AWS emr documentation change
Summary
Added IAMConfiguration settings for Runtime Roles, removed redundant IAM role ARN parameter, and updated Trusted Identity Propagation references
Security assessment
Introduces new IAM role configuration options (ApplicationScopedIAMRole, PropagateSourceIdentity) which are security features, but no evidence of addressing a specific security vulnerability. The changes document enhanced identity propagation controls.
Diff
diff --git a/emr/latest/ManagementGuide/emr-idc-start.md index 360bdc882..e9a877f3b 100644 --- a/emr/latest/ManagementGuide/emr-idc-start.md +++ b/emr/latest/ManagementGuide/emr-idc-start.md @@ -105 +105 @@ If the role doesn't have trusted credentials and accesses a Lake Formation-prote -AWS credentials that use trusted identity propagation use the IAM policies defined in the IAM role for any calls made to services not integrated with IAM Identity Center. This includes, for example, the AWS Key Management Service. Your role should also define any IAM permissions for any such services you would attempt to access. Currently supported IAM Identity Center integrated services include AWS Lake Formation and Amazon S3 Access Grants. +AWS credentials that use Trusted Identity Propagation the IAM policies defined in the IAM role for any calls made to services not integrated with IAM Identity Center. This includes, for example, the AWS Key Management Service. Your role should also define any IAM permissions for any such services you would attempt to access. Currently supported IAM Identity Center integrated services include AWS Lake Formation and Amazon S3 Access Grants. @@ -107 +107 @@ AWS credentials that use trusted identity propagation use the IAM policies defin -To learn more about trusted identity propagation, see [Trusted identity propagation across applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation.html). +To learn more about Trusted Identity Propagation, see [Trusted Identity Propagation across applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation.html). @@ -119,2 +119 @@ To launch an EMR cluster with IAM Identity Center integration, use the following - "IdentityCenterInstanceARN": "arn:aws:sso:::instance/ssoins-123xxxxxxxxxx789", - "IAMRoleForEMRIdentityCenterApplicationARN": "arn:aws:iam::123456789012:role/tip-role" + "IdentityCenterInstanceARN": "arn:aws:sso:::instance/ssoins-123xxxxxxxxxx789" @@ -125 +124,7 @@ To launch an EMR cluster with IAM Identity Center integration, use the following - "EnableLakeFormation": true + "AuthorizedSessionTagValue": "Amazon EMR" + }, + "IAMConfiguration": { + "EnableApplicationScopedIAMRole": true, + "ApplicationScopedIAMRoleConfiguration": { + "PropagateSourceIdentity": true + } @@ -149,0 +155,2 @@ To launch an EMR cluster with IAM Identity Center integration, use the following + * `IAMConfiguration` – Enables EMR Runtimes Roles feature to be used in addition to your TIP identity. If you enable this configuration, then you (or the caller AWS Service) will be required to specify an IAM Runtime Role in each call to the EMR Steps or EMR `GetClusterSessionCredentials` APIs. If the EMR cluster is being used with SageMaker Unified Studio, then this option is required if Trusted Identity Propagation is also enabled. +