Migration

Migration Process to the Latest Organizational Onboarding Flow

As Upwind's cloud onboarding architecture evolves, customers are encouraged to migrate to the most recent, unified Organizational Onboarding method to benefit from enhanced capabilities, simplified maintenance, and broader coverage, such as Cloud Scanners 2.0 and Data Security. This new onboarding flow is already the default for new customers, and we recommend that existing customers migrate to gain full automation, centralized control, and complete environment visibility.

Why migrate?

By switching to Organizational Onboarding, you'll gain:

  • Automatic detection and connection of all accounts across your cloud organization
  • Cloud Scanner deployment and management handled by Upwind, with no manual setup required
  • Automatic scanning of any new accounts added to your cloud organization - no further action needed
  • The ability to define scope - choose which accounts or projects should be connected to Upwind and optionally scanned by Cloud Scanners
  • A consistent, scalable onboarding experience that supports growth across environments

This document outlines the three primary migration scenarios, provides detailed migration instructions for each, and includes guidelines for infrastructure upgrades.

Understanding Onboarding Models

Upwind previously supported multiple onboarding methods. The legacy 3-Stack Organizational Onboarding required three separate CloudFormation stacks but has been deprecated due to its complexity and lack of support for new features, such as Data Security and Cloud Scanners 2.0.

The Combined Stack (v2) replaces the old model with a single, streamlined stack that simplifies management and supports all modern capabilities. Customers using Single Account Onboarding are also encouraged to migrate to take full advantage of all organizational features.

Three Migration Scenarios

Upwind currently supports the following customer states, each requiring a different migration strategy:

| Migration Scenario | Description |
|---|---|
| 1. Migration from Single Account to Organizational Onboarding | For customers who manually onboarded individual accounts (even if part of an Org) and now want to move to full organizational integration. |
| 2. Migration from Legacy 3-Stack Organizational Onboarding to Combined Stack | For customers who previously onboarded their AWS Organization using the legacy 3-stack model and are now migrating to the modern, unified Combined Stack that supports the latest features. |
| 3. Migration from Combined Stack to Updated Version (Roles & Permissions Update) | For customers already using the Combined Stack model, who need to update their roles and permissions to enable the latest features. |

1. Migration from Single Account to Organizational Onboarding

This process is for customers who originally connected accounts manually (e.g., via Terraform or CFN), even if they belong to an AWS Organization. Migrating to Organizational Onboarding will:

  • Automatically connect all accounts in your Org
  • Deploy Cloud Scanners without any manual work
  • Automatically scan future accounts added to your Org

Migration Steps

Step 1: Disconnect Manually Onboarded Accounts

  • In the Upwind Console, disconnect any account that's part of the AWS Org you intend to onboard.
  • Remove their Terraform/CloudFormation setup.

Note: Do not remove standalone single accounts that are not part of the Org - these won't be affected by the new onboarding.

Step 2: Complete the New Onboarding Flow

  1. Log in to the Upwind Management Console.
  2. Click the ➕ (plus) icon at the top of the screen and select Connect cloud account.
  3. Choose Amazon Web Services, then select Connect AWS Organization.
  4. Follow the guided steps to complete the onboarding.

Once the onboarding is complete, the orchestrator account will automatically deploy and configure Cloud Scanners within ~30 minutes. Stack provisioning typically finishes shortly thereafter.

Post-Onboarding Validation

| Verification Item | How to Check |
|---|---|
| Cloud Scanners are deployed | Go to Settings → Cloud Scanners and confirm that scanners are listed. |
| Scanner health is "Healthy" | Each scanner should display a green Healthy status in the Scanners tab. |
| Accounts show active coverage | Visit Settings → Organization & Accounts, and check the Coverage column to confirm scanning is active across intended accounts. |

Note: Our team continuously monitors scanner health and onboarding progress, and is available to assist with any questions or concerns.

Step 3: Remove Previous Cloud Scanner Deployment

Once you've verified that the new scanners are active and healthy, you can safely tear down the previous manually installed scanners. This avoids duplication and ensures only the latest configuration is running.

The removal method depends on how the original scanners were deployed:

  1. Open the AWS Console and navigate to CloudFormation → StackSets.
  2. Locate the StackSet used for creating the cross-account IAM roles for the original Upwind Cloud Scanner deployment.
  3. Select and delete the StackSet to remove the associated IAM roles.
  4. Next, go to CloudFormation → Stacks.
  5. Locate the CloudScanner deployment stack (used to deploy the scanner resources themselves).
  6. Select and delete the stack to clean up all scanner-related infrastructure.

After removal, Upwind's new scanner configurations will automatically deploy in regions where relevant cloud resources exist.

Step 4: Final Cleanup

After completing the scanner migration:

  • You may optionally delete the old scanner entries from the Upwind UI, or
  • Contact support@upwind.io or your designated Solution Architect / Customer Success Manager, and we'll complete the cleanup for you.

2. Migration from Legacy 3-Stack Organizational Onboarding to Combined Stack

The original Organizational onboarding flow used three separate CloudFormation stacks. This approach has been replaced with a single combined stack model that deploys the same components more efficiently and is easier to maintain.

Migration Steps

Step 1: Offboard Existing Cloud Scanners

  • Remove all currently deployed Cloud Scanners via the Upwind Console.
  • This is required before deleting the roles they're associated with.

Step 2: Disconnect Manually Onboarded Accounts

  • In the Upwind Console, disconnect any account that's part of the AWS Org you intend to onboard.
  • Remove their Terraform/CloudFormation setup.

Note: Do not remove standalone single accounts that are not part of the Org - these won't be affected by the new onboarding.

Step 3: Contact Support to Reset Your Organization

  • Reach out to Upwind Support to request a reset of your AWS Organization connection.
  • This step is necessary to allow you to re-onboard your organization through the Upwind Console.

Step 4: Re-Onboard Using Combined Stack

  1. Log in to the Upwind Management Console.
  2. Click the ➕ (plus) icon at the top of the screen and select Connect cloud account.
  3. Choose Amazon Web Services, then select Connect AWS Organization.
  4. Follow the guided steps to complete the onboarding.

Once the onboarding is complete, the orchestrator account will automatically deploy and configure Cloud Scanners within ~30 minutes. Stack provisioning typically finishes shortly after.

Post-Onboarding Validation

| Verification Item | How to Check |
|---|---|
| Cloud Scanners are deployed | Go to Settings → Cloud Scanners and confirm that scanners are listed. |
| Scanner health is "Healthy" | Each scanner should display a green Healthy status in the Scanners tab. |
| Accounts show active coverage | Visit Settings → Organization & Accounts, and check the Coverage column to confirm scanning is active across intended accounts. |

Note: Our team continuously monitors scanner health and onboarding progress, and is available to assist with any questions or concerns.

Step 5: Remove Previous Cloud Scanner Deployment

Once you've verified that the new scanners are active and healthy, you can safely tear down the previous manually installed scanners. This avoids duplication and ensures only the latest configuration is running.

The removal method depends on how the original scanners were deployed:

  1. Open the AWS Console and navigate to CloudFormation → StackSets.
  2. Locate the StackSet used for creating the cross-account IAM roles for the original Upwind Cloud Scanner deployment.
  3. Select and delete the StackSet to remove the associated IAM roles.
  4. Next, go to CloudFormation → Stacks.
  5. Locate the CloudScanner deployment stack (used to deploy the scanner resources themselves).
  6. Select and delete the stack to clean up all scanner-related infrastructure.

After removal, Upwind's new scanner configurations will automatically deploy in regions where relevant cloud resources exist.

Step 6: Final Cleanup

After completing the migration:

  • You may optionally delete the old scanner entries from the Upwind UI, or
  • Contact Upwind Support or your designated Solution Architect / Customer Success Manager, and we'll complete the cleanup for you.

3. Migration from Combined Stack to Updated Version

This section applies to customers who are already using the Combined Stack onboarding model and need to update their deployed Cloud Scanners to the latest version. This update unlocks new capabilities such as Cloud Scanners 2.0 and DSPM.

This is a simple update process that does not require disconnecting accounts or redoing the onboarding. It involves updating the CloudFormation template (or Terraform module) to apply the latest roles and permissions, which will automatically update your deployed Cloud Scanners to the newest version.

Cloud Scanners Version Update: Roles & Permissions Update Guide

When Should You Update?

  • To upgrade your deployed Cloud Scanners to the latest version with new features (e.g., DSPM, advanced scanner capabilities).
  • To apply improvements or refinements to your current Cloud Scanner deployment.

Step 1 – Locate Existing Stack

  1. Go to the AWS Console → CloudFormation
  2. Select your onboarding stack (typically named UpwindCombinedOrg)
  3. Click Update stack → Make a direct update to the stack.

Step 2 – Replace Template

  1. Choose "Replace existing template"
  2. Use the following S3 path:
    https://s3.us-east-1.amazonaws.com/get.upwind.io/cfn/templates/iam/cross-account-roles/v2/upwind-combined-org-onboarding.yaml
  3. Click "Next".
  4. Submit and wait for the stack to update (duration depends on Org size)
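Because this update changes cross-account roles and permissions, it is worth reading the change set before submitting it. The following is an added example, not Upwind's code: it summarises the IAM resource changes in the JSON printed by `aws cloudformation describe-change-set` and flags the ones to read by hand. The sample change set and its logical IDs are constructed for illustration.

```python
# IAM resource types whose changes alter what the onboarding roles can do.
IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy",
             "AWS::IAM::ManagedPolicy", "AWS::IAM::InstanceProfile"}

def iam_changes(change_set):
    """Summarise IAM resource changes in a describe-change-set result."""
    findings = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange") or {}
        if rc.get("ResourceType") not in IAM_TYPES:
            continue
        # Properties the update touches, e.g. Policies, AssumeRolePolicyDocument.
        targets = [d.get("Target", {}) for d in rc.get("Details", [])]
        props = sorted({t["Name"] for t in targets
                        if t.get("Attribute") == "Properties" and t.get("Name")})
        # Added or removed resources, replacements and trust-policy edits
        # get a manual read before the change set is executed.
        review = (rc.get("Action") in ("Add", "Remove")
                  or rc.get("Replacement") in ("True", "Conditional")
                  or "AssumeRolePolicyDocument" in props)
        findings.append({"id": rc.get("LogicalResourceId"), "action": rc.get("Action"),
                         "properties": props, "needs_review": review})
    return findings

def _prop(name):  # builds one Details entry for the constructed sample
    return {"Target": {"Attribute": "Properties", "Name": name}}

# Constructed sample; logical IDs are hypothetical, not from the Upwind template.
SAMPLE = {"Changes": [
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "ExampleScannerRole",
        "ResourceType": "AWS::IAM::Role", "Replacement": "False",
        "Details": [_prop("Policies")]}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Add", "LogicalResourceId": "ExampleDataRole",
        "ResourceType": "AWS::IAM::Role"}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "ExampleOrgRole",
        "ResourceType": "AWS::IAM::Role", "Replacement": "False",
        "Details": [_prop("Policies"), _prop("AssumeRolePolicyDocument")]}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "ExampleFunction",
        "ResourceType": "AWS::Lambda::Function", "Replacement": "False"}},
]}

if __name__ == "__main__":
    for f in iam_changes(SAMPLE):
        print("REVIEW" if f["needs_review"] else "ok", f["action"], f["id"], f["properties"])
```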

Need Help?

For additional help with settings, please contact us through one of the following methods: