AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2026-04-25 · Documentation medium

File: emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.md

Summary

Updated IAM trust policy examples to include Principal blocks and removed wildcard Resources

Security assessment

The change adds Principal (AWS) blocks and removes wildcard Resources in IAM policy examples, which are security improvements for least privilege. However, there is no evidence of a specific security vulnerability being addressed.

Diff

diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.md
index cf42db98d..097151da7 100644
--- a//emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.md
+++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.md
@@ -238,0 +239,3 @@ JSON
+          "Principal": {
+            "AWS": "arn:aws:iam::123456789012:role/QueryExecutionRole"
+          },
@@ -243,3 +245,0 @@ JSON
-          "Resource": [
-            "arn:aws:iam::*:role/QueryExecutionRole"
-          ],
@@ -255,6 +255,4 @@ JSON
-          "Action": [
-            "sts:AssumeRole"
-          ],
-          "Resource": [
-            "arn:aws:iam::*:role/QueryEngineRole"
-          ]
+          "Principal": {
+            "AWS": "arn:aws:iam::123456789012:role/QueryEngineRole"
+          },
+          "Action": "sts:AssumeRole"