AWS emr documentation change
Summary
Complete restructuring of IAM setup documentation with step-by-step CLI instructions, removal of legacy MCP-specific permissions, addition of platform-specific policies, and new condition key examples for access control.
Security assessment
The changes improve security documentation by adding granular IAM policies for different platforms (EMR/Glue/Serverless), KMS encryption guidance, and condition keys for MCP access control. However, there's no evidence of addressing a specific security vulnerability.
Diff
diff --git a/emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md b/emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md index f5573fa42..a8a08d440 100644 --- a//emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md +++ b//emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md @@ -7 +7 @@ -IAM Role Setup for MCP ServerAdditional Permissions by Deployment Mode (EMR-EC2/EMR-S/Glue)Upcoming permissions change (May 29, 2026) +PrerequisitesStep 1: Create the IAM roleStep 2: Attach permissions for your deployment modeStep 3: Configure your MCP clientCondition keys for MCP server requests @@ -11 +11 @@ IAM Role Setup for MCP ServerAdditional Permissions by Deployment Mode (EMR-EC2/ -The CloudFormation stack in Setup Instructions automates the IAM role setup for you. If you want to manually execute it, please follow the instructions below: +## Prerequisites @@ -13 +13 @@ The CloudFormation stack in Setup Instructions automates the IAM role setup for -## IAM Role Setup for MCP Server +Before you begin, ensure you have: @@ -15 +15 @@ The CloudFormation stack in Setup Instructions automates the IAM role setup for -###### Upcoming change effective May 29, 2026 + * An AWS account with IAM administrative access @@ -17 +17 @@ The CloudFormation stack in Setup Instructions automates the IAM role setup for -The `sagemaker-unified-studio-mcp` permissions shown below will no longer be required after May 29, 2026. Authorization will instead occur at the AWS service level using your existing IAM policies. If you use these permissions to deny access, see Upcoming permissions change (May 29, 2026) to update your policies before that date. + * AWS CLI installed and configured. For more information, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). @@ -19 +18,0 @@ The `sagemaker-unified-studio-mcp` permissions shown below will no longer be req -To access the SMUS Managed MCP server, an IAM role is required with the following inline policy: @@ -22,17 +20,0 @@ To access the SMUS Managed MCP server, an IAM role is required with the followin - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowUseSagemakerUnifiedStudioMcpServer", - "Effect": "Allow", - "Action": [ - "sagemaker-unified-studio-mcp:InvokeMcp", - "sagemaker-unified-studio-mcp:CallReadOnlyTool", - "sagemaker-unified-studio-mcp:CallPrivilegedTool" - ], - "Resource": [ - "*" - ] - } - ] - } @@ -40 +22,9 @@ To access the SMUS Managed MCP server, an IAM role is required with the followin -In the next steps, we will create a profile for this role. Whichever account assumes this role to obtain the credentials should be added to the assume role policy. +Set the following variables for use in subsequent commands: + + + ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + REGION=$(aws configure get region) + +## Step 1: Create the IAM role + +The SMUS MCP server uses your IAM role to authorize operations at the AWS service level. No separate MCP-specific permissions are required. @@ -41,0 +32 @@ In the next steps, we will create a profile for this role. Whichever account ass +**To create the IAM role (AWS CLI)** @@ -42,0 +34,3 @@ In the next steps, we will create a profile for this role. Whichever account ass + 1. Create a trust policy document that allows your account to assume the role: + + cat > mcp-trust-policy.json << EOF @@ -49 +43 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Principal": { "AWS": "arn:aws:iam::<accountId>:root" }, + "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:root" }, @@ -53,0 +48,9 @@ In the next steps, we will create a profile for this role. Whichever account ass + EOF + + 2. Create the role: + + aws iam create-role \ + --role-name SparkTroubleshootingMCPRole \ + --assume-role-policy-document file://mcp-trust-policy.json + + @@ -55 +57,0 @@ In the next steps, we will create a profile for this role. Whichever account ass -## Additional Permissions by Deployment Mode (EMR-EC2/EMR-S/Glue) @@ -57 +59 @@ In the next steps, we will create a profile for this role. Whichever account ass -### EMR-EC2 Applications +## Step 2: Attach permissions for your deployment mode @@ -58,0 +61 @@ In the next steps, we