AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2025-08-13 · Documentation low

File: emr/latest/EMR-on-EKS-DevelopmentGuide/creating-job-execution-role.md

Summary

Replaced external workshop link with direct CLI commands and IAM policy examples for job execution roles

Security assessment

Improves clarity for secure IAM role setup but does not indicate a patched vulnerability.

Diff

diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/creating-job-execution-role.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/creating-job-execution-role.md
index db3e80626..3e82872cd 100644
--- a//emr/latest/EMR-on-EKS-DevelopmentGuide/creating-job-execution-role.md
+++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/creating-job-execution-role.md
@@ -11 +11,56 @@ You must also create an IAM policy that specifies the permissions for the job ex
-The following policy for the job execution role allows access to resource targets, Amazon S3, and CloudWatch. These permissions are necessary to monitor jobs and access logs. To follow the same process using the AWS CLI, you can also set up your role using the steps in the [Create IAM Role for job execution](https://www.eksworkshop.com/advanced/430_emr_on_eks/prereqs/#create-iam-role-for-job-execution) section of the Amazon EMR on EKS Workshop.
+The following policy for the job execution role allows access to resource targets, Amazon S3, and CloudWatch. These permissions are necessary to monitor jobs and access logs. To follow the same process using the AWS CLI: 
+
+Create IAM Role for job execution: Let’s create the role that EMR will use for job execution. This is the role, EMR jobs will assume when they run on EKS.
+    
+    
+    cat <<EoF > ~/environment/emr-trust-policy.json
+     {
+       "Version": "2012-10-17",
+       "Statement": [
+         {
+           "Effect": "Allow",
+           "Principal": {
+             "Service": "elasticmapreduce.amazonaws.com"
+           },
+           "Action": "sts:AssumeRole"
+         }
+       ]
+     }
+     EoF
+      
+     aws iam create-role --role-name EMRContainers-JobExecutionRole --assume-role-policy-document file://~/environment/emr-trust-policy.json
+     
+
+Next, we need to attach the required IAM policies to the role so it can write logs to s3 and cloudwatch.
+    
+    
+    cat <<EoF > ~/environment/EMRContainers-JobExecutionRole.json
+     {
+         "Version": "2012-10-17",
+         "Statement": [
+             {
+                 "Effect": "Allow",
+                 "Action": [
+                     "s3:PutObject",
+                     "s3:GetObject",
+                     "s3:ListBucket"
+                 ],
+                 "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
+             },
+             {
+                 "Effect": "Allow",
+                 "Action": [
+                     "logs:PutLogEvents",
+                     "logs:CreateLogStream",
+                   "logs:DescribeLogGroups",
+                     "logs:DescribeLogStreams"
+                 ],
+                 "Resource": [
+                     "arn:aws:logs:*:*:*"
+                 ]
+             }
+         ]
+     } 
+     EoF
+     aws iam put-role-policy --role-name EMRContainers-JobExecutionRole --policy-name EMR-Containers-Job-Execution --policy-document file://~/environment/EMRContainers-JobExecutionRole.json
+