AWS emr documentation change
Summary
Complete restructuring of IAM role setup documentation for Spark upgrade agent. Added prerequisites, step-by-step CLI instructions for role creation and policy attachment, deployment mode-specific permissions, KMS encryption handling, and MCP client configuration. Removed old policy examples and added new sections about condition keys for access control.
Security assessment
The changes improve security documentation by adding detailed guidance on IAM permissions, KMS encryption requirements, and access control using condition keys. However, there's no evidence of a specific security vulnerability being addressed - this is a documentation enhancement for security best practices.
Diff
diff --git a/emr/latest/ReleaseGuide/emr-spark-upgrade-agent-iam-role.md b/emr/latest/ReleaseGuide/emr-spark-upgrade-agent-iam-role.md index 7aea24360..8dde9af8a 100644 --- a//emr/latest/ReleaseGuide/emr-spark-upgrade-agent-iam-role.md +++ b//emr/latest/ReleaseGuide/emr-spark-upgrade-agent-iam-role.md @@ -7 +7 @@ -IAM Role Setup for MCP serverAdditional Permissions by Deployment Mode (EMR-EC2/EMR-S)Upcoming permissions change (May 29, 2026) +PrerequisitesStep 1: Create the IAM roleStep 2: Attach permissions for your deployment modeStep 3: Configure your MCP clientCondition keys for MCP server requests @@ -11 +11 @@ IAM Role Setup for MCP serverAdditional Permissions by Deployment Mode (EMR-EC2/ -The CloudFormation stack in Setup Instructions automates the IAM role setup for you. If you want to manually execute it, please follow the instructions below: +## Prerequisites @@ -13 +13 @@ The CloudFormation stack in Setup Instructions automates the IAM role setup for -## IAM Role Setup for MCP server +Before you begin, ensure you have: @@ -15 +15 @@ The CloudFormation stack in Setup Instructions automates the IAM role setup for -###### Upcoming change effective May 29, 2026 + * An AWS account with IAM administrative access @@ -17 +17 @@ The CloudFormation stack in Setup Instructions automates the IAM role setup for -The `sagemaker-unified-studio-mcp` permissions shown below will no longer be required after May 29, 2026. Authorization will instead occur at the AWS service level using your existing IAM policies. If you use these permissions to deny access, see Upcoming permissions change (May 29, 2026) to update your policies before that date. + * AWS CLI installed and configured. For more information, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). @@ -19 +19 @@ The `sagemaker-unified-studio-mcp` permissions shown below will no longer be req -To access the SMUS Managed MCP server, an IAM role is required with the following inline policy: + * An Amazon Amazon S3 bucket for staging upgraded artifacts @@ -22,17 +21,0 @@ To access the SMUS Managed MCP server, an IAM role is required with the followin - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowUseSagemakerUnifiedStudioMcpServer", - "Effect": "Allow", - "Action": [ - "sagemaker-unified-studio-mcp:InvokeMcp", - "sagemaker-unified-studio-mcp:CallReadOnlyTool", - "sagemaker-unified-studio-mcp:CallPrivilegedTool" - ], - "Resource": [ - "*" - ] - } - ] - } @@ -40 +22,0 @@ To access the SMUS Managed MCP server, an IAM role is required with the followin -In the next steps, we will create a profile for this role. Whichever account assumes this role to obtain the credentials should be added to the assume role policy. @@ -41,0 +24,10 @@ In the next steps, we will create a profile for this role. Whichever account ass +Set the following variables for use in subsequent commands (replace `my-staging-bucket` with your bucket name): + + + ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + REGION=$(aws configure get region) + STAGING_BUCKET=my-staging-bucket + +## Step 1: Create the IAM role + +The SMUS MCP server uses your IAM role to authorize operations at the AWS service level. No separate MCP-specific permissions are required. @@ -42,0 +35,5 @@ In the next steps, we will create a profile for this role. Whichever account ass +**To create the IAM role (AWS CLI)** + + 1. Create a trust policy document: + + cat > mcp-trust-policy.json << EOF @@ -49 +46 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Principal": { "AWS": "arn:aws:iam::<accountId>:root" }, + "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:root" }, @@ -53,0 +51,8 @@ In the next steps, we will create a profile for this role. Whichever account ass + EOF + + 2. Create the role: + + aws iam create-role \ + --role-name SparkUpgradeMCPRole \ + --assume-role-policy-document file://mcp-trust-policy.json + @@ -55 +59,0 @@ In the next steps, we will create a profile for this role. Whichever account ass -## Additional Permissions by Deployment Mode (EMR-EC2/EMR-S) @@ -57 +60,0 @@ In the next steps, we will create a profile for this role. Whichever account ass -### EMR-EC2 Applications @@ -59 +62 @@ In the next steps, we will create a profile for this role. Whichever account ass -Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where you