Discover assets on AWS

This document describes how to run an inventory discovery on your Amazon Web Services (AWS) account by using the Migration Center discovery client CLI.

You can use mcdc CLI to collect information about the following assets in your AWS account:

  • Amazon CloudFront (Preview)
  • Amazon Elastic Compute Cloud (EC2)
  • Amazon Elastic Container Service (ECS) (Preview)
  • Amazon Elastic File System (EFS) (Preview)
  • Amazon Elastic Kubernetes Service (EKS) (Preview)
  • Amazon Redshift (Preview)
  • Amazon Relational Database Service (RDS)
    • Microsoft SQL Server
    • MySQL
    • PostgreSQL
  • Amazon Simple Storage Service (S3) (Preview)
  • Amazon Virtual Private Cloud (VPC) (Preview)
  • AWS Lambda (Preview)
  • Elastic Load Balancing (ELB) (Preview)

The mcdc CLI then sends the collected information to Migration Center where you can complete the assessment.

Limitations

When running an inventory discovery on your AWS account, the mcdc CLI has the following limitations:

  • Only EC2 and RDS asset types are included in the TCO report. To export and analyze all asset types outside of Migration Center, export your inventory.
  • The following information for EC2 instances is not collected:
    • Memory usage. To collect this information, make sure that the Amazon CloudWatch agent is installed and configured on your EC2 instances.
    • Free disk space. To collect this information, run a guest discovery.
  • You cannot run the mcdc CLI on Linux machines to collect data from AWS Windows EC2 instances. To collect information from Windows EC2 instances, run the mcdc CLI on a Windows machine.

Data collected during inventory discovery

The mcdc CLI collects the following information from the supported AWS services:

Amazon EC2
  • Instance details (ID, type, state)
  • Owner discount ID
  • Instance type details (CPU, memory)
  • Tags
  • Operating system information (from SSM)
  • Block device mappings and volume details
  • Performance metrics (CPU utilization, network I/O, disk I/O)

Amazon RDS
  • Database instance details (identifier, class, status)
  • Engine and engine version details
  • Allocated storage
  • Tags
  • Performance metrics (CPU utilization, network throughput, IOPS, free storage)
  • Performance insights (free memory)

Amazon S3
  • Bucket details (name, ARN, region, creation date)
  • Tags
  • Versioning status
  • Lifecycle rules
  • Performance metrics (bucket size by storage class, number of objects)

Amazon EKS
  • Per cluster:
    • Cluster details (name, ARN, version, status, endpoint)
    • Tags
    • Role ARN
    • VPC configuration
    • Logging configuration
    • Launch types (EC2 or Fargate)
  • Per managed node group:
    • Node group details (name, ARN, AMI type, instance types, disk size)
    • Scaling configuration (min, max, selected size)
    • Associated auto scaling groups
  • Per Fargate profile:
    • Profile details (name, pod execution role ARN)
    • Subnets
    • Selectors (namespace, labels)

Amazon ECS
  • Per cluster:
    • Cluster details (name, ARN, status)
    • Tags
    • Number of services and tasks
    • Registered container instances
  • Per service:
    • Service details (name, ARN, launch type)
    • Task definition
    • Scheduling strategy
    • Deployment configuration
    • Load balancer information
  • Per task:
    • Task details (ARN, last status, selected status)
    • CPU and memory
    • Container information

ELB
  • Per load balancer (version 1 and 2):
    • Details (name, ARN/ID, DNS name, type, scheme)
    • Tags
    • VPC and availability zones
    • Listeners and rules
    • Target groups and target health
    • Instance health (for classic ELBs)

AWS Lambda
  • Per function:
    • Configuration (name, ARN, runtime, role, handler, timeout)
    • Tags
    • Memory size and ephemeral storage
    • Package type and code size
    • Architectures
    • Layers
    • Environment variables
    • Tracing configuration
    • Event source mappings
    • Concurrency settings

Amazon CloudFront
  • Per distribution:
    • Details (ID, ARN, domain name, status, enabled)
    • Tags
    • Aliases (CNAMEs)
    • Origins and origin groups
    • Cache behaviors
    • Price class, HTTP version, IPv6 enabled

Amazon EFS
  • Per file system:
    • Details (ID, ARN, name, creation time)
    • Tags
    • Total size (standard and infrequent access)
    • Performance and throughput mode
    • Encryption status
    • Lifecycle policies
    • Backup policy
    • Replication configurations
    • Mount targets and access points

Amazon Redshift
  • Per provisioned cluster:
    • Cluster details (identifier, ARN, status, version)
    • Tags
    • Node type and count
    • Database name
    • VPC and IAM roles
    • Encryption status
    • Snapshot and AQUA configuration
  • Per serverless workgroup:
    • Workgroup details (name, ARN, status, base RPU)
    • Tags
    • Namespace information (database name, IAM roles, KMS key)
    • VPC endpoint
    • Snapshot copy configurations

Amazon VPC
  • Per VPC:
    • VPC details (ID, ARN, state, CIDR block, tenancy)
    • Tags
    • DHCP options ID
    • Associated subnets
    • Associated network ACLs


The mcdc CLI collects metrics for the last 30 days except for database memory usage. For database memory usage, AWS saves only up to 7 days of data by default, so the mcdc CLI collects data for only the last 7 days.

Before you begin

Before you begin the inventory discovery, complete the following steps:

  1. Review the requirements for downloading and running the mcdc CLI.
  2. Choose where to download the mcdc CLI and complete the steps to download the mcdc CLI.
  3. Make sure that you have access to your AWS account.

Choose where to download the mcdc CLI

You can download the mcdc CLI to both Linux and Windows machines. We recommend using a Windows EC2 instance to download and run the mcdc CLI, because it supports all available collection methods.

You can download the mcdc CLI to a location with access to your target assets, such as the following:

  • AWS CloudShell
  • A Linux EC2 instance
  • A Windows EC2 instance
  • Any computer where you have installed the mcdc CLI and have remote access to your AWS account.

For instructions to download the mcdc CLI, see Download mcdc CLI.

Create an AWS IAM policy

To authorize the mcdc CLI to read the AWS asset inventory data, create an AWS IAM policy with the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:ListDistributions",
        "cloudfront:ListTagsForResource",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:ListTagsForResource",
        "cloudwatch:GetMetricData",
        "ec2:DescribeRegions",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeNetworkAcls",
        "ecs:ListClusters",
        "ecs:DescribeClusters",
        "ecs:ListServices",
        "ecs:DescribeServices",
        "ecs:ListTasks",
        "ecs:DescribeTasks",
        "ecs:ListContainerInstances",
        "ecs:DescribeContainerInstances",
        "efs:DescribeFileSystems",
        "efs:ListTagsForResource",
        "efs:DescribeLifecycleConfiguration",
        "efs:DescribeBackupPolicy",
        "efs:DescribeReplicationConfigurations",
        "efs:DescribeMountTargets",
        "efs:DescribeAccessPoints",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "eks:ListNodegroups",
        "eks:DescribeNodegroup",
        "eks:ListFargateProfiles",
        "eks:DescribeFargateProfile",
        "autoscaling:DescribeAutoScalingGroups",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeInstanceHealth",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "lambda:ListEventSourceMappings",
        "lambda:GetFunctionConcurrency",
        "rds:DescribeDBInstances",
        "rds:DescribeDBEngineVersions",
        "pi:GetResourceMetrics",
        "redshift:DescribeClusters",
        "redshift-serverless:ListWorkgroups",
        "redshift-serverless:GetNamespace",
        "redshift-serverless:ListSnapshotCopyConfigurations",
        "redshift-serverless:ListTagsForResource",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetLifecycleConfiguration",
        "ssm:DescribeInstanceInformation"
      ],
      "Resource": "*"
    }
  ]
}

Authenticate to AWS

To authorize the mcdc CLI to access your AWS environment, authenticate your account using one of the following methods:

Use your existing AWS credentials

To use your existing AWS credentials, run the mcdc CLI commands directly from AWS CloudShell. When you run the mcdc CLI from AWS CloudShell, you can use your existing credentials without creating an access key: the mcdc CLI accesses your AWS environment with the permissions those credentials already grant.

Create an access key for the mcdc CLI

To create an access key for the mcdc CLI, follow these steps:

  1. Create a dedicated IAM user to interact with the AWS API.
  2. Attach the IAM policy you created in the previous section to your new user.
  3. In the AWS console, navigate to the IAM user that you created in the previous step, and click User > Security Credentials > Create access key > Other > Next > Create access key.

    For more information, see Create an access key.

Store the access key ID and the secret access key. You need both values to scan your AWS inventory.
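The IAM policy from the Create an AWS IAM policy section and the three-step access key procedure above, carried through as an added example (this is not code from the Migration Center documentation or the mcdc tool). It first confirms that every action in the policy is a read-only verb (Describe, List or Get), which is the check a reviewer would want before attaching the policy to a user, then performs the create policy, create user, attach policy and create access key steps against an IAM client that exposes the boto3 method names `create_policy`, `create_user`, `attach_user_policy` and `create_access_key`. The `FakeIam` class, the user name `mcdc-discovery`, the policy name `McdcDiscoveryReadOnly` and the key values are constructed here so the script runs offline; pass `boto3.client("iam")` instead of `FakeIam()` to run it for real.

```python
"""Read-only check and dedicated-user provisioning for the mcdc CLI IAM setup.

Added example, not code from the Migration Center documentation or the mcdc tool.
Assumes an IAM client with the boto3 method names create_policy, create_user,
attach_user_policy and create_access_key; FakeIam below stands in for
boto3.client("iam") so it runs offline. Names and key values are constructed.
"""
import json
import re

# The 59 actions of the IAM policy shown on this page.
MCDC_ACTIONS = [
    "cloudfront:ListDistributions", "cloudfront:ListTagsForResource",
    "cloudwatch:DescribeAlarms", "cloudwatch:ListTagsForResource", "cloudwatch:GetMetricData",
    "ec2:DescribeRegions", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes",
    "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeNetworkAcls",
    "ecs:ListClusters", "ecs:DescribeClusters", "ecs:ListServices", "ecs:DescribeServices",
    "ecs:ListTasks", "ecs:DescribeTasks", "ecs:ListContainerInstances", "ecs:DescribeContainerInstances",
    "efs:DescribeFileSystems", "efs:ListTagsForResource", "efs:DescribeLifecycleConfiguration",
    "efs:DescribeBackupPolicy", "efs:DescribeReplicationConfigurations", "efs:DescribeMountTargets",
    "efs:DescribeAccessPoints",
    "eks:ListClusters", "eks:DescribeCluster", "eks:ListNodegroups", "eks:DescribeNodegroup",
    "eks:ListFargateProfiles", "eks:DescribeFargateProfile", "autoscaling:DescribeAutoScalingGroups",
    "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeRules",
    "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeInstanceHealth",
    "lambda:ListFunctions", "lambda:ListTags", "lambda:ListEventSourceMappings",
    "lambda:GetFunctionConcurrency",
    "rds:DescribeDBInstances", "rds:DescribeDBEngineVersions", "pi:GetResourceMetrics",
    "redshift:DescribeClusters", "redshift-serverless:ListWorkgroups", "redshift-serverless:GetNamespace",
    "redshift-serverless:ListSnapshotCopyConfigurations", "redshift-serverless:ListTagsForResource",
    "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging", "s3:GetBucketVersioning",
    "s3:GetLifecycleConfiguration", "ssm:DescribeInstanceInformation",
]

# Inventory discovery only reads, so every API verb must be Describe*, List* or Get*.
READ_ONLY_VERB = re.compile(r"^(Describe|List|Get)[A-Za-z0-9]*$")


def build_policy_document(actions=MCDC_ACTIONS):
    """Return the policy document in the shape shown on the page."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


def find_non_read_only_actions(policy):
    """List every allowed action that is not a read-only verb (e.g. s3:*, ec2:TerminateInstances)."""
    offenders = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            service, _, verb = action.partition(":")
            if not service or service == "*" or not READ_ONLY_VERB.match(verb):
                offenders.append(action)
    return offenders


def provision_discovery_user(iam, user_name="mcdc-discovery", policy_name="McdcDiscoveryReadOnly"):
    """Steps 1-3 of the page: create the policy, a dedicated user, attach it, create an access key.

    Refuses to proceed if the policy grants anything beyond read-only access.
    """
    policy = build_policy_document()
    offenders = find_non_read_only_actions(policy)
    if offenders:
        raise ValueError(f"policy is not read-only: {offenders}")
    created = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(policy))
    policy_arn = created["Policy"]["Arn"]
    iam.create_user(UserName=user_name)
    iam.attach_user_policy(UserName=user_name, PolicyArn=policy_arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # AWS shows the secret once: hand it to a secrets store, never to logs or shell history.
    return {"user": user_name, "policy_arn": policy_arn,
            "access_key_id": key["AccessKeyId"], "secret_access_key": key["SecretAccessKey"]}


class FakeIam:
    """Offline stand-in for boto3.client("iam"); records the calls it receives."""
    def __init__(self):
        self.calls = []
    def create_policy(self, PolicyName, PolicyDocument):
        self.calls.append("create_policy")
        return {"Policy": {"Arn": f"arn:aws:iam::123456789012:policy/{PolicyName}"}}
    def create_user(self, UserName):
        self.calls.append("create_user")
        return {}
    def attach_user_policy(self, UserName, PolicyArn):
        self.calls.append("attach_user_policy")
        return {}
    def create_access_key(self, UserName):
        self.calls.append("create_access_key")
        return {"AccessKey": {"AccessKeyId": "AKIAEXAMPLE000000000",  # constructed value
                              "SecretAccessKey": "constructed-secret-not-a-real-key"}}


if __name__ == "__main__":
    result = provision_discovery_user(FakeIam())
    print("created user", result["user"], "with policy", result["policy_arn"])
```

The read-only check is deliberately strict: a wildcard action such as `s3:*` or a bare `*` is rejected even though it would also include the Get and List calls, because the discovery client never needs write access and the dedicated user is the one credential that will be handled outside your normal identity flow.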

Optional: Set up access to collect guest operating system data

Guest operating system data enriches pricing reports, license reports, and asset details exports. This data also helps assess suitability for containerization migrations to Google Kubernetes Engine, GKE Autopilot, and Cloud Run. If you don't want to collect operating system data, you can skip this section.

To collect guest operating system data, the workstation running the mcdc CLI must connect to the target EC2 instances. Make sure that the following ports are open on the target EC2 instances:

  • Port 22 (SSH) for Linux machines
  • Port 135 (WMI) for Windows machines
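A pre-flight check for the connectivity requirement above, added here as an example (not code from the Migration Center documentation or the mcdc tool): from the workstation that will run the guest discovery, it tries a TCP connection to port 22 for Linux instances and port 135 for Windows instances and reports which targets would be unreachable before the discovery is started. The `SAMPLE_INSTANCES` list is constructed sample data modelled on the `mcdc discover ls` output (TEST-NET addresses, not real hosts); in practice you would feed it the instance IDs, OS strings and IP addresses from your own inventory. The `probe` parameter exists so the logic can be exercised without network access.

```python
"""Pre-flight TCP reachability check before a guest operating system discovery.

Added example, not code from the Migration Center documentation or the mcdc tool.
Checks from the workstation that each target EC2 instance accepts a connection on
the port the page names for its OS (22 for Linux, 135 for Windows). The instance
list below is constructed sample data modelled on the mcdc discover ls output.
"""
import socket

# Ports the page requires to be open on the target instances.
GUEST_PORTS = {"linux": 22, "windows": 135}

# Constructed sample inventory: TEST-NET addresses, and instance IDs that are not real.
SAMPLE_INSTANCES = [
    {"id": "i-011d6234b5769fe2a", "os": "Red Hat Enterprise Linux", "ip": "192.0.2.1"},
    {"id": "i-09e28bb6eggg94db8", "os": "Linux/UNIX", "ip": "192.0.2.3"},
    {"id": "i-0example00windows1", "os": "Windows Server 2022", "ip": "192.0.2.4"},
    {"id": "i-0example00unknown1", "os": "", "ip": "192.0.2.5"},
]


def guest_port_for(os_name):
    """Map an inventory OS string to the guest discovery port, or None if the OS is unknown."""
    name = os_name.lower()
    if "windows" in name:
        return GUEST_PORTS["windows"]
    if "linux" in name or "unix" in name:
        return GUEST_PORTS["linux"]
    return None


def tcp_port_open(host, port, timeout=2.0):
    """Return True when a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or name resolution failed
        return False


def preflight(instances, probe=tcp_port_open, timeout=2.0):
    """Return one result per instance: {"id", "ip", "port", "reachable"}.

    An instance whose OS cannot be mapped to a port is reported as unreachable
    with port None, so it is not silently skipped.
    """
    results = []
    for inst in instances:
        port = guest_port_for(inst["os"])
        reachable = port is not None and bool(probe(inst["ip"], port, timeout))
        results.append({"id": inst["id"], "ip": inst["ip"], "port": port, "reachable": reachable})
    return results


def unreachable(results):
    """IDs of instances that a guest discovery would fail to reach."""
    return [r["id"] for r in results if not r["reachable"]]


if __name__ == "__main__":
    for r in preflight(SAMPLE_INSTANCES):
        if r["port"] is None:
            status = "skipped: OS not recognised"
        else:
            status = "ok" if r["reachable"] else "blocked"
        print(f'{r["id"]:<22} {r["ip"]:<12} port {r["port"]}: {status}')
```

Run it before `mcdc discover aws` with guest collection and fix the security group or host firewall for anything reported as blocked; an instance reported with an unrecognised OS needs its OS string checked rather than a port opened.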

Discover assets in your AWS account

To discover assets in your AWS account, follow these steps:

  1. In the command line terminal, change to the directory where you downloaded the mcdc CLI.

  2. Run the discovery:

    AWS CloudShell

    To discover assets in your AWS account, run the following command:

    Linux

    ./mcdc discover aws --host-config \
    [--services AWS_SERVICE_NAMES] \
    [--region AWS_REGION]

    Windows

    mcdc.exe discover aws --host-config [--services AWS_SERVICE_NAMES] [--region AWS_REGION]

    Replace the following:

    • AWS_SERVICE_NAMES: the types of assets to discover. Provide a comma-separated list. Supported values are cloudfront, dynamodb, ecs, efs, eks, elb, lambda, db (RDS), redshift, route53, s3, vm (EC2), and vpc. If you don't provide this flag, all supported asset types are discovered.
    • AWS_REGION: the AWS region where your AWS assets are located. This flag is optional. If you don't provide this flag, assets from all enabled AWS regions are discovered.

    AWS access key

    To discover assets in your AWS account by using your AWS access key ID and secret access key, run the following command:

    Linux

    ./mcdc discover aws --access-key-id AWS_ACCESS_KEY_ID \
    --secret-access-key AWS_ACCESS_KEY \
    [--services AWS_SERVICE_NAMES] \
    [--region AWS_REGION]

    Windows

    mcdc.exe discover aws --access-key-id AWS_ACCESS_KEY_ID --secret-access-key AWS_ACCESS_KEY [--services AWS_SERVICE_NAMES] [--region AWS_REGION]

    Replace the following:

    • AWS_ACCESS_KEY_ID: the access key ID you created in the Create an access key for the mcdc CLI section.
    • AWS_ACCESS_KEY: the secret access key that you created in the Create an access key for the mcdc CLI section.
    • AWS_SERVICE_NAMES: the types of assets to discover. Provide a comma-separated list. Supported values are cloudfront, dynamodb, ecs, efs, eks, elb, lambda, db (RDS), redshift, route53, s3, vm (EC2), and vpc. If you don't provide this flag, all supported asset types are discovered.
    • AWS_REGION: the AWS region where your AWS assets are located. This flag is optional. If you don't provide this flag, assets from all enabled AWS regions are discovered.

    The output should look similar to the following:

    [+] Collecting for AWS Account: 123456789012
    [+] Collecting RDS in region eu-north-1
    [✓] Collected 0 DB instances
    [!] No DB instances found
    [+] Collecting ECS in region eu-north-1
    [+] Successfully collected data for 2 ECS clusters in region eu-north-1
    [+] Collecting S3...
    [+] Successfully collected data for 74 S3 buckets
    [✓] Collection completed.
    
  3. Optional: To review the collected data, run the following command:

    Linux

    ./mcdc discover ls

    Windows

    mcdc.exe discover ls

    The output should look similar to the following:

    VM Assets
    PLATFORM VM ID       NAME              COLLECTED DATA   OS                          IP ADDRESSES
    i-011d6234b5769fe2a  abc-rhel9.0-arm   AWSVM            Red Hat Enterprise Linux    192.0.2.1
    i-08f7e5e469508460f  def-rhel9.0-arm   AWSVM            Red Hat Enterprise Linux    192.0.2.2
    i-09e28bb6eggg94db8  ghi-ol9.3         AWSVM            Linux/UNIX                  192.0.2.3
    
    Database Assets
    GENERATED ID                                         PROVIDER        ENGINE
    arn:aws:rds:eu-west-1:12345678912:db:abc-sqlserver   RDS             SQL Server
    
    AWS CloudFront Distribution: 2 assets were collected.
    AWS ECS Cluster: 3 assets were collected.
    AWS EFS: 5 assets were collected.
    AWS Elastic Load Balancer: 7 assets were collected.
    AWS Lambda: 9 assets were collected.
    AWS Redshift: 2 assets were collected.
    AWS S3 Bucket: 77 assets were collected.
    AWS VPC: 84 assets were collected.
    

    Optionally, use the --asset-types flag to display assets of a specific type. For example, to display only EC2 instances, run the following command:

    Linux

    ./mcdc discover ls --asset-types=vm

    Windows

    mcdc.exe discover ls --asset-types=vm

    When using the --asset-types flag, only the following asset types are supported:

    • db: Relational Database Service (RDS)
    • vm: Elastic Compute Cloud (EC2)

  4. After you discover your assets, export the collected data to Migration Center to view them there.

What's next