Pinpoint EDA - Migration Assessment CLI

Read-only migration complexity assessment for Amazon Pinpoint end-of-support (October 30, 2026).

Scans all Pinpoint resources across regions and accounts, scores migration complexity, and generates a report with migration target recommendations.

Installation

# With uv (recommended)
uv tool install pinpoint-eda

# Or with pip
pip install pinpoint-eda

Quick Start

# Interactive wizard -- auto-discovers AWS profiles from ~/.aws/
pinpoint-eda

# Direct scan with a profile
pinpoint-eda scan --profile my-profile

# Specific region (skip auto-discovery)
pinpoint-eda scan --profile my-profile --region us-east-1

# Multi-account
pinpoint-eda scan --profile prod --profile staging

# Dry run -- discover apps without scanning
pinpoint-eda scan --profile my-profile --dry-run

# Re-render or export a previous report
pinpoint-eda report ./pinpoint-eda-output/pinpoint-eda-report.json
pinpoint-eda export ./pinpoint-eda-output/pinpoint-eda-report.json

Commands

Scan Options

Complexity Scoring

The tool assigns a heuristic complexity score to each Pinpoint application to help prioritize migration planning. Scores are relative estimates -- they indicate which applications will require more effort compared to others, not how long the migration will take.

Per-Application Resources

Account-Level Resources

Complexity Levels

Disclaimer: These scores are heuristic estimates to help prioritize migration planning. They are not a substitute for a detailed migration plan. Actual effort depends on your team's familiarity with the target AWS services (Amazon Connect, SES, SNS, etc.), the complexity of your business logic, and how tightly your applications are integrated with Pinpoint-specific features like journeys and in-app messaging. Use these scores as a starting point for conversation, not as a commitment.

Output

JSON Report

Every scan produces pinpoint-eda-output/pinpoint-eda-report.json containing:

• Metadata -- tool version, EOL countdown, scan config, duration, API call count
• Complexity assessment -- overall + per-app scores with factors and migration targets
• Full inventory -- every resource organized by account, region, app, and scanner

The console summary includes complexity badges, a scoring guide, per-app tables, and a migration target mapping tree.

CSV Export

pinpoint-eda export ./pinpoint-eda-output/pinpoint-eda-report.json
pinpoint-eda export ./pinpoint-eda-output/pinpoint-eda-report.json -o ./csv-reports

Produces three CSV files:

• applications.csv -- one row per app with complexity scores, levels, and migration notes
• inventory.csv -- one row per app+scanner with resource counts and flattened metadata
• account_resources.csv -- account-level resources (templates, recommenders, SMS/Voice V2) per region

IAM Permissions

This tool is read-only -- it never creates, modifies, or deletes any AWS resources.

Minimum IAM Policy

A ready-to-use policy is provided at iam-policy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PinpointEDASTSIdentity",
      "Effect": "Allow",
      "Action": "sts:GetCallerIdentity",
      "Resource": "*"
    },
    {
      "Sid": "PinpointEDAReadOnly",
      "Effect": "Allow",
      "Action": [
        "mobiletargeting:GetApp",
        "mobiletargeting:GetApps",
        "mobiletargeting:GetApplicationSettings",
        "mobiletargeting:GetApplicationDateRangeKpi",
        "mobiletargeting:GetSegments",
        "mobiletargeting:GetSegmentVersions",
        "mobiletargeting:GetCampaigns",
        "mobiletargeting:GetCampaignVersions",
        "mobiletargeting:ListJourneys",
        "mobiletargeting:GetJourney",
        "mobiletargeting:GetJourneyExecutionMetrics",
        "mobiletargeting:GetEmailChannel",
        "mobiletargeting:GetSmsChannel",
        "mobiletargeting:GetVoiceChannel",
        "mobiletargeting:GetApnsChannel",
        "mobiletargeting:GetApnsSandboxChannel",
        "mobiletargeting:GetApnsVoipChannel",
        "mobiletargeting:GetApnsVoipSandboxChannel",
        "mobiletargeting:GetGcmChannel",
        "mobiletargeting:GetBaiduChannel",
        "mobiletargeting:GetAdmChannel",
        "mobiletargeting:ListTemplates",
        "mobiletargeting:GetEmailTemplate",
        "mobiletargeting:GetSmsTemplate",
        "mobiletargeting:GetPushTemplate",
        "mobiletargeting:GetInAppTemplate",
        "mobiletargeting:GetVoiceTemplate",
        "mobiletargeting:GetEventStream",
        "mobiletargeting:GetImportJobs",
        "mobiletargeting:GetExportJobs",
        "mobiletargeting:GetRecommenderConfigurations",
        "mobiletargeting:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PinpointEDASMSVoiceV2ReadOnly",
      "Effect": "Allow",
      "Action": [
        "sms-voice:DescribePhoneNumbers",
        "sms-voice:DescribePools",
        "sms-voice:DescribeSenderIds",
        "sms-voice:DescribeOptOutLists",
        "sms-voice:DescribeRegistrations",
        "sms-voice:DescribeConfigurationSets",
        "sms-voice:DescribeKeywords"
      ],
      "Resource": "*"
    }
  ]
}

Note: Resource: "*" is required because Amazon Pinpoint does not support resource-level permissions for most read operations. If you skip the SMS Voice V2 scanner (--no-sms-voice-v2), you can omit the PinpointEDASMSVoiceV2ReadOnly statement.

Cross-Account Scanning

To scan a different AWS account, create an IAM role in the target account with the policy above and a trust relationship allowing your source account to assume it.

1. Create the role in the target account

Attach iam-policy.json to a new role (e.g., PinpointEDAReadOnly), then add this trust policy -- replace 111111111111 with your source account ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "pinpoint-eda"
        }
      }
    }
  ]
}

2. Grant sts:AssumeRole in the source account

{
  "Sid": "AllowCrossAccountAssume",
  "Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::222222222222:role/PinpointEDAReadOnly"
}

3. Run the scan

# Single target
pinpoint-eda scan --role-arn arn:aws:iam::222222222222:role/PinpointEDAReadOnly

# With external ID
pinpoint-eda scan \
  --role-arn arn:aws:iam::222222222222:role/PinpointEDAReadOnly \
  --external-id pinpoint-eda

# Use a profile as the base session
pinpoint-eda scan \
  --profile hub-account \
  --role-arn arn:aws:iam::222222222222:role/PinpointEDAReadOnly

# Multiple targets from one base profile
pinpoint-eda scan \
  --profile hub-account \
  --role-arn arn:aws:iam::222222222222:role/PinpointEDAReadOnly \
  --role-arn arn:aws:iam::333333333333:role/PinpointEDAReadOnly

Limitations

• No endpoint data -- the tool does not scan individual endpoints (contacts/users). Endpoint counts can significantly affect migration timelines but are not included in the score.
• Point-in-time snapshot -- the report reflects the state of resources at scan time. Resources may change between scanning and migration.
• KPI data window -- activity detection uses the --kpi-days window (default 90 days). An app with no recent activity may still have active downstream consumers.
• Scores are heuristic -- complexity scores do not account for custom business logic, downstream integrations outside of AWS, or organizational factors like team size and experience.

Development

git clone https://github.com/caylent/pinpoint-eda.git
cd pinpoint-eda
uv sync

uv run pytest              # Run tests
uv run ruff check src/ tests/  # Lint
uv run pinpoint-eda --version  # Run locally

License

MIT