AWS Security ChangesHomeSearch

AWS emr high security documentation change

Service: emr · 2025-08-10 · Security-related high

File: emr/latest/ManagementGuide/emr-lf-enable.md

Summary

Added examples for TLS certificate configuration using S3 zip files and custom key providers, plus detailed IAM trust policy requirements for runtime roles

Security assessment

Added documentation about TLS certificate configuration and IAM role trust policies directly relates to encryption of data in transit and access control mechanisms. The trust policy modification requiring sts:TagSession and principal restrictions demonstrates security hardening.

Diff

diff --git a/emr/latest/ManagementGuide/emr-lf-enable.md b/emr/latest/ManagementGuide/emr-lf-enable.md
index 34c327d2f..17769a41e 100644
--- a//emr/latest/ManagementGuide/emr-lf-enable.md
+++ b//emr/latest/ManagementGuide/emr-lf-enable.md
@@ -39,0 +40,21 @@ To use a runtime role for your EMR cluster, you must create a security configura
+The example below illustrates how to use a zip file with certificates in Amazon S3 for certificate configuration:
+
+     * A zip file with certificates in Amazon S3 is used as the key provider (see [Providing certificates for encrypting data in transit with Amazon EMR encryption](./emr-encryption-enable.html#emr-encryption-certificates) for certificate requirements.
+    
+                                 "TLSCertificateConfiguration": {
+                                     "CertificateProviderType": "PEM",       
+                                     "S3Object": "s3://MyConfigStore/artifacts/MyCerts.zip"
+                             }                                                                             
+                                     
+
+The example below illustrates how to use a custom key provider for certificate configuration:
+
+     * A custom key provider is used (see [Providing certificates for encrypting data in transit with Amazon EMR encryption](./emr-encryption-enable.html#emr-encryption-certificates) for certificate requirements).
+    
+                                 "TLSCertificateConfiguration": {
+                                     "CertificateProviderType": "Custom",
+                                     "S3Object": "s3://MyConfig/artifacts/MyCerts.jar",
+                                     "CertificateProviderClass": "com.mycompany.MyCertProvider"
+                             }
+                                  
+
@@ -112 +133,18 @@ JSON
-You can now use runtime roles and Lake Formation to apply table and column level permissions. You can also use a source identity to control actions and monitor operations with AWS CloudTrail. For a detailed, end-to-end example, see [Introducing runtime roles for Amazon EMR steps](https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/).
+You can now use runtime roles and Lake Formation to apply table and column level permissions. You can also use a source identity to control actions and monitor operations with AWS CloudTrail.
+
+For each IAM role that you plan to use as a runtime role, set the following trust policy, replacing `EMR_EC2_DefaultRole` with your instance profile role. To modify the trust policy of an IAM role, see [Modifying a role trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html).
+    
+    
+    {
+       "Sid":"AllowAssumeRole",
+       "Effect":"Allow",
+       "Principal":{
+         "AWS":"arn:aws:iam::<AWS_ACCOUNT_ID>:role/EMR_EC2_DefaultRole"
+       },
+       "Action":[
+            "sts:AssumeRole",
+            "sts:TagSession"
+           ]
+     }
+
+For a detailed, end-to-end example, see [Introducing runtime roles for Amazon EMR steps](https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/).