AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2026-04-25 · Documentation medium

File: emr/latest/EMR-on-EKS-DevelopmentGuide/jobruns-flink-kubernetes-operator-setup.md

Summary

Updated IAM OIDC trust policy to use correct condition keys (OIDC_PROVIDER:aud, OIDC_PROVIDER:sub) and added Principal block

Security assessment

The change corrects the IAM OIDC trust policy by replacing aws:userid with OIDC_PROVIDER:sub and adding OIDC_PROVIDER:aud condition, aligning with OIDC security best practices. No evidence of a specific security issue.

Diff

diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/jobruns-flink-kubernetes-operator-setup.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/jobruns-flink-kubernetes-operator-setup.md
index 2d0ab4f2e..58f7c1679 100644
--- a//emr/latest/EMR-on-EKS-DevelopmentGuide/jobruns-flink-kubernetes-operator-setup.md
+++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/jobruns-flink-kubernetes-operator-setup.md
@@ -42,6 +42,4 @@ JSON
-          "Action": [
-            "sts:AssumeRoleWithWebIdentity"
-          ],
-          "Resource": [
-            "*"
-          ],
+          "Principal": {
+            "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER"
+          },
+          "Action": "sts:AssumeRoleWithWebIdentity",
@@ -49,2 +47,4 @@ JSON
-            "StringLike": {
-              "aws:userid": "system:serviceaccount:emr:emr-containers-sa-flink-operator"
+            "StringEquals": {
+              "OIDC_PROVIDER:aud": "sts.amazonaws.com",
+              "OIDC_PROVIDER:sub": "system:serviceaccount:emr:emr-containers-sa-flink-operator"
+            }
@@ -52,2 +51,0 @@ JSON
-          },
-          "Sid": "AllowSTSAssumerolewithwebidentity"