AWS emr medium security documentation change
Summary
Removed Principal blocks and added emr:RoleARN conditions for role assumptions.
Security assessment
Replacing explicit Principals with emr:RoleARN conditions enforces role-based access control, addressing potential privilege escalation risks from overly permissive policies.
Diff
diff --git a/emr/latest/ManagementGuide/emr-emrfs-iam-roles.md b/emr/latest/ManagementGuide/emr-emrfs-iam-roles.md index abc2d6174..4a968eea0 100644 --- a//emr/latest/ManagementGuide/emr-emrfs-iam-roles.md +++ b//emr/latest/ManagementGuide/emr-emrfs-iam-roles.md @@ -51,3 +50,0 @@ JSON - "Principal": { - "AWS": "arn:aws:iam::111122223333:role/EMR_EC2_DefaultRole" - }, @@ -56,0 +54 @@ JSON + "Resource": "arn:aws:iam::123456789012:role/EMR_EC2_DefaultRole", @@ -77,6 +74,0 @@ JSON - "Principal": { - "AWS": [ - "arn:aws:iam::111122223333:role/EMRFSRole_First", - "arn:aws:iam::111122223333:role/EMRFSRole_Second" - ] - }, @@ -85,0 +78,4 @@ JSON + "Resource": [ + "arn:aws:iam::123456789012:role/EMRFSRole_First", + "arn:aws:iam::123456789012:role/EMRFSRole_Second" + ],