Customer managed keys for Data Encryption - Amazon Managed Workflows for Apache Airflow

Customer managed keys for Data Encryption

You can optionally provide a Customer managed key for data encryption on your environment. Charges apply for the storage and use of encryption keys. For more information, see AWS KMS Pricing.

A Customer managed key must be created in the same Region as your Amazon MWAA environment instance and your Amazon S3 bucket where your customer data is stored. If the Customer managed key that you specify is in a different account from the one that you use to configure an environment, you must specify the key using its ARN. For more information about creating keys, see Creating Keys.

What's supported

AWS KMS feature                 Supported
------------------------------  ---------
An AWS KMS key ID or ARN.       Yes
An AWS KMS key alias.           No
An AWS KMS multi-region key.    No
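As an added example (not part of the AWS documentation), the following Python function applies the rules above before a key identifier is handed to an environment: it accepts a key ID or key ARN, rejects aliases and multi-region keys (whose key IDs carry the mrk- prefix), requires an ARN's Region to match the environment's Region, and notes that a cross-account key must be given as an ARN. The regular expressions, the check_mwaa_kms_key name and the sample identifiers are the example's own assumptions.

```python
import re
from typing import NamedTuple, Optional

# Added example (not AWS code). Identifier shapes follow the documented AWS KMS
# formats: single-region key IDs are UUIDs, multi-region key IDs are "mrk-"
# followed by 32 hex digits, and key/alias ARNs end in "key/<id>" or "alias/<name>".
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
MRK = r"mrk-[0-9a-f]{32}"
KEY_ID_RE = re.compile(rf"^(?:{UUID}|{MRK})$")
KEY_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<rtype>key|alias)/(?P<rid>.+)$"
)


class KeyCheck(NamedTuple):
    ok: bool      # True only for a key ID or key ARN usable by the environment
    kind: str     # key-id, key-arn, alias, alias-arn, multi-region, unknown
    reason: str


def check_mwaa_kms_key(value: str, env_region: str, env_account: Optional[str] = None) -> KeyCheck:
    """Apply the page's rules: key ID or ARN only, same Region, ARN for cross-account keys."""
    if value.startswith("alias/"):
        return KeyCheck(False, "alias", "key aliases are not supported; use the key ID or key ARN")
    m = KEY_ARN_RE.match(value)
    if m:
        if m["rtype"] == "alias":
            return KeyCheck(False, "alias-arn", "alias ARNs are not supported; use the key ID or key ARN")
        if m["rid"].startswith("mrk-"):
            return KeyCheck(False, "multi-region", "multi-region keys are not supported")
        if not KEY_ID_RE.match(m["rid"]):
            return KeyCheck(False, "unknown", "ARN does not end in a KMS key ID")
        if m["region"] != env_region:
            return KeyCheck(False, "key-arn",
                            f"key is in {m['region']} but the environment is in {env_region}")
        note = "same-account key ARN"
        if env_account and m["account"] != env_account:
            note = "cross-account key, correctly specified by ARN"
        return KeyCheck(True, "key-arn", note)
    if KEY_ID_RE.match(value):
        if value.startswith("mrk-"):
            return KeyCheck(False, "multi-region", "multi-region keys are not supported")
        # A bare key ID only resolves within the caller's own account and Region,
        # so a key owned by another account has to be passed as an ARN.
        return KeyCheck(True, "key-id", "bare key ID; must belong to the environment's account and Region")
    return KeyCheck(False, "unknown", "not a KMS key ID or ARN")


if __name__ == "__main__":
    # Constructed sample identifiers (account 111122223333 is a placeholder).
    for candidate in (
        "1234abcd-12ab-34cd-56ef-1234567890ab",
        "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "alias/mwaa-data",
        "mrk-1234abcd12ab34cd56ef1234567890ab",
    ):
        print(candidate, "->", check_mwaa_kms_key(candidate, "us-west-2", "444455556666"))
```

The Region comparison only fires for ARNs because a bare key ID carries no Region; a caller that passes a bare ID is trusting that it was created in the environment's Region and account, which is exactly the case the page says to avoid for cross-account keys.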

Using Grants for Encryption

This topic describes the grants Amazon MWAA attaches to a Customer managed key on your behalf for data encryption and decryption.

How it works

AWS KMS supports two resource-based access control mechanisms for a Customer managed key: a key policy and a grant.

A key policy is used when the permissions are mostly static and used in synchronous service mode. A grant is used when more dynamic and granular permissions are required, such as when a service needs to define different access permissions for itself or for other accounts.

Amazon MWAA uses and attaches four grant policies to your Customer managed key. This is due to the granular permissions required for an environment to encrypt data at rest from CloudWatch Logs, the Amazon SQS queue, the Aurora PostgreSQL database, Secrets Manager secrets, the Amazon S3 bucket and DynamoDB tables.

When you create an Amazon MWAA environment and specify a Customer managed key, Amazon MWAA attaches the grant policies to your Customer managed key. These policies allow Amazon MWAA in airflow.{region}.amazonaws.com to use your Customer managed key to encrypt resources on your behalf that are owned by Amazon MWAA.

Additional grants are created and attached to a specified key on your behalf. This includes policies to retire a grant if you delete your environment, to use your Customer managed key for Client-Side Encryption (CSE), and for the ECS Fargate execution role that needs to access secrets protected by your customer managed key in Secrets Manager.

Grant policies

We add the following resource-based policy grants on your behalf to a Customer managed key. These policies allow the grantee and retiring principal (Amazon MWAA) to perform the actions defined in the policy.

Grant 1: For Data Plane Resource Creation

{
  "Name": "mwaa-grant-for-env-mgmt-role-{environment name}",
  "GranteePrincipal": "airflow.{region}.amazonaws.com",
  "RetiringPrincipal": "airflow.{region}.amazonaws.com",
  "Operations": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:CreateGrant",
    "kms:DescribeKey",
    "kms:RetireGrant"
  ]
}

Grant 2: For ControllerLambdaExecutionRole access

{
  "Name": "mwaa-grant-for-lambda-exec-{environment name}",
  "GranteePrincipal": "airflow.{region}.amazonaws.com",
  "RetiringPrincipal": "airflow.{region}.amazonaws.com",
  "Operations": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:RetireGrant"
  ]
}

Grant 3: For CfnManagementLambdaExecutionRole access

{
  "Name": "mwaa-grant-for-cfn-mgmt-{environment name}",
  "GranteePrincipal": "airflow.{region}.amazonaws.com",
  "RetiringPrincipal": "airflow.{region}.amazonaws.com",
  "Operations": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ]
}

Grant 4: For ECS Fargate execution role to access secrets

{
  "Name": "mwaa-fargate-access-for-{environment name}",
  "GranteePrincipal": "airflow.{region}.amazonaws.com",
  "RetiringPrincipal": "airflow.{region}.amazonaws.com",
  "Operations": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:RetireGrant"
  ]
}
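The following Python script is an added example, not part of the AWS documentation: it audits the grants present on a key against the four grants documented above, flagging grants to any principal other than the regional airflow service principal, grants with undocumented names, operations that go beyond a documented grant, and documented grants that are absent. It assumes the input has the shape of the Grants list returned by the KMS ListGrants API (Name, GranteePrincipal, RetiringPrincipal and unprefixed Operations names such as ReEncryptFrom), so in practice you would pass kms.list_grants(KeyId=key_arn)["Grants"] from boto3; the sample grants and the role arn:aws:iam::111122223333:role/ConstructedOtherRole are constructed for the example.

```python
from fnmatch import fnmatchcase

# Added example (not AWS code). Compares the grants on a customer managed key
# with the four grants the page documents for Amazon MWAA. Input grants are
# dicts in the (assumed) shape returned by kms.list_grants: Operations carries
# unprefixed names such as "ReEncryptFrom" rather than the page's "kms:ReEncrypt*".

# Documented operations per grant, kept in the page's "kms:Op*" notation.
DOCUMENTED_GRANTS = {
    "mwaa-grant-for-env-mgmt-role-{env}": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
        "kms:CreateGrant", "kms:DescribeKey", "kms:RetireGrant"],
    "mwaa-grant-for-lambda-exec-{env}": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
        "kms:DescribeKey", "kms:RetireGrant"],
    "mwaa-grant-for-cfn-mgmt-{env}": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
        "kms:DescribeKey"],
    "mwaa-fargate-access-for-{env}": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
        "kms:DescribeKey", "kms:RetireGrant"],
}


def _operation_allowed(op, patterns):
    """Match "Decrypt" or "kms:Decrypt" against patterns such as "kms:ReEncrypt*"."""
    bare = op.split(":", 1)[-1]
    return any(fnmatchcase(bare, p.split(":", 1)[-1]) for p in patterns)


def audit_mwaa_grants(grants, region, env_name):
    """Return findings; an empty list means exactly the documented MWAA grants are present."""
    service = f"airflow.{region}.amazonaws.com"
    expected = {n.format(env=env_name): ops for n, ops in DOCUMENTED_GRANTS.items()}
    findings, seen = [], set()
    for grant in grants:
        name = grant.get("Name", "<unnamed>")
        # Both the grantee and the retiring principal should be the regional MWAA service.
        for field in ("GranteePrincipal", "RetiringPrincipal"):
            if grant.get(field) != service:
                findings.append(f"grant {name!r}: {field} {grant.get(field)!r} is not {service}")
        if name not in expected:
            findings.append(f"grant {name!r}: not one of the documented MWAA grants")
            continue
        seen.add(name)
        for op in grant.get("Operations", []):
            if not _operation_allowed(op, expected[name]):
                findings.append(f"grant {name!r}: operation {op!r} exceeds the documented grant")
    for name in sorted(expected.keys() - seen):
        findings.append(f"documented grant {name!r} is missing")
    return findings


# Constructed sample: the four documented grants for environment "my-env" in
# us-west-2, plus one extra grant to an unrelated (constructed) IAM role.
_AIRFLOW = "airflow.us-west-2.amazonaws.com"
_FULL = ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKey",
         "GenerateDataKeyWithoutPlaintext", "DescribeKey", "RetireGrant"]


def _grant(name, ops, principal=_AIRFLOW):
    return {"Name": name, "GranteePrincipal": principal,
            "RetiringPrincipal": principal, "Operations": ops}


SAMPLE_GRANTS = [
    _grant("mwaa-grant-for-env-mgmt-role-my-env", _FULL + ["CreateGrant"]),
    _grant("mwaa-grant-for-lambda-exec-my-env", _FULL),
    _grant("mwaa-grant-for-cfn-mgmt-my-env", [o for o in _FULL if o != "RetireGrant"]),
    _grant("mwaa-fargate-access-for-my-env", _FULL),
    _grant("backup-tool", ["Decrypt"], "arn:aws:iam::111122223333:role/ConstructedOtherRole"),
]

if __name__ == "__main__":
    for line in audit_mwaa_grants(SAMPLE_GRANTS, "us-west-2", "my-env"):
        print(line)
```

Running it against the sample reports the extra grant three times (grantee, retiring principal, undocumented name) and nothing for the four documented grants; a periodic run of the same check against ListGrants output is a cheap way to notice when a key acquires a grant that the environment did not create.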

Attaching key policies to a customer managed key

If you choose to use your own Customer managed key with Amazon MWAA, you must attach the following policy to the key to allow Amazon MWAA to use it to encrypt your data.

If the Customer managed key you used for your Amazon MWAA environment is not already configured to work with CloudWatch, you must update the key policy to allow for encrypted CloudWatch Logs. For more information, see Encrypt Log Data in CloudWatch Using AWS Key Management Service.

The following example represents a key policy statement for CloudWatch Logs. Substitute your Region for the sample value (us-west-2).

{
  "Effect": "Allow",
  "Principal": {
    "Service": "logs.us-west-2.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*",
  "Condition": {
    "ArnLike": {
      "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-west-2:*:*"
    }
  }
}
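As an added example (not AWS code), the Python below builds the CloudWatch Logs statement above for a given Region and checks an existing key policy document for it: the regional logs service principal must be allowed each of the required KMS actions, and every statement that grants to that principal must carry the kms:EncryptionContext:aws:logs:arn condition scoped to the Region, since without it the key would be usable for log data from any Region. The sample key policy, its placeholder account 111122223333 and the function names are the example's own.

```python
import json
from fnmatch import fnmatchcase

# Added example (not AWS code): validate that a key policy contains the
# CloudWatch Logs statement the page shows, for the Region in use.

# Concrete actions the page's wildcard patterns must cover for Logs to use the key.
REQUIRED_LOGS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]
CONDITION_KEY = "kms:EncryptionContext:aws:logs:arn"


def cloudwatch_logs_statement(region):
    """The page's key policy statement with the Region substituted."""
    return {
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:Describe*"],
        "Resource": "*",
        "Condition": {"ArnLike": {CONDITION_KEY: f"arn:aws:logs:{region}:*:*"}},
    }


def _as_list(value):
    # IAM policy JSON allows a single string where a list is expected.
    return value if isinstance(value, list) else [value]


def _services_of(statement):
    principal = statement.get("Principal", {})
    return _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []


def check_logs_key_policy(policy, region):
    """Return problems with the key policy; an empty list means Logs in `region` is covered."""
    service = f"logs.{region}.amazonaws.com"
    matching = [s for s in _as_list(policy.get("Statement", []))
                if s.get("Effect") == "Allow" and service in _services_of(s)]
    if not matching:
        return [f"no Allow statement for {service}"]
    problems = []
    # Actions may be split across several statements, so check their union.
    allowed = [a for s in matching for a in _as_list(s.get("Action", []))]
    for op in REQUIRED_LOGS_ACTIONS:
        if not any(fnmatchcase(op, pattern) for pattern in allowed):
            problems.append(f"{op} not allowed for {service}")
    # Each statement granting to the Logs principal must be scoped by encryption context.
    for s in matching:
        scope = s.get("Condition", {}).get("ArnLike", {}).get(CONDITION_KEY)
        if not isinstance(scope, str) or not scope.startswith(f"arn:aws:logs:{region}:"):
            problems.append(f"statement for {service} lacks a {CONDITION_KEY} condition scoped to {region}")
    return problems


# Constructed sample key policy: the default account-root statement plus the Logs statement.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "constructed-mwaa-key-policy",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        cloudwatch_logs_statement("us-west-2"),
    ],
}

if __name__ == "__main__":
    print(json.dumps(cloudwatch_logs_statement("us-west-2"), indent=2))
    print(check_logs_key_policy(SAMPLE_KEY_POLICY, "us-west-2"))   # []
    print(check_logs_key_policy(SAMPLE_KEY_POLICY, "us-east-1"))   # no statement for that Region
```

To check a live key, feed the function the parsed output of kms.get_key_policy(KeyId=key_arn, PolicyName="default")["Policy"] (json.loads) with the environment's Region; the same check before an environment is created avoids discovering a missing Logs permission only when log delivery fails.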