Minimum Amazon S3 policy for private subnet
For private subnets, at a minimum you must provide the ability for Amazon EMR to
access Amazon Linux repositories. This private subnet policy is a part of the VPC
endpoint policies for accessing Amazon S3. With Amazon EMR 5.25.0 or later, to enable
one-click access to persistent Spark history server, you must allow Amazon EMR to
access the system bucket that collects Spark event logs. If you enable logging,
provide PUT permissions to a aws157-logs-* bucket. For more
information, see One-click
access to persistent Spark History Server.
It is up to you to determine the policy restrictions that meet your business
needs. For example, you can specify the Region
packages.us-east-1.amazonaws.com to avoid an ambiguous Amazon S3
bucket name. The following example policy provides permissions to access Amazon Linux
repositories and the Amazon EMR system bucket for collecting Spark event logs.
Replace MyRegion with the Region where your log
buckets reside, for example us-east-1.
For more information about using IAM policies with Amazon VPC endpoints, see Endpoint policies for Amazon S3.
{ "Version": "2008-10-17", "Statement": [ { "Sid": "AmazonLinuxAMIRepositoryAccess", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::packages.MyRegion.amazonaws.com/*", "arn:aws:s3:::repo.MyRegion.amazonaws.com/*", "arn:aws:s3:::repo.MyRegion.emr.amazonaws.com/*" ] }, { "Sid": "EnableApplicationHistory", "Effect": "Allow", "Principal": "*", "Action": [ "s3:Put*", "s3:Get*", "s3:Create*", "s3:Abort*", "s3:List*" ], "Resource": [ "arn:aws:s3:::prod.MyRegion.appinfo.src/*" ] } ] }
The following example policy provides the permissions required to access Amazon Linux 2 repositories. Amazon Linux 2 AMI is the default.
{ "Statement": [ { "Sid": "AmazonLinux2AMIRepositoryAccess", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::amazonlinux.MyRegion.amazonaws.com/*", "arn:aws:s3:::amazonlinux-2-repos-MyRegion/*" ] } ] }
