Minimum Amazon S3 policy for private subnet
For private subnets, at a minimum you must provide the ability for Amazon EMR to access Amazon Linux
repositories. This private subnet policy is a part of the VPC endpoint policies for
accessing Amazon S3. With Amazon EMR 5.25.0 or later, to enable one-click access to persistent
Spark history server, you must allow Amazon EMR to access the system bucket that collects
Spark event logs. If you enable logging, provide PUT permissions to a
aws157-logs-* bucket. For more information, see One-click access to persistent
Spark History Server.
It is up to you to determine the policy restrictions that meet your business
needs. For example, you can specify the Region
packages.us-east-1.amazonaws.com to avoid an ambiguous Amazon S3 bucket
name. The following example policy provides permissions to access Amazon Linux repositories
and the Amazon EMR system bucket for collecting Spark event logs. Replace
MyRegion with the Region where your log buckets
reside, for example us-east-1.
For more information about using IAM policies with Amazon VPC endpoints, see Endpoint policies for Amazon S3.
{ "Version": "2008-10-17", "Statement": [ { "Sid": "AmazonLinuxAMIRepositoryAccess", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::packages.MyRegion.amazonaws.com/*", "arn:aws:s3:::repo.MyRegion.amazonaws.com/*", "arn:aws:s3:::repo.MyRegion.emr.amazonaws.com/*" ] }, { "Sid": "EnableApplicationHistory", "Effect": "Allow", "Principal": "*", "Action": [ "s3:Put*", "s3:Get*", "s3:Create*", "s3:Abort*", "s3:List*" ], "Resource": [ "arn:aws:s3:::prod.MyRegion.appinfo.src/*" ] } ] }
The following example policy provides the permissions required to access Amazon Linux 2 repositories. Amazon Linux 2 AMI is the default.
{ "Statement": [ { "Sid": "AmazonLinux2AMIRepositoryAccess", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::amazonlinux.MyRegion.amazonaws.com/*", "arn:aws:s3:::amazonlinux-2-repos-MyRegion/*" ] } ] }
