AWS emr documentation change
Summary
Updated IAM trust policy examples to include Principal blocks and removed wildcard Resources
Security assessment
The change adds Principal (AWS) blocks and removes wildcard Resources in IAM policy examples, which are security improvements for least privilege. However, there is no evidence of a specific security vulnerability being addressed.
Diff
diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.md index cf42db98d..097151da7 100644 --- a//emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.md +++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/security_iam_fgac-lf-enable.md @@ -238,0 +239,3 @@ JSON + "Principal": { + "AWS": "arn:aws:iam::123456789012:role/QueryExecutionRole" + }, @@ -243,3 +245,0 @@ JSON - "Resource": [ - "arn:aws:iam::*:role/QueryExecutionRole" - ], @@ -255,6 +255,4 @@ JSON - "Action": [ - "sts:AssumeRole" - ], - "Resource": [ - "arn:aws:iam::*:role/QueryEngineRole" - ] + "Principal": { + "AWS": "arn:aws:iam::123456789012:role/QueryEngineRole" + }, + "Action": "sts:AssumeRole"