AWS emr high security documentation change
Summary
Updated policy version, removed Service principal, added resource ARN, and expanded resource wildcards
Security assessment
Policy version upgrade to 2012-10-17 enables modern features. Removal of Service principal with added account/ARN validation prevents unauthorized access. Wildcard expansion in resource ARNs follows least-privilege best practices.
Diff
diff --git a/emr/latest/ManagementGuide/emr-iam-role-for-ec2.md b/emr/latest/ManagementGuide/emr-iam-role-for-ec2.md index 8df9f8270..1152cba21 100644 --- a//emr/latest/ManagementGuide/emr-iam-role-for-ec2.md +++ b//emr/latest/ManagementGuide/emr-iam-role-for-ec2.md @@ -107 +107 @@ JSON - "Version": "2008-10-17", + "Version": "2012-10-17", @@ -112,3 +111,0 @@ JSON - "Principal": { - "Service": "ec2.amazonaws.com" - }, @@ -117 +114,2 @@ JSON - ] + ], + "Resource": "arn:aws:iam::123456789012:role/EMR_EC2_DefaultRole" @@ -203 +201 @@ JSON - "arn:aws:dynamodb:us-west-2:111122223333:table/EmrFSMetadata" + "arn:aws:dynamodb:*:123456789012:table/EmrFSMetadata" @@ -229 +227 @@ JSON - "arn:aws:sqs:us-west-2:111122223333:EMRFS-Inconsistency-*" + "arn:aws:sqs:*:123456789012:EMRFS-Inconsistency-*"