AWS emr documentation change
Summary
Added Sids, explicit resource declarations, and concrete account IDs in assume role policy
Security assessment
Changes improve role assumption documentation by adding explicit source account/ARN conditions and statement IDs. While these enhance security posture through better policy practices, there's no indication of addressing a specific vulnerability.
Diff
diff --git a/emr/latest/ManagementGuide/emr-studio-service-role.md b/emr/latest/ManagementGuide/emr-studio-service-role.md index 43d9f7889..9b40d4cc7 100644 --- a//emr/latest/ManagementGuide/emr-studio-service-role.md +++ b//emr/latest/ManagementGuide/emr-studio-service-role.md @@ -37 +37,3 @@ JSON - "Action": "sts:AssumeRole", + "Action": [ + "sts:AssumeRole" + ], @@ -40 +42 @@ JSON - "aws:SourceAccount": "<account-id>" + "aws:SourceAccount": "111122223333>" @@ -43,2 +45 @@ JSON - "aws:SourceArn": "arn:aws:elasticmapreduce:<region>:<account-id>:*" - } + "aws:SourceArn": "arn:aws:elasticmapreduce:region>:111122223333>:*" @@ -45,0 +47,2 @@ JSON + }, + "Sid": "AllowSTSAssumerole" @@ -94 +97,3 @@ JSON - "Resource": "*" + "Resource": [ + "*" + ] @@ -134 +139,3 @@ JSON - "Resource": "*", + "Resource": [ + "*" + ], @@ -177 +184,3 @@ JSON - "Resource": "arn:aws:ec2:*:*:security-group/*", + "Resource": [ + "arn:aws:ec2:*:*:security-group/*" + ], @@ -222 +231,3 @@ JSON - "Resource": "arn:aws:ec2:*:*:network-interface/*", + "Resource": [ + "arn:aws:ec2:*:*:network-interface/*" + ], @@ -240 +251,3 @@ JSON - "Resource": "*" + "Resource": [ + "*" + ] @@ -248 +261,3 @@ JSON - "Resource": "arn:aws:secretsmanager:*:*:secret:*", + "Resource": [ + "arn:aws:secretsmanager:*:*:secret:*" + ], @@ -266 +281,3 @@ JSON - "Resource": "*" + "Resource": [ + "*" + ] @@ -323 +340,3 @@ JSON - "Resource": ["arn:aws:s3:::bucket-name/*"] + "Resource": [ + "arn:aws:s3:::bucket-name/*" + ] @@ -332 +351,3 @@ JSON - "Resource": ["arn:aws:s3:::bucket-name"] + "Resource": [ + "arn:aws:s3:::bucket-name" + ]