AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2026-04-25 · Documentation medium

File: emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md

Summary

Updated IAM OIDC trust policy to use correct condition keys (OIDC_PROVIDER:aud, OIDC_PROVIDER:sub) and added Principal block

Security assessment

The change corrects the IAM OIDC trust policy by replacing aws:userid with OIDC_PROVIDER:sub and adding OIDC_PROVIDER:aud condition, which are security best practices for OIDC federation. This improves security but does not indicate a specific vulnerability.

Diff

diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md
index e93270fbf..5365258c2 100644
--- a//emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md
+++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/iam-execution-role.md
@@ -25,4 +25,4 @@ JSON
-          "Action": [
-            "sts:AssumeRoleWithWebIdentity"
-          ],
-          "Resource": "*",
+          "Principal": {
+            "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER"
+          },
+          "Action": "sts:AssumeRoleWithWebIdentity",
@@ -29,0 +30,3 @@ JSON
+            "StringEquals": {
+              "OIDC_PROVIDER:aud": "sts.amazonaws.com"
+            },
@@ -31 +34,2 @@ JSON
-              "aws:userid": "system:serviceaccount:NAMESPACE:emr-containers-sa-*-*-AWS_ACCOUNT_ID-BASE36_ENCODED_ROLE_NAME"
+              "OIDC_PROVIDER:sub": "system:serviceaccount:NAMESPACE:emr-containers-sa-*-*-AWS_ACCOUNT_ID-BASE36_ENCODED_ROLE_NAME"
+            }
@@ -33,2 +36,0 @@ JSON
-          },
-          "Sid": "AllowSTSAssumerolewithwebidentity"