AWS emr documentation change
Summary
Updated IAM trust policy examples to include Principal and Condition blocks, and restructured the policy statements
Security assessment
The change improves IAM policy examples by adding explicit Principal (Service) and Condition (aws:SourceAccount) blocks, which are security best practices for limiting trust. However, there is no evidence this addresses a specific security vulnerability.
Diff
diff --git a/emr/latest/EMR-Serverless-UserGuide/getting-started.md b/emr/latest/EMR-Serverless-UserGuide/getting-started.md index d295cb4af..f34d2b47b 100644 --- a//emr/latest/EMR-Serverless-UserGuide/getting-started.md +++ b//emr/latest/EMR-Serverless-UserGuide/getting-started.md @@ -147,0 +148 @@ JSON + "Sid": "AllowSTSAssumerole", @@ -149,5 +150,9 @@ JSON - "Action": [ - "sts:AssumeRole" - ], - "Resource": "arn:aws:iam::123456789012:role/EMRServerlessExecutionRole", - "Sid": "AllowSTSAssumerole" + "Principal": { + "Service": "emr-serverless.amazonaws.com" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "123456789012" + } + } @@ -184,3 +188,0 @@ JSON - "Action": [ - "sts:AssumeRole" - ], @@ -188 +190,9 @@ JSON - "Resource": "arn:aws:iam::123456789012:role/EMRServerlessExecutionRole" + "Principal": { + "Service": "emr-serverless.amazonaws.com" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "123456789012" + } + }