AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2026-07-10 · Documentation low

File: emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md

Summary

Corrected log group ARN pattern from '/aws/glue/*' to '/aws-glue/*' and added new IAM policy documentation for EMR on EKS troubleshooting

Security assessment

The ARN correction ensures proper resource targeting in IAM policies but doesn't address a security vulnerability. The new EMR on EKS policy documentation explains required permissions for troubleshooting, which is security-related configuration but not a response to a specific vulnerability.

Diff

diff --git a/emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md b/emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md
index a8a08d440..2aef4b8e8 100644
--- a//emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md
+++ b//emr/latest/ReleaseGuide/spark-troubleshooting-agent-iam-setup.md
@@ -144 +144 @@ Alternatively, you can attach the [AmazonElasticMapReduceFullAccess](https://doc
-          "Resource": ["arn:aws:logs:*:${ACCOUNT_ID}:log-group:/aws/glue/*"]
+          "Resource": ["arn:aws:logs:*:${ACCOUNT_ID}:log-group:/aws-glue/*"]
@@ -242,0 +243,62 @@ Alternatively, you can attach the [AmazonElasticMapReduceFullAccess](https://doc
+### Option D: EMR on EKS
+
+  1. Create the policy document:
+    
+        cat > emr-eks-policy.json << EOF
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Action": [
+                    "emr-containers:DescribeVirtualCluster",
+                    "emr-containers:DescribeJobRun",
+                    "emr-containers:ListJobRuns",
+                    "emr-containers:ListVirtualClusters"
+                ],
+                "Resource": "*",
+                "Effect": "Allow",
+                "Sid": "EMREKSReadAccess"
+            },
+            {
+                "Action": [
+                    "logs:GetLogEvents",
+                    "logs:DescribeLogGroups",
+                    "logs:DescribeLogStreams"
+                ],
+                "Resource": "*",
+                "Effect": "Allow",
+                "Sid": "EMRCloudWatchLogAccess"
+            },
+            {
+                "Action": [
+                    "elasticmapreduce:CreatePersistentAppUI",
+                    "elasticmapreduce:DescribePersistentAppUI",
+                    "elasticmapreduce:GetPersistentAppUIPresignedURL"
+                ],
+                "Resource": "*",
+                "Effect": "Allow",
+                "Sid": "EMRPersistentApp"
+            },
+            {
+                "Action": [
+                    "s3:GetObject",
+                    "s3:ListBucket"
+                ],
+                "Resource": "*",
+                "Effect": "Allow",
+                "Sid": "EMREKSS3LogAccess"
+            }
+        ]
+    }
+    EOF
+
+  2. Attach the policy:
+    
+        aws iam put-role-policy \
+      --role-name SparkTroubleshootingMCPRole \
+      --policy-name EMREKSTroubleshootingAccess \
+      --policy-document file://emr-eks-policy.json
+
+
+
+