AWS emr medium security documentation change
Summary
Changed required IAM actions from 'sts:TagSession, sts:AssumeRole' to only 'sts:AssumeRole'
Security assessment
Removes unnecessary sts:TagSession permission, reducing attack surface and potential privilege escalation risks
Diff
diff --git a/emr/latest/ManagementGuide/emr-ranger-iam-ec2.md b/emr/latest/ManagementGuide/emr-ranger-iam-ec2.md index f6fd03d77..1cedd8547 100644 --- a//emr/latest/ManagementGuide/emr-ranger-iam-ec2.md +++ b//emr/latest/ManagementGuide/emr-ranger-iam-ec2.md @@ -15 +15 @@ For more information, see [Service role for cluster EC2 instances (EC2 instance -You need to add the following statements to the default EC2 Instance Profile for Amazon EMR to be able to tag sessions and access the AWS Secrets Manager that stores TLS certificates. +You need to add the following statements to the default EC2 Instance Profile for Amazon EMR to be able to assume roles and access the AWS Secrets Manager that stores TLS certificates. @@ -21 +21 @@ You need to add the following statements to the default EC2 Instance Profile for - "Action": ["sts:TagSession", "sts:AssumeRole"], + "Action": "sts:AssumeRole",