AWS Security ChangesHomeSearch

AWS emr high security documentation change

Service: emr · 2026-05-25 · Security-related high

File: emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.md

Summary

Added least permissive IAM policy example with namespace restrictions

Security assessment

New IAM policy enforces least privilege access using context keys (accessScope, namespaces), directly mitigating over-permission risks. Explicit namespace restrictions reduce attack surface for EKS clusters.

Diff

diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.md
index 7317394fb..86efd51a3 100644
--- a//emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.md
+++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.md
@@ -70,0 +71,44 @@ For more information about authentication modes, see [ Cluster authentication mo
+  * To create a least permissive policy, add the context keys `accessScope` and `namespaces`. The following example shows a policy with these context keys:
+    
+        {
+                "Effect": "Allow",
+                "Action": [
+                    "eks:CreateAccessEntry"
+                ],
+                "Resource": [
+                    "arn:<AWS_PARTITION>:eks:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/<EKS_CLUSTER_NAME>"
+    
+                ]
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "eks:DescribeAccessEntry",
+                    "eks:DeleteAccessEntry",
+                    "eks:ListAssociatedAccessPolicies"
+                ],
+                "Resource": [
+                    "arn:<AWS_PARTITION>:eks:<AWS_REGION>:<AWS_ACCOUNT_ID>:access-entry/<EKS_CLUSTER_NAME>/role/<AWS_ACCOUNT_ID>/AWSServiceRoleForAmazonEMRContainers/*"
+                ]
+            },
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "eks:DisassociateAccessPolicy",
+                    "eks:AssociateAccessPolicy"
+                ],
+                "Resource": [
+                    "arn:<AWS_PARTITION>:eks:<AWS_REGION>:<AWS_ACCOUNT_ID>:access-entry/<EKS_CLUSTER_NAME>/role/<AWS_ACCOUNT_ID>/AWSServiceRoleForAmazonEMRContainers/*"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "eks:accessScope": "namespace"
+                    },
+                    "ForAllValues:StringEquals": {
+                        "eks:namespaces": [
+                            "<EKS_NAMESPACE>"
+                        ]
+                    }
+                }
+            }
+