How to Migrate AWS Resources from one AWS Account to Another

Are you considering moving your AWS resources from one account to another? If so, you’re definitely not alone! This situation arises more frequently than you might think. Whether your company has undergone a merger, you’re transitioning to a new managed service provider, or you’re simply reorganizing your cloud setup for better efficiency, there can be numerous reasons for this change.

The good news is that moving between AWS accounts isn’t an insurmountable task-it’s entirely feasible. However, it involves more than just transferring files and configurations; it’s crucial to ensure that everything remains secure, minimizes downtime, and keeps costs manageable.

In this blog, we’ll break down the migration process step by step. You’ll receive all the information you need to execute this transition correctly and avoid the common pitfalls that can turn a straightforward move into a nightmare. Let’s dive in and make this migration as smooth and stress-free as possible.

Before getting into the migration part, let’s know first what a typical migration may include:

• Infrastructure, which includes the essential components that keep everything running, like AWS Lambda functions, load balancers and more.
• Compute resources, like Elastic Compute Cloud (Amazon EC2)
• Storage, such as Amazon S3 for keeping your files.
• Databases you use, whether that’s Amazon RDS, DynamoDB, or other database services.

Migrate AWS Resources Between AWS Accounts

Here’s how you can migrate infrascture, databases and specific files from AWS account to another. Let’s exploer some popular tools and methods to seamlessly trasnfer the data from account to another.

1. Migrating Infrastructure

When it comes to moving your infrastructure, especially temporary resources, there are a couple of easy methods you can use. These methods are based on Infrastructure as Code (IaC), which is basically scripts that help set up your IT resources automatically. You can migrate your infrastructure using CloudFormation or Former2.

1.1 Using AWS CloudFormation

If you already use AWS CloudFormation, you can simply bring your existing templates over to the new AWS account. AWS CloudFormation helps you manage and set up your resources easily. You create templates that allow you to quickly and reliably set up services or applications called “stacks.”

1.2 Using Former2

Another option is to use a tool called Former2. This tool helps you create templates based on your current resources in your existing AWS account, which you can then use in your new account.

Former2 is an open-source tool that can generate IaC templates for you, like AWS CloudFormation or HashiCorp Terraform, straight from your existing resources.

2. Migrating Compute Resources

When it comes to transferring compute resources that maintain data, you have a couple of effective choices to streamline the process. These methods provide a virtual platform for running instances with various operating systems.

2.1 Utilizing AWS Backup

If you’re currently using the AWS Backup service along with AWS Organizations to oversee your backup strategies, you can leverage the cross-account management feature of AWS Backup. This capability allows you to control, monitor, and restore backups across different AWS accounts, provided that both accounts are within the same AWS Organization. After the backups are transferred to the new account, restoring your EC2 instances becomes straightforward. Here’s how you can create backup copies using AWS backup.

Requirements

• All accounts involved must be part of the same AWS Organization
• Designate a management account in AWS Organizations to manage cross-account backups
• Enable the cross-account backup feature in the AWS Backup console using the management account credentials

Setup Steps

1. Create a Management Account and Add Member Accounts:
2. Go to Settings and enable Cross-Account Backup and Cross-Account Monitoring
3. In the destination account, create a backup vault and assign a customer-managed KMS key for encryption
4. In the destination account, update the access policy of the backup vault to allow the source account to copy backups into it.
5. In the source account, create a backup plan and define a rule that includes the destination vault ARN.
6. Create a scheduled backup plan in the AWS Backup console or perform on-demand backups by copying a backup from the source account to the destination account directly from the AWS Backup console.
7. While AWS Backup does not support direct restoration of backups from one account to another, you can copy the backup to the target account and then restore it within that account

AWS Backup is an excellent service that automates data protection throughout AWS services. With this service, you can simplify the backup process.

2.2 Generating an Amazon Machine Image (AMI)

Another option is to migrate an EC2 image manually. It applies only to instances with unencrypted Amazon Elastic Block Store (EBS) volumes. Here’s how you can do this;

1. From the source account, create a custom AMI of the instance you wish to migrate (avoid static IP configurations to prevent connectivity issues).
2. Share the created AMI with the target account using the Amazon EC2 console or AWS CLI.
3. In the target account, you can locate the shared AMI using the EC2 console or AWS CLI.
4. Now, launch a new instance from the shared AMI in the target account. If needed, import your public key for access.
5. From the newly launched instance, create a custom AMI in the target account to avoid issues if the original shared AMI is deregistered.
6. If no longer needed, deregister the AMI in the source account.

Important Notes

1. Data on instance store volumes is not preserved in AMIs.
2. Avoid these to ensure proper connectivity.
3. Before deregistering the original AMI, launch instances in the target account to maintain the ability to create new instances from that AMI later.
4. Optionally, copy the AMI to the same or another region in the target account for backup purposes.

3. Migrating Storage Resources

AWS provides a variety of storage options, including object, file, and block storage. When it comes to migrating objects from an S3 bucket, you can migrate your storage resources using these methods.

3.1 Using the Amazon S3 Command Line Interface (CLI)

One way to transfer objects is by utilizing Amazon S3 CLI commands to perform the initial copy of objects from the source account to the target account.

Objects in Amazon S3 are not automatically owned by the AWS account that uploads them. It’s recommended to use the Bucket owner enforced setting to simplify access management, but this disables access control lists (ACLs).

Attach this policy to the relevant IAM identity in the source account.

In the destination account, change the S3 Object Ownership setting for the destination bucket to Bucket owner preferred.

Update the bucket policy in the destination account to allow the source account to upload objects, including a condition to require the bucket-owner-full-control ACL:

Remember to replace the bucket name and ARN with your specific details.

Upload Objects with Correct ACL, ensure the ACL is set to bucket-owner-full-control when copying objects. For example, to copy an object using the AWS CLI:

aws s3 cp s3://source-DOC-EXAMPLE-BUCKET/object.txt s3://destination-DOC-EXAMPLE-BUCKET/object.txt --acl bucket-owner-full-control

aws s3 cp directory/ s3://bucketname/directory --recursive --acl bucket-owner-full-control

By following these steps, you can effectively manage S3 object ownership and ensure smooth transfers between AWS accounts.

After completing the initial transfer, you can activate the Amazon S3 replication feature to ensure that any changes to objects are automatically replicated across accounts. Amazon S3 offers two types of replication to automatically copy objects across buckets, which can be owned by the same or different AWS accounts.

Read the full article here.