AWS mwaa documentation change
Summary
Added documentation about VPC endpoint permission validation and recommended IAM policy using aws:CalledVia condition key.
Security assessment
Introduces security best practices for scoping ec2:CreateVpcEndpoint permissions using service-based conditions, enhancing least privilege without addressing specific vulnerabilities.
Diff
diff --git a/mwaa/latest/userguide/mwaa-slr.md b/mwaa/latest/userguide/mwaa-slr.md index 83b562979..c0e7a1eac 100644 --- a//mwaa/latest/userguide/mwaa-slr.md +++ b//mwaa/latest/userguide/mwaa-slr.md @@ -37,0 +38,2 @@ Amazon MWAA uses the service-linked role named `AWSServiceRoleForAmazonMWAA` – +When you create or update an Amazon MWAA environment, Amazon MWAA performs a dry-run validation of the `ec2:CreateVpcEndpoint` permission against your IAM identity. This dry-run does not create any resources. It verifies that your identity has explicit permission to initiate VPC endpoint creation. If the dry-run fails, Amazon MWAA returns an `UnauthorizedOperation` error and the environment creation or update does not proceed. + @@ -165,0 +168,20 @@ You must configure permissions to allow an IAM entity (such as a user, group, or +We recommend scoping the `ec2:CreateVpcEndpoint` permission using the `aws:CalledVia` condition key to restrict the permission to calls made through the Amazon MWAA service: + + + { + "Effect": "Allow", + "Action": "ec2:CreateVpcEndpoint", + "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*", + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": ["airflow.amazonaws.com"] + } + } + } + +With this condition, the permission is only effective when the call originates through the Amazon MWAA service. + +###### Note + +If your security requirements do not allow granting `ec2:CreateVpcEndpoint` to end users, you can use customer-managed endpoints instead. For more information, see [Managing your own Amazon VPC endpoints on Amazon MWAA](./vpc-endpoint-management.html). +