AWS emr medium security documentation change
Summary
Added KMS decrypt policy and refined SecretsManager permissions in IAM example
Security assessment
Introduces explicit KMS decryption permissions required for secure secret handling
Diff
diff --git a/emr/latest/EMR-Serverless-UserGuide/default-configs.md b/emr/latest/EMR-Serverless-UserGuide/default-configs.md index 563fb5ad3..472d924a9 100644 --- a//emr/latest/EMR-Serverless-UserGuide/default-configs.md +++ b//emr/latest/EMR-Serverless-UserGuide/default-configs.md @@ -57 +57,10 @@ JSON - "secretsmanager:DescribeSecret", + "secretsmanager:DescribeSecret" + ], + "Resource": [ + "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-name-123abc" + ] + }, + { + "Sid": "KMSDecryptPolicy", + "Effect": "Allow", + "Action": [ @@ -61 +70 @@ JSON - "arn:aws:secretsmanager:us-east-1:111122223333:secret:my-secret-name-123abc" + "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"