Denying the ModifyInstanceGroups action in Amazon EMR
The ModifyInstanceGroups action in Amazon EMR does not require that you provide a cluster ID with the request. Instead, you can specify only an instance group ID. Because the request then carries no cluster ARN for IAM to match, an apparently simple deny policy for this action based on a cluster ID or a cluster tag may not have the intended effect. Consider the following example policy.
If a user with this policy attached calls ModifyInstanceGroups and specifies only the instance group ID, the deny statement does not match, because there is no cluster ID in the request for the resource ARN in the statement to match. Because the action is allowed on all other resources, the request succeeds.
A solution to this issue is to attach a policy statement to the identity that uses a NotResource element to deny any ModifyInstanceGroups request issued without a cluster ID. The following example policy adds such a deny statement, so that any ModifyInstanceGroups request fails unless a cluster ID is specified. Because an identity must then specify a cluster ID with the action, deny statements based on cluster ID become effective.
A similar issue exists when you want to deny the ModifyInstanceGroups action based on the value of a cluster tag, and the solution is similar. In addition to a deny statement that matches the tag value, you add a statement that denies the ModifyInstanceGroups action whenever the tag you specify is not present at all, regardless of its value.
The following example demonstrates a policy that, when attached to an identity, denies that identity the ModifyInstanceGroups action on any cluster with the tag department set to dev. The tag-value statement is only effective because of the accompanying deny statement that uses the StringNotLike condition to deny the action unless the department tag is present; a request that names only an instance group carries no cluster tags, so without that second statement it would slip past the tag-value check.
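The tag-based variant, again as an added example and not the policy from the original page. The Sid values are assumed; the tag key department and value dev come from the text above. The condition key elasticmapreduce:ResourceTag/department is the EMR resource-tag condition key for that tag. The second statement denies the action on clusters tagged department=dev; the third denies it whenever the request has no department tag to evaluate at all, which covers instance-group-only requests.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEverythingElse",
      "Effect": "Allow",
      "Action": "elasticmapreduce:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyModifyOnDevClusters",
      "Effect": "Deny",
      "Action": "elasticmapreduce:ModifyInstanceGroups",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "elasticmapreduce:ResourceTag/department": "dev"
        }
      }
    },
    {
      "Sid": "DenyModifyWhenDepartmentTagAbsent",
      "Effect": "Deny",
      "Action": "elasticmapreduce:ModifyInstanceGroups",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "elasticmapreduce:ResourceTag/department": "*"
        }
      }
    }
  ]
}
```

A consequence worth noting before rolling this out: the third statement also denies ModifyInstanceGroups on clusters that legitimately have no department tag, so every cluster the identity is expected to resize must carry the tag (with a value other than dev). If that is not acceptable, enforce the tag at cluster creation instead of relaxing this statement, since relaxing it reopens the instance-group-only path.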