AWS emr documentation change
Summary
Replaced Federated Principal with aws:userid condition and updated execution role ARNs.
Security assessment
Policy example updates use more precise conditions but do not address specific security vulnerabilities.
Diff
diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md index 2c20e13dc..88fcc17cf 100644 --- a//emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md +++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md @@ -23,3 +22,0 @@ JSON - "Principal": { - "Federated": "arn:aws:iam::111122223333:oidc-provider/OIDC_PROVIDER" - }, @@ -28,0 +26 @@ JSON + "Resource": "*", @@ -31 +29 @@ JSON - "OIDC_PROVIDER:sub": "system:serviceaccount:NAMESPACE:emr-containers-sa-*-*-AWS_ACCOUNT_ID-BASE36_ENCODED_ROLE_NAME" + "aws:userid": "system:serviceaccount:NAMESPACE:emr-containers-sa-*-*-AWS_ACCOUNT_ID-BASE36_ENCODED_ROLE_NAME" @@ -70 +68 @@ JSON - "arn:aws:emr-containers:us-east-1:AWS_ACCOUNT_ID:/virtualclusters/VIRTUAL_CLUSTER_ID" + "arn:aws:emr-containers:*:*:/virtualclusters/VIRTUAL_CLUSTER_ID" @@ -75,2 +73,2 @@ JSON - "execution_role_arn_1", - "execution_role_arn_2" + "arn:aws:iam::*:role/execution_role_name_1", + "arn:aws:iam::*:role/execution_role_name_2"