AWS emr medium security documentation change
Summary
Added ability to configure Livy session timeout via `ttl` parameter starting in emr-7.8.0 and documentation for disabling LakeFormation fine-grained access control per session
Security assessment
The change introduces configurable session timeouts (preventing prolonged inactive sessions) and explicit controls for LakeFormation access, both of which are security-related features. The `ttl` parameter mitigates resource retention risks, and LakeFormation controls address access management.
Diff
diff --git a/emr/latest/EMR-Serverless-UserGuide/interactive-workloads-livy-endpoints.md b/emr/latest/EMR-Serverless-UserGuide/interactive-workloads-livy-endpoints.md index 2f5252c8a..e823c1ed6 100644 --- a//emr/latest/EMR-Serverless-UserGuide/interactive-workloads-livy-endpoints.md +++ b//emr/latest/EMR-Serverless-UserGuide/interactive-workloads-livy-endpoints.md @@ -349 +349,29 @@ Consider the following considerations when running interactive workloads through - * The default Apache Livy session timeout is 1 hour. If you don't run statements one hour, then Apache Livy deletes the session and releases the driver and executors. You can't change this configuration. + * The default Apache Livy session timeout is 1 hour. If you don't run statements for one hour, then Apache Livy deletes the session and releases the driver and executors. From release emr-7.8.0, this value can be set by specifying the `ttl` parameter as part of Livy `/sessions POST` request, for example, `2h`(hours), `120m`(minutes), `7200s`(seconds), `7200000ms`(milliseconds). + +###### Note + +This configuration cannot be changed prior to emr-7.8.0. The following is a sample of a `POST /sessions` request body. + + { + "kind": "pyspark", + "heartbeatTimeoutInSecond": 60, + "conf": { + "emr-serverless.session.executionRoleArn": "executionRoleArn" + }, + "ttl": "2h" + } + + * Starting with Amazon EMR release emr-7.8.0 for Applications with fine-grained access control via LakeFormation enabled, the setting can be disabled per session. For more information on enabling fine grained access control for an EMR Serverless application, see [Methods for fine-grained access control](emr-serverless-lf-enable.html#emr-serverless-lf-enable-config). + +###### Note + +Lake Formation cannot be enabled for a Session when it has not been enabled for an Application. The following is a sample of a `POST /sessions` request body. + + { + "kind": "pyspark", + "heartbeatTimeoutInSecond": 60, + "conf": { + "emr-serverless.session.executionRoleArn": "executionRoleArn" + }, + "spark.emr-serverless.lakeformation.enabled" : "false" + }