AWS
Overview
Note
For feedback, questions, and comments — please open a GitHub Issue.
Please review the Project Support section for important information on support and service terms.
The Security Reference Architecture (SRA) with Terraform provides a prescriptive deployment pattern for Databricks on AWS and AWS GovCloud, designed for highly secure and regulated environments. It captures Databricks security best practices in Terraform templates, allowing organizations to programmatically deploy workspaces and supporting infrastructure with hardened, opinionated defaults.
This architecture emphasizes:
- Secure by Default – Environments are provisioned with restrictive networking, scoped IAM roles, and encryption controls.
- Governance & Compliance – Aligns with industry standards and simplifies audits through consistent, automated configurations.
- Flexibility – Templates can be customized to integrate with existing networking and security controls.
- Point-in-Time Design – Each release reflects security best practices at that time; new releases may not be drop-in replacements.
Architecture Diagram

The AWS implementation of the Security Reference Architecture (SRA) includes:
- Configurable networking patterns (isolated or custom).
- Core AWS components such as VPCs and PrivateLink endpoints, IAM roles, S3 buckets, and KMS keys.
- Core Databricks components including Unity Catalog, system tables, audit log delivery, and network connectivity configurations and network policies for serverless compute.
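As an added illustration of the "secure by default" storage and encryption controls the list above refers to (example code written for this page, not the SRA project's own templates), the fragment below provisions one S3 bucket and a customer-managed KMS key with the hardened settings a practitioner would expect: public access blocked, versioning on, SSE-KMS with a rotating CMK as the default encryption, and a bucket policy that denies any request not made over TLS. The bucket name and resource labels are placeholders, and the SRA's actual resource names, variables, and key policies are assumed to differ.

```hcl
# Added example, not the SRA project's own code. Resource labels and the
# bucket name below are placeholders chosen for this illustration.

# Customer-managed key for workspace storage; rotation is enabled so the
# key material is replaced automatically once a year.
resource "aws_kms_key" "workspace" {
  description             = "CMK for Databricks workspace root storage"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_s3_bucket" "root" {
  bucket = "example-databricks-root-bucket" # placeholder name
}

# Block every form of public access at the bucket level.
resource "aws_s3_bucket_public_access_block" "root" {
  bucket                  = aws_s3_bucket.root.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Versioning protects against accidental or malicious overwrite/delete.
resource "aws_s3_bucket_versioning" "root" {
  bucket = aws_s3_bucket.root.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Default encryption with the CMK above; objects written without an
# explicit SSE header are still encrypted under the customer-managed key.
resource "aws_s3_bucket_server_side_encryption_configuration" "root" {
  bucket = aws_s3_bucket.root.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.workspace.arn
    }
    bucket_key_enabled = true
  }
}

# Deny any S3 request that does not arrive over TLS.
data "aws_iam_policy_document" "root_tls_only" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.root.arn,
      "${aws_s3_bucket.root.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "root" {
  bucket = aws_s3_bucket.root.id
  policy = data.aws_iam_policy_document.root_tls_only.json
}
```

Two checks worth running after `terraform apply`: confirm the public access block with `aws s3api get-public-access-block --bucket <name>`, and confirm that an unencrypted PUT still lands as SSE-KMS by inspecting the object's `ServerSideEncryption` and `SSEKMSKeyId` fields with `aws s3api head-object`. When integrating with an existing environment, the KMS key policy must also grant the Databricks control plane and the workspace's cross-account IAM role the `kms:Encrypt`, `kms:Decrypt`, and `kms:GenerateDataKey*` permissions it needs; that policy is not shown here.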
Next Steps
- Review the Read Before Deploying section for critical considerations.
- Explore the SRA Components Breakdown to understand the included AWS and Databricks resources.
- Follow the Getting Started guide to deploy using Terraform.