AWS Security ChangesHomeSearch

AWS emr medium security documentation change

Service: emr · 2025-05-10 · Security-related medium

File: emr/latest/EMR-Serverless-UserGuide/logging.md

Summary

Added detailed IAM policy requirements for S3 VPC endpoints to enable managed log storage

Security assessment

Introduces granular permissions (s3:PutObject/PutObjectAcl) with service principal and VPC source conditions. Ensures least-privilege access for log storage while preventing unauthorized S3 operations. Without these policies, logging might fail or be exposed to broader access.

Diff

diff --git a/emr/latest/EMR-Serverless-UserGuide/logging.md b/emr/latest/EMR-Serverless-UserGuide/logging.md
index d5dc0cb52..5b0a4df6c 100644
--- a//emr/latest/EMR-Serverless-UserGuide/logging.md
+++ b//emr/latest/EMR-Serverless-UserGuide/logging.md
@@ -41,0 +42,30 @@ To turn off this option from the AWS CLI, use the `managedPersistenceMonitoringC
+If your EMR Serverless application is in a private subnet with VPC endpoints for Amazon S3 and you attach an endpoint policy to control access, you must add the following permissions for EMR Serverless to store and serve application logs. Replace `Resource` with the `AppInfo` buckets from the available regions table in [Sample policies for private subnets that access Amazon S3](https://docs.aws.amazon.com/emr/latest/ManagementGuide/private-subnet-iampolicy.html#private-subnet-iampolicy-regions).
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "EMRServerlessManagedLogging",
+                "Effect": "Allow",
+                "Principal": "*",
+                "Action": [
+                    "s3:PutObject",
+                    "s3:PutObjectAcl"
+                ],
+                "Resource": [
+                    "arn:aws:s3:::prod.AWS_REGION.appinfo.src",
+                    "arn:aws:s3:::prod.AWS_REGION.appinfo.src/*"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "aws:PrincipalServiceName": "emr-serverless.amazonaws.com",
+                        "aws:SourceVpc": "vpc-XXXX" // Optional
+                    }
+                }
+            }
+        ]
+    }
+
+Additionally, you can use the `aws:SourceVpc` condition key to ensure that the request travels through the VPC that the VPC endpoint is attached to.
+