AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2026-05-28 · Documentation low

File: emr/latest/ManagementGuide/emr-data-encryption-options.md

Summary

Added tip about using S3 Bucket Keys to reduce KMS costs and policy considerations

Security assessment

Documents a security optimization feature (S3 Bucket Keys) and policy review requirements, but doesn't fix any security vulnerability.

Diff

diff --git a/emr/latest/ManagementGuide/emr-data-encryption-options.md b/emr/latest/ManagementGuide/emr-data-encryption-options.md
index 5fc1c408d..ec38cdc9d 100644
--- a//emr/latest/ManagementGuide/emr-data-encryption-options.md
+++ b//emr/latest/ManagementGuide/emr-data-encryption-options.md
@@ -58,0 +59,4 @@ SSE with customer-provided keys (SSE-C) is not available for use with Amazon EMR
+###### Tip
+
+To reduce AWS KMS costs when using SSE-KMS, consider enabling Amazon S3 Bucket Keys on your Amazon S3 buckets. Amazon S3 Bucket Keys use a short-lived bucket-level key to reduce AWS KMS API calls by up to 99 percent. Before enabling Amazon S3 Bucket Keys, review your IAM and AWS KMS key policies – the encryption context changes from the Amazon S3 object ARN to the bucket ARN, which may affect policies that use the object ARN for access control. For more information, see [Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html) in the _Amazon Simple Storage Service User Guide_.
+