AWS Security ChangesHomeSearch

AWS emr high security documentation change

Service: emr · 2025-05-10 · Security-related high

File: emr/latest/EMR-Serverless-UserGuide/emr-serverless-lf-enable-considerations.md

Summary

Updated logging security controls - clarified system driver log restrictions, added details about mandatory encrypted log storage, and VPC endpoint policy requirements for S3 access

Security assessment

Explicitly addresses protection of sensitive logs through access restrictions and encryption. The change prevents unauthorized access to system driver logs containing sensitive data and mandates encryption for stored logs. Missing VPC endpoint permissions could lead to logging failures and potential data exposure.

Diff

diff --git a/emr/latest/EMR-Serverless-UserGuide/emr-serverless-lf-enable-considerations.md b/emr/latest/EMR-Serverless-UserGuide/emr-serverless-lf-enable-considerations.md
index 829e0dea3..a37e80eb8 100644
--- a//emr/latest/EMR-Serverless-UserGuide/emr-serverless-lf-enable-considerations.md
+++ b//emr/latest/EMR-Serverless-UserGuide/emr-serverless-lf-enable-considerations.md
@@ -49 +49,5 @@ Amazon EMR Serverless with Lake Formation is available in all supported [EMR Ser
-  * EMR Serverless restricts access to system driver Spark logs on Lake Formation-enabled applications. Since the system driver runs with more access, events and logs that the system driver generates can include sensitive information. To prevent unauthorized users or code from accessing this sensitive data, EMR Serverless disabled access to system driver logs. For troubleshooting, contact AWS support.
+  * EMR Serverless restricts access to system driver Spark logs on Lake Formation-enabled applications. Since the system driver runs with elevated permissions, events and logs that the system driver generates can include sensitive information. To prevent unauthorized users or code from accessing this sensitive data, EMR Serverless disables access to system driver logs.
+
+System profile logs are always persisted in managed storage – this is a mandatory setting that cannot be disabled. These logs are stored securely and encrypted using either a Customer Managed KMS key or an AWS Managed KMS key. 
+
+If your EMR Serverless application is in a private subnet with VPC endpoints for Amazon S3 and you attach an endpoint policy to control access, before your jobs can send log data to AWS Managed Amazon S3, you must include the permissions detailed in [Managed storage](logging.html#jobs-log-storage-managed-storage) in your VPC policy to S3 gateway endpoint. For troubleshooting requests, contact AWS support.