AWS emr medium security documentation change
Summary
Updated IAM permission requirements and added runtime role access restrictions for Spark UI
Security assessment
Added explicit permission requirements and role-based access controls to prevent unauthorized access to Spark jobs
Diff
diff --git a/emr/latest/ManagementGuide/app-history-spark-UI.md b/emr/latest/ManagementGuide/app-history-spark-UI.md index aa62c9968..bb82dd9f5 100644 --- a//emr/latest/ManagementGuide/app-history-spark-UI.md +++ b//emr/latest/ManagementGuide/app-history-spark-UI.md @@ -147 +147,5 @@ One-click access to persistent application user interfaces currently has the fol - * To enable one-click access to persistent application user interfaces, you must have permission to the `DescribeCluster` action for Amazon EMR. If you deny an IAM principal's permission to this action, it takes approximately five minutes for the permission change to propagate. + * To enable one-click access to persistent application user interfaces, you must have permission to the `CreatePersistentAppUI`, `DescribePersistentAppUI` and `GetPersistentAppUIPresignedURL` actions for Amazon EMR. If you deny an IAM principal's permission to these actions, it takes approximately five minutes for the permission change to propagate. + + * If a cluster is a runtime role enabled cluster, when accessing the Spark History Server from the Persistent App UI, the user will only be able to access a Spark job if the Spark job is submitted by a runtime role. + + * If a cluster is a runtime role enabled cluster, each user can access only an application submitted by the same user identity and runtime role.