Amazon EMR
Management Guide

Amazon EMR Actions in User-Based IAM Policies

In IAM user-based policies for Amazon EMR, all Amazon EMR actions are prefixed with the lowercase elasticmapreduce element. You can specify the "elasticmapreduce:*" key, using the wildcard character (*), to specify all actions related to Amazon EMR, or you can allow a subset of actions, for example, "elasticmapreduce:Describe*". You can also explicitly specify individual Amazon EMR actions, for example "elasticmapreduce:DescribeCluster". For a complete list of Amazon EMR actions, see the API action names in the Amazon EMR API Reference. Because Amazon EMR relies on other services such as Amazon EC2 and Amazon S3, users need to be allowed a subset of permissions for these services as well. For more information, see IAM Managed Policy for Full Access.


At a minimum, to access the Amazon EMR console, an IAM user needs to have an attached IAM policy that allows the following action:


For more information about permissions and policies, see Access Management in the IAM User Guide.

Amazon EMR does not support resource-based and resource-level policies, but you can use the Condition element (also called the Condition block) to specify fine-grained access control based on cluster tags. For more information, see Use Cluster Tags for Fine-Grained Access Control. Because Amazon EMR does not support resource-based or resource-level policies, the Resource element always has a wildcard value.
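The following Python sketch is an added example, not part of the Amazon EMR guide. It audits a user-based policy for the points above: Amazon EMR statements whose Resource is not the wildcard, and statements that allow state-changing actions without a cluster-tag condition. The sample policy, the tag key `department`, the value `dev`, the ARN placeholder, and the short list of state-changing actions are constructed for illustration.

```python
import fnmatch
import json

# Subset of state-changing EMR API actions, chosen for illustration.
MUTATING = ["TerminateJobFlows", "AddJobFlowSteps", "SetTerminationProtection"]
PREFIX = "elasticmapreduce:"
TAG_KEY = "elasticmapreduce:resourcetag/"

# Constructed sample policy; tag key "department", value "dev" and the ARN
# placeholder are assumptions, not values from the guide.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["elasticmapreduce:Describe*", "elasticmapreduce:ListClusters"]},
  {"Effect": "Allow", "Resource": "*",
   "Action": "elasticmapreduce:TerminateJobFlows",
   "Condition": {"StringEquals":
     {"elasticmapreduce:ResourceTag/department": "dev"}}},
  {"Effect": "Allow", "Action": "elasticmapreduce:*",
   "Resource": "arn:aws:elasticmapreduce:REGION:ACCOUNT-ID:cluster/CLUSTER-ID"}
 ]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_emr_statements(policy):
    """Return (statement index, finding) pairs for Allow statements on EMR."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM matches action names and condition keys case-insensitively.
        patterns = [a.lower()[len(PREFIX):] for a in _as_list(stmt.get("Action", []))
                    if a.lower().startswith(PREFIX)]
        if not patterns:
            continue
        # Per the guide, Resource for EMR actions is always the wildcard.
        if _as_list(stmt.get("Resource")) != ["*"]:
            findings.append((i, "resource-not-wildcard"))
        tag_scoped = any(key.lower().startswith(TAG_KEY)
                         for operator in stmt.get("Condition", {}).values()
                         for key in operator)
        grants_mutation = any(fnmatch.fnmatchcase(m.lower(), p)
                              for p in patterns for m in MUTATING)
        if grants_mutation and not tag_scoped:
            findings.append((i, "unscoped-mutating"))
    return findings
```

Only the third statement of the sample is reported; the audit does not cover a bare `"Action": "*"` or Deny statements.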

The easiest way to grant permissions to users is to use the managed policies for Amazon EMR. Managed policies also offer the benefit of being automatically updated if permission requirements change. If you need to customize policies, we recommend starting with a managed policy and then customizing privileges and conditions according to your requirements.