AWS mwaa documentation change
Summary
Updated endpoint creation instructions with explicit steps for NLB/GWLB services and added a note requiring explicit 'Interface' type declaration in infrastructure-as-code tools.
Security assessment
Clarifies operational procedures for VPC endpoint setup but doesn't address security vulnerabilities or introduce new security features. The note prevents misconfiguration but isn't tied to a specific security flaw.
Diff
diff --git a/mwaa/latest/userguide/vpc-endpoint-management.md b/mwaa/latest/userguide/vpc-endpoint-management.md index 35a501df5..61095f90d 100644 --- a//mwaa/latest/userguide/vpc-endpoint-management.md +++ b//mwaa/latest/userguide/vpc-endpoint-management.md @@ -333 +333 @@ The `Owner` account must set up a security group in the `Owner` account to allow - 3. Choose **Endpoints** , then create new endpoints for the environment database and the webserver (if in private mode) using the endpoint service names from the previous steps. Choose the shared Amazon VPC, the subnets you used for the environment, and the environment's security group. + 3. Choose **Endpoints** , then choose **Create endpoint**. Under **Endpoint settings** , select **Endpoint services that use NLBs and GWLBs**. In the **Service name** field, enter the database endpoint service name you noted from the Amazon MWAA console, then choose **Verify service**. Choose the shared Amazon VPC, select the subnets you used for the environment, and select the security group you created in the previous step. Choose **Create endpoint**. If your environment uses a private webserver, repeat these steps using the webserver endpoint service name. @@ -337,0 +338,4 @@ The `Owner` account must set up a security group in the `Owner` account to allow +###### Note + +If you create VPC endpoints using infrastructure as code, set the endpoint type to `Interface` explicitly. The default endpoint type in both AWS CloudFormation and Terraform is `Gateway`, which is not compatible with Amazon MWAA endpoint services. +