Minimum Amazon S3 policy for private subnet
For private subnets, at a minimum you must provide the ability for Amazon EMR to access
Amazon Linux repositories. This private subnet policy is a part of the VPC endpoint
policies for accessing Amazon S3.
With Amazon EMR 5.25.0 or later, to enable one-click access to
persistent Spark history server, you must allow Amazon EMR to access the system
bucket
that collects Spark event logs. If you enable logging, provide PUT permissions
to a aws157-logs-* bucket.
For more information, see One-click access to persistent Spark History
Server.
It is up to you to determine the policy restrictions that meet your business needs.
For
example, you can specify the Region "packages.us-east-1.amazonaws.com" to avoid
an
ambiguous Amazon S3 bucket name. The following example policy provides permissions
to
access Amazon Linux repositories and the Amazon EMR system bucket for collecting
Spark event logs.
Replace MyRegion with the Region where your log buckets
reside, for example us-east-1.
{ "Version": "2008-10-17", "Statement": [ { "Sid": "AmazonLinuxAMIRepositoryAccess", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::packages.*.amazonaws.com/*", "arn:aws:s3:::repo.*.amazonaws.com/*" ] }, { "Sid": "EnableApplicationHistory", "Effect": "Allow", "Principal": "*", "Action": [ "s3:Put*", "s3:Get*", "s3:Create*", "s3:Abort*", "s3:List*" ], "Resource": [ "arn:aws:s3:::prod.MyRegion.appinfo.src/*" ] } ] }
The following example policy provides the permissions required to
access Amazon Linux 2 repositories. Amazon Linux 2 AMI is the default. Replace
MyRegion with the Region where your log buckets
reside, for example us-east-1. For more information, see Endpoint policies for Amazon S3.
{ "Statement": [ { "Sid": "AmazonLinux2AMIRepositoryAccess", "Principal": "*", "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::amazonlinux.MyRegion.amazonaws.com/*" "arn:aws:s3:::amazonlinux-2-repos-MyRegion/*" ] } ] }
