AWS Security ChangesHomeSearch

AWS emr medium security documentation change

Service: emr · 2025-04-11 · Security-related medium

File: emr/latest/ManagementGuide/app-history-spark-UI.md

Summary

Updated IAM permission requirements and added runtime role access restrictions for Spark UI

Security assessment

Added explicit permission requirements and role-based access controls to prevent unauthorized access to Spark jobs

Diff

diff --git a/emr/latest/ManagementGuide/app-history-spark-UI.md b/emr/latest/ManagementGuide/app-history-spark-UI.md
index aa62c9968..bb82dd9f5 100644
--- a//emr/latest/ManagementGuide/app-history-spark-UI.md
+++ b//emr/latest/ManagementGuide/app-history-spark-UI.md
@@ -147 +147,5 @@ One-click access to persistent application user interfaces currently has the fol
-  * To enable one-click access to persistent application user interfaces, you must have permission to the `DescribeCluster` action for Amazon EMR. If you deny an IAM principal's permission to this action, it takes approximately five minutes for the permission change to propagate.
+  * To enable one-click access to persistent application user interfaces, you must have permission to the `CreatePersistentAppUI`, `DescribePersistentAppUI` and `GetPersistentAppUIPresignedURL` actions for Amazon EMR. If you deny an IAM principal's permission to these actions, it takes approximately five minutes for the permission change to propagate.
+
+  * If a cluster is a runtime role enabled cluster, when accessing the Spark History Server from the Persistent App UI, the user will only be able to access a Spark job if the Spark job is submitted by a runtime role.
+
+  * If a cluster is a runtime role enabled cluster, each user can access only an application submitted by the same user identity and runtime role.