AWS Security ChangesHomeSearch

AWS emr medium security documentation change

Service: emr · 2026-06-22 · Security-related medium

File: emr/latest/ManagementGuide/emr-ranger-iam-ec2.md

Summary

Changed required IAM actions from 'sts:TagSession, sts:AssumeRole' to only 'sts:AssumeRole'

Security assessment

Removes unnecessary sts:TagSession permission, reducing attack surface and potential privilege escalation risks

Diff

diff --git a/emr/latest/ManagementGuide/emr-ranger-iam-ec2.md b/emr/latest/ManagementGuide/emr-ranger-iam-ec2.md
index f6fd03d77..1cedd8547 100644
--- a//emr/latest/ManagementGuide/emr-ranger-iam-ec2.md
+++ b//emr/latest/ManagementGuide/emr-ranger-iam-ec2.md
@@ -15 +15 @@ For more information, see [Service role for cluster EC2 instances (EC2 instance
-You need to add the following statements to the default EC2 Instance Profile for Amazon EMR to be able to tag sessions and access the AWS Secrets Manager that stores TLS certificates.
+You need to add the following statements to the default EC2 Instance Profile for Amazon EMR to be able to assume roles and access the AWS Secrets Manager that stores TLS certificates.
@@ -21 +21 @@ You need to add the following statements to the default EC2 Instance Profile for
-          "Action": ["sts:TagSession", "sts:AssumeRole"],
+          "Action": "sts:AssumeRole",