AWS emr documentation change
Summary
Added IAM permissions section for persistent application UI access with sample policy
Security assessment
Documents required security permissions but doesn't address a specific vulnerability
Diff
diff --git a/emr/latest/ManagementGuide/app-history-spark-UI.md b/emr/latest/ManagementGuide/app-history-spark-UI.md index d253b5cb7..aa62c9968 100644 --- a/emr/latest/ManagementGuide/app-history-spark-UI.md +++ b/emr/latest/ManagementGuide/app-history-spark-UI.md @@ -5 +5 @@ -Logs collection Large Spark event log filesConsiderations and limitations +Logs collection Large Spark event log filesPermissions for viewing persistent application user interfacesConsiderations and limitations @@ -98,0 +99,38 @@ Note that compaction attempts to exclude events with outdated event log files, s +## Permissions for viewing persistent application user interfaces + +The following sample shows the role permissions required for access to persistent application user interfaces. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "elasticmapreduce:CreatePersistentAppUI", + "elasticmapreduce:DescribePersistentAppUI" + ], + "Resource": [ + "arn:aws:elasticmapreduce:region:accountId:cluster/clusterId" + ] + }, + { + "Effect": "Allow", + "Action": [ + "elasticmapreduce:GetPersistentAppUIPresignedURL" + ], + "Resource": [ + "arn:aws:elasticmapreduce:region:accountId:cluster/clusterId", + "arn:aws:elasticmapreduce:region:accountId:persistent-app-ui/*" + ], + "Condition": { + "StringEqualsIfExists": { + "elasticmapreduce:ExecutionRoleArn": [ + "executionRoleArn" + ] + } + } + } + ] + } +