Add bring your own snapshot documentation to configuration-options.md (#9573)

* Add documentation for byos

Signed-off-by: Tanner Lewis <lewijacn@amazon.com>

* Update _migration-assistant/deploying-migration-assistant/configuration-options.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: Tanner Lewis <lewijacn@amazon.com>

* Enhance wording for BYOS

Signed-off-by: Tanner Lewis <lewijacn@amazon.com>

* Apply suggestions from code review

Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

---------

Signed-off-by: Tanner Lewis <lewijacn@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Nathan Bower <nbower@amazon.com>

Author: 3 people

_migration-assistant/deploying-migration-assistant/configuration-options.md

@@ -170,6 +170,50 @@ The `serviceSigningName` can be `es` for an Elasticsearch or OpenSearch domain,
 
 All of these authentication options apply to both source and target clusters.
 
+## Bring-your-own-snapshot options
+
+An existing Amazon Simple Storage Service (Amazon S3) snapshot can alternatively be used to perform [metadata]({{site.url}}{{site.baseurl}}/migration-assistant/migration-phases/migrating-metadata/) and [backfill]({{site.url}}{{site.baseurl}}/migration-assistant/migration-phases/backfill/) migrations instead of using Migration Assistant to create a snapshot:
+
+```json
+    "snapshot": {
+        "snapshotName": "my-snapshot-name",
+        "s3Uri": "s3://my-s3-bucket-name/my-bucket-path-to-snapshot-repo",
+        "s3Region": "us-east-2"
+    }
+```
+{% include copy.html %}
+
+By default, Amazon S3 buckets automatically allow roles in the same AWS account (with the appropriate `s3:*` permissions) to access the S3 bucket, regardless of the bucket's AWS Region. If the external S3 bucket being used is in the same AWS account as the Migration Assistant deployment, no further AWS Identity and Access Management (IAM) configuration is required to access the bucket.
+
+If a custom permission model has been used with Amazon S3, any access control list (ACL) or custom bucket policy should allow the Migration Assistant task roles for RFS and the migration console to read from the S3 bucket.
+
+If the S3 bucket is in a separate AWS account from the Migration Assistant deployment, a custom bucket policy similar to the following will be needed to allow access to Migration Assistant:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowExternalAccountReadAccessToBucket",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
+      },
+      "Action": [
+        "s3:GetObject",
+        "s3:ListBucket",
+        "s3:GetBucketLocation"
+      ],
+      "Resource": [
+        "arn:aws:s3:::my-s3-bucket-name",
+        "arn:aws:s3:::my-s3-bucket-name/*"
+      ]
+    }
+  ]
+}
+```
+{% include copy.html %}
+
 ## Network configuration
 
 The migration tooling expects the source cluster, target cluster, and migration resources to exist in the same VPC. If this is not the case, manual networking setup outside of this documentation is likely required.