Amazon EMR
Management Guide

Use Cluster Tags for Fine-Grained Access Control

You can use the Condition element (also called a Condition block) along with the following Amazon EMR condition context keys in an IAM user-based policy to control access based on cluster tags:

  • Use the elasticmapreduce:ResourceTag/TagKeyString condition context key to allow or deny user actions on clusters with specific tags.

  • Use the elasticmapreduce:RequestTag/TagKeyString condition context key to require a specific tag with actions/API calls.

Important

The condition context keys apply only to those Amazon EMR API actions that accept ClusterID as a request parameter. Because the ModifyInstanceGroups action does not accept ClusterID as an input, you can neither allow nor deny permissions for this action based on cluster tags. This is important to consider when you plan your authorization strategy.

For a complete list of Amazon EMR actions, see the API action names in the Amazon EMR API Reference. For more information about the Condition element and condition operators, see IAM Policy Elements Reference in the IAM User Guide, particularly String Condition Operators. For more information about adding tags to EMR clusters, see Tagging Amazon EMR Clusters.

Example Amazon EMR Policy Statements

The following examples demonstrate different scenarios and ways to use condition operators with Amazon EMR condition context keys. These IAM policy statements are intended for demonstration purposes only and should not be used in production environments. There are multiple ways to combine policy statements to grant and deny permissions according to your requirements. For more information about planning and testing IAM policies, see the IAM User Guide.

Allow Actions Only on Clusters with Specific Tag Values

The examples below demonstrate a policy that allows a user to perform actions based on the cluster tag department with the value dev, and also allows a user to tag clusters with that same tag. The final policy example demonstrates how to deny privileges to tag EMR clusters with anything but that same tag.

Important

Explicitly denying permission for tagging actions is an important consideration. This prevents users from granting permissions to themselves through cluster tags that you did not intend to grant. If the actions shown in the last example had not been denied, a user could add and remove tags of their choosing to any cluster, and circumvent the intention of the preceding policies.

In the following policy example, the StringEquals condition operator tries to match dev with the value for the tag department. If the tag department hasn't been added to the cluster, or doesn't contain the value dev, the policy doesn't apply, and the actions aren't allowed by this policy. If no other policy statements allow the actions, the user can only work with clusters that have this tag with this value.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt14793345241244",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:ListSteps",
        "elasticmapreduce:TerminateJobFlows",
        "elasticmapreduce:SetTerminationProtection",
        "elasticmapreduce:ListInstances",
        "elasticmapreduce:ListInstanceGroups",
        "elasticmapreduce:ListBootstrapActions",
        "elasticmapreduce:DescribeStep"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticmapreduce:ResourceTag/department": "dev"
        }
      }
    }
  ]
}

You can also specify multiple tag values in a single condition operator. For example, to allow the actions listed above on clusters where the department tag contains the value dev or test, you could replace the condition block in the earlier example with the following.

"Condition": {
  "StringEquals": {
    "elasticmapreduce:ResourceTag/department": ["dev", "test"]
  }
}

As in the preceding example, the following example policy looks for the same matching tag: the value dev for the department tag. In this case, however, the RequestTag condition context key specifies that the policy applies during tag creation, so the user must create a tag that matches the specified value.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1479334524000",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:RunJobFlow",
        "iam:PassRole"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticmapreduce:RequestTag/department": "dev"
        }
      }
    }
  ]
}

In the following example, the EMR actions that add and remove tags are combined with a StringNotEquals operator specifying the dev tag we've seen in earlier examples. The effect of this policy is to deny a user the permission to add or remove any tags on EMR clusters that are not tagged with a department tag that contains the dev value. Because StringNotEquals is a negated operator, it also matches when the cluster has no department tag at all, so the user cannot tag an untagged cluster with department=dev to bring it into scope. Note that this statement says nothing about clusters that already carry department=dev: a user who is allowed AddTags and RemoveTags elsewhere can still change tags on those clusters, so pair it with the RequestTag conditions shown on this page if tag values on dev clusters must also be pinned.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "elasticmapreduce:AddTags",
        "elasticmapreduce:RemoveTags"
      ],
      "Condition": {
        "StringNotEquals": {
          "elasticmapreduce:ResourceTag/department": "dev"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}

Allow Actions on Clusters with a Specific Tag, Regardless of Tag Value

You can also allow actions only on clusters that have a particular tag, regardless of the tag value. To do this, you can use the Null operator. For more information, see Condition Operator to Check Existence of Condition Keys in the IAM User Guide. For example, to allow actions only on EMR clusters that have the department tag, regardless of the value it contains, you could replace the Condition blocks in the earlier example with the following one. The Null operator tests whether the key elasticmapreduce:ResourceTag/department is present in the request, which it is only when the cluster carries a department tag. Setting the operator's value to "false" asks for the key to be not null, so the condition matches when the tag exists (with any value) and the actions are allowed; if the tag is absent, the condition does not match and this statement grants nothing.

"Condition": {
  "Null": {
    "elasticmapreduce:ResourceTag/department": "false"
  }
}

The following policy statement allows a user to create an EMR cluster only if the cluster will have a department tag, which can contain any value.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticmapreduce:RunJobFlow",
        "iam:PassRole"
      ],
      "Condition": {
        "Null": {
          "elasticmapreduce:RequestTag/department": "false"
        }
      },
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

Require Users to Add Tags When Creating a Cluster

The following policy statement allows a user to create an EMR cluster only if the cluster will have a department tag that contains the value dev when it is created.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticmapreduce:RunJobFlow",
        "iam:PassRole"
      ],
      "Condition": {
        "StringEquals": {
          "elasticmapreduce:RequestTag/department": "dev"
        }
      },
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
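The policies on this page only behave as intended because of how IAM combines them: an explicit Deny overrides any Allow, StringNotEquals matches when the tag key is missing from the request, and the Null operator tests presence rather than value. The following is an added example, not code from AWS or from the EMR service, that models just that slice of IAM evaluation offline and runs the page's ResourceTag, RequestTag, StringNotEquals and Null policies against constructed request contexts (an untagged cluster, a department=dev cluster, a RunJobFlow call with and without the tag). The ALLOW_TAGGING_ANYWHERE policy is an assumption standing in for the broader permissions the Important note above presumes a user already has; everything else is taken from the page.

```python
"""Offline model of the IAM evaluation behind this page's tag-condition policies.

Added example, not AWS or EMR code: it models only the slice of IAM semantics the
page relies on (StringEquals, StringNotEquals, Null, explicit-deny precedence, exact
action names) and feeds it constructed request contexts, so the tag escalation the
"Important" note warns about can be seen without an AWS account.
"""


def _as_list(value):
    """Action and condition values may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def condition_matches(condition, context):
    """True when every operator/key pair in a Condition block matches the context.

    StringEquals    - key present and value in the listed set
    StringNotEquals - negated: matches when the key is ABSENT or its value is not listed
    Null            - "true" matches an absent key, "false" a present one
    """
    for operator, tests in condition.items():
        for key, wanted in tests.items():
            actual, wanted_values = context.get(key), _as_list(wanted)
            if operator == "StringEquals":
                if actual is None or actual not in wanted_values:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in wanted_values:
                    return False
            elif operator == "Null":
                if (actual is None) != (wanted_values[0] == "true"):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policies, action, context):
    """One API call: an explicit Deny wins, else any matching Allow, else implicit deny."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if action not in _as_list(stmt["Action"]):
                continue
            if not condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision


RESOURCE_TAG = "elasticmapreduce:ResourceTag/department"
REQUEST_TAG = "elasticmapreduce:RequestTag/department"

# The page's policies, reduced to the fields the model reads (Version/Sid omitted).
ALLOW_ON_DEV_CLUSTERS = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["elasticmapreduce:DescribeCluster", "elasticmapreduce:ListSteps"],
    "Condition": {"StringEquals": {RESOURCE_TAG: "dev"}}}]}
DENY_TAGGING_NON_DEV = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": ["elasticmapreduce:AddTags", "elasticmapreduce:RemoveTags"],
    "Condition": {"StringNotEquals": {RESOURCE_TAG: "dev"}}}]}
ALLOW_CREATE_DEV = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["elasticmapreduce:RunJobFlow", "iam:PassRole"],
    "Condition": {"StringEquals": {REQUEST_TAG: "dev"}}}]}
# Constructed stand-in (assumption) for a broader operator policy that hands out
# tagging rights; the "Important" note presumes something like it exists.
ALLOW_TAGGING_ANYWHERE = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["elasticmapreduce:AddTags", "elasticmapreduce:RemoveTags"]}]}


def tag_escalation_scenarios():
    """Constructed request contexts: an untagged cluster and a department=dev cluster."""
    untagged, dev = {}, {RESOURCE_TAG: "dev"}
    read, add, run = ("elasticmapreduce:DescribeCluster", "elasticmapreduce:AddTags",
                      "elasticmapreduce:RunJobFlow")
    with_deny = [ALLOW_ON_DEV_CLUSTERS, ALLOW_TAGGING_ANYWHERE, DENY_TAGGING_NON_DEV]
    without_deny = with_deny[:2]
    return {
        "read dev cluster": evaluate([ALLOW_ON_DEV_CLUSTERS], read, dev),
        "read untagged cluster": evaluate([ALLOW_ON_DEV_CLUSTERS], read, untagged),
        # Without the deny the user tags any cluster department=dev, then reads it.
        "tag untagged cluster, no deny": evaluate(without_deny, add, untagged),
        # With the deny, StringNotEquals matches the MISSING key, so the deny fires.
        "tag untagged cluster, with deny": evaluate(with_deny, add, untagged),
        # Caveat: the deny is silent about clusters that already carry department=dev.
        "retag dev cluster, with deny": evaluate(with_deny, add, dev),
        # RequestTag keys come from the tags on the RunJobFlow call, not the cluster.
        "create cluster tagged dev": evaluate([ALLOW_CREATE_DEV], run, {REQUEST_TAG: "dev"}),
        "create cluster untagged": evaluate([ALLOW_CREATE_DEV], run, {}),
        # The page's Null form: any department value is fine, but the tag must exist.
        "null check, tagged test": condition_matches({"Null": {RESOURCE_TAG: "false"}}, {RESOURCE_TAG: "test"}),
        "null check, untagged": condition_matches({"Null": {RESOURCE_TAG: "false"}}, {}),
    }


if __name__ == "__main__":
    for name, outcome in tag_escalation_scenarios().items():
        print(f"{name:32} -> {outcome}")
```

The model is deliberately narrow (no wildcards, no Resource matching, no resource-based or SCP layers), so treat it as a way to reason about the page's examples, not as a substitute for the real evaluator. Before deploying, run the same cases through the IAM policy simulator, for example `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names elasticmapreduce:AddTags --context-entries ContextKeyName=elasticmapreduce:ResourceTag/department,ContextKeyValues=dev,ContextKeyType=string`, and repeat with the context entry omitted to confirm the missing-tag behaviour of StringNotEquals.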