AWS Security ChangesHomeSearch

AWS emr high security documentation change

Service: emr · 2025-05-10 · Security-related high

File: emr/latest/ManagementGuide/emr-default-ami.md

Summary

Updated documentation to clarify security update behavior across EMR versions, explicitly stating clusters do not automatically receive latest security updates at launch and require recreation. Adjusted version ranges (5.36+/6.6+ instead of 5.x/6.x) and removed outdated AL2023 kernel update details.

Security assessment

The changes correct critical misinformation about automatic security updates. Previous documentation implied security updates were applied at instance boot for 5.x/6.x, while new text explicitly states no updates are installed at launch - a fundamental security behavior change. This addresses risks of clusters running outdated packages if users relied on previous documentation.

Diff

diff --git a/emr/latest/ManagementGuide/emr-default-ami.md b/emr/latest/ManagementGuide/emr-default-ami.md
index d7acc6513..1e216bdbd 100644
--- a//emr/latest/ManagementGuide/emr-default-ami.md
+++ b//emr/latest/ManagementGuide/emr-default-ami.md
@@ -5 +5 @@
-Automatic AL updatesDefault AL versionsConsiderationsBest practices
+Automatic AL updatesDefault AL versionsSoftware update considerationsBest practices
@@ -2960 +2960 @@ Take note of the following default software update behaviors:
-Amazon EMR releases 7.0 and higher run on Amazon Linux 2023 (AL2023). The default behavior for AL2023 is to lock AMIs to a specific version of the Amazon Linux software repository. Therefore, security updates are not applied every time you launch a cluster. Instead, the default behavior for Amazon EMR 7.x releases is to automatically apply the latest AL2023 release for the default Amazon EMR AMI only when you create the cluster. To receive the latest security updates, we recommend that you periodically recreate your cluster.
+Amazon EMR releases 7.0 and higher run on Amazon Linux 2023 (AL2023). Your clusters only contain security updates that were available in the version of AL2023 AMI that you chose when you created them. At launch time, EMR cluster instances will not install the latest security updates from the enabled package repositories. To receive the latest security updates, we recommend that you periodically recreate your cluster. For more information on AL2023, see [Updating Amazon Linux 2023](https://docs.aws.amazon.com/linux/al2023/ug/updating.html) in the _Amazon Linux 2023 User Guide_.
@@ -2962 +2962 @@ Amazon EMR releases 7.0 and higher run on Amazon Linux 2023 (AL2023). The defaul
-**Amazon EMR 5.x and 6.x — Amazon Linux and Amazon Linux 2**
+**Amazon EMR 5.36+ and 6.6+ — Amazon Linux 2**
@@ -2964 +2964 @@ Amazon EMR releases 7.0 and higher run on Amazon Linux 2023 (AL2023). The defaul
-For Amazon EMR releases that are lower than 7.0, when an Amazon EC2 instance boots for the first time in a cluster that is based on the default Amazon Linux (AL) or Amazon Linux 2 (AL2) AMI for Amazon EMR, it checks for software updates that apply to the release version in the enabled package repositories for AL and Amazon EMR. As with other AL and AL2 instances, critical and important security updates from these repositories are automatically installed.
+Amazon EMR releases 5.36 and higher, and 6.6 and higher, run on Amazon Linux 2 (AL2). Your clusters only contain security updates that were available in the version of AL2 AMI that you chose when you created them. At launch time, EMR cluster instances will not install the latest security updates from the enabled package repositories. To receive the latest security updates, we recommend that you periodically recreate your cluster. For more information on AL2, see [Manage software on your AL2 instance](https://docs.aws.amazon.com//linux/al2/ug/managing-software.html) in the _Amazon Linux 2 User Guide_.
@@ -2966,9 +2966 @@ For Amazon EMR releases that are lower than 7.0, when an Amazon EC2 instance boo
-Also note that, in your networking configuration, you must allow HTTP and HTTPS egress to Amazon Linux repositories in Amazon S3. Otherwise, security updates will fail. For more information, see [Amazon Linux - Package repository](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html#package-repository) in the _Amazon EC2 User Guide_. By default, other software packages and kernel updates that require a reboot, including NVIDIA and CUDA, are excluded from the automatic download at first boot.
-
-**Amazon EMR 5.35.0 and lower, and 6.5.0 and lower — Amazon Linux AMI locked to Amazon EMR release version**
-
-For Amazon EMR 5.35.0 and lower, and 6.5.0 and lower, the default AMI is based on the most up-to-date Amazon Linux AMI available at the time of the Amazon EMR release. The AMI is tested for compatibility with the big data applications and Amazon EMR features included with that release version.
-
