AWS emr high security documentation change
Summary
Removed explicit principals and restricted KMS key policy to account-specific ARNs
Security assessment
Tightened KMS key policy by removing broad principal access and scoping resources to the account, reducing potential privilege escalation risks.
Diff
diff --git a/emr/latest/ManagementGuide/encryption-at-rest-kms.md b/emr/latest/ManagementGuide/encryption-at-rest-kms.md index 2bde8ccf4..0ecda60bd 100644 --- a//emr/latest/ManagementGuide/encryption-at-rest-kms.md +++ b//emr/latest/ManagementGuide/encryption-at-rest-kms.md @@ -81,8 +80,0 @@ JSON - "Principal": { - "AWS": [ - "arn:aws:iam::111122223333:role/EMR_EC2_DefaultRole" - ], - "Service": [ - "emrwal.amazonaws.com" - ] - }, @@ -94 +86 @@ JSON - "*" + "arn:aws:kms:*:123456789012:key/*"