AWS Security ChangesHomeSearch

AWS emr medium security documentation change

Service: emr · 2025-08-25 · Security-related medium

File: emr/latest/EMR-Serverless-UserGuide/default-configs.md

Summary

Added KMS decrypt policy and refined SecretsManager permissions in IAM example

Security assessment

Introduces explicit KMS decryption permissions required for secure secret handling

Diff

diff --git a/emr/latest/EMR-Serverless-UserGuide/default-configs.md b/emr/latest/EMR-Serverless-UserGuide/default-configs.md
index 563fb5ad3..472d924a9 100644
--- a//emr/latest/EMR-Serverless-UserGuide/default-configs.md
+++ b//emr/latest/EMR-Serverless-UserGuide/default-configs.md
@@ -57 +57,10 @@ JSON
-            "secretsmanager:DescribeSecret",
+            "secretsmanager:DescribeSecret"
+          ],
+          "Resource": [
+            "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-name-123abc"
+          ]
+        },
+        {
+          "Sid": "KMSDecryptPolicy",
+          "Effect": "Allow",
+          "Action": [
@@ -61 +70 @@ JSON
-            "arn:aws:secretsmanager:us-east-1:111122223333:secret:my-secret-name-123abc"
+            "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"