-Each Amazon EMR 5.35.0 and lower, and 6.5.0 and lower Amazon EMR release version is "locked" to its respective assigned Amazon Linux AMI version to maintain compatibility. For this reason, we recommend that you use the latest Amazon EMR release version, unless you need an lower version for compatibility and are unable to migrate. If you must use an lower release version of Amazon EMR for compatibility, we recommend that you use the latest release in a series. For example, if you must use the 5.12 series, use 5.12.2 instead of 5.12.0 or 5.12.1. If a new release becomes available in a series, consider migrating your applications to the new release. 
-
-For more information on the auto-update behavior introduced with Amazon EMR 5.36.0 and higher and 6.6.0 and higher, see Automatic Amazon Linux updates for Amazon EMR releases.
+**Amazon EMR 3.x, 4.x, 5.0.0 to 5.35.0, and 6.0.0 to 6.5.0 — Amazon Linux AMI locked to Amazon EMR release version**
@@ -2976 +2968 @@ For more information on the auto-update behavior introduced with Amazon EMR 5.36
-**Default boot behavior excludes kernel updates**
+For Amazon EMR releases 3.x, 4.x, 5.0.0 to 5.35.0, and 6.0.0 to 6.5.0, the default AMI is based on the most up-to-date Amazon Linux AMI available at the time of the Amazon EMR release. The AMI is tested for compatibility with the big data applications and Amazon EMR features included in that release version.
@@ -2978,3 +2970 @@ For more information on the auto-update behavior introduced with Amazon EMR 5.36
-When an Amazon EC2 instance in a cluster that is based on the default Amazon Linux AMI for Amazon EMR boots for the first time, it checks the enabled package repositories for Amazon Linux and Amazon EMR for software updates that apply to the AMI version. As with other Amazon EC2 instances, critical and important security updates from these repositories are automatically installed.
-
-However, if you are using an older version of Amazon Linux AMI, the latest security update might not be automatically installed. This is because the repositories that your EMR cluster references are fixed for each version of Amazon Linux AMI.
+When an Amazon EC2 instance boots for the first time in a cluster that is based on the default Amazon Linux (AL) or AL2 AMI for Amazon EMR, it checks for software updates that apply to the release version in the enabled package repositories for AL and Amazon EMR. As with other Amazon EC2 instances that run AL or AL2 AMIs, critical and important security updates from these repositories are automatically installed.
@@ -2986,5 +2976 @@ Also note that, in your networking configuration, you must allow HTTP and HTTPS
-EMR clusters that run AL2023 use the default Amazon Linux behavior, and your Amazon Machine Images (AMIs) are locked to a specific version of the Amazon Linux repository. By default, your clusters won't automatically receive software security updates at launch. Your clusters only contain the updates that were available in the version of AL2023 AMI that you chose when you created your cluster. For more information, see [Updating Amazon Linux 2023](https://docs.aws.amazon.com/linux/al2023/ug/updating.html) in the _Amazon Linux 2023 User Guide_.
-
-###### Important
-
-EMR clusters that run Amazon Linux or Amazon Linux 2 Amazon Machine Images (AMIs) use default Amazon Linux behavior, and do not automatically download and install important and critical kernel updates that require a reboot. This is the same behavior as other Amazon EC2 instances that run the default Amazon Linux AMI. If new Amazon Linux software updates that require a reboot (such as kernel, NVIDIA, and CUDA updates) become available after an Amazon EMR release becomes available, EMR cluster instances that run the default AMI do not automatically download and install those updates. To get kernel updates, you can [customize your Amazon EMR AMI](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-custom-ami.html) to [use the latest Amazon Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html).
+Amazon EMR releases 3.x, 4.x, 5.0.0 to 5.35.0, and 6.0.0 to 6.5.0 use the default Amazon Linux behavior, and do not automatically download and install important and critical kernel updates that require a reboot. This is the same behavior as other Amazon EC2 instances that run the default AL or AL2 AMIs. If new Amazon Linux software updates that require a reboot (such as kernel, NVIDIA, and CUDA updates) become available after an Amazon EMR release becomes available, EMR cluster instances that run the default AMI do not automatically download and install those updates. To get kernel updates, you can use the [latest Amazon Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html) as described in [Using a custom AMI to provide more flexibility for Amazon EMR cluster configuration](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-custom-ami.html).