AWS emr documentation change
Summary
Updated link references from 'see' to 'refer to', and changed recommendation wording from 'recommend' to 'suggest' for S3 bucket access policies.
Security assessment
Changes emphasize existing security best practices (least privilege for S3 access) but do not introduce new security features or address specific vulnerabilities. The core security guidance remains unchanged.
Diff
diff --git a/emr/latest/EMR-Serverless-UserGuide/security-iam-runtime-role.md b/emr/latest/EMR-Serverless-UserGuide/security-iam-runtime-role.md index 4db659051..72c91b786 100644 --- a//emr/latest/EMR-Serverless-UserGuide/security-iam-runtime-role.md +++ b//emr/latest/EMR-Serverless-UserGuide/security-iam-runtime-role.md @@ -9 +9 @@ Console settings and underlying managed permission policies -You can specify IAM role permissions that a EMR Serverless job run can assume when calling other services on your behalf. This includes access to Amazon S3 for any data sources, targets, as well as other AWS resources like Amazon Redshift clusters and DynamoDB tables. To learn more about how to create a role, see [Create a job runtime role](./getting-started.html#gs-runtime-role). +You can specify IAM role permissions that a EMR Serverless job run can assume when calling other services on your behalf. This includes access to Amazon S3 for any data sources, targets, as well as other AWS resources like Amazon Redshift clusters and DynamoDB tables. To learn more about how to create a role, refer to [Create a job runtime role](./getting-started.html#gs-runtime-role). @@ -90 +90 @@ JSON -You can attach IAM permissions policies to the a user’s role to allow the user to pass only approved roles. This allows administrators to control which users can pass specific job runtime roles to EMR Serverless jobs. To learn more about setting permissions, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html). +You can attach IAM permissions policies to the a user’s role to allow the user to pass only approved roles. This allows administrators to control which users can pass specific job runtime roles to EMR Serverless jobs. To learn more about setting permissions, refer to [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html). @@ -119 +119 @@ When you submit job runs to EMR serverless through the EMR Studio console, there -We recommend adding specific buckets. If you choose all buckets, keep in mind that it sets full access for all buckets. +We suggest adding specific buckets. If you choose all buckets, keep in mind that it sets full access for all buckets.