will create a profile for this role. Whichever account ass +Attach the permissions policy that matches your Spark deployment platform. You can attach one or more of the following depending on which platforms you use. @@ -59,0 +63,5 @@ In the next steps, we will create a profile for this role. Whichever account ass +### Option A: EMR on EC2 + + 1. Create the policy document: + + cat > emr-ec2-policy.json << 'EOF' @@ -73,3 +81 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Resource": [ - "*" - ] + "Resource": ["*"] @@ -80,4 +86 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Action": [ - "s3:GetObject", - "s3:ListBucket" - ], + "Action": ["s3:GetObject", "s3:ListBucket"], @@ -94,3 +97 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Resource": [ - "*" - ] + "Resource": ["*"] @@ -99,0 +101,10 @@ In the next steps, we will create a profile for this role. Whichever account ass + EOF + + 2. Create and attach the policy: + + aws iam put-role-policy \ + --role-name SparkTroubleshootingMCPRole \ + --policy-name EMREC2TroubleshootingAccess \ + --policy-document file://emr-ec2-policy.json + + @@ -101 +111,0 @@ In the next steps, we will create a profile for this role. Whichever account ass -### Glue Jobs @@ -102,0 +113 @@ In the next steps, we will create a profile for this role. Whichever account ass +Alternatively, you can attach the [AmazonElasticMapReduceFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticMapReduceFullAccess.html) AWS managed policy if your role already uses it: @@ -103,0 +115,10 @@ In the next steps, we will create a profile for this role. Whichever account ass + + aws iam attach-role-policy \ + --role-name SparkTroubleshootingMCPRole \ + --policy-arn arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess + +### Option B: AWS Glue + + 1. Create the policy document: + + cat > glue-policy.json << EOF @@ -117,3 +138 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Resource": [ - "arn:aws:glue:*:<account id>:job/*" - ] + "Resource": ["arn:aws:glue:*:${ACCOUNT_ID}:job/*"] @@ -124,7 +143,2 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Action": [ - "logs:GetLogEvents", - "logs:FilterLogEvents" - ], - "Resource": [ - "arn:aws:logs:*:<account id>:log-group:/aws/glue/*" - ] + "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"], + "Resource": ["arn:aws:logs:*:${ACCOUNT_ID}:log-group:/aws/glue/*"] @@ -154,3 +168 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Resource": [ - "arn:aws:glue:*:<account id>:job/*" - ] + "Resource": ["arn:aws:glue:*:${ACCOUNT_ID}:job/*"] @@ -170,0 +183,3 @@ In the next steps, we will create a profile for this role. Whichever account ass + EOF + + 2. Attach the policy: @@ -172 +187,4 @@ In the next steps, we will create a profile for this role. Whichever account ass -### EMR Serverless Applications + aws iam put-role-policy \ + --role-name SparkTroubleshootingMCPRole \ + --policy-name GlueTroubleshootingAccess \ + --policy-document file://glue-policy.json @@ -174,0 +193,7 @@ In the next steps, we will create a profile for this role. Whichever account ass + + +### Option C: EMR Serverless + + 1. Create the policy document: + + cat > emr-serverless-policy.json << EOF @@ -190,3 +215 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Resource": [ - "*" - ] + "Resource": ["*"] @@ -197,7 +220,2 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Action": [ - "logs:GetLogEvents", - "logs:FilterLogEvents" - ], - "Resource": [ - "arn:aws:logs:*:<account id>:log-group:/aws/emr-serverless/*" - ] + "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"], + "Resource": ["arn:aws:logs:*:${ACCOUNT_ID}:log-group:/aws/emr-serverless/*"] @@ -208,4 +226 @@ In the next steps, we will create a profile for this role. Whichever account ass - "Action": [ - "s3:GetObject", - "s3:ListBucket" - ], + "Action": ["s3:GetObject", "s3:ListBucket"], @@ -215,0 +231 @@ In the next steps, we will create a profile for this role. Whichever account ass + EOF @@ -217 +233 @@ In the next steps, we will create a profile for this role. Whichever account ass -### KMS Permissions - CloudWatch Logs + 2. Attach the policy: @@ -219 +235,4 @@ In the next steps, we will create a profile for this role. Whichever account ass -If the CloudWatch Logs are encrypted with a CMK, add the following policy so the service can read the EMR-Serverless application logs. + aws iam put-role-policy \ + --role-name SparkTroubleshootingMCPRole \ + --policy-name EMRServerlessTroubleshootingAccess \ + --policy-document file://emr-serverless-policy.json @@ -222,8 +240,0 @@ If the CloudWatch Logs are encrypted with a CMK, add the following policy so the - { - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:DescribeKey"