want the upgraded artifacts to be stored +## Step 2: Attach permissions for your deployment mode @@ -60,0 +64 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y +Attach the permissions policy that matches your EMR deployment platform. @@ -61,0 +66,5 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y +### Option A: EMR on EC2 + + 1. Create the policy document (replace `<STAGING_BUCKET>` with your Amazon S3 bucket name): + + cat > emr-ec2-upgrade-policy.json << EOF @@ -82,6 +91 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:Put*" - ], + "Action": ["s3:GetBucket*", "s3:GetObject*", "s3:List*", "s3:Put*"], @@ -89,2 +93,2 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y - "arn:aws:s3:::<s3-staging-bucket>", - "arn:aws:s3:::<s3-staging-bucket>/*" + "arn:aws:s3:::${STAGING_BUCKET}", + "arn:aws:s3:::${STAGING_BUCKET}/*" @@ -94,0 +99 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y + EOF @@ -96 +101 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y -#### KMS permissions - Staging Bucket + 2. Attach the policy: @@ -98 +103,4 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y -If the staging bucket is encrypted with a CMK, add the following policy. The service will automatically use the CMK configured on the bucket when uploading data. + aws iam put-role-policy \ + --role-name SparkUpgradeMCPRole \ + --policy-name EMREC2UpgradeAccess \ + --policy-document file://emr-ec2-upgrade-policy.json @@ -101,8 +108,0 @@ If the staging bucket is encrypted with a CMK, add the following policy. The ser - { - "Effect": "Allow", - "Action": [ - "kms:GenerateDataKey", - "kms:Encrypt" - ], - "Resource": "arn:aws:kms:<region>:<account-id>:key/<cmk-key-id>" - } @@ -110 +109,0 @@ If the staging bucket is encrypted with a CMK, add the following policy. The ser -### EMR Serverless Applications @@ -112 +111 @@ If the staging bucket is encrypted with a CMK, add the following policy. The ser -Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where you want the upgraded artifacts to be stored +Alternatively, attach the [AmazonElasticMapReduceFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticMapReduceFullAccess.html) managed policy plus an Amazon S3 policy for your staging bucket. @@ -113,0 +113 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y +#### KMS permissions - Staging Bucket @@ -114,0 +115,20 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y +If the staging bucket is encrypted with a CMK, add the following policy. The service will automatically use the CMK configured on the bucket when uploading data (replace `<KEY_ID>` with your KMS key ID): + + + aws iam put-role-policy \ + --role-name SparkUpgradeMCPRole \ + --policy-name KMSStagingBucketEncrypt \ + --policy-document "{ + \"Version\": \"2012-10-17\", + \"Statement\": [{ + \"Effect\": \"Allow\", + \"Action\": [\"kms:GenerateDataKey\", \"kms:Encrypt\"], + \"Resource\": \"arn:aws:kms:${REGION}:${ACCOUNT_ID}:key/<KEY_ID>\" + }] + }" + +### Option B: EMR Serverless + + 1. Create the policy document (replace `<STAGING_BUCKET>` with your Amazon S3 bucket name): + + cat > emr-serverless-upgrade-policy.json << EOF @@ -141,4 +161 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y - "Action": [ - "logs:GetLogEvents", - "logs:DescribeLogStreams" - ], + "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams"], @@ -149,6 +166 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:Put*" - ], + "Action": ["s3:GetBucket*", "s3:GetObject*", "s3:List*", "s3:Put*"], @@ -156,2 +168,2 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y - "arn:aws:s3:::<s3-staging-bucket>", - "arn:aws:s3:::<s3-staging-bucket>/*" + "arn:aws:s3:::${STAGING_BUCKET}", + "arn:aws:s3:::${STAGING_BUCKET}/*" @@ -161,0 +174,11 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y + EOF + + 2. Attach the policy: + + aws iam put-role-policy \ + --role-name SparkUpgradeMCPRole \ + --policy-name EMRServerlessUpgradeAccess \ + --policy-document file://emr-serverless-upgrade-policy.json + + + @@ -165 +188 @@ Replace Amazon S3 staging bucket in the policy with the Amazon S3 bucket where y -If the staging bucket is encrypted with a CMK, add the following policy. The service will automatically use the CMK configured on the bucket when uploading data +If the staging bucket is encrypted with a CMK, add the following policy. The service will automatically use the CMK configured on the bucket when uploading data (replace `<KEY_ID>` with your KMS key ID): @@ -168,8 +191,11 @@ If the staging bucket is encrypted with a CMK, add the following policy. The ser - { - "Effect": "Allow", - "Action": [ - "kms:GenerateDataKey", - "kms:Encrypt" - ], - "Resource": "arn:aws:kms:<region>:<account-id>:key/<cmk-key-id>" - } + aws iam put-role-policy \ + --role-name SparkUpgradeMCPRole \ + --policy-name KMSStagingBucketEncrypt \ + --policy-document "{ + \"Version\": \"2012-10-17\", + \"Statement\": [{ + \"Effect\": \"Allow\", + \"Action\": [\"kms:GenerateDataKey\", \"kms:Encrypt\"], + \"Resource\": \"arn:aws:kms:${REGION}:${ACCOUNT_ID}:key/<KEY_ID>\" + }]