AWS emr high security documentation change
Summary
Removed Service principal, added explicit resource ARN, and updated conditions to enforce account/ARN validation
Security assessment
Removing the Service principal and adding aws:SourceAccount/aws:SourceArn conditions hardens the policy against confused deputy attacks by enforcing strict caller validation. This directly addresses authorization security controls.
Diff
diff --git a/emr/latest/ManagementGuide/emr-iam-role-automatic-scaling.md b/emr/latest/ManagementGuide/emr-iam-role-automatic-scaling.md index 587dc3b2d..a45c3dfd6 100644 --- a//emr/latest/ManagementGuide/emr-iam-role-automatic-scaling.md +++ b//emr/latest/ManagementGuide/emr-iam-role-automatic-scaling.md @@ -62,3 +61,0 @@ JSON - "Principal": { - "Service": "application-autoscaling.amazonaws.com" - }, @@ -67,0 +65 @@ JSON + "Resource": "arn:aws:iam::123456789012:role/ApplicationAutoScalingEMRRole", @@ -70 +68 @@ JSON - "aws:SourceAccount": "111122223333" + "aws:SourceAccount": "123456789012" @@ -73 +71 @@ JSON - "aws:SourceArn": "arn:aws:application-autoscaling:region:111122223333:scalable-target/*" + "aws:SourceArn": "arn:aws:application-autoscaling:*:123456789012:scalable-target/*"