AWS Security ChangesHomeSearch

AWS emr medium security documentation change

Service: emr · 2025-04-25 · Security-related medium

File: emr/latest/ManagementGuide/emr-encryption-support-matrix.md

Summary

Added known issue about insecure HTTP usage in YARN log server URL and provided HTTPS workaround

Security assessment

The change documents a known issue where application logs were exposed over unencrypted HTTP (port 19888), which could lead to information disclosure. The workaround explicitly requires switching to HTTPS (port 19890) to encrypt log traffic, directly addressing a security weakness in transport encryption.

Diff

diff --git a/emr/latest/ManagementGuide/emr-encryption-support-matrix.md b/emr/latest/ManagementGuide/emr-encryption-support-matrix.md
index 385ce589c..4e6fde66a 100644
--- a//emr/latest/ManagementGuide/emr-encryption-support-matrix.md
+++ b//emr/latest/ManagementGuide/emr-encryption-support-matrix.md
@@ -37 +37 @@ YARN NodeManager |  spark.shuffle.service.port1 |  7337 |  Spark AES-based encry
-[ Secure Hadoop RPC](https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html#Data_Encryption_on_RPC) is set to to `privacy` and uses SASL-based in-transit encryption. This requires that Kerberos authentication is enabled in the security configuration. If you don't want in-transit encryption for Hadoop RPC, configure `hadoop.rpc.protection = authentication`. We recommend that you use the default configuration for maximum security.
+[ Secure Hadoop RPC](https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html#Data_Encryption_on_RPC) is set to `privacy` and uses SASL-based in-transit encryption. This requires that Kerberos authentication is enabled in the security configuration. If you don't want in-transit encryption for Hadoop RPC, configure `hadoop.rpc.protection = authentication`. We recommend that you use the default configuration for maximum security.
@@ -64,0 +65,13 @@ NodeManager |  spark.shuffle.service.port2 |  7337 |  Spark AES-based encryption
+**Known issue**
+
+The `yarn.log.server.url` configuration in is currently using HTTP with port 19888, which prevents access to application logs from the Resource Manager UI. **Affects Version:** EMR - 7.3.0 to EMR - 7.8.0.
+
+Use the following workaround:
+
+  1. Modify the `yarn.log.server.url` configuration in `yarn-site.xml` to use the `HTTPS` protocol and port number `19890`.
+
+  2. Restart YARN Resource Manager: `sudo systemctl restart hadoop-yarn-resourcemanager.service`.
+
+
+
+