Policies for tag-based access control - Amazon EMR

Amazon EMR Serverless is in preview release and is subject to change. To use EMR Serverless in preview, follow the sign up steps at https://pages.awscloud.com/EMR-Serverless-Preview.html. The only Region that EMR Serverless currently supports is us-east-1, so make sure to set all region parameters to this value. All Amazon S3 buckets used with EMR Serverless must also be created in us-east-1.

Policies for tag-based access control

You can use conditions in your identity-based policy to control access to applications and job runs based on tags.

The following examples demonstrate different scenarios and ways to use condition operators with EMR Serverless condition keys. These IAM policy statements are intended for demonstration purposes only and should not be used in production environments. There are multiple ways to combine policy statements to grant and deny permissions according to your requirements. For more information about planning and testing IAM policies, see the IAM User Guide.

Important

Explicitly denying permission for tagging actions is an important consideration. This prevents users from tagging a resource and thereby granting themselves permissions that you did not intend to grant. If tagging actions for a resource are not denied, a user can modify tags and circumvent the intention of the tag-based policies. For an example of a policy that denies tagging actions, see Deny access to add and remove tags.

The examples below demonstrate identity-based permissions policies that are used to control the actions that are allowed with EMR Serverless applications.

Require tagging when a resource is created

In the example below, a department tag with the value dev must be supplied in the request when the application is created; a CreateApplication request without that exact tag is not allowed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "emr-serverless:CreateApplication"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "emr-serverless:RequestTag/department": "dev"
                }
            }
        }
    ]
}

The following policy statement allows a user to create an application only if the request includes a department tag; the tag can contain any value. The Null condition with the value false is true when the key is present in the request.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "emr-serverless:CreateApplication"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "emr-serverless:RequestTag/department": "false"
                }
            }
        }
    ]
}

Deny access to add and remove tags

The effect of this policy is to deny a user the permission to add or remove any tags on applications that are tagged with a department tag that contains the dev value.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "emr-serverless:TagResource",
                "emr-serverless:UntagResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "emr-serverless:ResourceTag/department": "dev"
                }
            }
        }
    ]
}
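To check how these three policies behave before deploying them, the following added example (not AWS code) is a minimal evaluator that applies IAM's rules for the operators used on this page: explicit Deny wins, an unmatched request is an implicit Deny, and a missing key makes StringEquals false, StringNotEquals true, and Null a test for absence. The policy dictionaries and request contexts are constructed for illustration; the tag-deny policy is paired with a blanket tagging Allow so the override is visible.

```python
# Added example, not AWS code: offline evaluator for the tag conditions on this page.
# Missing-key behaviour follows IAM: StringEquals -> false, StringNotEquals -> true,
# Null "true" -> key absent, Null "false" -> key present.

def condition_holds(operator, key, expected, context):
    """Evaluate one condition key/value pair against the request context."""
    actual = context.get(key)
    if operator == "Null":
        return (actual is None) == (expected == "true")
    if operator == "StringEquals":
        return actual is not None and actual == expected
    if operator == "StringNotEquals":
        return actual is None or actual != expected
    raise ValueError(f"unsupported operator: {operator}")

def evaluate(policy, action, context):
    """Return 'Allow' or 'Deny'. Explicit Deny wins; no matching Allow is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if all(condition_holds(op, k, v, context)
               for op, pairs in stmt.get("Condition", {}).items() for k, v in pairs.items()):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def statement(effect, actions, condition=None):
    """Build one statement with Resource '*' as in the page's examples."""
    s = {"Effect": effect, "Action": actions, "Resource": "*"}
    if condition:
        s["Condition"] = condition
    return s

REQ, RES = "emr-serverless:RequestTag/department", "emr-serverless:ResourceTag/department"
CREATE, TAG, UNTAG = ("emr-serverless:CreateApplication", "emr-serverless:TagResource",
                      "emr-serverless:UntagResource")

# Constructed policies mirroring the page's three examples.
require_dev = {"Version": "2012-10-17", "Statement": [
    statement("Allow", [CREATE], {"StringEquals": {REQ: "dev"}})]}
require_any_department = {"Version": "2012-10-17", "Statement": [
    statement("Allow", [CREATE], {"Null": {REQ: "false"}})]}
# Tagging is allowed in general but explicitly denied on applications tagged
# department=dev, so a user cannot retag a dev application to escape the tag rules.
deny_retag_dev = {"Version": "2012-10-17", "Statement": [
    statement("Allow", [TAG, UNTAG]),
    statement("Deny", [TAG, UNTAG], {"StringEquals": {RES: "dev"}})]}

if __name__ == "__main__":
    print(evaluate(require_dev, CREATE, {}))             # Deny: tag missing from request
    print(evaluate(deny_retag_dev, TAG, {RES: "dev"}))   # Deny: explicit deny overrides Allow
```

Use aws iam simulate-custom-policy for the authoritative answer once the policy is written; this evaluator only models the operators shown here.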