Amazon Managed Workflows for Apache Airflow (MWAA)
  1. CNS Policies
  2. AWS Knowledge Base
  3. Amazon Managed Workflows for Apache Airflow (MWAA)

Web Server Public Access

This plugin makes sure that your MWAA-environment does not have public Web access to the Apache Airflow UI.

Risk Level: High

Description: 

This plugin makes sure that your MWAA-environment does not have Public Web access to the Apache Airflow UI. The environment should be set to be available exclusively from the specified VPC to restrict access to Apache Airflow UI.

PingSafe strongly recommends modifying Amazon MWAA environments to set web server access mode to be private only

About the Service :

Amazon Managed Workflows for Apache Airflow (MWAA) is a managed Apache Airflow orchestration service that enables the construction and operation of end-to-end cloud data pipelines. Amazon MWAA enables you to leverage Airflow and Python in order to develop workflows without the necessary scalability, availability, and security management infrastructure. In order to ensure quick, secure access to your data, Amazon MWAA automatically grows its executive capabilities to match your demands and is linked to AWS safety services.

Impact : 

The absence of this plugin will disable us to restrict access to Apache Airflow UI which will, in turn, open up the gate to several vulnerabilities.

Steps to reproduce :

  1. Sign In to your AWS Console.
  2. Navigate to the Amazon Managed Workflows for Apache Airflow (MWAA) dashboard. (https://ap-south-1.console.aws.amazon.com/mwaa/ )
  3. Next, navigate to the Environments of MWAA.
  4. Check the Web server access section under the Networking tab.
  5. If the Web server access is set to Public Network that means that the MWAA-environment has Web access to the Apache Airflow UI.
  6. Repeat steps for other environments too.

Steps for remediation :

  1. Sign In to your AWS Console.
  2. Navigate to the Amazon Managed Workflows for Apache Airflow (MWAA) dashboard. 
    https://ap-south-1.console.aws.amazon.com/mwaa/ 
  3. Next, navigate to the Environments of MWAA.
  4. Check the Web server access section under the Networking tab.
  5. If the Web server access is set to Public Network that means that the MWAA-environment has Web access to the Apache Airflow UI.
  6. Click on the Edit button in the environment to edit the Web Access Server.
  7. In the Specify details tab click Next and then in the Configure advanced settings select Private network and click Next.
  8. In the Review and Save section, click Save.            
  9. Repeat steps for other environments too.

References: