Migration · Guide ·

Pre-migration checklist: 12 items before you cut over to AWS

A practical checklist for discovery, networking, identity, backups, and runbooks — so go-live week is boring on purpose.

Cutover failures rarely come from “AWS being hard.” They come from assumptions that were never written down. Use this checklist in discovery and again 48 hours before go-live.

Discovery and scope

  • Inventory of applications, owners, RTO/RPO, and compliance tags
  • Dependency map (databases, LDAP, file shares, SaaS integrations)
  • Explicit list of in-scope vs. out-of-scope systems for phase 1

Identity and access

  • IAM Identity Center or SSO design documented (no long-lived admin keys)
  • Break-glass accounts MFA-protected; root unused for daily work
  • Least-privilege roles for deploy pipelines and operators

Network and security

  • VPC design: subnets, routing, NAT vs. endpoints, on-prem connectivity tested
  • Security groups reviewed against least privilege (not “allow all internal”)
  • Logging enabled: CloudTrail, VPC Flow Logs where required, GuardDuty considered

Data and backups

  • Backup strategy matches RPO; restore tested, not assumed
  • Encryption in transit and at rest documented (KMS keys owned by the right account)

Runbooks

  • Cutover runbook with rollback triggers and named decision-makers
  • Hypercare schedule for the first 72 hours after go-live

Treat unchecked items as explicit risks in the migration plan — not surprises on launch night. We walk teams through this in discovery workshops before any lift-and-shift or replatform work begins.