

# Plan your deployment

This section helps you plan your cost, security, AWS Regions, and deployment types for the Cloud Migration Factory on AWS solution.

# Cost


You are responsible for the cost of the AWS services used while running this solution. As of this revision, the estimated cost for running this solution with default settings in the US East (N. Virginia) Region, assuming that you migrate 200 servers a month, is approximately **\$14.31 per month**. The cost depends on the amount of data being loaded, requested, stored, processed, and presented, as shown in the following table.


| AWS service | Factors | Cost/month [USD] | 
| --- | --- | --- | 
|   **Core services**   |  |  | 
|  Amazon API Gateway  |  10,000 requests/month x (\$3.50/million)  |  \$0.035  | 
|  AWS Lambda  |  10,000 invocations/month (avg 3,000 ms duration and 128 MB memory)  |  \$0.065  | 
|  Amazon DynamoDB  |  20,000 write requests/month x (\$1.25/million); 40,000 read requests/month x (\$0.25/million); data storage: 1 GB x \$0.25  |  \$0.035  | 
|  Amazon S3  |  Storage (10 MB) and 50,000 GET requests/month  |  \$0.25  | 
|  Amazon CloudFront  |  Regional data transfer out to internet: first 10 TB; regional data transfer out to origin: all data transfer; HTTPS requests: 50,000 requests/month x (\$0.01/10,000 requests)  |  \$0.92  | 
|  AWS Systems Manager  |  10,000 steps/month  |  \$0.00  | 
|  AWS Secrets Manager  |  5 secrets x 30 days duration  |  \$2.00  | 
|  Amazon Cognito (direct sign-in)  |  Up to 50,000 monthly active users (MAUs) covered by AWS Free Tier  |  \$0.00  | 
|  Amazon Athena  |  10 MB daily x \$5.00 per TB of data scanned  |  \$0.0015  | 
|   **Optional services**   |  |  | 
|  AWS Glue (optional migration tracker)  |  2 mins daily x default 10 DPU x \$0.44 per DPU-hour  |  \$4.40  | 
|  AWS WAF  |  2 Web ACLs at \$5.00 per month (prorated hourly); 2 rules at \$1.00 per month (prorated hourly); 10,000 requests x (\$0.60 per 1 million requests)  |  \$6.60  | 
|  Amazon Cognito (SAML sign-in)  |  Up to 50 MAUs covered by AWS Free Tier; above 50 MAUs, \$0.015/MAU  |  \$0.00  | 
|  |   **Total:**   |   **\$14.31/month**   | 

## (Recommended) Deploy an Amazon Elastic Compute Cloud instance to help run automation scripts


We recommend deploying an Amazon Elastic Compute Cloud (Amazon EC2) instance from which automation scripts call the solution’s APIs and AWS APIs (through Boto3). The instance obtains its AWS credentials from an IAM role attached to it, so no long-lived access keys need to be stored on the server. The following cost estimate assumes that the Amazon EC2 instance is located in the `us-east-1` Region and runs eight hours a day, five days a week.


| AWS service | Factors | Cost/month [USD] | 
| --- | --- | --- | 
|  Amazon EC2  |  176 hours a month x \$0.1108 per hour (`t3.large`)  |  \$19.50  | 
|  Amazon Elastic Block Store (Amazon EBS)  |  30 GB x \$0.08/GB-month (gp3) x (176 hours/720 hours)  |  \$0.59  | 
|  |   **Total:**   |   **\$20.09**   | 

Prices are subject to change. For full details, refer to the pricing webpage for each AWS service you will be using in this solution.

# Security


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared model](https://aws.amazon.com/compliance/shared-responsibility-model/) can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. For more information about security on AWS, visit [AWS Cloud Security](https://aws.amazon.com/security).

## IAM roles


AWS Identity and Access Management (IAM) roles allow you to assign granular access policies and permissions to services and users in the AWS Cloud. This solution creates IAM roles that grant its AWS Lambda functions access to the other AWS services used in the solution. If you extend the solution, keep any permissions you add scoped to the specific resources and actions a function needs.

## Amazon Cognito


The Amazon Cognito user created by this solution is a local user-pool user whose credentials are accepted only by the solution’s REST APIs. This user is not an IAM principal and has no permissions to access any other services in your AWS account. For more information, refer to [Amazon Cognito User Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) in the *Amazon Cognito Developer Guide*.

The solution optionally supports external SAML sign-in through the configuration of federated identity providers and the hosted UI functionality of Amazon Cognito.

## Amazon CloudFront


This default solution deploys a web console [hosted](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) in an Amazon S3 bucket. To help reduce latency and improve security, this solution includes an [Amazon CloudFront](https://aws.amazon.com/cloudfront/) distribution with an origin access identity (OAI), a special CloudFront principal that the bucket policy trusts to read the website bucket contents. Users reach the console only through the CloudFront distribution; the bucket itself does not need to allow public access. For more information, refer to [Restricting Access to Amazon S3 Content by Using an Origin Access Identity](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*.
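The security-relevant property of the CloudFront-plus-OAI arrangement is the shape of the website bucket policy: the only `Allow` should name the OAI, never the public. The following added example (not code from the Cloud Migration Factory solution) places a world-readable bucket policy beside the OAI-restricted form and audits both; the bucket name, OAI ID and distribution ARN are placeholders, and the origin access control (OAC) pattern is recognised as well so the check stays useful on newer distributions.

```python
"""Audit an S3 website-bucket policy for the CloudFront-only access pattern.

Added example; not code from the Cloud Migration Factory solution. Two bucket
policies are constructed inline: the weak one makes every object world-readable,
the hardened one grants s3:GetObject only to a CloudFront origin access identity.
Bucket name, OAI ID and distribution ARN are placeholders.
"""
import json

OAI_PRINCIPAL_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

WEAK_POLICY = {  # anyone on the internet can read the console bucket directly
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::cmf-web-console-bucket/*",
    }],
}

HARDENED_POLICY = {  # only the CloudFront OAI may read; users must come via the distribution
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAIReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": OAI_PRINCIPAL_PREFIX + "E1EXAMPLE123456"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::cmf-web-console-bucket/*",
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principals(statement):
    """Yield (kind, value) pairs; a bare "*" principal is reported as ("*", "*")."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*", "*"
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield kind, value


def audit_bucket_policy(policy: dict) -> list:
    """Return findings for Allow statements that do not fit the CloudFront-only model.

    Recognised as intended: an OAI principal, or the OAC pattern (Principal Service
    cloudfront.amazonaws.com with an aws:SourceArn condition). Everything else, in
    particular Principal "*" without a Condition, is reported.
    """
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = ", ".join(_as_list(statement.get("Action", [])))
        # Condition keys are case-insensitive in IAM, so compare lower-cased.
        condition_keys = {k.lower() for block in statement.get("Condition", {}).values() for k in block}
        for kind, value in _principals(statement):
            if value == "*" and not condition_keys:
                findings.append(f"statement {index}: '{actions}' is granted to everyone (Principal *)")
            elif kind == "AWS" and value.startswith(OAI_PRINCIPAL_PREFIX):
                continue  # CloudFront OAI: the intended reader
            elif kind == "Service" and value == "cloudfront.amazonaws.com" and "aws:sourcearn" in condition_keys:
                continue  # origin access control pattern, also CloudFront-only
            else:
                findings.append(f"statement {index}: '{actions}' is granted to {kind} {value}; confirm this is intended")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(policy) or "OK")
    print(json.dumps(HARDENED_POLICY, indent=2))  # document to apply with put-bucket-policy
```

Run the audit against the live policy returned by `s3 get-bucket-policy` after deployment; a finding on the console bucket means the web console can be fetched around CloudFront, which also bypasses any AWS WAF rules attached to the distribution.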

If the **private** deployment type is selected during stack deployment, no CloudFront distribution is deployed, and you must use another web hosting service to host the web console.

## AWS WAF - Web Application Firewall


If the deployment type selected in the stack is Public with [AWS WAF](https://aws.amazon.com/waf/), the CloudFormation template deploys AWS WAF Web ACLs and rules configured to protect the CloudFront, API Gateway, and Amazon Cognito endpoints created by the CMF solution. These endpoints are restricted so that only the source IP addresses you specify can reach them. Two CIDR ranges must be supplied during stack deployment; additional rules can be added after deployment through the AWS WAF console.

**Important**  
When configuring WAF IP restrictions, ensure that the IP address of your CMF automation server or the outgoing NAT Gateway IP is included in the allowed CIDR ranges. This is critical for the proper functioning of CMF automation scripts that need to access the solution’s API endpoints.
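Because the two CIDR ranges are fixed at stack creation and the Web ACL drops everything else, it is worth validating them before you deploy. The following added pre-flight check (not part of the solution) confirms that the automation server's public IP, or the NAT gateway it egresses through, is inside the ranges, and flags ranges that are too wide to be an allow-list at all; the threshold of /16 is an assumption of this example, and all addresses are constructed from RFC 5737 documentation ranges.

```python
"""Pre-flight check for the AWS WAF allow-list CIDRs supplied at stack deployment.

Added example; not part of the Cloud Migration Factory solution. Validates the
CIDR ranges intended for the Web ACL's IP allow-list and confirms that the public
IP of the automation server (or its NAT gateway) is covered, before the Web ACL
starts rejecting the server's API calls.
"""
import ipaddress

# Assumed policy threshold for this example (not a WAF limit): a range wider than
# /16 is treated as too permissive for an allow-list whose purpose is IP restriction.
MAX_PREFIX_WIDTH = 16


def normalise_cidr(cidr: str) -> str:
    """Return the range in network form, e.g. '203.0.113.9' -> '203.0.113.9/32'
    and '10.0.1.5/24' -> '10.0.1.0/24'. WAF IP sets take CIDR notation, so a
    single host is written as /32 and host bits are cleared."""
    return str(ipaddress.ip_network(cidr, strict=False))


def validate_allow_list(cidrs, required_ips):
    """Validate the allow-list ranges and check that each required IP is covered.

    Returns {'cidrs': [normalised ranges], 'problems': [human-readable issues]};
    an empty 'problems' list means the parameters are safe to deploy.
    """
    problems, networks = [], []
    for raw in cidrs:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            problems.append(f"{raw!r} is not a valid CIDR range")
            continue
        if net.version != 4:
            problems.append(f"{raw!r} is not IPv4; IPv6 sources need a separate IPv6 IP set")
            continue
        if net.prefixlen < MAX_PREFIX_WIDTH:
            problems.append(f"{raw!r} is wider than /{MAX_PREFIX_WIDTH}: allow-list is too permissive")
        networks.append(net)

    for ip_str in required_ips:
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            problems.append(f"{ip_str!r} is not a valid IP address")
            continue
        if not any(ip in net for net in networks):
            problems.append(f"{ip_str} (automation server / NAT gateway) is not covered; "
                            "its API calls would be blocked by the Web ACL")

    return {"cidrs": [str(n) for n in networks], "problems": problems}


if __name__ == "__main__":
    # Constructed values: two office ranges for the stack parameters, the NAT gateway
    # EIP of the automation server's VPC, and a laptop on a range that was forgotten.
    report = validate_allow_list(
        cidrs=["198.51.100.0/24", "203.0.113.0/26"],
        required_ips=["203.0.113.17", "192.0.2.44"],
    )
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    print("allow-list:", report["cidrs"])
```

Remember that the automation server's own private address is irrelevant here: WAF sees the address the request arrives from, which for an instance in a private subnet is the NAT gateway's Elastic IP.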

## Amazon API Gateway


This solution deploys Amazon API Gateway REST APIs and uses the default API endpoint and its SSL/TLS certificate. The default API endpoint uses a security policy that still accepts TLS 1.0 connections. We recommend the `TLS_1_2` security policy, which enforces TLS 1.2 or later; because the security policy is a property of a custom domain, this requires your own custom domain name and custom SSL certificate. For more information, refer to [choosing a minimum TLS version for a custom domain in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html) and [configuring custom domains](https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html) in the *Amazon API Gateway Developer Guide*.
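Once the custom domain is in place, verify from outside that the legacy versions are actually refused rather than trusting the console setting. The following added probe (not code from the solution) pins a client to one TLS version at a time and reports which ones the endpoint completes a handshake for; the host name is a placeholder, the network part needs connectivity to that host, and the verdict logic is kept separate so it can be checked offline.

```python
"""Check which TLS versions an API endpoint will negotiate.

Added example; not code from the Cloud Migration Factory solution. After attaching a
custom domain with the TLS_1_2 security policy, this is the external check that
TLS 1.0 and 1.1 are really refused.
"""
import socket
import ssl

PROBE_VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = ("TLSv1.0", "TLSv1.1")


def negotiates(host: str, version: ssl.TLSVersion, port: int = 443, timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # the question is version acceptance, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses to even offer TLS 1.0/1.1 above security level 0.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL or an older OpenSSL without security levels
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe(host: str, port: int = 443) -> dict:
    """Map each TLS version name to whether `host` accepted it."""
    return {name: negotiates(host, version, port) for name, version in PROBE_VERSIONS}


def assess(results: dict) -> dict:
    """Decide whether the endpoint meets the 'TLS 1.2 or later' bar.

    A host that accepts nothing at all is reported as non-compliant with an
    'unreachable' reason, so a firewalled probe cannot masquerade as a pass.
    """
    legacy_accepted = [name for name in LEGACY if results.get(name)]
    modern_accepted = [name for name in ("TLSv1.2", "TLSv1.3") if results.get(name)]
    if not modern_accepted and not legacy_accepted:
        return {"compliant": False, "legacy_accepted": [],
                "reason": "no TLS version negotiated (unreachable or probe blocked)"}
    if legacy_accepted:
        return {"compliant": False, "legacy_accepted": legacy_accepted,
                "reason": "legacy TLS still accepted"}
    return {"compliant": True, "legacy_accepted": [], "reason": "only TLS 1.2+ negotiated"}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "api.example.com"  # placeholder custom domain
    results = probe(host)
    print(results)
    print(assess(results))
```

If your Python build cannot offer TLS 1.0/1.1 at all (the `set_ciphers` call is rejected), a legacy "refused" result may reflect the client rather than the server; cross-check with `openssl s_client -tls1` and `-tls1_1` against the same host.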

## Amazon CloudWatch Alarms / Canaries


Amazon CloudWatch alarms help you verify that the solution’s functional and security assumptions continue to hold. The solution includes logging and metrics for its AWS Lambda functions and API Gateway endpoints. If you need additional monitoring for your use case, you can configure CloudWatch alarms to monitor:
+  **API Gateway Monitoring:** 
  + Set up alarms for 4XX and 5XX errors to detect unauthorized access attempts (for example, a burst of 401 or 403 responses) or API issues
  + Monitor API Gateway latency to ensure performance
  + Track the count of API requests to identify unusual patterns
+  **AWS Lambda Function Monitoring:** 
  + Create alarms for Lambda function errors and timeouts
  + Monitor Lambda function duration to ensure optimal performance
  + Set up alarms for concurrent executions to prevent throttling

You can create these alarms using the CloudWatch console or through AWS CloudFormation templates. For detailed instructions on creating CloudWatch alarms, refer to [Creating Amazon CloudWatch Alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) in the *Amazon CloudWatch User Guide*.
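A 4XX alarm tells you that failures are rising; the next question is which source is producing them. The following added example (not part of the solution) runs that detection over API Gateway access-log lines: it reports any source IP whose 401/403 count reaches a threshold inside a sliding window, and computes the 5XX rate the corresponding alarm would measure. The log lines are constructed, and the field names assume an access-log format you have defined from `$context.identity.sourceIp`, `$context.requestTimeEpoch`, `$context.httpMethod`, `$context.resourcePath` and `$context.status`.

```python
"""Detection logic behind the API Gateway 4XX/5XX alarms, run over sample access logs.

Added example; not part of the Cloud Migration Factory solution. Reads JSON
access-log lines (one per line) and reports source IPs that exceed a number of
401/403 responses inside a sliding window.
"""
import json
from collections import defaultdict

# Constructed sample: 203.0.113.7 probes the API and collects six auth failures in
# under a minute, 198.51.100.20 is a normal user with one denied call, and one
# request hits a 502 from the backend.
SAMPLE_LOG = """\
{"ip":"203.0.113.7","requestTimeEpoch":1725969601000,"httpMethod":"GET","resourcePath":"/user/servers","status":403}
{"ip":"198.51.100.20","requestTimeEpoch":1725969603000,"httpMethod":"GET","resourcePath":"/user/servers","status":200}
{"ip":"203.0.113.7","requestTimeEpoch":1725969605000,"httpMethod":"GET","resourcePath":"/admin/schema","status":403}
{"ip":"203.0.113.7","requestTimeEpoch":1725969609000,"httpMethod":"POST","resourcePath":"/admin/users","status":403}
{"ip":"198.51.100.20","requestTimeEpoch":1725969610000,"httpMethod":"DELETE","resourcePath":"/admin/users","status":403}
{"ip":"203.0.113.7","requestTimeEpoch":1725969615000,"httpMethod":"GET","resourcePath":"/user/apps","status":403}
{"ip":"203.0.113.7","requestTimeEpoch":1725969622000,"httpMethod":"GET","resourcePath":"/user/waves","status":403}
{"ip":"203.0.113.7","requestTimeEpoch":1725969630000,"httpMethod":"GET","resourcePath":"/login","status":401}
{"ip":"198.51.100.20","requestTimeEpoch":1725969640000,"httpMethod":"GET","resourcePath":"/user/servers","status":200}
{"ip":"198.51.100.21","requestTimeEpoch":1725969660000,"httpMethod":"GET","resourcePath":"/user/servers","status":502}
"""

AUTH_FAILURE_STATUSES = {401, 403}


def parse_access_log(text):
    """Parse JSON access-log lines into dicts with typed fields; skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
            events.append({
                "ip": record["ip"],
                "ts": int(record["requestTimeEpoch"]) / 1000.0,   # epoch milliseconds -> seconds
                "status": int(record["status"]),
                "method": record["httpMethod"],
                "path": record["resourcePath"],
            })
        except (ValueError, KeyError):
            continue  # a bad line must not hide the rest of the log
    return events


def auth_failure_bursts(events, threshold=5, window_seconds=300):
    """Return [(ip, max_failures_in_window)] for IPs whose 401/403 count in any
    sliding window reaches the threshold. Two-pointer scan over each IP's sorted
    failure timestamps."""
    per_ip = defaultdict(list)
    for e in events:
        if e["status"] in AUTH_FAILURE_STATUSES:
            per_ip[e["ip"]].append(e["ts"])
    alerts = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((ip, best))
    return sorted(alerts, key=lambda a: -a[1])


def server_error_rate(events):
    """Fraction of requests with a 5XX status, the per-log equivalent of the 5XXError metric."""
    if not events:
        return 0.0
    return sum(1 for e in events if 500 <= e["status"] < 600) / len(events)


if __name__ == "__main__":
    evs = parse_access_log(SAMPLE_LOG)
    for ip, count in auth_failure_bursts(evs):
        print(f"ALERT {ip}: {count} auth failures within 5 minutes")
    print(f"5XX rate: {server_error_rate(evs):.1%}")
```

The same logic expressed as a CloudWatch Logs Insights query over the API Gateway access-log group gives you the per-IP breakdown directly in the console; the alarm itself remains the cheap, always-on signal.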

## Customer Managed AWS KMS Keys


This solution encrypts data at rest and, by default, uses AWS managed keys for customer data. These keys encrypt your data automatically and transparently before it is written to the storage layers. If you need more control over the encryption process, customer managed AWS KMS keys let you define the key policy, audit every use of the key through AWS CloudTrail, and manage rotation yourself, at the cost of administering the keys. For more information, refer to [Basic Concepts](https://docs.aws.amazon.com/kms/latest/cryptographic-details/basic-concepts.html) and [AWS KMS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) in the *AWS Key Management Service Developer Guide*.

## Log Retention


This solution captures application and service logs by creating Amazon CloudWatch Logs log groups in your account. By default, logs are kept for 10 years. You can adjust the `LogRetentionPeriod` parameter for each log group, either switching to indefinite retention or choosing a retention period between one day and 10 years, according to your requirements. For more information, refer to [What is Amazon CloudWatch Logs?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html#cloudwatch-logs-features) in the *Amazon CloudWatch Logs User Guide*.

## Amazon Bedrock


The solution automatically selects the best available foundation model for your Region during CloudFormation stack deployment. The selection is made by a Lambda function that calls `list_foundation_models()` and chooses the first model from the following priority order that is listed in the Region:

1. `anthropic.claude-sonnet-4-20250514-v1:0` (Sonnet 4)
2. `anthropic.claude-3-7-sonnet-20250219-v1:0` (Sonnet 3.7)
3. `anthropic.claude-3-5-sonnet-20241022-v2:0` (Sonnet 3.5 v2)
4. `anthropic.claude-3-5-sonnet-20240620-v1:0` (Sonnet 3.5)
5. `anthropic.claude-3-sonnet-20240229-v1:0` (Sonnet 3)
6. `amazon.nova-pro-v1:0` (Nova Pro)

You must enable the selected model in your AWS account through the Bedrock console to use the GenAI features. The solution’s core functionalities remain fully operational without enabling the GenAI features. Customers can choose to use the tool with manual inputs if they prefer not to use the AI-assisted capabilities.

After deployment, you can find the selected model ARN in the CloudFormation stack outputs under the `GenAISelectedModelArn` field in the WPMStack.
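To see what the deployment-time selection will decide for a given Region before you launch the stack, the following added example (not the solution's own Lambda code) re-creates the priority rule in plain Python over a constructed `list_foundation_models()` response. Two choices that the page does not state are labelled as assumptions in the code: models whose lifecycle status is `LEGACY` are skipped, and the supported inference types are carried through so you can tell whether the chosen model is invocable on demand or only through an inference profile.

```python
"""Priority-ordered foundation-model selection.

Added example; it re-creates the selection rule in plain Python and is not the
solution's own code. The list_foundation_models() response below is constructed.
"""
MODEL_PRIORITY = [
    "anthropic.claude-sonnet-4-20250514-v1:0",
    "anthropic.claude-3-7-sonnet-20250219-v1:0",
    "anthropic.claude-3-5-sonnet-20241022-v2:0",
    "anthropic.claude-3-5-sonnet-20240620-v1:0",
    "anthropic.claude-3-sonnet-20240229-v1:0",
    "amazon.nova-pro-v1:0",
]

# Constructed response for a Region that has neither Sonnet 4 nor Sonnet 3.7,
# lists Sonnet 3 as LEGACY, and offers Sonnet 3.5 v2 plus Nova Pro.
SAMPLE_RESPONSE = {
    "modelSummaries": [
        {"modelId": "anthropic.claude-3-sonnet-20240229-v1:0",
         "modelArn": "arn:aws:bedrock:eu-west-2::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
         "modelLifecycle": {"status": "LEGACY"},
         "inferenceTypesSupported": ["ON_DEMAND"]},
        {"modelId": "amazon.nova-pro-v1:0",
         "modelArn": "arn:aws:bedrock:eu-west-2::foundation-model/amazon.nova-pro-v1:0",
         "modelLifecycle": {"status": "ACTIVE"},
         "inferenceTypesSupported": ["INFERENCE_PROFILE"]},
        {"modelId": "anthropic.claude-3-5-sonnet-20241022-v2:0",
         "modelArn": "arn:aws:bedrock:eu-west-2::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0",
         "modelLifecycle": {"status": "ACTIVE"},
         "inferenceTypesSupported": ["ON_DEMAND"]},
        {"modelId": "amazon.titan-text-express-v1",  # listed, but not on the priority list
         "modelArn": "arn:aws:bedrock:eu-west-2::foundation-model/amazon.titan-text-express-v1",
         "modelLifecycle": {"status": "ACTIVE"},
         "inferenceTypesSupported": ["ON_DEMAND"]},
    ]
}


def select_model(list_response: dict, priority=MODEL_PRIORITY, skip_legacy=True):
    """Return {'modelId', 'modelArn', 'inferenceTypesSupported'} for the first
    priority model present in the response, or None when none is listed.

    skip_legacy is an assumption of this example, not a rule stated by the
    solution: a LEGACY model is on its way out and a poor choice for a new stack.
    """
    listed = {}
    for summary in list_response.get("modelSummaries", []):
        status = summary.get("modelLifecycle", {}).get("status", "ACTIVE")
        if skip_legacy and status == "LEGACY":
            continue
        listed[summary["modelId"]] = summary
    for model_id in priority:
        if model_id in listed:
            summary = listed[model_id]
            return {
                "modelId": model_id,
                "modelArn": summary.get("modelArn"),
                "inferenceTypesSupported": list(summary.get("inferenceTypesSupported", [])),
            }
    return None


def select_for_region(region_name: str):
    """Live variant: query Bedrock for the Region and apply the same rule.

    Listing a model does not mean your account has access to it; enabling it in
    the Bedrock console, as the page notes, is still required before InvokeModel
    succeeds.
    """
    import boto3  # imported here so the rest of the module works without boto3 installed
    client = boto3.client("bedrock", region_name=region_name)
    return select_model(client.list_foundation_models())


if __name__ == "__main__":
    print(select_model(SAMPLE_RESPONSE))
```

Compare the result with the `GenAISelectedModelArn` stack output after deployment; a mismatch usually means the Region's model catalogue changed between your check and the stack launch.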

![\[CloudFormation stack output showing selected GenAI model ARN\]](http://docs.aws.amazon.com/solutions/latest/cloud-migration-factory-on-aws/images/cloudformation-genai-model-output.png)


![\[Amazon Bedrock model enablement interface\]](http://docs.aws.amazon.com/solutions/latest/cloud-migration-factory-on-aws/images/bedrock-model-enablement.png)


This solution’s default configuration deploys Amazon Bedrock Guardrails in order to:
+ Filter out harmful content
+ Block prompt attacks (prompt injection and jailbreak attempts) and prompts that are irrelevant to the migration use case

![\[Amazon Bedrock Guardrails configuration interface\]](http://docs.aws.amazon.com/solutions/latest/cloud-migration-factory-on-aws/images/bedrock-guardrails.png)


For more information, refer to [Amazon Bedrock Guardrails](https://aws.amazon.com/bedrock/guardrails/). To opt out of Guardrails in the CMF solution, set the corresponding template parameter to `false` in the parameter section when you deploy the stack.

# Supported AWS Regions


This solution uses Amazon Cognito and Amazon QuickSight, which are currently available in specific AWS Regions only. Therefore, you must launch this solution in a Region where these services are available. For the most current service availability by Region, refer to the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

**Note**  
Data transfer during the migration process is not affected by Regional deployments.

Cloud Migration Factory on AWS is available in the following AWS Regions:


| Region names |  | 
| --- | --- | 
|  US East (Ohio)  |  Canada (Central)  | 
|  US East (N. Virginia)  |  \*Canada West (Calgary)  | 
|  US West (N. California)  |  Europe (Frankfurt)  | 
|  US West (Oregon)  |  Europe (Ireland)  | 
|  \*Africa (Cape Town)  |  Europe (London)  | 
|  \*Asia Pacific (Hong Kong)  |  \*Europe (Milan)  | 
|  \*Asia Pacific (Hyderabad)  |  \*Europe (Spain)  | 
|  \*Asia Pacific (Jakarta)  |  Europe (Paris)  | 
|  \*Asia Pacific (Melbourne)  |  Europe (Stockholm)  | 
|  Asia Pacific (Mumbai)  |  \*Europe (Zurich)  | 
|  Asia Pacific (Osaka)  |  \*Israel (Tel Aviv)  | 
|  Asia Pacific (Seoul)  |  \*Middle East (Bahrain)  | 
|  Asia Pacific (Singapore)  |  \*Middle East (UAE)  | 
|  Asia Pacific (Sydney)  |  South America (São Paulo)  | 
|  Asia Pacific (Tokyo)  |  | 

**Important**  
\* Only available for the private deployment type, because Amazon CloudFront standard (access) logs cannot be delivered to an Amazon S3 bucket in these opt-in Regions; see [Configuring and using standard logs (access logs)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html) in the *Amazon CloudFront Developer Guide* for the latest details.

Cloud Migration Factory on AWS is not available in the following AWS Regions:


| Region name | Unavailable service(s) or service option | 
| --- | --- | 
|  AWS GovCloud (US-East)  |  Amazon Cognito  | 
|  AWS GovCloud (US-West)  |  Amazon Cognito  | 

# Quotas


Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

## Quotas for AWS services in this solution


Make sure you have sufficient quota for each of the [services implemented in this solution](aws-services-in-this-solution.md). For more information, refer to [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

For the quotas of an individual service, go to that service's page in the *AWS General Reference*. To view the service quotas for all AWS services without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the PDF instead.

## AWS CloudFormation quotas


Your AWS account has CloudFormation quotas that you should be aware of when launching the stack for this solution. By understanding these quotas, you can avoid limit errors that would prevent you from deploying this solution successfully. For more information, refer to [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User Guide*.