govindhtech · 2 months ago
How to set up an EMR Studio in AWS? Standards for EMR Studio
Setting up Amazon EMR Studio involves several steps to ensure users can access and use the environment properly. Once the prerequisites are met, the process begins.
Setting up an EMR Studio
Setup requirements for EMR Studio
Before setting up, you need:
An AWS account
Sufficient permissions to establish and run an EMR Studio.
A dedicated Amazon S3 bucket for EMR Studio notebook and workspace backups.
An Amazon VPC with five subnets is recommended for connecting to Git repositories and to Amazon EMR on EC2 or Amazon EMR on EKS clusters. EMR Studio works with EMR Serverless without a VPC.
Setup steps
Setup often involves these steps:
Choose an authentication mode: Choose IAM Identity Centre or IAM for your Studio. This decision affects how users and permissions are managed. In IAM mode, AWS IAM performs the authentication; in IAM Identity Centre mode, IAM Identity Centre stores the identities. IAM mode works with IAM authentication or federation, is compatible with many identity providers, and is straightforward to set up for identity management. IAM Identity Centre mode simplifies user and group assignment for those new to Amazon EMR and AWS, and its SAML 2.0 and Microsoft Active Directory integration simplifies multi-account federation.
Create the EMR Studio service role: An EMR Studio needs an IAM service role to create a secure network channel between Workspaces and clusters, store notebook files in Amazon S3, and access AWS Secrets Manager for Git repositories. This service role must grant all of the Amazon S3 notebook storage and AWS Secrets Manager Git repository access rights the Studio needs.
This role requires a trust policy that allows elasticmapreduce.amazonaws.com to assume it, with aws:SourceArn and aws:SourceAccount conditions for confused-deputy prevention. After creating the trust policy, you attach an IAM permissions policy to the role. This policy must include permissions for Amazon EC2 tag-based access control and the specific S3 read/write operations on your assigned S3 bucket. If your S3 bucket is encrypted, you also need AWS KMS permissions. Some policy statements concerning the tagging of network interfaces and default security groups must remain unaltered for the service role to work.
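As an added example, not part of the original post: the service-role trust policy with the two confused-deputy conditions described above, plus a small check that flags any trust statement letting elasticmapreduce.amazonaws.com assume a role without both aws:SourceAccount and aws:SourceArn. The account ID and region are constructed placeholders.

```python
import json
from typing import List, Set

EMR_PRINCIPAL = "elasticmapreduce.amazonaws.com"

def build_studio_service_trust_policy(account_id: str, region: str) -> dict:
    """Trust policy for the EMR Studio service role. The two aws:Source*
    conditions are the confused-deputy guard: EMR may assume the role only
    on behalf of resources in this account and region."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": EMR_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:elasticmapreduce:{region}:{account_id}:*"},
            },
        }],
    }

def _condition_keys(stmt: dict) -> Set[str]:
    """Condition key names of a statement, lowercased (IAM matches them case-insensitively)."""
    return {k.lower() for keys in stmt.get("Condition", {}).values() for k in keys}

def unguarded_emr_trust_statements(trust_policy: dict) -> List[dict]:
    """Return Allow statements that let elasticmapreduce.amazonaws.com assume the
    role without both aws:SourceAccount and aws:SourceArn, i.e. statements that
    leave a confused-deputy path open."""
    stmts = trust_policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for stmt in stmts:
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if stmt.get("Effect") != "Allow" or EMR_PRINCIPAL not in services:
            continue
        if not {"aws:sourceaccount", "aws:sourcearn"} <= _condition_keys(stmt):
            findings.append(stmt)
    return findings

if __name__ == "__main__":
    policy = build_studio_service_trust_policy("111122223333", "us-east-1")  # constructed account/region
    print(json.dumps(policy, indent=2))
    print("unguarded statements:", len(unguarded_emr_trust_statements(policy)))  # 0
```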
Set EMR Studio user permissions: Set up user access policies to fine-tune Studio user access.
Create an EMR Studio user role when you use IAM Identity Centre authentication. The role's trust relationship policy allows elasticmapreduce.amazonaws.com to assume it with sts:AssumeRole and sts:SetContext. You attach EMR Studio session policies to this user role before assigning users. Session policies give Studio users fine-grained rights, such as creating new EMR clusters. A user's final permissions depend on their session policy and the EMR Studio user role. If a person belongs to multiple Studio groups, their permissions are the combination of the group policies.
In IAM authentication mode, Studio access is granted via ABAC and IAM permissions policies. Allowing elasticmapreduce:CreateStudioPresignedUrl in a user's IAM permissions policy, scoped with a Studio ARN or ABAC tags, limits the user to a particular Studio.
Regardless of authentication mode, you specify one or more IAM permissions policies to describe what users may do. Basic, intermediate and advanced policies grant different levels of authority over Workspace creation, attaching and detaching clusters, Git repository management, and cluster creation. Data access control is set on the clusters, not by Studio user permissions.
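As an added example, not from the original post: the two ways described above of scoping elasticmapreduce:CreateStudioPresignedUrl in IAM mode (a Studio ARN, or an ABAC tag via the elasticmapreduce:ResourceTag/<key> condition key), together with a simple lint that flags a grant left open to every Studio in the account. The tag key and value are constructed; Deny statements elsewhere in the policy are not considered.

```python
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

PRESIGN = "elasticmapreduce:CreateStudioPresignedUrl"

def _as_list(value) -> list:
    """IAM allows a string, a single object or a list in these fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def presigned_url_statement(studio_arn: Optional[str] = None,
                            tag: Optional[Tuple[str, str]] = None) -> dict:
    """Allow Studio sign-in, scoped to one Studio ARN or to Studios carrying
    an ABAC tag (elasticmapreduce:ResourceTag/<key>); with neither, it is
    deliberately broad so the checker below can flag it."""
    stmt = {"Effect": "Allow", "Action": PRESIGN, "Resource": studio_arn or "*"}
    if tag is not None:
        key, value = tag
        stmt["Condition"] = {"StringEquals": {f"elasticmapreduce:ResourceTag/{key}": value}}
    return stmt

def overly_broad_presign_grants(policy: dict) -> List[dict]:
    """Return Allow statements granting CreateStudioPresignedUrl (directly or via
    an action wildcard) on Resource '*' with no ResourceTag condition, i.e. the
    user could sign in to every Studio in the account."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatchcase(PRESIGN.lower(), a) for a in actions):
            continue
        cond_keys = [k.lower() for op in stmt.get("Condition", {}).values() for k in op]
        tag_scoped = any(k.startswith("elasticmapreduce:resourcetag/") for k in cond_keys)
        if "*" in _as_list(stmt.get("Resource")) and not tag_scoped:
            findings.append(stmt)
    return findings

if __name__ == "__main__":
    scoped = {"Version": "2012-10-17",
              "Statement": [presigned_url_statement(tag=("Team", "data-science"))]}  # constructed tag
    broad = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "elasticmapreduce:*", "Resource": "*"}]}
    print("scoped policy findings:", len(overly_broad_presign_grants(scoped)))  # 0
    print("broad policy findings:", len(overly_broad_presign_grants(broad)))    # 1
```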
(Optional) Create custom security groups to handle EMR Studio network traffic. If no custom security groups are specified, Studio uses the defaults. When using custom security groups, specify a Workspace security group for outbound access to clusters and Git repositories, and an engine security group for inbound access.
Create an EMR Studio using the AWS CLI or the Amazon EMR console. The console creates an EMR Serverless application and offers simple configurations for interactive or batch workloads, while ‘Custom’ gives full control over the settings. Custom parameters include the Studio name, S3 location, Workspace count, IAM or IAM Identity Centre authentication, VPC, subnets, and security groups. With IAM authentication for federated users, you can also provide an IdP login URL and a RelayState parameter name.
For IAM Identity Centre authentication, you must select the EMR Studio service and user roles. For faster sign-on, enable trusted identity propagation. For programmatic creation, the AWS CLI create-studio command takes options that depend on the authentication mode.
After building an EMR Studio, you may assign users and groups. The approach depends on the authentication mode.
In IAM authentication mode, user assignment and permissions may involve your identity provider. You limit Studio access with an ARN or ABAC tags and configure the user's IAM permissions policy to allow CreateStudioPresignedUrl.
Users in IAM Identity Centre authentication mode can be managed from the AWS CLI or the Amazon EMR console. The console lets you assign users or groups from the Identity Centre directory. The AWS CLI command create-studio-session-mapping requires the Studio ID, the identity name, the identity type (USER or GROUP), and the ARN of the session policy to associate. You set a session policy at assignment time; altering the session policy later lets you adjust the user's permissions.