AWS emr high security documentation change
Summary
Added disclaimer about trusting EMR cluster administrators when granting Lake Formation access, and added EKS administrator responsibilities regarding namespace protection and access restrictions
Security assessment
The changes explicitly address security controls for sensitive resources: 1) Warning about cross-account Lake Formation access risks 2) Mandating Kubernetes RBAC restrictions for System namespace 3) Restricting CREATE permissions on sensitive Kubernetes resources 4) Warning against exposing Spark component logs. These directly mitigate potential privilege escalation and data exposure risks.
Diff
diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-considerations.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-considerations.md index cdacb64ee..d9f0464b9 100644 --- a//emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-considerations.md +++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-considerations.md @@ -4,0 +5,2 @@ +Disclaimer for data administratorsResponsibilities for EKS administrators + @@ -62,0 +65,19 @@ The following are considerations and limitations when using Apache Iceberg: +For more information, see [Understanding Amazon EMR on EKS concepts and terminology](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/emr-eks-concepts.html) and [Enable cluster access for Amazon EMR on EKS](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.html). + +## Disclaimer for data administrators + +###### Note + +When you grant access to Lake Formation resources to an IAM role for EMR on EKS, you must ensure the EMR cluster administrator or operator is a trusted administrator. This is particularly relevant for Lake Formation resources that are shared across multiple organizations and AWS accounts. + +## Responsibilities for EKS administrators + + * The `System` namespace should be protected. No user or resource or entity or tooling would be allowed to have any Kubernetes RBAC permissions on the Kubernetes resources in the `System` namespace. + + * No user or resource or entity except the EMR on EKS service should have access to `CREATE` access to POD, CONFIG_MAP and SECRET in the `User` namespace. + + * `System` drivers and `System` executors contain sensitive data. So, Spark events, Spark driver logs, and Spark executor logs in the `System` namespace should not be forwarded to external log storage systems. + + + +