A:
- Do not hardcode AWS credentials; use IAM roles or AWS Secrets Manager.
- In Airflow, configure a connection (via AWS connection) or use assume_role or profile_name.
- Ensure minimal S3 permissions: allow only read/write to the specific bucket or prefix.
- Use HTTPS for transfers.
- Optionally enable S3 server-side encryption (SSE) or client-side encryption.
