AWS emr documentation change
Summary
Corrected log group ARN pattern from '/aws/glue/*' to '/aws-glue/*' and added new IAM policy documentation for EMR on EKS troubleshooting
Security assessment
The ARN correction ensures proper resource targeting in IAM policies but doesn't address a security vulnerability. The new EMR on EKS policy documentation explains required permissions for troubleshooting, which is security-related configuration but not a response to a specific vulnerability.
Diff
diff --git a/emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md b/emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md index a8a08d440..2aef4b8e8 100644 --- a//emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md +++ b//emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md @@ -144 +144 @@ Alternatively, you can attach the [AmazonElasticMapReduceFullAccess](https://doc - "Resource": ["arn:aws:logs:*:${ACCOUNT_ID}:log-group:/aws/glue/*"] + "Resource": ["arn:aws:logs:*:${ACCOUNT_ID}:log-group:/aws-glue/*"] @@ -242,0 +243,62 @@ Alternatively, you can attach the [AmazonElasticMapReduceFullAccess](https://doc +### Option D: EMR on EKS + + 1. Create the policy document: + + cat > emr-eks-policy.json << EOF + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "emr-containers:DescribeVirtualCluster", + "emr-containers:DescribeJobRun", + "emr-containers:ListJobRuns", + "emr-containers:ListVirtualClusters" + ], + "Resource": "*", + "Effect": "Allow", + "Sid": "EMREKSReadAccess" + }, + { + "Action": [ + "logs:GetLogEvents", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams" + ], + "Resource": "*", + "Effect": "Allow", + "Sid": "EMRCloudWatchLogAccess" + }, + { + "Action": [ + "elasticmapreduce:CreatePersistentAppUI", + "elasticmapreduce:DescribePersistentAppUI", + "elasticmapreduce:GetPersistentAppUIPresignedURL" + ], + "Resource": "*", + "Effect": "Allow", + "Sid": "EMRPersistentApp" + }, + { + "Action": [ + "s3:GetObject", + "s3:ListBucket" + ], + "Resource": "*", + "Effect": "Allow", + "Sid": "EMREKSS3LogAccess" + } + ] + } + EOF + + 2. Attach the policy: + + aws iam put-role-policy \ + --role-name SparkTroubleshootingMCPRole \ + --policy-name EMREKSTroubleshootingAccess \ + --policy-document file://emr-eks-policy.json + + + +