AWS emr high security documentation change
Summary
Added least permissive IAM policy example with namespace restrictions
Security assessment
New IAM policy enforces least privilege access using context keys (accessScope, namespaces), directly mitigating over-permission risks. Explicit namespace restrictions reduce attack surface for EKS clusters.
Diff
diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.md index 7317394fb..86efd51a3 100644 --- a//emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.md +++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-cluster-access.md @@ -70,0 +71,44 @@ For more information about authentication modes, see [ Cluster authentication mo + * To create a least permissive policy, add the context keys `accessScope` and `namespaces`. The following example shows a policy with these context keys: + + { + "Effect": "Allow", + "Action": [ + "eks:CreateAccessEntry" + ], + "Resource": [ + "arn:<AWS_PARTITION>:eks:<AWS_REGION>:<AWS_ACCOUNT_ID>:cluster/<EKS_CLUSTER_NAME>" + + ] + }, + { + "Effect": "Allow", + "Action": [ + "eks:DescribeAccessEntry", + "eks:DeleteAccessEntry", + "eks:ListAssociatedAccessPolicies" + ], + "Resource": [ + "arn:<AWS_PARTITION>:eks:<AWS_REGION>:<AWS_ACCOUNT_ID>:access-entry/<EKS_CLUSTER_NAME>/role/<AWS_ACCOUNT_ID>/AWSServiceRoleForAmazonEMRContainers/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "eks:DisassociateAccessPolicy", + "eks:AssociateAccessPolicy" + ], + "Resource": [ + "arn:<AWS_PARTITION>:eks:<AWS_REGION>:<AWS_ACCOUNT_ID>:access-entry/<EKS_CLUSTER_NAME>/role/<AWS_ACCOUNT_ID>/AWSServiceRoleForAmazonEMRContainers/*" + ], + "Condition": { + "StringEquals": { + "eks:accessScope": "namespace" + }, + "ForAllValues:StringEquals": { + "eks:namespaces": [ + "<EKS_NAMESPACE>" + ] + } + } + } +