AWS Security ChangesHomeSearch

AWS emr medium security documentation change

Service: emr · 2025-05-10 · Security-related medium

File: emr/latest/EMR-Serverless-UserGuide/security_iam_troubleshoot.md

Summary

Added troubleshooting guidance for Live UI/Spark history server access issues related to VPC endpoint policies

Security assessment

Addresses security-related misconfigurations that prevent debugging access. The change helps users properly configure VPC endpoint policies to maintain secure logging while enabling authorized troubleshooting access.

Diff

diff --git a/emr/latest/EMR-Serverless-UserGuide/security_iam_troubleshoot.md b/emr/latest/EMR-Serverless-UserGuide/security_iam_troubleshoot.md
index 084919f3b..d65c9c1c5 100644
--- a//emr/latest/EMR-Serverless-UserGuide/security_iam_troubleshoot.md
+++ b//emr/latest/EMR-Serverless-UserGuide/security_iam_troubleshoot.md
@@ -5 +5 @@
-I am not authorized to perform an action in Amazon EMR ServerlessI am not authorized to perform iam:PassRoleI want to allow people outside of my AWS account to access my Amazon EMR Serverless resources
+I am not authorized to perform an action in Amazon EMR ServerlessI am not authorized to perform iam:PassRoleI want to allow people outside of my AWS account to access my Amazon EMR Serverless resourcesI am not able to open Live UI/Spark history server from EMR Studio to debug my job or an API error occurs when I try to get logs using get-dashboard-for-job-run
@@ -18,0 +19,2 @@ Use the following information to help you diagnose and fix common issues that yo
+  * I am not able to open Live UI/Spark history server from EMR Studio to debug my job or an API error occurs when I try to get logs using get-dashboard-for-job-run
+
@@ -66,0 +69,4 @@ To learn more, consult the following:
+## I am not able to open Live UI/Spark history server from EMR Studio to debug my job or an API error occurs when I try to get logs using `get-dashboard-for-job-run`
+
+If you use EMR Serverless managed storage for logging and your EMR Serverless application is in a private subnet with VPC endpoints for Amazon S3 and you attach an endpoint policy to control access, you must add the permissions mentioned in [Logging for EMR Serverless with managed storage](logging.html#jobs-log-storage-managed-storage) in your VPC policy to S3 gateway endpoint for EMR Serverless to store and serve application logs.
+