govindhtech · 15 days ago
User-level Git secrets policy in EMR Studio Workspaces
Set up EMR Studio Workspace collaboration. AWS improves EMR Studio security with fine-grained IAM permissions
Amazon Web Services (AWS) provides fine-grained control over user actions in Amazon EMR Studio, a development environment for big data analytics. New documentation covers how to configure AWS Identity and Access Management (IAM) user permissions that control access to Amazon EMR clusters on EC2 or Amazon EKS. This lets administrators set fine-grained permissions per user role and per authentication method. Note that the permissions in this guide govern EMR Studio activity, not access to the input datasets; dataset access must be controlled by permissions established directly on the cluster.

Foundational: User Roles and Permissions

The permission architecture of EMR Studio is built on user roles and access policies. Authentication with IAM Identity Center requires an EMR Studio user role, created by following the standard AWS procedure for granting permissions to an AWS service. The user role is built around a trust relationship policy, which determines which service may assume the role. EMR Studio's trust policy should allow elasticmapreduce.amazonaws.com to assume the role with the actions sts:AssumeRole and sts:SetContext. A standard trust policy looks like this:
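The trust policy described above, written out as a constructed example (not the post's own text or a document copied from AWS): the only principal allowed to assume the user role is the EMR service, and the only actions it may use are sts:AssumeRole and sts:SetContext.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEmrStudioToAssumeUserRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticmapreduce.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetContext"
      ]
    }
  ]
}
```

When reviewing an existing role, check that no additional principals or wildcard services have been added to this statement; the trust policy is what bounds who can act as the Studio user.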
After creating the role, remove its default policies and permissions. Before users are assigned to Studios, this role is associated with EMR Studio session policies.
Alternative authentication methods, such as direct IAM authentication or IAM federation with an external identity provider, attach permissions policies to IAM identities (users, groups, or roles). With IAM federation, the policies are attached to the IAM users or roles used for the external IdP.

Tiers of Permission

Administrators can create IAM permissions policies to restrict what Studio users may do. The documentation provides basic, intermediate, and advanced example policies. A careful analysis maps every Studio operation to the minimum IAM actions it requires. Permissions policies must also include certain required statements, for example permission to tag Secrets Manager secrets matching emr-studio-*.
Example of Basic User Policy
The basic user policy allows most EMR Studio actions but does not let users create Amazon EMR clusters directly. It covers permissions to create, describe, list, start, stop, and delete Workspaces (elasticmapreduce:CreateEditor, DescribeEditor, ListEditors, DeleteEditor), view the Collaboration panel, access S3 for logs and bucket listings, attach and detach EC2 and EKS clusters, debug jobs using the persistent and on-cluster user interfaces, and manage Git repositories. The policy includes the tag-based access control (TBAC) statements required for compatibility with the EMR Studio service role. It can also enumerate IAM roles (iam:ListRoles) and describe network objects (ec2:DescribeVpcs, DescribeSubnets, DescribeSecurityGroups). Direct IAM authentication requires the CreateStudioPresignedUrl permission, which the basic policy example does not include.

Intermediate and Advanced Policies

The intermediate user policy extends the basic permissions. All basic EMR Studio actions remain available. Most importantly, it grants permission to create new Amazon EMR clusters from cluster templates, which requires cloudformation:DescribeStackResources and the Service Catalog actions servicecatalog:SearchProducts, DescribeProduct, and ProvisionProduct. Intermediate users can also attach and detach EMR Serverless applications. The advanced user policy allows all EMR Studio functions for maximum access. On top of the intermediate policy, elasticmapreduce:RunJobFlow allows creating new Amazon EMR clusters either from templates or with a fully specified configuration. The advanced policy also allows access to the Amazon Athena SQL editor with Glue, KMS, and S3 permissions (athena:*, glue:*, kms:*, s3:* actions for the data catalog, queries, and so on), to Amazon SageMaker AI Studio for the Data Wrangler visual interface (sagemaker:* actions), and to Amazon CodeWhisperer. Like the basic and intermediate examples, the advanced policy requires the CreateStudioPresignedUrl permission and the TBAC statements for users with IAM authentication. The full table in the documentation shows how to add and remove Workspaces:
Workspace collaboration
Multiple users can collaborate in an EMR Studio Workspace. Using the Collaboration panel in the Workspace UI requires the actions elasticmapreduce:ListWorkspaceAccessIdentities, UpdateEditor, PutWorkspaceAccess, and DeleteWorkspaceAccess. The panel is shown only to users who hold these permissions. Collaboration can be restricted further with tag-based access control. When a Workspace is created, EMR Studio automatically applies a default tag with the key creatorUserId and the creator's user ID as the value. This applies to Workspaces created after November 16, 2021; older Workspaces must be tagged manually for TBAC. By matching that tag against a policy variable such as ${aws:userId}, users can be allowed to enable collaboration only on Workspaces they created.
Policy variables such as aws:userId allow a policy to be evaluated against the context of each request.

Managing Git Secret Permissions

Integrating Git repositories with EMR Studio requires permission to read the Git credentials stored in AWS Secrets Manager. EMR Studio automatically tags newly created Git secrets with the key for-use-with-amazon-emr-managed-user-policies to support user-level access control. Git secret permissions can be managed at the user level or at the service level. User-level management adds a tag-based condition for the secretsmanager:GetSecretValue action to the EMR Studio user role policy, matching the for-use-with-amazon-emr-managed-user-policies tag against the policy variable ${aws:userId} so that each user can read only the secrets created for them.
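A constructed example, not the post's own text or an AWS-published policy, combining the two tag-based controls described above into one IAM user policy: collaboration limited to Workspaces tagged creatorUserId with the caller's own ID, and user-level Git secret reads limited to secrets tagged for-use-with-amazon-emr-managed-user-policies with the caller's own ID. The condition keys elasticmapreduce:ResourceTag and secretsmanager:ResourceTag and the "*" resource scope are assumptions; these statements are meant to sit inside the fuller basic, intermediate, or advanced policy rather than stand alone.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CollaborateOnlyOnOwnWorkspaces",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:UpdateEditor",
        "elasticmapreduce:PutWorkspaceAccess",
        "elasticmapreduce:DeleteWorkspaceAccess",
        "elasticmapreduce:ListWorkspaceAccessIdentities"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
        }
      }
    },
    {
      "Sid": "ReadOnlyOwnGitSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/for-use-with-amazon-emr-managed-user-policies": "${aws:userId}"
        }
      }
    }
  ]
}
```

Because a Workspace or secret without the expected tag fails the StringEquals condition, Workspaces created before November 16, 2021 and secrets created before September 1, 2023 must be tagged (or recreated) before these statements grant anything.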
When moving to user-level permissions, the secretsmanager:GetSecretValue permission should be removed from the EMR Studio service role policy. EMR Studio began applying the user-level tag automatically on September 1, 2023; secrets created before that date must be tagged or recreated before user-level permissions will work. Keeping GetSecretValue in the service role policy instead keeps service-level access in place. For more precise control over secret access, user-level permissions with tag-based access control are recommended.

Last thoughts on EMR Studio permissions

Businesses using Amazon EMR Studio must configure these IAM permissions. Administrators can combine user roles, custom permissions policies, and tag-based access control for Git secrets and Workspace collaboration to give users exactly the access their work requires. This strengthens security and makes each Studio user's capabilities explicit. These mechanisms provide tight control over Studio activities, but restricting access to the data itself remains a separate and equally important part of securing the environment.