AWS Security ChangesHomeSearch

AWS emr medium security documentation change

Service: emr · 2025-10-13 · Security-related medium

File: emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md

Summary

Fixed boolean values in Spark configuration example and added requirement to use user-defined roles for Lake Formation.

Security assessment

The added requirement to avoid service-linked roles addresses a potential misconfiguration that could lead to excessive permissions (violating least privilege). This directly relates to access control security best practices.

Diff

diff --git a/emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md b/emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md
index 46e92cd3a..6049ffa0b 100644
--- a//emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md
+++ b//emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md
@@ -199,2 +199,2 @@ For Iceberg tables
-            "spark.sql.catalog.spark_catalog.glue.lakeformation-enabled": true,
-            "spark.sql.catalog.dropDirectoryBeforeTable.enabled": true, 
+            "spark.sql.catalog.spark_catalog.glue.lakeformation-enabled": "true",
+            "spark.sql.catalog.dropDirectoryBeforeTable.enabled": "true", 
@@ -293,0 +294,2 @@ Operations not listed above will continue to use IAM permissions to access table
+  * You must use user defined role and not a service-linked role:[Lake Formation requirements for roles](https://docs.aws.amazon.com/lake-formation/latest/dg/registration-role.html).
+