AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2026-04-25 · Documentation medium

File: emr/latest/EMR-Serverless-UserGuide/getting-started.md

Summary

Updated IAM trust policy examples to include Principal and Condition blocks, and restructured the policy statements

Security assessment

The change improves IAM policy examples by adding explicit Principal (Service) and Condition (aws:SourceAccount) blocks, which are security best practices for limiting trust. However, there is no evidence this addresses a specific security vulnerability.

Diff

diff --git a/emr/latest/EMR-Serverless-UserGuide/getting-started.md b/emr/latest/EMR-Serverless-UserGuide/getting-started.md
index d295cb4af..f34d2b47b 100644
--- a//emr/latest/EMR-Serverless-UserGuide/getting-started.md
+++ b//emr/latest/EMR-Serverless-UserGuide/getting-started.md
@@ -147,0 +148 @@ JSON
+          "Sid": "AllowSTSAssumerole",
@@ -149,5 +150,9 @@ JSON
-          "Action": [
-            "sts:AssumeRole"
-          ],
-          "Resource": "arn:aws:iam::123456789012:role/EMRServerlessExecutionRole",
-          "Sid": "AllowSTSAssumerole"
+          "Principal": {
+            "Service": "emr-serverless.amazonaws.com"
+          },
+          "Action": "sts:AssumeRole",
+          "Condition": {
+            "StringEquals": {
+              "aws:SourceAccount": "123456789012"
+            }
+          }
@@ -184,3 +188,0 @@ JSON
-          "Action": [
-            "sts:AssumeRole"
-          ],
@@ -188 +190,9 @@ JSON
-          "Resource": "arn:aws:iam::123456789012:role/EMRServerlessExecutionRole"
+          "Principal": {
+            "Service": "emr-serverless.amazonaws.com"
+          },
+          "Action": "sts:AssumeRole",
+          "Condition": {
+            "StringEquals": {
+              "aws:SourceAccount": "123456789012"
+            }
+          }