Security in your VPC on Amazon MWAA - Amazon Managed Workflows for Apache Airflow

Security in your VPC on Amazon MWAA

This page describes the Amazon VPC components used to secure your Amazon Managed Workflows for Apache Airflow environment and the configurations needed for these components.

Terms

Public routing

An Amazon VPC network that has access to the Internet.

Private routing

An Amazon VPC network without access to the Internet.

Security overview

Security groups and access control lists (ACLs) provide ways to control the network traffic across the subnets and instances in your Amazon VPC using rules you specify.

  • Network traffic to and from a subnet can be controlled by Access Control Lists (ACLs). You only need one ACL, and the same ACL can be used on multiple environments.

  • Network traffic to and from an instance can be controlled by an Amazon VPC security group. You can use between one to five security groups per environment.

  • Network traffic to and from an instance can also be controlled by VPC endpoint policies. If Internet access within your Amazon VPC is not allowed by your organization and you're using an Amazon VPC network with private routing, a VPC endpoint policy is required for the AWS VPC endpoints and Apache Airflow VPC endpoints.

Network access control lists (ACLs)

A network access control list (ACL) can manage (by allow or deny rules) inbound and outbound traffic at the subnet level. An ACL is stateless, which means that inbound and outbound rules must be specified separately and explicitly. It is used to specify the types of network traffic that are allowed in or out from the instances in a VPC network.

Every Amazon VPC has a default ACL that allows all inbound and outbound traffic. You can edit the default ACL rules, or create a custom ACL and attach it to your subnets. A subnet can only have one ACL attached to it at any time, but one ACL can be attached to multiple subnets.

(Recommended) Example ACLs

The following example shows the inbound and outbound ACL rules that can be used for an Amazon VPC with public routing or private routing. Because an ACL is stateless, the same allow rule is needed in both directions; the catch-all `*` deny rule is evaluated last.

| Rule number | Type             | Protocol | Port range | Source    | Allow/Deny |
|-------------|------------------|----------|------------|-----------|------------|
| 100         | All IPv4 traffic | All      | All        | 0.0.0.0/0 | Allow      |
| *           | All IPv4 traffic | All      | All        | 0.0.0.0/0 | Deny       |

VPC security groups

A VPC security group acts as a virtual firewall that controls the network traffic at the instance level. A security group is stateful, which means that when an inbound connection is permitted, the reply traffic is automatically allowed out without a matching outbound rule. It is used to specify the types of network traffic that are allowed in to and out from the instances in a VPC network.

Every Amazon VPC has a default security group. By default, it has no inbound rules. It has an outbound rule that allows all outbound traffic. You can edit the default security group rules, or create a custom security group and attach it to your Amazon VPC. On Amazon MWAA, you need to configure inbound and outbound rules to direct traffic on your NAT gateways.

(Recommended) Example all access self-referencing security group

The following example shows the inbound security group rules that allow all traffic for an Amazon VPC with public routing or private routing. The rule in this example is self-referencing: its source is the security group itself, so only members of the group can reach each other.

| Type        | Protocol | Source type | Source                                      |
|-------------|----------|-------------|---------------------------------------------|
| All traffic | All      | All         | sg-0909e8e81919 / my-mwaa-vpc-security-group |

The following example shows the outbound security group rules.

| Type        | Protocol | Source type | Source    |
|-------------|----------|-------------|-----------|
| All traffic | All      | All         | 0.0.0.0/0 |

(Optional) Example security group that restricts inbound access to port 5432

The following example shows the inbound security group rules that allow TCP traffic on port 5432 to the Amazon Aurora PostgreSQL metadata database (owned by Amazon MWAA) for your environment.

Note

If you choose to restrict traffic using this rule, you'll need to add another rule to allow TCP traffic on port 443.

| Type       | Protocol | Port range | Source type | Source                                      |
|------------|----------|------------|-------------|---------------------------------------------|
| Custom TCP | TCP      | 5432       | Custom      | sg-0909e8e81919 / my-mwaa-vpc-security-group |

(Optional) Example security group that restricts inbound access to port 443

The following example shows the inbound security group rules that allow TCP traffic on port 443 (HTTPS) for the Apache Airflow web server.

| Type  | Protocol | Port range | Source type | Source                                      |
|-------|----------|------------|-------------|---------------------------------------------|
| HTTPS | TCP      | 443        | Custom      | sg-0909e8e81919 / my-mwaa-vpc-security-group |
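The following is an added example, not code from the AWS documentation: a small offline Python check that evaluates a security group's inbound rules (in the `IpPermissions` shape that boto3's `describe_security_groups` returns) against the patterns above, confirming that self-referencing rules exist for the metadata database (5432) and the web server (443) and that neither port is open to 0.0.0.0/0. The sample security group at the bottom is constructed.

```python
"""Offline check of Amazon MWAA security group rules (added example, not AWS code).
Input mirrors the 'IpPermissions' shape boto3's ec2.describe_security_groups()
returns; the sample at the bottom is constructed, not captured from an account."""


def _covers_port(perm, port):
    """True if an IpPermission entry covers TCP `port` (or is the 'All traffic' rule)."""
    if perm.get("IpProtocol") == "-1":  # boto3 encodes "All traffic" as protocol -1
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def allows_from_self(perms, sg_id, port):
    """True if an inbound rule lets members of `sg_id` reach `port` on other members,
    i.e. the self-referencing pattern the page recommends."""
    return any(
        _covers_port(p, port)
        and any(pair.get("GroupId") == sg_id for pair in p.get("UserIdGroupPairs", []))
        for p in perms
    )


def open_to_world(perms, port):
    """Inbound rules exposing `port` to 0.0.0.0/0; none of the page's inbound examples do."""
    return [
        p for p in perms
        if _covers_port(p, port)
        and any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", []))
    ]


def check_mwaa_sg(sg):
    """Return findings for one security group dict (an empty list means it looks right)."""
    findings = []
    sg_id, inbound = sg["GroupId"], sg.get("IpPermissions", [])
    # Both the metadata database (5432) and the web server (443) must be reachable from
    # the group itself; the page's Note says restricting 5432 still needs a 443 rule.
    for port, name in ((5432, "metadata database"), (443, "web server")):
        if not allows_from_self(inbound, sg_id, port):
            findings.append(f"no self-referencing inbound rule for {name} on port {port}")
        if open_to_world(inbound, port):
            findings.append(f"port {port} ({name}) is open to 0.0.0.0/0")
    return findings


# Constructed sample: the page's port-5432 rule applied without the matching 443 rule.
SAMPLE_SG = {"GroupId": "sg-0909e8e81919", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0909e8e81919"}]}]}
```

Running `check_mwaa_sg(SAMPLE_SG)` reports the missing port-443 rule that the Note above warns about.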

VPC endpoint policies (private routing only)

A VPC endpoint (AWS PrivateLink) policy controls access to AWS services from your private subnet. A VPC endpoint policy is an IAM resource policy that you attach to your VPC gateway or interface endpoint. This section describes the permissions needed for the VPC endpoint policies for each VPC endpoint.

We recommend using a VPC interface endpoint policy for each of the VPC endpoints you created that allows full access to all AWS services, and using your execution role exclusively for AWS permissions.

(Recommended) Example VPC endpoint policy to allow all access

The following example shows a VPC interface endpoint policy for an Amazon VPC with private routing.

    {
        "Statement": [
            {
                "Action": "*",
                "Effect": "Allow",
                "Resource": "*",
                "Principal": "*"
            }
        ]
    }

(Recommended) Example Amazon S3 gateway endpoint policy to allow bucket access

The following example shows a VPC gateway endpoint policy that provides access to the Amazon S3 bucket required for Amazon ECR operations for an Amazon VPC with private routing. This access is required for your Amazon ECR image to be retrieved; the policy must additionally cover the bucket where your DAGs and supporting files are stored.

    {
        "Statement": [
            {
                "Sid": "Access-to-specific-bucket-only",
                "Principal": "*",
                "Action": [
                    "s3:GetObject"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::prod-region-starport-layer-bucket/*"
                ]
            }
        ]
    }
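As an added example covering both endpoint policies above (not AWS's code), the following Python evaluates a VPC endpoint policy offline with IAM-style wildcard and Deny-wins semantics and lists the S3 access an environment would still lack. The embedded policy is the gateway endpoint policy from this page; the DAG bucket name and the `s3:ListBucket` requirement are assumptions, and `Condition`/`NotAction`/`NotResource` elements are deliberately not handled.

```python
"""Offline check that a VPC endpoint policy grants the S3 access an MWAA environment
needs (added example, not AWS code). GATEWAY_POLICY is the page's gateway endpoint
policy; the DAG bucket name passed to missing_s3_access() is a constructed placeholder."""
import json
from fnmatch import fnmatchcase

GATEWAY_POLICY = json.loads("""
{ "Statement": [ { "Sid": "Access-to-specific-bucket-only", "Principal": "*",
  "Action": [ "s3:GetObject" ], "Effect": "Allow",
  "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"] } ] }
""")


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """True if an Allow statement matches (action, resource) and no Deny statement does.
    Actions match case-insensitively, resources case-sensitively, both with '*'/'?'
    wildcards. NotAction/NotResource and Condition are not handled here (assumption)."""
    allowed = denied = False
    for st in _as_list(policy.get("Statement", [])):
        if any(k in st for k in ("NotAction", "NotResource", "Condition")):
            raise ValueError(f"statement {st.get('Sid')!r} uses an unsupported element")
        hit = (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action", [])))
               and any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))))
        if hit and st.get("Effect") == "Deny":
            denied = True
        elif hit and st.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


def missing_s3_access(policy, dag_bucket):
    """Return the (action, resource) pairs the environment needs but `policy` denies or
    omits: the ECR layer bucket for image pulls plus the bucket holding the DAGs."""
    required = [
        ("s3:GetObject", "arn:aws:s3:::prod-region-starport-layer-bucket/example-layer"),
        ("s3:GetObject", f"arn:aws:s3:::{dag_bucket}/dags/example_dag.py"),
        # Listing the DAG bucket is assumed here to mirror the execution role's S3 grants.
        ("s3:ListBucket", f"arn:aws:s3:::{dag_bucket}"),
    ]
    return [(a, r) for a, r in required if not policy_allows(policy, a, r)]
```

Run against the page's gateway policy, `missing_s3_access` reports the DAG bucket entries, which is exactly the gap the paragraph above says you must close.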