AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Elastic MapReduce

Amazon Elastic MapReduce (service prefix: elasticmapreduce) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by Amazon Elastic MapReduce

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions Description Access Level Resource Types (*required) Condition Keys Dependent Actions
AddInstanceFleet Grants permission to add an instance fleet to a running cluster. Write

cluster*

AddInstanceGroups Grants permission to add instance groups to a running cluster. Write

cluster*

AddJobFlowSteps Grants permission to add new steps to a running cluster. Write

cluster*

AddTags Grants permission to add tags to an Amazon EMR resource. Tagging

cluster

editor

elasticmapreduce:RequestTag/${TagKey}

CancelSteps Grants permission to cancel a pending step or steps in a running cluster. Write

cluster*

CreateEditor [permission only] Grants permission to create an EMR notebook. Tagging

cluster*

elasticmapreduce:RequestTag/${TagKey}

CreateSecurityConfiguration Grants permission to create a security configuration. Write
DeleteEditor [permission only] Grants permission to delete an EMR notebook. Write

editor*

DeleteSecurityConfiguration Grants permission to delete a security configuration. Write
DescribeCluster Grants permission to get details about a cluster, including status, hardware and software configuration, VPC settings, and so on. Read

cluster*

DescribeEditor [permission only] Grants permission to view information about a notebook, including status, user, role, tags, location, and more. Read

editor*

DescribeSecurityConfiguration Grants permission to get details of a security configuration. Read
DescribeStep Grants permission to get details about a cluster step. Read

cluster*

ListBootstrapActions Grants permission to get details about the bootstrap actions associated with a cluster. List

cluster*

ListClusters Grants permission to get the status of accessible clusters. List
ListEditors [permission only] Grants permission to list summary information for accessible EMR notebooks. List
ListInstanceFleets Grants permission to get details of instance fleets in a cluster. Read

cluster*

ListInstanceGroups Grants permission to get details of instance groups in a cluster. List

cluster*

ListInstances Grants permission to get details about the Amazon EC2 instances in a cluster. List

cluster*

ListSecurityConfigurations Grants permission to list available security configurations in this account by name, along with creation dates and times. List
ListSteps Grants permission to list steps associated with a cluster. List

cluster*

ModifyInstanceFleet Grants permission to change the target On-Demand and target Spot capacities for a instance fleet. Write

cluster*

ModifyInstanceGroups Grants permission to change the number and configuration of EC2 instances for an instance group. Write

cluster*

OpenEditorInConsole [permission only] Grants permission to launch the Jupyter notebook editor for an EMR notebook from within the console. Write

cluster*

editor*

PutAutoScalingPolicy Grants permission to create or update an automatic scaling policy for a core instance group or task instance group. Write

cluster*

RemoveAutoScalingPolicy Grants permission to remove an automatic scaling policy from an instance group. Write

cluster*

RemoveTags Grants permission to remove tags from an Amazon EMR resource. Tagging

cluster

editor

RunJobFlow Grants permission to create and launch a cluster (job flow). Tagging

elasticmapreduce:RequestTag/${TagKey}

SetTerminationProtection Grants permission to add and remove termination protection for a cluster. Write

cluster*

StartEditor [permission only] Grants permission to start an EMR notebook. Write

cluster*

editor*

StopEditor [permission only] Grants permission to shut down an EMR notebook. Write

editor*

TerminateJobFlows Grants permission to terminate a cluster (job flow). Write

cluster*

ViewEventsFromAllClustersInConsole [permission only] Grants permission to use the EMR management console to view events from all clusters. List

Resources Defined by EMR

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
cluster arn:${Partition}:elasticmapreduce:${Region}:${Account}:cluster/${ClusterId}

elasticmapreduce:ResourceTag/${TagKey}

editor arn:${Partition}:elasticmapreduce:${Region}:${Account}:editor/${EditorId}

elasticmapreduce:ResourceTag/${TagKey}

Condition Keys for Amazon Elastic MapReduce

Amazon Elastic MapReduce defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys Description Type
elasticmapreduce:RequestTag/${TagKey} Filters access to actions based on whether the tag and value pair is created for an Amazon EMR resource along with the action. String
elasticmapreduce:ResourceTag/${TagKey} Filters access to actions based on the tag and value pair associated with an Amazon EMR resource. String