NEW - You can now accelerate your migration and modernization with AWS Transform. Read [Getting Started](https://docs.aws.amazon.com/transform/latest/userguide/getting-started.html) in the *AWS Transform User Guide*. # Manage large-scale migrations with global view Global view The AWS Application Migration Service (AWS MGN) global view feature enables you to manage large-scale migrations across multiple accounts. Global view provides visibility, and the ability to perform actions on source servers, apps, and waves in different AWS accounts. Global view utilizes AWS Organizations to structure a management account that has access to source servers in multiple member accounts, and member accounts that only have access to their own source servers. To use this feature: + You need to have an AWS account in which AWS Application Migration Service is initialized. + The account must be a management account in AWS Organizations, or a delegated admin for AWS Application Migration Service which has the same feature permissions as a management account in AWS Organizations. # Setting up your AWS Organization Setting up your AWS Organization The AWS Organizations service enables you to consolidate multiple AWS accounts into a single organization that you create and manage. You can create member accounts or invite existing accounts to join your organization. [Learn more about AWS Organizations.](https://docs.aws.amazon.com/organizations/index.html) To use global view, first create your organization in the AWS Organizations console: 1. Go to the AWS Organizations console. 1. [Create a new AWS organization.](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html) 1. [Invite member accounts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html) you want to manage within AWS MGN. # Activate trusted access for AWS Application Migration Service Activate trusted access To use global view, you must activate trusted access to AWS Application Migration Service (AWS MGN) for your organization. Attach the [AWSOrganizationsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsFullAccess.html) managed policy to the user. To enable service access for your organization, take the following steps: 1. Activate trusted access for AWS MGN 1. Log in as management account. 1. Select **Global view** from the left-hand navigation menu. 1. Activate service access by clicking the 'Enable AWS Organizations service access' button [Learn more about activating trusted access.](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) 1. Select members and turn them into delegated admins for AWS MGN by calling the [RegisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html) API, including the service name: ``` { "AccountId": "string", "ServicePrincipal": "mgn.amazonaws.com" } ``` **Important** You can register up to 5 delegated administrators. # Setting up CloudFormation StackSets Setting up StackSets After you set up your organization, you need to configure CloudFormation StackSets to create the required role per management account: AWSApplicationMigrationSharingRole\$1. AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation. [Learn more about CloudFormation StackSets.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) **Important** StackSet automatically creates the roles in all accounts. You can choose to create the roles manually in each member account of the organization, however, this must be done for each account individually. To set up your StackSet: 1. Go to the CloudFormation console. 1. Select **StackSets.** 1. Click the **Activate trusted access** button. 1. Create StackSet. 1. On the **Choose a template** page, under **Prerequisites – prepare template**, choose **Use a sample template**. 1. Under **Select a sample template**, select **Create roles to access multiple accounts via AWS Application Migration Service**, and choose **Next**. 1. Provide the name and description or use the existing values. 1. Under **Parameters**, add the account ID of each admin or delegated admin and choose **Next**. 1. Select or provide the required parameters . **Important** Under **Deployment targets**, select **Deploy to organization**. Select only one specific AWS Region – we recommend that you select your StackSet Region. To provide enhanced stability, we recommend that you set the **Failure tolerance optional** to a high value - at least as high as the number of accounts within the organization. 1. Check the box next to **I acknowledge that AWS CloudFormation might create IAM resources with custom names** and choose **Submit**. Once all the steps are completed, you should be able to see your new StackSet in **StackSet details > Stack instances**. # Using an AWS KMS customer managed key for encryption in member account Using an AWS KMS customer managed key for encryption If you decide to use a customer managed key, or if your default Amazon EBS encryption key is a customer managed key in member account, you must add permissions to the AWSApplicationMigrationSharingRole\$1 to allow management account to use it. Using Administrator access, add these permissions to the AWSApplicationMigrationSharingRole\$1: # Inviting an AWS account to join your organization Inviting other accounts After you create an organization and verify the email address associated with the management account, you can invite existing AWS accounts to join your organization. Only management accounts can send an invitation to other accounts. When you invite an account, AWS Organizations sends an invitation to the account owner, who decides whether to accept or decline the invitation. You can use the AWS Organizations console to initiate and manage invitations that you send to other accounts. [Learn how to send invitations to other AWS accounts.](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html) # Using global view Use the global view feature to see source servers across various member accounts and to perform various actions such as installing the SSM Agent. To use global view attach the [AWSOrganizationsReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsReadOnlyAccess.html) managed policy to the user. The main **Global view** page provides an overview of your account. The information differs for a management account and a member account. + Management account: Displays **Account information** that includes the AWS organizations permissions, number of linked accounts, and the total number of source servers, applications, and waves. The **Linked account** section displays the relevant information only for the linked accounts. + Member account: Displays the **Account information** that includes the AWS organizations permissions, and the number of source servers, applications, and waves in the specific account. As a management account, you are able to choose **All accounts** and **My account** from the drop-down menu, changing your view of source servers, applications, or waves. ## Source servers in member accounts As a management account, you can view source servers in your account and all member accounts. You can also perform specific actions on managed servers. ### Single managed source server As a management account, you can perform the following actions on a single managed source server. + Change staging disk type + Edit replication settings + Launch settings – edit general launch settings only + Post launch + Deactivate the post-launch feature for this server + Change deployment settings (test and cutover, test only, or cutover only) + Start/stop replication + Test and cutover drop-down menu: + Launch test + Mark as ready for cutover + Revert to ready for testing + Launch cutover + Finalize cutover + Revert to ready for cutover + Terminate launch instances ### Multiple managed source server As a management account, you can perform the following actions on multiple managed source servers. + Edit replication settings – the edited servers must be from the same account + Add server to application – the added servers must be from the same account + Disconnect servers from service + Mark as archived + Start/stop replication + Change staging disk type + Edit replication settings + Launch settings – edit general launch settings only + Post launch + Deactivate the post-launch feature for this server + Change deployment settings (test and cutover, test only, or cutover only) + Start/stop replication + Test and cutover drop-down menu: + Launch test + Mark as ready for cutover + Revert to ready for testing + Launch cutover + Finalize cutover + Revert to ready for cutover + Terminate launch instances ## Applications As a management account, you can perform the following actions on a single or multiple managed applications: + Add application + Edit application + Delete application + Test and cutover drop-down menu (these actions can also be performed on multiple applications): + Launch test + Mark as ready for cutover + Revert to ready for testing + Launch cutover + Finalize cutover + Revert to ready for cutover + Add application to wave + Start/stop replication + Archive application ## Waves As a management account, you can perform the following actions on a single managed applications: + Add wave + Edit wave + Delete wave + Test and cutover drop-down menu (these actions can also be performed on multiple waves): + Launch test + Mark as ready for cutover + Revert to ready for testing + Launch cutover + Finalize cutover + Revert to ready for cutover + Add application to wave + Start/stop replication + Archive application ## Import/Export Use this feature to import and export your source servers, applications, and waves from a single or multiple accounts using the CSV template file.