Sample policies for private subnets that access Amazon S3
For private subnets, at a minimum the VPC endpoint policy for Amazon S3 must allow Amazon EMR to reach the Amazon Linux repository buckets, so that cluster nodes can install packages. This private subnet policy is one part of the VPC endpoint policies for accessing Amazon S3.
With Amazon EMR 5.25.0 or later, to enable one-click access to the persistent Spark history server, you must allow Amazon EMR to access the system bucket that collects Spark event logs. If you enable logging, grant PUT permissions on the following bucket, where ${AWS::Region} stands for the region the cluster runs in:
aws157-logs-${AWS::Region}/*
For more information, see One-click access to persistent Spark History Server.
It is up to you to determine the policy restrictions that meet your business needs. The following example policy grants access to the Amazon Linux repositories and to the Amazon EMR system bucket that collects Spark event logs, using sample bucket names for the us-east-1 region.
For more information about using IAM policies with Amazon VPC endpoints, see Endpoint policies for Amazon S3.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AmazonLinuxAMIRepositoryAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::packages.us-east-1.amazonaws.com/*",
        "arn:aws:s3:::repo.us-east-1.amazonaws.com/",
        "arn:aws:s3:::repo.us-east-1.amazonaws.com/*"
      ]
    },
    {
      "Sid": "EnableApplicationHistory",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:Put*",
        "s3:Get*",
        "s3:Create*",
        "s3:Abort*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::prod.us-east-1.appinfo.src/*"
      ]
    }
  ]
}
The following example policy provides the permissions required to access the Amazon Linux 2 repositories. Amazon Linux 2 is the default AMI. A Version element is included because a policy without one defaults to the 2008-10-17 language, which does not support policy variables.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonLinux2AMIRepositoryAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::amazonlinux.us-east-1.amazonaws.com/*",
        "arn:aws:s3:::amazonlinux-2-repos-us-east-1/*"
      ]
    }
  ]
}
Available regions
The following table lists, for each region, the Amazon Resource Names (ARNs) of the repository buckets and of the appinfo.src bucket. An ARN is a string that uniquely identifies an AWS resource. Note that an S3 ARN ending in a bare slash, such as arn:aws:s3:::packages.us-east-2.amazonaws.com/, denotes an object with an empty key and therefore matches no object; in a policy statement, use the bucket ARN with a trailing /* so that it covers the objects in the bucket.
Region | Repository buckets | AppInfo bucket |
---|---|---|
US East (Ohio) | "arn:aws:s3:::packages.us-east-2.amazonaws.com/","arn:aws:s3:::repo.us-east-2.amazonaws.com/","arn:aws:s3:::repo.us-east-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.us-east-2.appinfo.src/*" |
US East (N. Virginia) | "arn:aws:s3:::packages.us-east-1.amazonaws.com/","arn:aws:s3:::repo.us-east-1.amazonaws.com/","arn:aws:s3:::repo.us-east-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.us-east-1.appinfo.src/*" |
US West (N. California) | "arn:aws:s3:::packages.us-west-1.amazonaws.com/","arn:aws:s3:::repo.us-west-1.amazonaws.com/","arn:aws:s3:::repo.us-west-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.us-west-1.appinfo.src/*" |
US West (Oregon) | "arn:aws:s3:::packages.us-west-2.amazonaws.com/","arn:aws:s3:::repo.us-west-2.amazonaws.com/","arn:aws:s3:::repo.us-west-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.us-west-2.appinfo.src/*" |
Africa (Cape Town) | "arn:aws:s3:::packages.af-south-1.amazonaws.com/","arn:aws:s3:::repo.af-south-1.amazonaws.com/","arn:aws:s3:::repo.af-south-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.af-south-1.appinfo.src/*" |
Asia Pacific (Hong Kong) | "arn:aws:s3:::packages.ap-east-1.amazonaws.com/","arn:aws:s3:::repo.ap-east-1.amazonaws.com/","arn:aws:s3:::repo.ap-east-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-east-1.appinfo.src/*" |
Asia Pacific (Hyderabad) | "arn:aws:s3:::packages.ap-south-2.amazonaws.com/","arn:aws:s3:::repo.ap-south-2.amazonaws.com/","arn:aws:s3:::repo.ap-south-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-south-2.appinfo.src/*" |
Asia Pacific (Jakarta) | "arn:aws:s3:::packages.ap-southeast-3.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-3.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-3.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-3.appinfo.src/*" |
Asia Pacific (Malaysia) | "arn:aws:s3:::packages.ap-southeast-5.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-5.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-5.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-5.appinfo.src/*" |
Asia Pacific (Melbourne) | "arn:aws:s3:::packages.ap-southeast-4.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-4.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-4.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-4.appinfo.src/*" |
Asia Pacific (Mumbai) | "arn:aws:s3:::packages.ap-south-1.amazonaws.com/","arn:aws:s3:::repo.ap-south-1.amazonaws.com/","arn:aws:s3:::repo.ap-south-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-south-1.appinfo.src/*" |
Asia Pacific (Osaka) | "arn:aws:s3:::packages.ap-northeast-3.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-3.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-3.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-northeast-3.appinfo.src/*" |
Asia Pacific (Seoul) | "arn:aws:s3:::packages.ap-northeast-2.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-2.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-northeast-2.appinfo.src/*" |
Asia Pacific (Singapore) | "arn:aws:s3:::packages.ap-southeast-1.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-1.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-1.appinfo.src/*" |
Asia Pacific (Sydney) | "arn:aws:s3:::packages.ap-southeast-2.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-2.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-2.appinfo.src/*" |
Asia Pacific (Tokyo) | "arn:aws:s3:::packages.ap-northeast-1.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-1.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-northeast-1.appinfo.src/*" |
Canada (Central) | "arn:aws:s3:::packages.ca-central-1.amazonaws.com/","arn:aws:s3:::repo.ca-central-1.amazonaws.com/","arn:aws:s3:::repo.ca-central-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ca-central-1.appinfo.src/*" |
Canada West (Calgary) | "arn:aws:s3:::packages.ca-west-1.amazonaws.com/","arn:aws:s3:::repo.ca-west-1.amazonaws.com/","arn:aws:s3:::repo.ca-west-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ca-west-1.appinfo.src/*" |
Europe (Frankfurt) | "arn:aws:s3:::packages.eu-central-1.amazonaws.com/","arn:aws:s3:::repo.eu-central-1.amazonaws.com/","arn:aws:s3:::repo.eu-central-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-central-1.appinfo.src/*" |
Europe (Ireland) | "arn:aws:s3:::packages.eu-west-1.amazonaws.com/","arn:aws:s3:::repo.eu-west-1.amazonaws.com/","arn:aws:s3:::repo.eu-west-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-west-1.appinfo.src/*" |
Europe (London) | "arn:aws:s3:::packages.eu-west-2.amazonaws.com/","arn:aws:s3:::repo.eu-west-2.amazonaws.com/","arn:aws:s3:::repo.eu-west-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-west-2.appinfo.src/*" |
Europe (Milan) | "arn:aws:s3:::packages.eu-south-1.amazonaws.com/","arn:aws:s3:::repo.eu-south-1.amazonaws.com/","arn:aws:s3:::repo.eu-south-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-south-1.appinfo.src/*" |
Europe (Paris) | "arn:aws:s3:::packages.eu-west-3.amazonaws.com/","arn:aws:s3:::repo.eu-west-3.amazonaws.com/","arn:aws:s3:::repo.eu-west-3.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-west-3.appinfo.src/*" |
Europe (Spain) | "arn:aws:s3:::packages.eu-south-2.amazonaws.com/","arn:aws:s3:::repo.eu-south-2.amazonaws.com/","arn:aws:s3:::repo.eu-south-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-south-2.appinfo.src/*" |
Europe (Stockholm) | "arn:aws:s3:::packages.eu-north-1.amazonaws.com/","arn:aws:s3:::repo.eu-north-1.amazonaws.com/","arn:aws:s3:::repo.eu-north-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-north-1.appinfo.src/*" |
Europe (Zurich) | "arn:aws:s3:::packages.eu-central-2.amazonaws.com/","arn:aws:s3:::repo.eu-central-2.amazonaws.com/","arn:aws:s3:::repo.eu-central-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-central-2.appinfo.src/*" |
Israel (Tel Aviv) | "arn:aws:s3:::packages.il-central-1.amazonaws.com/","arn:aws:s3:::repo.il-central-1.amazonaws.com/","arn:aws:s3:::repo.il-central-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.il-central-1.appinfo.src/*" |
Middle East (Bahrain) | "arn:aws:s3:::packages.me-south-1.amazonaws.com/","arn:aws:s3:::repo.me-south-1.amazonaws.com/","arn:aws:s3:::repo.me-south-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.me-south-1.appinfo.src/*" |
Middle East (UAE) | "arn:aws:s3:::packages.me-central-1.amazonaws.com/","arn:aws:s3:::repo.me-central-1.amazonaws.com/","arn:aws:s3:::repo.me-central-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.me-central-1.appinfo.src/*" |
South America (São Paulo) | "arn:aws:s3:::packages.sa-east-1.amazonaws.com/","arn:aws:s3:::repo.sa-east-1.amazonaws.com/","arn:aws:s3:::repo.sa-east-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.sa-east-1.appinfo.src/*" |
AWS GovCloud (US-East) | "arn:aws-us-gov:s3:::packages.us-gov-east-1.amazonaws.com/","arn:aws-us-gov:s3:::repo.us-gov-east-1.amazonaws.com/","arn:aws-us-gov:s3:::repo.us-gov-east-1.emr.amazonaws.com/*" | "arn:aws-us-gov:s3:::prod.us-gov-east-1.appinfo.src/*" |
AWS GovCloud (US-West) | "arn:aws-us-gov:s3:::packages.us-gov-west-1.amazonaws.com/","arn:aws-us-gov:s3:::repo.us-gov-west-1.amazonaws.com/","arn:aws-us-gov:s3:::repo.us-gov-west-1.emr.amazonaws.com/*" | "arn:aws-us-gov:s3:::prod.us-gov-west-1.appinfo.src/*" |
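Hand-assembling an endpoint policy from the table above is where region and partition mix-ups happen, so the following added example (written for this page, not Amazon EMR's own tooling) generates the policy for one region from the bucket-name patterns in the sample policies and the table, and checks any policy for the mistakes a reviewer should look for: a bucket from a different region, the wrong partition for GovCloud, a resource ARN with an empty object key, a statement without a Principal, and the absence of the minimum repository GET permission. The bucket-name templates, the action list for the appinfo statement, and the partition rule come from this page and from the AWS ARN format; the "Version": "2012-10-17" choice and the BAD_POLICY document are assumptions constructed for the example.

```python
"""Build the S3 gateway-endpoint policy for an EMR private subnet in a given region
and check a policy for the errors that creep into per-region bucket lists."""
import json
import re

# Bucket-name templates taken from the page's sample policies and region table.
REPO_BUCKET_TEMPLATES = (
    "packages.{region}.amazonaws.com",
    "repo.{region}.amazonaws.com",
    "repo.{region}.emr.amazonaws.com",
    "amazonlinux.{region}.amazonaws.com",  # Amazon Linux 2 repositories
    "amazonlinux-2-repos-{region}",
)
APPINFO_BUCKET_TEMPLATE = "prod.{region}.appinfo.src"
# Actions for the Spark event-log (appinfo) statement, as in the page's first sample.
APPINFO_ACTIONS = ["s3:Put*", "s3:Get*", "s3:Create*", "s3:Abort*", "s3:List*"]

S3_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z-]+)?):s3:::(?P<bucket>[^/]+)(?P<key>/.*)?$")
# A region code inside a bucket name: us-east-1, ap-southeast-3, us-gov-west-1, ...
REGION_RE = re.compile(r"(?<![a-z0-9])((?:us-gov|[a-z]{2})-[a-z]+-\d)(?![a-z0-9])")


def partition_for(region):
    """GovCloud buckets live in the aws-us-gov partition; all other regions use aws."""
    return "aws-us-gov" if region.startswith("us-gov-") else "aws"


def build_endpoint_policy(region):
    """Endpoint policy allowing only the repository GETs and the appinfo bucket access."""
    p = partition_for(region)
    repo_arns = [f"arn:{p}:s3:::{t.format(region=region)}/*" for t in REPO_BUCKET_TEMPLATES]
    appinfo_arn = f"arn:{p}:s3:::{APPINFO_BUCKET_TEMPLATE.format(region=region)}/*"
    return {
        "Version": "2012-10-17",  # assumption: newer policy language than the page's sample
        "Statement": [
            {"Sid": "AmazonLinuxRepositoryAccess", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": repo_arns},
            {"Sid": "EnableApplicationHistory", "Effect": "Allow", "Principal": "*",
             "Action": APPINFO_ACTIONS, "Resource": [appinfo_arn]},
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_policy(policy, expected_region):
    """Return findings (strings) for a policy meant for expected_region; [] means clean."""
    findings = []
    expected_partition = partition_for(expected_region)
    for st in _as_list(policy.get("Statement", [])):
        sid = st.get("Sid", "<no Sid>")
        if "Principal" not in st:
            findings.append(f"{sid}: endpoint policies are resource policies; Principal is required")
        for res in _as_list(st.get("Resource", [])):
            m = S3_ARN_RE.match(res)
            if not m:
                findings.append(f"{sid}: {res!r} is not an S3 ARN")
                continue
            if m["partition"] != expected_partition:
                findings.append(f"{sid}: {res} is in partition {m['partition']}, expected {expected_partition}")
            r = REGION_RE.search(m["bucket"])
            if r and r.group(1) != expected_region:
                findings.append(f"{sid}: {res} names region {r.group(1)}, expected {expected_region}")
            if m["key"] == "/":
                findings.append(f"{sid}: {res} has an empty object key and matches no object; use /*")
    return findings


def grants_repo_access(policy, region):
    """The page's minimum requirement: some Allow statement must let EMR GET objects
    from at least one Amazon Linux repository bucket of this region."""
    repo_buckets = {t.format(region=region) for t in REPO_BUCKET_TEMPLATES}
    get_actions = {"s3:*", "s3:Get*", "s3:GetObject"}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not get_actions & set(_as_list(st.get("Action", []))):
            continue
        for res in _as_list(st.get("Resource", [])):
            m = S3_ARN_RE.match(res)
            if m and m["bucket"] in repo_buckets and m["key"] == "/*":
                return True
    return False


# Constructed bad policy (not from the page) showing the mistakes the checker catches:
# repository ARNs with an empty key, the appinfo bucket of a different region, no Principal.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AmazonLinuxAMIRepositoryAccess", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::packages.ap-southeast-4.amazonaws.com/",
                      "arn:aws:s3:::repo.ap-southeast-4.amazonaws.com/"]},
        {"Sid": "EnableApplicationHistory", "Effect": "Allow",
         "Action": APPINFO_ACTIONS,
         "Resource": ["arn:aws:s3:::prod.ap-south-2.appinfo.src/*"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_endpoint_policy("us-east-1"), indent=2))
    for finding in check_policy(BAD_POLICY, "ap-southeast-4"):
        print("FINDING:", finding)
```

Run check_policy against the region you are deploying in, not the region a policy was copied from: a policy built for us-east-1 passes its own check but reports every bucket as foreign when checked against us-west-2, which is exactly the copy-paste error the table makes easy. The checker deliberately does not try to decide whether the wildcard actions in the appinfo statement are too broad; that is a business decision the page leaves to you.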