Amazon EMR Actions in User-Based IAM Policies
In IAM user-based policies for Amazon EMR, all Amazon EMR actions are prefixed with the
elasticmapreduce element. You can specify the
"elasticmapreduce:*" key, using the wildcard character (*), to specify
all actions related to Amazon EMR, or you can allow a subset of actions, for example,
"elasticmapreduce:Describe*". You can also explicitly specify
individual Amazon EMR actions, for example
For a complete list of Amazon EMR actions, see the API action names in the Amazon EMR API Reference.
Because Amazon EMR relies on other services such as Amazon EC2 and Amazon S3, users need to be allowed
a subset of permissions for these services as well. For more information, see IAM Managed Policy for Full Access.
At a minimum, to access the Amazon EMR console, an IAM user needs to have an attached IAM policy that allows the following action:
For more information about permissions and policies, see Access Management in the IAM User Guide.
Amazon EMR does not support resource-based and resource-level policies, but you can use the
Condition element (also called the
Condition block) to
specify fine-grained access control based on cluster tags. For more information, see
Using Cluster Tags for Fine-Grained Access
Control. Because Amazon EMR does not support
resource-based or resource-level policies, the
Resource element always has
a wildcard value.
The easiest way to grant permissions to users is to use the managed policies for Amazon EMR. Managed policies also offer the benefit of being automatically updated if permission requirements change. If you need to customize policies, we recommend starting with a managed policy and then customizing privileges and conditions according to your requirements.