AWS Security ChangesHomeSearch

AWS emr medium security documentation change

Service: emr · 2025-07-04 · Security-related medium

File: emr/latest/EMR-Serverless-UserGuide/interactive-workloads-livy-endpoints.md

Summary

Added ability to configure Livy session timeout via `ttl` parameter starting in emr-7.8.0 and documentation for disabling LakeFormation fine-grained access control per session

Security assessment

The change introduces configurable session timeouts (preventing prolonged inactive sessions) and explicit controls for LakeFormation access, both of which are security-related features. The `ttl` parameter mitigates resource retention risks, and LakeFormation controls address access management.

Diff

diff --git a/emr/latest/EMR-Serverless-UserGuide/interactive-workloads-livy-endpoints.md b/emr/latest/EMR-Serverless-UserGuide/interactive-workloads-livy-endpoints.md
index 2f5252c8a..e823c1ed6 100644
--- a//emr/latest/EMR-Serverless-UserGuide/interactive-workloads-livy-endpoints.md
+++ b//emr/latest/EMR-Serverless-UserGuide/interactive-workloads-livy-endpoints.md
@@ -349 +349,29 @@ Consider the following considerations when running interactive workloads through
-  * The default Apache Livy session timeout is 1 hour. If you don't run statements one hour, then Apache Livy deletes the session and releases the driver and executors. You can't change this configuration.
+  * The default Apache Livy session timeout is 1 hour. If you don't run statements for one hour, then Apache Livy deletes the session and releases the driver and executors. From release emr-7.8.0, this value can be set by specifying the `ttl` parameter as part of Livy `/sessions POST` request, for example, `2h`(hours), `120m`(minutes), `7200s`(seconds), `7200000ms`(milliseconds).
+
+###### Note
+
+This configuration cannot be changed prior to emr-7.8.0. The following is a sample of a `POST /sessions` request body.
+    
+        {    
+        "kind": "pyspark",
+        "heartbeatTimeoutInSecond": 60, 
+        "conf": {
+            "emr-serverless.session.executionRoleArn": "executionRoleArn"
+        },
+        "ttl": "2h"
+    }
+
+  * Starting with Amazon EMR release emr-7.8.0 for Applications with fine-grained access control via LakeFormation enabled, the setting can be disabled per session. For more information on enabling fine grained access control for an EMR Serverless application, see [Methods for fine-grained access control](emr-serverless-lf-enable.html#emr-serverless-lf-enable-config).
+
+###### Note
+
+Lake Formation cannot be enabled for a Session when it has not been enabled for an Application. The following is a sample of a `POST /sessions` request body.
+    
+        {    
+        "kind": "pyspark",
+        "heartbeatTimeoutInSecond": 60, 
+        "conf": {
+            "emr-serverless.session.executionRoleArn": "executionRoleArn"
+        },
+        "spark.emr-serverless.lakeformation.enabled" : "false"
+    }