AWS emr high security documentation change
Summary
Updated EMR release label to 7.9.0 and added detailed KMS key policy configuration requirements for log encryption, including service principal permissions and security best practices
Security assessment
The change adds explicit KMS key policy requirements to allow EMR service principals to perform cryptographic operations, with conditions to restrict usage to specific clusters. This addresses potential misconfiguration risks by enforcing least-privilege access for log encryption. The added security documentation explicitly recommends using encryption context and source ARN conditions to prevent unauthorized key usage.
Diff
diff --git a/emr/latest/ManagementGuide/emr-plan-debugging.md b/emr/latest/ManagementGuide/emr-plan-debugging.md index acfa0201b..b7756fa6b 100644 --- a//emr/latest/ManagementGuide/emr-plan-debugging.md +++ b//emr/latest/ManagementGuide/emr-plan-debugging.md @@ -79 +79 @@ To archive log files to Amazon S3 using the AWS CLI, type the `create-cluster` c - aws emr create-cluster --name "Test cluster" --release-label emr-7.8.0 --log-uri s3://DOC-EXAMPLE-BUCKET/logs --applications Name=Hadoop Name=Hive Name=Pig --use-default-roles --ec2-attributes KeyName=myKey --instance-type m5.xlarge --instance-count 3 + aws emr create-cluster --name "Test cluster" --release-label emr-7.9.0 --log-uri s3://DOC-EXAMPLE-BUCKET/logs --applications Name=Hadoop Name=Hive Name=Pig --use-default-roles --ec2-attributes KeyName=myKey --instance-type m5.xlarge --instance-count 3 @@ -111,0 +112,64 @@ With Amazon EMR version 5.30.0 and later (except Amazon EMR 6.0.0), you can encr + * You must also configure the KMS key to allow the `persistentappui.elasticmapreduce.amazonaws.com` and `elasticmapreduce.amazonaws.com` Service Principals to `kms:GenerateDataKey`, `kms:GenerateDataKeyWithoutPlaintext` and `kms:Decrypt`. This allows EMR to read and write logs encrypted with the KMS key to managed storage. The User IAM Role must have permission to use `kms:GenerateDataKey` and `kms:Decrypt`. + + { + "Sid": "Allow User Role to use KMS key", + "Effect": "Allow", + "Principal": { + "AWS": "User Role" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:EncryptionContext:aws:elasticmapreduce:clusterId": "j-*", + "kms:ViaService": "elasticmapreduce.region.amazonaws.com" + } + } + }, + { + "Sid": "Allow Persistent APP UI to validate KMS key for write", + "Effect": "Allow", + "Principal":{ + "Service": [ + "elasticmapreduce.amazonaws.com" + ] + }, + "Action": [ + "kms:GenerateDataKeyWithoutPlaintext" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:SourceArn": "arn:aws:elasticmapreduce:region:account:cluster/j-*", + "kms:EncryptionContext:aws:elasticmapreduce:clusterId": "j-*" + } + } + }, + { + "Sid": "Allow Persistent APP UI to Write/Read Logs", + "Effect": "Allow", + "Principal":{ + "Service": [ + "persistentappui.elasticmapreduce.amazonaws.com", + "elasticmapreduce.amazonaws.com" + ] + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:SourceArn": "arn:aws:elasticmapreduce:region:account:cluster/j-*", + "kms:EncryptionContext:aws:elasticmapreduce:clusterId": "j-*", + "kms:ViaService": "s3.region.amazonaws.com" + } + } + } + +As a security best practice, we recommend that you add the `kms:EncryptionContext` and `aws:SourceArn` conditions. These conditions help ensure the key is only used by Amazon EMR on EC2 and only used for logs generated from jobs running in a specific cluster. + @@ -141 +205 @@ Type the following command and replace ``myKey`` with the name of your EC2 key p - --release-label emr-7.8.0 \ + --release-label emr-7.9.0 \