To Nha Notes | June 30, 2022, 8:55 a.m.
Amazon MWAA obtains permission to use the other AWS services in your environment from the execution role. An Amazon MWAA execution role needs permission to the following AWS services used by an environment:
Amazon CloudWatch (CloudWatch) – to send Apache Airflow metrics and logs.
Amazon Simple Storage Service (Amazon S3) – to parse your environment's DAG code and supporting files (such as a requirements.txt).
Amazon Simple Queue Service (Amazon SQS) – to queue your environment's Apache Airflow tasks in an Amazon SQS queue owned by Amazon MWAA.
AWS Key Management Service (AWS KMS) – for your environment's data encryption (using either an AWS owned key or your Customer managed key).
An execution role also needs permission to the following IAM actions:
airflow:PublishMetrics – to allow Amazon MWAA to monitor the health of an environment.
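A quick way to review an execution role policy against the list above, as an added example that is not taken from the AWS documentation: the script reports which of the required services or actions have no Allow statement and which grants are service-wide wildcards. The service-prefix mapping (`cloudwatch` and `logs` for CloudWatch) and the sample policy are assumptions constructed for this example.

```python
import fnmatch

# IAM service prefixes for the services listed above. The mapping is this
# example's assumption: CloudWatch metrics use "cloudwatch", CloudWatch Logs use "logs".
REQUIRED_SERVICES = {"cloudwatch", "logs", "s3", "sqs", "kms"}
REQUIRED_ACTIONS = {"airflow:PublishMetrics"}

def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def audit_execution_policy(policy):
    """Return (missing, overbroad) for an IAM policy document given as a dict."""
    allowed = []
    for stmt in _as_list(policy.get("Statement", [])):
        # Only explicit Allow + Action statements count; NotAction is skipped.
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            allowed.extend(_as_list(stmt["Action"]))
    # "*" or "<service>:*" grants far more than the environment needs.
    overbroad = sorted({a for a in allowed if a == "*" or a.endswith(":*")})
    covered = {a.split(":", 1)[0].lower() for a in allowed if ":" in a}
    if "*" in allowed:
        covered |= REQUIRED_SERVICES
    missing = sorted(REQUIRED_SERVICES - covered)
    for req in sorted(REQUIRED_ACTIONS):
        # IAM action names are case-insensitive and support * and ? wildcards.
        if not any(fnmatch.fnmatchcase(req.lower(), a.lower()) for a in allowed):
            missing.append(req)
    return missing, overbroad

# Constructed sample policy: no KMS Allow (only a Deny) and a wildcard SQS grant.
# Resource scoping is not checked by this example.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "airflow:PublishMetrics", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:PutLogEvents", "cloudwatch:PutMetricData"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    missing, overbroad = audit_execution_policy(SAMPLE_POLICY)
    print("missing:", missing)
    print("over-broad:", overbroad)
```

A service counts as covered when at least one action with its prefix is allowed, so this is a coarse first pass; the specific actions and resource ARNs still need to be compared with the policy in the AWS guide linked below.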
https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-create-role.html#mwaa-create-role-aocmk