AWS emr medium security documentation change
Summary
Fixed boolean values in Spark configuration example and added requirement to use user-defined roles for Lake Formation.
Security assessment
The added requirement to avoid service-linked roles addresses a potential misconfiguration that could lead to excessive permissions (violating least privilege). This directly relates to access control security best practices.
Diff
diff --git a/emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md b/emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md index 46e92cd3a..6049ffa0b 100644 --- a//emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md +++ b//emr/latest/EMR-Serverless-UserGuide/lake-formation-unfiltered-access.md @@ -199,2 +199,2 @@ For Iceberg tables - "spark.sql.catalog.spark_catalog.glue.lakeformation-enabled": true, - "spark.sql.catalog.dropDirectoryBeforeTable.enabled": true, + "spark.sql.catalog.spark_catalog.glue.lakeformation-enabled": "true", + "spark.sql.catalog.dropDirectoryBeforeTable.enabled": "true", @@ -293,0 +294,2 @@ Operations not listed above will continue to use IAM permissions to access table + * You must use user defined role and not a service-linked role:[Lake Formation requirements for roles](https://docs.aws.amazon.com/lake-formation/latest/dg/registration-role.html). +