AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2026-05-16 · Documentation low

File: emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md

Summary

Added documentation about upcoming IAM permissions change (effective May 29, 2026) where SMUS MCP server will use new condition keys instead of specific permissions

Security assessment

The change documents future IAM policy modifications and new condition keys (aws:ViaAWSMCPService, aws:CalledViaAWSMCP) for authorization, which improves security posture but doesn't fix an existing vulnerability

Diff

diff --git a/emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md b/emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md
index 4831d4b20..f5573fa42 100644
--- a//emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md
+++ b//emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md
@@ -7 +7 @@
-IAM Role Setup for MCP ServerAdditional Permissions by Deployment Mode (EMR-EC2/EMR-S/Glue)
+IAM Role Setup for MCP ServerAdditional Permissions by Deployment Mode (EMR-EC2/EMR-S/Glue)Upcoming permissions change (May 29, 2026)
@@ -14,0 +15,4 @@ The CloudFormation stack in Setup Instructions automates the IAM role setup for
+###### Upcoming change effective May 29, 2026
+
+The `sagemaker-unified-studio-mcp` permissions shown below will no longer be required after May 29, 2026. Authorization will instead occur at the AWS service level using your existing IAM policies. If you use these permissions to deny access, see Upcoming permissions change (May 29, 2026) to update your policies before that date.
+
@@ -226,0 +231,45 @@ If the CloudWatch Logs are encrypted with a CMK, add the following policy so the
+## Upcoming permissions change (May 29, 2026)
+
+Starting May 29, 2026, the AWS SMUS MCP server will no longer require separate IAM permissions to authorize MCP server operations. Instead, authorization will occur at the AWS service level using your existing IAM roles and policies.
+
+Two condition keys will automatically be added to all requests made through the SMUS MCP server:
+
+  * `aws:ViaAWSMCPService` – Set to `true` for any request made via an AWS managed MCP server.
+
+  * `aws:CalledViaAWSMCP` – Set to the MCP server service principal (for example, `sagemaker-unified-studio-mcp.amazonaws.com`).
+
+
+
+
+If you currently use the `sagemaker-unified-studio-mcp` permissions to deny access to the SMUS MCP server, or if you do not want to allow any AWS managed MCP server initiated actions on your account, you must update your policies before May 29, 2026\. Use the new condition keys instead.
+
+**Deny all operations via any AWS managed MCP server:**
+    
+    
+    {
+      "Effect": "Deny",
+      "Action": "*",
+      "Resource": "*",
+      "Condition": {
+        "Bool": {
+          "aws:ViaAWSMCPService": "true"
+        }
+      }
+    }
+
+**Deny specific operations via a specific AWS managed MCP server:**
+    
+    
+    {
+      "Effect": "Deny",
+      "Action": ["glue:GetJobRun", "glue:StartJobRun"],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "aws:CalledViaAWSMCP": "sagemaker-unified-studio-mcp.amazonaws.com"
+        }
+      }
+    }
+
+For more information about condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the _IAM User Guide_.
+