AWS Security ChangesHomeSearch

AWS emr high security documentation change

Service: emr · 2025-08-25 · Security-related high

File: emr/latest/ManagementGuide/emr-iam-role-automatic-scaling.md

Summary

Removed Service principal, added explicit resource ARN, and updated conditions to enforce account/ARN validation

Security assessment

Removing the Service principal and adding aws:SourceAccount/aws:SourceArn conditions hardens the policy against confused deputy attacks by enforcing strict caller validation. This directly addresses authorization security controls.

Diff

diff --git a/emr/latest/ManagementGuide/emr-iam-role-automatic-scaling.md b/emr/latest/ManagementGuide/emr-iam-role-automatic-scaling.md
index 587dc3b2d..a45c3dfd6 100644
--- a//emr/latest/ManagementGuide/emr-iam-role-automatic-scaling.md
+++ b//emr/latest/ManagementGuide/emr-iam-role-automatic-scaling.md
@@ -62,3 +61,0 @@ JSON
-          "Principal": {
-            "Service": "application-autoscaling.amazonaws.com"
-          },
@@ -67,0 +65 @@ JSON
+          "Resource": "arn:aws:iam::123456789012:role/ApplicationAutoScalingEMRRole",
@@ -70 +68 @@ JSON
-              "aws:SourceAccount": "111122223333"
+              "aws:SourceAccount": "123456789012"
@@ -73 +71 @@ JSON
-              "aws:SourceArn": "arn:aws:application-autoscaling:region:111122223333:scalable-target/*"
+              "aws:SourceArn": "arn:aws:application-autoscaling:*:123456789012:scalable-target/*"