1. Turn on multi-factor authentication (MFA) for your root user. For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*. **Create a user with administrative access** 1. Enable IAM Identity Center. For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*. 1. In IAM Identity Center, grant administrative access to a user. For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*. **Sign in as the user with administrative access** + To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user. For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*. **Assign access to additional users** 1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions. For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*. 1. Assign users to a group, and then assign single sign-on access to the group. For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*. ## Create access keys for your user Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS. To grant users programmatic access, choose one of the following options. **** | Which user needs programmatic access? | To | By | | --- | --- | --- | | IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/dotnet-refactoring-iam.html) | | Workforce identity (Users managed in IAM Identity Center) | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/dotnet-refactoring-iam.html) | | IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. | | IAM | (Not recommended)Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/tk-dotnet-refactoring/latest/userguide/dotnet-refactoring-iam.html) | ## Configure your AWS profile After you have created a user, you can configure your AWS named profile to apply settings and credentials to be applied when you run commands. **Configure AWS profile in the assessment tool** 1. In the Toolkit for .NET Refactoring assessment tool, navigate to **Set up Toolkit for .NET Refactoring**. 1. Choose **Add a profile** under **AWS named profile**. 1. Enter your new **Profile name**, **AWS access key ID**, and **AWS secret access key**. 1. Choose **Add**. **Configure AWS profile using the AWS CLI** 1. Run the following AWS CLI command to create a profile for Toolkit for .NET Refactoring. The profile is named `default` in the credentials file. ``` aws configure ``` 1. For each prompt, enter the corresponding information. + `AWS Access Key ID` + `AWS Secret Access Key` + `Default region name` (For example, `us-west-2`) + `Default output format` 1. After you configure the profile using the AWS CLI, Toolkit for .NET Refactoring will display the `default` profile under **AWS named profile** on the **Set up Toolkit for .NET Refactoring** page of the assessment tool. For more information about configuring the AWS CLI, see [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) in the *AWS CLI User Guide*. # EULA AWS Toolkit for .NET Refactoring is licensed as *AWS Content* under the terms and conditions of the AWS Customer Agreement. For more information, see [AWS Customer Agreement](https://aws.amazon.com/agreement/) and [AWS Service Terms](https://aws.amazon.com/service-terms/). By installing, using, or accessing AWS Toolkit for .NET Refactoring, you agree to such terms and conditions. The term *AWS Content* does not include software and assets distributed under separate license terms (such as code licensed under an open source license). # Data protection in AWS Toolkit for .NET Refactoring Data protection The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in AWS Toolkit for .NET Refactoring. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*. For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways: + Use multi-factor authentication (MFA) with each account. + Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3. + Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*. + Use AWS encryption solutions, along with all default security controls within AWS services. + Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3. + If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/). We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Toolkit for .NET Refactoring or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server. ## Data collected by Toolkit for .NET Refactoring Data collected If you accept the data collection option in the **Settings** menu of the Toolkit for .NET Refactoring extension, the following application data is collected: 1. Application errors generated when running assessments, porting, or when performing other functions provided by the Toolkit for .NET Refactoring extension. 1. Names and versions of public NuGet packages assessed by the Toolkit for .NET Refactoring extension. 1. Metrics for assessments run by the Toolkit for .NET Refactoring extension on public NuGet packages, such as the number of packages and solutions, and the amount of time taken to create a solution. You can change your data collection settings at any time in the **Settings** menu of the Toolkit for .NET Refactoring extension. Toolkit for .NET Refactoring will perform surface level analysis of your .NET Framework solution and generate a list of the following that are in use: + NuGet packages + NuGet APIs + .NET SDK APIs Only the generated list is stored in the S3 bucket you provide, and your source code never leaves your local system. Toolkit for .NET Refactoring has a scalable backend that processes source code metadata ephemerally. The backend returns compatibility and recommendation information back to you. For more information about data privacy, see [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). You can choose whether to encrypt your source code metadata that is uploaded to Amazon S3. Toolkit for .NET Refactoring supports using your own customer managed keys in AWS Key Management Service (AWS KMS) for encryption and decryption. For more information, see [Protecting data with encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) in the *Amazon Simple Storage Service User Guide* and [AWS KMS concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) in the *AWS Key Management Service Developer Guide*. **Encryption at rest** All data within Toolkit for .NET Refactoring is encrypted at rest in accordance with industry standards. **Encryption in transit** All requests to Toolkit for .NET Refactoring must be made over the Transport Layer Security protocol (TLS). We recommend TLS 1.2 or later. # AWS managed policies for AWS Toolkit for .NET Refactoring AWS managed policies To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions. Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*. ## AWS managed policy: AWSRefactoringToolkitFullAccess AWSRefactoringToolkitFullAccess Use this policy to test your application on AWS when you modernize your application with the AWS Toolkit for .NET Refactoring extension for Microsoft Visual Studio. Attach the policy to your local AWS profile. The policy grants permissions to upload application artifacts and download the resulting artifacts from S3. It grants permissions to build the application into a container image using AWS CodeBuild and store and retrieve the images in Amazon Elastic Container Registry (Amazon ECR). In addition, it allows for the deployment of the application to container services on AWS, such as Amazon Elastic Container Service (Amazon ECS), the optional creation of Amazon VPC resources, and the optional connection to existing infrastructure, such as AWS Directory Service. To view the permissions for this policy, see [AWSRefactoringToolkitFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSRefactoringToolkitFullAccess.html) in the *AWS Managed Policy Reference*. **Permission details** This policy includes permissions for the following services: + Application Transformation – Allows Toolkit for .NET Refactoring to perform compatibility assessments along with containerization and deployment operations. + Amazon CloudWatch – Allows Toolkit for .NET Refactoring to create log groups and store log output from Toolkit for .NET Refactoring operations and your applications. + Amazon Elastic Compute Cloud (Amazon EC2) – Allows Toolkit for .NET Refactoring to create and modify security groups, internet gateways, and Amazon VPC. + Amazon Elastic Container Registry (Amazon ECR) – Allows Toolkit for .NET Refactoring to create and read your Amazon ECR repository and to tag resources. + Amazon Elastic Container Service (Amazon ECS) – Allows Toolkit for .NET Refactoring to run your container images as tasks in Amazon ECS and to facilitate debugging. + Amazon Simple Storage Service (Amazon S3) – Allows Toolkit for .NET Refactoring to list and manage objects from Amazon S3 buckets that are used by Toolkit for .NET Refactoring. + CloudFormation – Allows Toolkit for .NET Refactoring to deploy the infrastructure components of CodeBuild and application deployment in the form of CloudFormation stacks. + AWS CodeBuild – Allows Toolkit for .NET Refactoring to allocate resources for CodeBuild projects and start builds. + AWS Identity and Access Management (IAM) – Allows Toolkit for .NET Refactoring to verify which roles are passed to other AWS services. + AWS Key Management Service (AWS KMS) – Allows Toolkit for .NET Refactoring to utilize user-provided KMS keys across AWS services for encryption. + AWS Systems Manager (Systems Manager) – Allows Toolkit for .NET Refactoring to manage Systems Manager parameters and communicate with Amazon ECS tasks. ## AWS managed policy: AWSRefactoringToolkitSidecarPolicy AWSRefactoringToolkitSidecarPolicy This policy is used by the Amazon ECS tasks that are created to run a test application on AWS with the AWS Toolkit for .NET Refactoring extension for Microsoft Visual Studio. The policy grants permissions to download application artifacts from S3 and to communicate the status of the task using AWS Systems Manager. To view the permissions for this policy, see [AWSRefactoringToolkitSidecarPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSRefactoringToolkitSidecarPolicy.html) in the *AWS Managed Policy Reference*. ## Toolkit for .NET Refactoring updates to AWS managed policies Policy updates View details about updates to AWS managed policies for Toolkit for .NET Refactoring since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Toolkit for .NET Refactoring Document history page. | Change | Description | Date | | --- | --- | --- | | [AWSRefactoringToolkitFullAccess](#AWSRefactoringToolkitFullAccess) – Updated policy | Modified the permissions for CreateTags by adding conditions that use the aws:CallVia condition key. | April 9, 2025 | | [AWSRefactoringToolkitFullAccess](#AWSRefactoringToolkitFullAccess) – Updated policy | Added permissions for the `cloudformation:TagResource` and `cloudformation:UntagResource` actions to manage resource tags on stacks created for AWS App2Container. | March 25, 2024 | | [AWSRefactoringToolkitFullAccess](#AWSRefactoringToolkitFullAccess) – Updated policy | Added permissions for `application-transformation` actions and KMS permissions for resources matching `ForAnyValue:StringLike` with `"kms:ResourceAliases": "alias/application-transformation*"`. Changed permissions for EC2, ECR, ECS, and CloudWatch Logs to scope them to the `application-transformation` request and resource tag. | November 18, 2023 | | [AWSRefactoringToolkitFullAccess](#AWSRefactoringToolkitFullAccess) – Updated policy | Added `ListStacks` permissions. | March 22, 2023 | | [AWSRefactoringToolkitFullAccess](#AWSRefactoringToolkitFullAccess) – Updated policy | Added tagging permissions that allow new accounts to perform the `CreateLogGroup` action. | December 15, 2022 | | [AWSRefactoringToolkitSidecarPolicy](#AWSRefactoringToolkitSidecarPolicy) – Updated policy | Added permissions to open a data channel to transfer files to the customer's container. | October 29, 2022 | | [AWSRefactoringToolkitFullAccess](#AWSRefactoringToolkitFullAccess) – New policy | Added the `AWSRefactoringToolkitFullAccess` policy. | October 25, 2022 | | [AWSRefactoringToolkitSidecarPolicy](#AWSRefactoringToolkitSidecarPolicy) – New policy | Added the AWSRefactoringToolkitSidecarPolicy policy. | October 25, 2022 |