Security in your VPC on Amazon MWAA
This page describes the Amazon VPC components used to secure your Amazon Managed Workflows for Apache Airflow environment and the configurations needed for these components.
Terms
- Public routing: An Amazon VPC network that has access to the Internet.
- Private routing: An Amazon VPC network without access to the Internet.
Security overview
Security groups and access control lists (ACLs) provide ways to control the network traffic across the subnets and instances in your Amazon VPC using rules you specify.
- Network traffic to and from a subnet can be controlled by Access Control Lists (ACLs). You only need one ACL, and the same ACL can be used on multiple environments.
- Network traffic to and from an instance can be controlled by an Amazon VPC security group. You can use between one and five security groups per environment.
- Network traffic to and from an instance can also be controlled by VPC endpoint policies. If Internet access within your Amazon VPC is not allowed by your organization and you're using an Amazon VPC network with private routing, a VPC endpoint policy is required for the Amazon VPC endpoints and Apache Airflow VPC endpoints.
Network access control lists (ACLs)
A network access control list (ACL) can manage (by allow or deny rules) inbound and outbound traffic at the subnet level. An ACL is stateless, which means that inbound and outbound rules must be specified separately and explicitly. It is used to specify the types of network traffic that are allowed in or out from the instances in a VPC network.
Every Amazon VPC has a default ACL that allows all inbound and outbound traffic. You can edit the default ACL rules, or create a custom ACL and attach it to your subnets. A subnet can only have one ACL attached to it at any time, but one ACL can be attached to multiple subnets.
(Recommended) Example ACLs
The following example shows the inbound and outbound ACL rules that can be used for an Amazon VPC with public routing or private routing.
Rule number | Type | Protocol | Port range | Source | Allow/Deny |
---|---|---|---|---|---|
100 | All IPv4 traffic | All | All | 0.0.0.0/0 | Allow |
* | All IPv4 traffic | All | All | 0.0.0.0/0 | Deny |
VPC security groups
A VPC security group acts as a virtual firewall that controls the network traffic at the instance level. A security group is stateful, which means that when an inbound connection is permitted, the reply traffic is allowed automatically. It is used to specify the types of network traffic that are allowed to and from the instances in a VPC network.
Every Amazon VPC has a default security group. By default, it has no inbound rules. It has an outbound rule that allows all outbound traffic. You can edit the default security group rules, or create a custom security group and attach it to your Amazon VPC. On Amazon MWAA, you need to configure inbound and outbound rules to direct traffic on your NAT gateways.
(Recommended) Example all access self-referencing security group
The following example shows the inbound security group rule that allows all traffic for an Amazon VPC with public routing or private routing. The rule in this example is self-referencing: its source is the security group itself.
Type | Protocol | Source Type | Source |
---|---|---|---|
All traffic | All | All | sg-0909e8e81919 / my-mwaa-vpc-security-group |
The following example shows the outbound security group rules.
Type | Protocol | Source Type | Source |
---|---|---|---|
All traffic | All | All | 0.0.0.0/0 |
(Optional) Example security group that restricts inbound access to port 5432
The following example shows the inbound security group rule that allows TCP traffic on port 5432 for the Amazon Aurora PostgreSQL metadata database (owned by Amazon MWAA) for your environment.
Note: If you choose to restrict traffic using this rule, you'll need to add another rule to allow TCP traffic on port 443.
Type | Protocol | Port range | Source type | Source |
---|---|---|---|---|
Custom TCP | TCP | 5432 | Custom | sg-0909e8e81919 / my-mwaa-vpc-security-group |
(Optional) Example security group that restricts inbound access to port 443
The following example shows the inbound security group rule that allows all TCP traffic on port 443 for the Apache Airflow Web server.
Type | Protocol | Port range | Source type | Source |
---|---|---|---|---|
HTTPS | TCP | 443 | Custom | sg-0909e8e81919 / my-mwaa-vpc-security-group |
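The following is an added example (not AWS code) that models the two filters described above: the stateless network ACL, where the request and the reply each need a matching rule, and the stateful security group, where a self-referencing rule admits traffic from other members of the same group. The worker, outsider and ephemeral-port values are constructed; the security group ID is the sample one from the tables.

```python
import ipaddress

# Constructed model of a stateless network ACL and a stateful security group.
# Illustrative only; this is not how AWS implements either feature.

ANY_PORT = (0, 65535)

def acl_allows(rules, addr, port):
    """rules: list of (rule_number, cidr, (port_lo, port_hi), allow).
    Evaluated in ascending rule-number order; the first match wins.
    The '*' default rule is modelled as the implicit final deny."""
    for _, cidr, (lo, hi), allow in sorted(rules, key=lambda r: r[0]):
        if ipaddress.ip_address(addr) in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return allow
    return False

def acl_flow_allowed(inbound, outbound, peer_addr, service_port, ephemeral_port):
    """Stateless: the inbound request AND the outbound reply must each match a rule."""
    return (acl_allows(inbound, peer_addr, service_port)
            and acl_allows(outbound, peer_addr, ephemeral_port))

def sg_allows(rules, peer, port):
    """rules: list of (protocol, (port_lo, port_hi), source); source is a CIDR or
    an sg-... ID (protocol is kept for readability but not evaluated here).
    peer: {'ip': str, 'sgs': set of security group IDs the peer belongs to}.
    Stateful: only the initiating direction is checked; replies are implicit."""
    for _, (lo, hi), source in rules:
        if not lo <= port <= hi:
            continue
        if source.startswith("sg-"):
            if source in peer["sgs"]:            # self-referencing rule matches
                return True
        elif ipaddress.ip_address(peer["ip"]) in ipaddress.ip_network(source):
            return True
    return False

SG = "sg-0909e8e81919"                           # sample ID from the page
worker = {"ip": "10.0.1.10", "sgs": {SG}}        # constructed environment member
outsider = {"ip": "203.0.113.5", "sgs": set()}   # constructed non-member (RFC 5737)

# Recommended ACL: rule 100 allows everything, the '*' rule denies the rest.
acl_rules = [(100, "0.0.0.0/0", ANY_PORT, True)]
# The three inbound security group rule sets shown on this page.
sg_all_self = [("all", ANY_PORT, SG)]
sg_5432_only = [("tcp", (5432, 5432), SG)]
sg_5432_and_443 = sg_5432_only + [("tcp", (443, 443), SG)]
```

Evaluating `sg_5432_only` against port 443 shows why the note above requires the extra 443 rule, and dropping the outbound ACL rules shows why a stateless ACL needs both directions.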
VPC endpoint policies (private routing only)
A VPC endpoint (Amazon PrivateLink) policy controls access to Amazon services from your private subnet. A VPC endpoint policy is an IAM resource policy that you attach to your VPC gateway or interface endpoint. This section describes the permissions needed for the VPC endpoint policies for each VPC endpoint.
We recommend using a VPC interface endpoint policy for each of the VPC endpoints you created that allows full access to all Amazon services, and using your execution role exclusively for Amazon permissions.
(Recommended) Example VPC endpoint policy to allow all access
The following example shows a VPC interface endpoint policy for an Amazon VPC with private routing.
```json
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
```
(Recommended) Example Amazon S3 gateway endpoint policy to allow bucket access
The following example shows a VPC gateway endpoint policy that provides access to the Amazon S3 buckets required for Amazon ECR operations for an Amazon VPC with private routing. This is required for your Amazon ECR image to be retrieved, in addition to the bucket where your DAGs and supporting files are stored.
```json
{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::prod-region-starport-layer-bucket/*"
      ]
    }
  ]
}
```
Replace region with the AWS Region of your environment.
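The following is an added example (not AWS code) that evaluates the two endpoint policies above with a simplified IAM-style matcher, and builds the S3 gateway policy with the DAG bucket added, since the page's policy alone does not cover the bucket holding your DAGs. The Region value us-east-1 and the bucket name my-mwaa-bucket are assumptions.

```python
import fnmatch
import json

# Constructed simplification of IAM policy evaluation: an explicit Deny wins,
# otherwise any matching Allow grants. Action matching is case-insensitive and
# Action/Resource accept IAM's '*' and '?' wildcards. Principal and Condition
# are not modelled, and a '[' in an ARN would be misread as a glob class.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action, resource):
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def s3_gateway_policy(region, dag_bucket):
    """The page's S3 gateway endpoint policy for a Region, extended with the
    bucket that stores the environment's DAGs and supporting files."""
    return {
        "Statement": [{
            "Sid": "Access-to-specific-bucket-only",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Resource": [
                f"arn:aws:s3:::prod-{region}-starport-layer-bucket/*",
                f"arn:aws:s3:::{dag_bucket}/*",
            ],
        }]
    }

# The page's two policies, with the Region placeholder filled in (assumed us-east-1).
ALLOW_ALL = json.loads(
    '{"Statement":[{"Action":"*","Effect":"Allow","Resource":"*","Principal":"*"}]}')
STARPORT_ONLY = json.loads(
    '{"Statement":[{"Sid":"Access-to-specific-bucket-only","Principal":"*",'
    '"Action":["s3:GetObject"],"Effect":"Allow",'
    '"Resource":["arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*"]}]}')
```

Checking `STARPORT_ONLY` against a DAG object ARN returns False, which is the case the sentence above warns about; `s3_gateway_policy` produces a policy that allows it while still refusing anything other than s3:GetObject.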