Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Denying the ModifyInstanceGroup action in Amazon EMR

Focus mode
Denying the ModifyInstanceGroup action in Amazon EMR - Amazon EMR

The ModifyInstanceGroups action in Amazon EMR does not require that you provide a cluster ID with the action. Instead, you can specify only an instance group ID. For this reason, an apparently simple deny policy for this action based on cluster ID or a cluster tag may not have the intended effect. Consider the following example policy.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceGroups" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "elasticmapreduce:ModifyInstanceGroups" ], "Effect": "Deny", "Resource": "arn:aws:elasticmapreduce:us-east-1:123456789012:cluster/j-12345ABCDEFG67" } ] }

If a user with this policy attached performs a ModifyInstanceGroup action and specifies only the instance group ID, the policy does not apply. Because the action is allowed on all other resources, the action is successful.

A solution to this issue is to attach a policy statement to the identity that uses a NotResource element to deny any ModifyInstanceGroup action issued without a cluster ID. The following example policy adds such a deny statement so that any ModifyInstanceGroups request fails unless a cluster ID is specified. Because an identity must specify a cluster ID with the action, deny statements based on cluster ID are therefore effective.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceGroups" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "elasticmapreduce:ModifyInstanceGroups" ], "Effect": "Deny", "Resource": "arn:aws:elasticmapreduce:us-east-1:123456789012:cluster/j-12345ABCDEFG67" }, { "Action": [ "elasticmapreduce:ModifyInstanceGroups" ], "Effect": "Deny", "NotResource": "arn:*:elasticmapreduce:*:*:cluster/*" } ] }

A similar issue exists when you want to deny the ModifyInstanceGroups action based on the value associated with a cluster tag. The solution is similar. In addition to a deny statement that specifies the tag value, you can add a policy statement that denies the ModifyInstanceGroup action if the tag that you specify is not present, regardless of value.

The following example demonstrates a policy that, when attached to an identity, denies the identity the ModifyInstanceGroups action any cluster with the tag department set to dev. This statement is only effective because of the deny statement that uses the StringNotLike condition to deny the action unless the department tag is present.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceGroups" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "elasticmapreduce:ModifyInstanceGroups" ], "Condition": { "StringEquals": { "aws:ResourceTag/department": "dev" } }, "Effect": "Deny", "Resource": "*" }, { "Action": [ "elasticmapreduce:ModifyInstanceGroups" ], "Condition": { "StringNotLike": { "aws:ResourceTag/department": "?*" } }, "Effect": "Deny", "Resource": "*" } ], }
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.