AWS mwaa documentation change
Summary
Rephrased security recommendations for cross-account access mitigation
Security assessment
Simplified sentence structure in existing security guidance about KMS keys and DAG code review. Maintains existing security recommendations without introducing new security features or addressing specific vulnerabilities.
Diff
diff --git a/mwaa/latest/userguide/mwaa-create-role.md b/mwaa/latest/userguide/mwaa-create-role.md index 45809332a..6c8ffd722 100644 --- a//mwaa/latest/userguide/mwaa-create-role.md +++ b//mwaa/latest/userguide/mwaa-create-role.md @@ -62 +62 @@ If you have elected for Amazon MWAA to use an AWS owned KMS key to encrypt your -In order to mitigate the risks associated with cross-account access to resources, we recommend reviewing the code placed in your DAGs to ensure that your workflows are not accessing arbitrary Amazon SQS queues outside your account. Furthermore, you can use a customer-managed KMS key stored in your own account to manage encryption on Amazon MWAA. This limits your environment's execution role to access only the KMS key in your account. +To mitigate the risks associated with cross-account access to resources, we recommend reviewing the code placed in your DAGs to ensure that your workflows are not accessing arbitrary Amazon SQS queues outside your account. Furthermore, you can use a customer-managed KMS key stored in your own account to manage encryption on Amazon MWAA. This limits your environment's execution role to access only the KMS key in your account. @@ -341 +341 @@ JSON -Next, you need to allow Amazon MWAA to assume this role in order to perform actions on your behalf. This can be done by adding `"airflow.amazonaws.com"` and `"airflow-env.amazonaws.com"` service principals to the list of trusted entities for this execution role [using the IAM console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console), or by placing these service principals in the assume role policy document for this execution role through the IAM [create-role](https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html) command using the AWS CLI. Refer to the following sample assume role policy document: +Next, you need to allow Amazon MWAA to assume this role to perform actions on your behalf. This can be done by adding `"airflow.amazonaws.com"` and `"airflow-env.amazonaws.com"` service principals to the list of trusted entities for this execution role [using the IAM console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console), or by placing these service principals in the assume role policy document for this execution role through the IAM [create-role](https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html) command using the AWS CLI. Refer to the following sample assume role policy document: