AWS Security ChangesHomeSearch

AWS mwaa documentation change

Service: mwaa · 2025-08-28 · Documentation low

File: mwaa/latest/userguide/access-policies.md

Summary

Updated documentation wording from 'see' to 'refer to' in multiple sections related to IAM permissions and Apache Airflow roles. Added reference to using 'aws:SourceVpc' for granular access control.

Security assessment

The changes are primarily stylistic (changing 'see' to 'refer to') and do not introduce new security content or address specific vulnerabilities. The mention of 'aws:SourceVpc' for access control reinforces existing security practices but does not indicate a new security issue or feature.

Diff

diff --git a/mwaa/latest/userguide/access-policies.md b/mwaa/latest/userguide/access-policies.md
index 8b29741e2..41ecf0974 100644
--- a//mwaa/latest/userguide/access-policies.md
+++ b//mwaa/latest/userguide/access-policies.md
@@ -92 +92 @@ Your full console access policy must include permissions to perform `iam:PassRol
-For more information about `iam:PassRole`, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the _IAM User Guide_.
+For more information about `iam:PassRole`, refer to [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the _IAM User Guide_.
@@ -368 +368 @@ A full API access policy must include permissions to perform `iam:PassRole`. Thi
-For more information about `iam:PassRole`, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the _IAM User Guide_.
+For more information about `iam:PassRole`, refer to [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the _IAM User Guide_.
@@ -567 +567 @@ JSON
-A user may need access to the `AmazonMWAAWebServerAccess` permissions policy if they need to access the Apache Airflow UI. It does not allow the user to view environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions. Specify the `Admin`, `Op`, `User`, `Viewer` or the `Public` role in `{airflow-role}` to customize the level of access for the user of the web token. For more information, see [Default Roles](https://airflow.apache.org/docs/apache-airflow/1.10.6/security.html?highlight=ldap#default-roles) in the _Apache Airflow reference guide_.
+A user may need access to the `AmazonMWAAWebServerAccess` permissions policy if they need to access the Apache Airflow UI. It does not allow the user to view environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions. Specify the `Admin`, `Op`, `User`, `Viewer` or the `Public` role in `{airflow-role}` to customize the level of access for the user of the web token. For more information, refer to [Default Roles](https://airflow.apache.org/docs/apache-airflow/1.10.6/security.html?highlight=ldap#default-roles) in the _Apache Airflow reference guide_.
@@ -592 +592 @@ JSON
-  * Amazon MWAA provides IAM integration with the five [default Apache Airflow role-based access control (RBAC) roles](https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html?highlight=roles). For more information on working with custom Apache Airflow roles, see [Tutorial: Restricting an Amazon MWAA user's access to a subset of DAGs](./limit-access-to-dags.html).
+  * Amazon MWAA provides IAM integration with the five [default Apache Airflow role-based access control (RBAC) roles](https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html?highlight=roles). For more information on working with custom Apache Airflow roles, refer to [Tutorial: Restricting an Amazon MWAA user's access to a subset of DAGs](./limit-access-to-dags.html).
@@ -601 +601 @@ JSON
-To access the Apache Airflow REST API, you must grant the `airflow:InvokeRestApi` permission in your IAM policy. In the following policy sample, specify the `Admin`, `Op`, `User`, `Viewer` or the `Public` role in `{airflow-role}` to customize the level of user access. For more information, see [Default Roles](https://airflow.apache.org/docs/apache-airflow/1.10.6/security.html?highlight=ldap#default-roles) in the _Apache Airflow reference guide_.
+To access the Apache Airflow REST API, you must grant the `airflow:InvokeRestApi` permission in your IAM policy. In the following policy sample, specify the `Admin`, `Op`, `User`, `Viewer` or the `Public` role in `{airflow-role}` to customize the level of user access. For more information, refer to [Default Roles](https://airflow.apache.org/docs/apache-airflow/1.10.6/security.html?highlight=ldap#default-roles) in the _Apache Airflow reference guide_.
@@ -627 +627 @@ JSON
-  * While configuring a private web server, the `InvokeRestApi` action cannot be invoked from outside of a Virtual Private Cloud (VPC). You can use the `aws:SourceVpc` key to apply more granular access control for this operation. For more information, see [aws:SourceVpc](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc)
+  * While configuring a private web server, the `InvokeRestApi` action cannot be invoked from outside of a Virtual Private Cloud (VPC). You can use the `aws:SourceVpc` key to apply more granular access control for this operation. For more information, refer to [aws:SourceVpc](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc)