AWS emr high security documentation change
Summary
Updated policy version, removed Service principal, and added account/ARN validation conditions
Security assessment
Policy version update and replacement of Service principal with aws:SourceAccount/aws:SourceArn conditions strengthen authorization controls, reducing risk of service-based privilege escalation.
Diff
diff --git a/emr/latest/ManagementGuide/emr-iam-role.md b/emr/latest/ManagementGuide/emr-iam-role.md index bfc8b2047..978a57456 100644 --- a//emr/latest/ManagementGuide/emr-iam-role.md +++ b//emr/latest/ManagementGuide/emr-iam-role.md @@ -458 +458 @@ JSON - "Version": "2008-10-17", + "Version": "2012-10-17", @@ -463,3 +462,0 @@ JSON - "Principal": { - "Service": "elasticmapreduce.amazonaws.com" - }, @@ -468,0 +466 @@ JSON + "Resource": "arn:aws:iam::123456789012:role/EMRServiceRole", @@ -471 +469 @@ JSON - "aws:SourceAccount": "111122223333" + "aws:SourceAccount": "123456789012" @@ -474 +472 @@ JSON - "aws:SourceArn": "arn:aws:elasticmapreduce:region>:111122223333:*" + "aws:SourceArn": "arn:aws:elasticmapreduce:*:123456789012:*"