AWS emr documentation change
Summary
Added SIDs to IAM/KMS policy statements, updated KMS encryption context with specific region, and expanded resource syntax to arrays.
Security assessment
Enhances documentation for log encryption policies (security feature), but does not address a specific vulnerability.
Diff
diff --git a/emr/latest/EMR-Serverless-UserGuide/jobs-log-encryption.md b/emr/latest/EMR-Serverless-UserGuide/jobs-log-encryption.md index 791220236..e5e06baf3 100644 --- a//emr/latest/EMR-Serverless-UserGuide/jobs-log-encryption.md +++ b//emr/latest/EMR-Serverless-UserGuide/jobs-log-encryption.md @@ -97 +97,2 @@ JSON - "Statement": { + "Statement": [ + { @@ -103 +104,4 @@ JSON - "Resource": "key-arn" + "Resource": [ + "key-arn" + ], + "Sid": "AllowKMSGeneratedatakey" @@ -104,0 +109 @@ JSON + ] @@ -119 +124,2 @@ JSON - "Statement": { + "Statement": [ + { @@ -123 +129,5 @@ JSON - ] + ], + "Resource": [ + "*" + ], + "Sid": "AllowEMRSERVERLESSGetdashboardforjobrun" @@ -124,0 +135 @@ JSON + ] @@ -165 +176,2 @@ JSON - "Statement": { + "Statement": [ + { @@ -171 +183,4 @@ JSON - "Resource": "key-arn" + "Resource": [ + "key-arn" + ], + "Sid": "AllowKMSGeneratedatakey" @@ -172,0 +188 @@ JSON + ] @@ -189 +205,2 @@ JSON - "Statement": { + "Statement": [ + { @@ -195,2 +212,3 @@ JSON - "arn:aws:logs:AWS Region:111122223333:log-group:my-log-group-name:*" - ] + "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group-name:*" + ], + "Sid": "AllowLOGSAssociatekmskey" @@ -197,0 +216 @@ JSON + ] @@ -213 +232,2 @@ JSON - "Statement": { + "Statement": [ + { @@ -216 +236 @@ JSON - "Service": "logs.AWS Region.amazonaws.com" + "Service": "logs.us-east-1.amazonaws.com" @@ -222 +242,3 @@ JSON - "Resource": "*", + "Resource": [ + "*" + ], @@ -225,2 +247 @@ JSON - "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:AWS Region:111122223333:*" - } + "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:111122223333:*" @@ -227,0 +249,2 @@ JSON + }, + "Sid": "AllowKMSDecrypt" @@ -228,0 +252 @@ JSON + ]