Amazon EMR Serverless adds support for Inline Runtime Permissions for job runs

Amazon EMR Serverless makes it simple to run open-source big data analytics frameworks without configuring, managing, and scaling clusters or servers. Today, we are excited to announce support for specifying permissions inline when submitting a job run. This allows you to define fine-grained, tenant-specific permission scopes per job run for multi-tenant use cases.

When submitting a job run on EMR Serverless, you can specify a runtime role that the job run can assume when calling other AWS services. In multi-tenant environments, such as those managed by SaaS providers, job runs are often submitted on behalf of specific tenants. To ensure security and least privilege, the permissions of the runtime role must be scoped down to the specific context of a tenant for a given job run. Without inline permissions, achieving this requires creating a separate role for each tenant with restricted permissions. The proliferation of such roles can push against the IAM limits of the account and become unwieldy to manage.

Now you can specify an inline permission policy when submitting a job run, in addition to the runtime role. The effective permissions for a job run are the intersection of the inline policy and the runtime role. You can define the fine-grained, tenant-specific permissions for a job run in the inline policy, which removes the need to manage a growing number of roles in multi-tenant environments and makes it easy to adjust the policy definition for tenant-specific workloads.
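The intersection rule described above, as an added example that is not part of the original announcement: it builds a per-tenant inline policy, shapes it for the `executionIamPolicy` field of the EMR Serverless `StartJobRun` request, and checks the result with a deliberately simplified evaluator (Allow statements only, no Deny, Condition or NotAction). The bucket name, the `tenants/<id>/` prefix layout, the role policy and all function names are constructed assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: one broad runtime role policy shared by every tenant.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-saas-data/*"},
    {"Effect": "Allow", "Action": "glue:GetTable", "Resource": "*"},
]}

def tenant_inline_policy(bucket, tenant_id):
    """Inline policy that limits one job run to a single tenant's S3 prefix."""
    if not tenant_id.isalnum():  # keep '*', '/' and '..' out of the resource ARN
        raise ValueError("tenant_id must be alphanumeric")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/tenants/{tenant_id}/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(policy, action, resource):
    """Simplified model of IAM matching: Allow statements and wildcards only."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False

def effective_allow(role_policy, inline_policy, action, resource):
    """Intersection: a call succeeds only if BOTH policies allow it."""
    return (_allows(role_policy, action, resource)
            and _allows(inline_policy, action, resource))

def start_job_run_args(application_id, role_arn, inline_policy):
    """Keyword arguments for boto3 emr-serverless start_job_run (jobDriver omitted)."""
    return {"applicationId": application_id,
            "executionRoleArn": role_arn,
            "executionIamPolicy": {"policy": json.dumps(inline_policy)}}

if __name__ == "__main__":
    inline = tenant_inline_policy("example-saas-data", "t1")
    base = "arn:aws:s3:::example-saas-data/tenants/"
    for action, res in [("s3:GetObject", base + "t1/a.parquet"),
                        ("s3:GetObject", base + "t2/a.parquet"),
                        ("glue:GetTable", "*")]:
        print(action, res, effective_allow(ROLE_POLICY, inline, action, res))
```

The `glue:GetTable` case comes back denied even though the role grants it: the inline policy has to list every permission the job run needs, because anything it omits is cut by the intersection.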

This feature is available for all supported EMR releases and in all regions where EMR Serverless is available. To learn more, visit Runtime Policy.

Source: Amazon Web Services


