AWS emr high security documentation change
Summary
Removed wildcard Principal (*) and updated resource ARNs. Added VPC condition for S3 bucket access.
Security assessment
Removing Principal '*' prevents overly permissive access. Adding VPC conditions enforces network-level security, addressing a potential misconfiguration risk.
Diff
diff --git a/emr/latest/EMR-Serverless-UserGuide/logging.md b/emr/latest/EMR-Serverless-UserGuide/logging.md index 0b8ac17a1..d8137a794 100644 --- a//emr/latest/EMR-Serverless-UserGuide/logging.md +++ b//emr/latest/EMR-Serverless-UserGuide/logging.md @@ -57 +56,0 @@ JSON - "Principal": "*", @@ -63,2 +62,2 @@ JSON - "arn:aws:s3:::prod.AWS_REGION.appinfo.src", - "arn:aws:s3:::prod.AWS_REGION.appinfo.src/*" + "arn:aws:s3:::prod.us-east-1.appinfo.src", + "arn:aws:s3:::prod.us-east-1.appinfo.src/*" @@ -69 +68 @@ JSON - "aws:SourceVpc": "vpc-XXXX" + "aws:SourceVpc": "vpc-12345678" @@ -160 +159 @@ JSON - "arn:aws:logs:us-east-1:111122223333:*" + "arn:aws:logs:*:123456789012:*" @@ -173 +172 @@ JSON - "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group-name:*" + "arn:aws:logs:*:123456789012:log-group:my-log-group-name:*"