AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2026-05-28 · Documentation low

File: emr/latest/EMR-on-EKS-DevelopmentGuide/data-protection.md

Summary

Added tip about using S3 Bucket Keys to reduce KMS costs and policy considerations

Security assessment

The change documents a security feature (S3 Bucket Keys) and highlights important policy implications when encryption context changes, but doesn't address a specific security vulnerability.

Diff

diff --git a/emr/latest/EMR-on-EKS-DevelopmentGuide/data-protection.md b/emr/latest/EMR-on-EKS-DevelopmentGuide/data-protection.md
index df629f4d3..04fa4f8d1 100644
--- a//emr/latest/EMR-on-EKS-DevelopmentGuide/data-protection.md
+++ b//emr/latest/EMR-on-EKS-DevelopmentGuide/data-protection.md
@@ -64,0 +65,4 @@ SSE with customer-provided keys (SSE-C) is not available for use with Amazon EMR
+###### Tip
+
+To reduce AWS KMS costs when using SSE-KMS, consider enabling Amazon S3 Bucket Keys on your Amazon S3 buckets. Amazon S3 Bucket Keys use a short-lived bucket-level key to reduce AWS KMS API calls by up to 99 percent. Before enabling Amazon S3 Bucket Keys, review your IAM and AWS KMS key policies – the encryption context changes from the Amazon S3 object ARN to the bucket ARN, which may affect policies that use the object ARN for access control. For more information, see [Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html) in the _Amazon Simple Storage Service User Guide_.
+