AWS emr documentation change
Summary
Updated IAM OIDC trust policy to use correct condition keys (OIDC_PROVIDER:aud, OIDC_PROVIDER:sub) and added Principal block
Security assessment
The change corrects the IAM OIDC trust policy by replacing aws:userid with OIDC_PROVIDER:sub and adding OIDC_PROVIDER:aud condition, which are security best practices for OIDC federation. This improves security but does not indicate a specific vulnerability.
Diff
diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md index e93270fbf..5365258c2 100644 --- a//emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md +++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md @@ -25,4 +25,4 @@ JSON - "Action": [ - "sts:AssumeRoleWithWebIdentity" - ], - "Resource": "*", + "Principal": { + "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER" + }, + "Action": "sts:AssumeRoleWithWebIdentity", @@ -29,0 +30,3 @@ JSON + "StringEquals": { + "OIDC_PROVIDER:aud": "sts.amazonaws.com" + }, @@ -31 +34,2 @@ JSON - "aws:userid": "system:serviceaccount:NAMESPACE:emr-containers-sa-*-*-AWS_ACCOUNT_ID-BASE36_ENCODED_ROLE_NAME" + "OIDC_PROVIDER:sub": "system:serviceaccount:NAMESPACE:emr-containers-sa-*-*-AWS_ACCOUNT_ID-BASE36_ENCODED_ROLE_NAME" + } @@ -33,2 +36,0 @@ JSON - }, - "Sid": "AllowSTSAssumerolewithwebidentity"