# Amazon EMR managed policies

The easiest way to grant full access or read-only access to required Amazon EMR actions is to use the IAM managed policies for Amazon EMR. Managed policies offer the benefit of updating automatically if permission requirements change. If you use inline policies, service changes may occur that cause permission errors to appear. 

Amazon EMR will be deprecating existing managed policies (v1 policies) in favor of new managed policies (v2 policies). The new managed policies have been scoped-down to align with AWS best practices. After the existing v1 managed policies are deprecated, you will not be able to attach these policies to any new IAM roles or users. Existing roles and users that use deprecated policies can continue to use them. The v2 managed policies restrict access using tags. They allow only specified Amazon EMR actions and require cluster resources that are tagged with an EMR-specific key. We recommend that you carefully review the documentation before using the new v2 policies.

The v1 policies will be marked deprecated with a warning icon next to them in the **Policies** list in the IAM console. The deprecated policies will have the following characteristics:
+ They will continue to work for all currently attached users, groups, and roles. Nothing breaks.
+ They cannot be attached to new users, groups, or roles. If you detach one of the policies from a current entity, you cannot reattach it.
+ After you detach a v1 policy from all current entities, the policy will no longer be visible and can no longer be used.

The following table summarizes the changes between current policies (v1) and v2 policies.


**Amazon EMR managed policy changes**  

| Policy type | Policy names | Policy purpose | Changes to v2 policy | 
| --- | --- | --- | --- | 
|  Default EMR service role and attached managed policy  |  Role name: **EMR_DefaultRole**. V1 policy (to be deprecated): **AmazonElasticMapReduceRole** (EMR Service Role). V2 (scoped-down) policy name: [`AmazonEMRServicePolicy_v2`](emr-iam-role.md)  |  Allows Amazon EMR to call other AWS services on your behalf when provisioning resources and performing service-level actions. This role is required for all clusters.  |  The v2 service role and v2 default policy replace the deprecated role and policy. The policy adds a prerequisite that users must add user tags to resources before they can use it. See [Tagging resources to use managed policies](#manually-tagged-resources). The policy also adds the permission `"ec2:DescribeInstanceTypeOfferings"`, an API operation that returns the instance types supported in a given list of Availability Zones. See [Service role for Amazon EMR (EMR role)](emr-iam-role.md).  | 
|  IAM managed policy for full Amazon EMR access by attached user, role, or group  |  V1 policy (to be deprecated): [`AmazonElasticMapReduceFullAccess`](emr-managed-policy-fullaccess.md). V2 (scoped) policy name: [`AmazonEMRFullAccessPolicy_v2`](emr-managed-policy-fullaccess-v2.md)  |  Allows users full permissions for EMR actions. Includes `iam:PassRole` permissions for resources.  |  Policy adds a prerequisite that users must add user tags to resources before they can use this policy. See [Tagging resources to use managed policies](#manually-tagged-resources). The `iam:PassRole` action requires the `iam:PassedToService` condition set to a specified service. Access to Amazon EC2, Amazon S3, and other services is not allowed by default. See [IAM Managed Policy for Full Access (v2 Managed Default Policy)](emr-managed-policy-fullaccess-v2.md).  | 
|  IAM managed policy for read-only access by attached user, role, or group  |  V1 policy (to be deprecated): [`AmazonElasticMapReduceReadOnlyAccess`](emr-managed-policy-readonly.md). V2 (scoped) policy name: [`AmazonEMRReadOnlyAccessPolicy_v2`](emr-managed-policy-readonly-v2.md)  |  Allows users read-only permissions for Amazon EMR actions.  |  Permissions allow only specified `elasticmapreduce` read-only actions. Access to Amazon S3 is not allowed by default. See [IAM Managed Policy for Read-Only Access (v2 Managed Default Policy)](emr-managed-policy-readonly-v2.md).  | 
|  Service role for cluster EC2 instances (EC2 instance profile)  |  Role name: **EMR_EC2_DefaultRole**. Deprecated policy name: **AmazonElasticMapReduceforEC2Role**  |  Allows applications running on an EMR cluster to access other AWS resources, such as Amazon S3. For example, if you run Apache Spark jobs that process data from Amazon S3, the policy needs to allow access to such resources.  |  Both the default role and the default policy are on the path to deprecation. There is no replacement AWS default managed role or policy. You need to provide a resource-based or identity-based policy. This means that, by default, applications running on an EMR cluster do not have access to Amazon S3 or other resources unless you manually add these to the policy. See [Default role and managed policy](emr-iam-role-for-ec2.md#emr-ec2-role-default).  | 
|  Other EC2 service role policies  |  Current policy names: **AmazonElasticMapReduceforAutoScalingRole**, **AmazonElasticMapReduceEditorsRole**, **AmazonEMRCleanupPolicy**  |  Provides permissions that Amazon EMR needs to access other AWS resources and perform actions when using auto scaling or notebooks, or to clean up EC2 resources.  |  No changes for v2.  | 

## Securing iam:PassRole

The Amazon EMR full-permissions default managed policies incorporate `iam:PassRole` security configurations, including the following:
+ `iam:PassRole` permissions only for specific default Amazon EMR roles.
+ `iam:PassedToService` conditions that allow you to use the policy with only specified AWS services, such as `elasticmapreduce.amazonaws.com` and `ec2.amazonaws.com`.

You can view the JSON version of the [AmazonEMRFullAccessPolicy_v2](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonEMRFullAccessPolicy_v2) and [AmazonEMRServicePolicy_v2](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2) policies in the IAM console. We recommend that you create new clusters with the v2 managed policies.

To create custom policies, we recommend that you begin with the managed policies and edit them according to your requirements.

For information about how to attach policies to users (principals), see [Working with managed policies using the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-using.html#policies_using-managed-console) in the *IAM User Guide*.

## Tagging resources to use managed policies

**AmazonEMRServicePolicy_v2** and **AmazonEMRFullAccessPolicy_v2** depend on scoped-down access to resources that Amazon EMR provisions or uses. Access is scoped down by restricting it to only those resources that carry a predefined user tag. When you use either of these two policies, you must pass the predefined user tag `for-use-with-amazon-emr-managed-policies = true` when you provision the cluster. Amazon EMR will then automatically propagate that tag. Additionally, you must add a user tag to the resources listed in the following section. If you use the Amazon EMR console to launch your cluster, see [Considerations for using the Amazon EMR console to launch clusters with v2 managed policies](#emr-cluster-v2policy-awsconsole-launch).

To use managed policies, pass the user tag `for-use-with-amazon-emr-managed-policies = true` when you provision a cluster with the CLI, SDK, or another method.

When you pass the tag, Amazon EMR propagates it to the private subnet ENI, EC2 instances, and EBS volumes that it creates. Amazon EMR also automatically tags security groups that it creates. However, if you want Amazon EMR to launch with a security group of your own, you must tag that group. For resources that are not created by Amazon EMR, you must add the tag yourself. For example, you must tag Amazon EC2 subnets, EC2 security groups (if not created by Amazon EMR), and VPCs (if you want Amazon EMR to create security groups). To launch clusters with v2 managed policies in VPCs, you must tag those VPCs with the predefined user tag. See [Considerations for using the Amazon EMR console to launch clusters with v2 managed policies](#emr-cluster-v2policy-awsconsole-launch).

**Propagated user-specified tagging**  
Amazon EMR tags resources that it creates using the Amazon EMR tags that you specify when creating a cluster. Amazon EMR applies tags to the resources it creates during the lifetime of the cluster.

Amazon EMR propagates user tags for the following resources:
+ Private Subnet ENI (service access elastic network interfaces)
+ EC2 Instances
+ EBS Volumes
+ EC2 Launch Template

**Automatically-tagged security groups**  
Amazon EMR tags EC2 security groups that it creates with the tag that is required for v2 managed policies for Amazon EMR, `for-use-with-amazon-emr-managed-policies`, regardless of which tags you specify in the create cluster command. For a security group that was created before the introduction of v2 managed policies, Amazon EMR does not automatically tag the security group. If you want to use v2 managed policies with the default security groups that already exist in the account, you need to tag the security groups manually with `for-use-with-amazon-emr-managed-policies = true`.

**Manually-tagged cluster resources**  
You must manually tag some cluster resources so that they can be accessed by Amazon EMR default roles.
+ You must manually tag EC2 security groups and EC2 subnets with the Amazon EMR managed policy tag `for-use-with-amazon-emr-managed-policies`.
+ You must manually tag a VPC if you want Amazon EMR to create default security groups. EMR will try to create a security group with the specific tag if the default security group doesn't already exist.

Amazon EMR automatically tags the following resources:
+ EMR-created EC2 Security Groups

You must manually tag the following resources:
+ EC2 Subnet
+ EC2 Security Groups

Optionally, you can manually tag the following resources:
+ VPC - only when you want Amazon EMR to create security groups
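A pre-launch check for the manual tagging rules in this section, as an added example (not AWS code): it walks a constructed inventory of the subnets, security groups, and VPC a cluster will use, applies the rules above (every subnet and every pre-existing security group you want EMR to use must carry the tag; the VPC only when Amazon EMR is to create the default security groups), and emits the `aws ec2 create-tags` command for whatever is missing. The resource IDs are placeholders constructed for the example.

```python
"""Pre-launch check for the tag that the EMR v2 managed policies require.
Added example, not AWS code; the inventory below is constructed."""

TAG_KEY = "for-use-with-amazon-emr-managed-policies"
TAG_VALUE = "true"

# Constructed inventory with placeholder IDs; in practice you would build it
# from `aws ec2 describe-subnets`, `describe-security-groups` and `describe-vpcs`.
INVENTORY = [
    {"id": "subnet-0aaa", "type": "subnet", "tags": {TAG_KEY: "true"}},
    {"id": "subnet-0bbb", "type": "subnet", "tags": {"Name": "private-b"}},
    {"id": "sg-0111", "type": "security-group", "tags": {"Name": "custom-master"}},
    {"id": "sg-0222", "type": "security-group", "tags": {TAG_KEY: "True"}},  # wrong case
    {"id": "vpc-0aaa", "type": "vpc", "tags": {}},
]


def has_required_tag(resource):
    # The policies compare the value with StringEquals, which is case-sensitive,
    # so "True" does not count.
    return resource.get("tags", {}).get(TAG_KEY) == TAG_VALUE


def needs_manual_tag(resource, emr_creates_security_groups):
    kind = resource["type"]
    if kind == "subnet":
        return True
    if kind == "security-group":
        # Groups EMR creates during launch are tagged by EMR and are not in a
        # pre-launch inventory; any group that already exists is on you.
        return True
    if kind == "vpc":
        # The VPC needs the tag only when EMR must create default security groups.
        return emr_creates_security_groups
    return False


def untagged_resources(inventory, emr_creates_security_groups=True):
    """IDs of resources that must be tagged before the cluster can launch."""
    return [r["id"] for r in inventory
            if needs_manual_tag(r, emr_creates_security_groups)
            and not has_required_tag(r)]


def tagging_command(inventory, emr_creates_security_groups=True):
    """One `aws ec2 create-tags` call that closes the gaps, or None if there are none."""
    ids = untagged_resources(inventory, emr_creates_security_groups)
    if not ids:
        return None
    return (f"aws ec2 create-tags --resources {' '.join(ids)} "
            f"--tags Key={TAG_KEY},Value={TAG_VALUE}")


if __name__ == "__main__":
    print(tagging_command(INVENTORY))
```

Once every reported resource is tagged, pass the same tag in the launch request, for example `--tags for-use-with-amazon-emr-managed-policies=true` on `aws emr create-cluster` together with the rest of your cluster options; Amazon EMR propagates it from there to the resources it creates.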

## Considerations for using the Amazon EMR console to launch clusters with v2 managed policies

You can provision clusters with v2 managed policies using the Amazon EMR console. Here are some considerations when you use the console to launch Amazon EMR clusters.
+ You do not need to pass the predefined tag. Amazon EMR automatically adds the tag and propagates it to the appropriate components.
+ For components that need to be manually tagged, the old Amazon EMR console tries to automatically tag them if you have the required permissions to tag resources. If you don’t have the permissions to tag resources or if you want to use the console, ask your administrator to tag those resources. 
+ You cannot launch clusters with v2 managed policies unless all the prerequisites are met.
+ The old Amazon EMR console shows you which resources (VPC/Subnets) need to be tagged.

# IAM managed policy for full access (v2 managed default policy) for Amazon EMR

The v2 scoped EMR default managed policies grant specific access privileges to users. They require a predefined Amazon EMR resource tag on the resources that Amazon EMR uses, such as the `Subnet` and `SecurityGroup` you launch your cluster with, and they restrict `iam:PassRole` with condition keys.

To grant required actions scoped for Amazon EMR, attach the `AmazonEMRFullAccessPolicy_v2` managed policy. This updated default managed policy replaces the [`AmazonElasticMapReduceFullAccess`](emr-managed-policy-fullaccess.md) managed policy.

`AmazonEMRFullAccessPolicy_v2` depends on scoped-down access to resources that Amazon EMR provisions or uses. When you use this policy, you need to pass the user tag `for-use-with-amazon-emr-managed-policies = true` when provisioning the cluster. Amazon EMR will automatically propagate the tag. Additionally, you may need to manually add a user tag to specific types of resources, such as EC2 security groups that were not created by Amazon EMR. For more information, see [Tagging resources to use managed policies](emr-managed-iam-policies.md#manually-tagged-resources).

The [https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2) policy secures resources by doing the following:
+ Requires resources to be tagged with the pre-defined Amazon EMR managed policies tag `for-use-with-amazon-emr-managed-policies` for cluster creation and Amazon EMR access.
+ Restricts the `iam:PassRole` action to specific default roles and `iam:PassedToService` access to specific services.
+ No longer provides access to Amazon EC2, Amazon S3, and other services by default.

Following are the contents of this policy.

**Note**  
You can also use the console link [https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2) to view the policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunJobFlowExplicitlyWithEMRManagedTag",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:RunJobFlow"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
        }
      }
    },
    {
      "Sid": "ElasticMapReduceActions",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:AddInstanceFleet",
        "elasticmapreduce:AddInstanceGroups",
        "elasticmapreduce:AddJobFlowSteps",
        "elasticmapreduce:AddTags",
        "elasticmapreduce:CancelSteps",
        "elasticmapreduce:CreateEditor",
        "elasticmapreduce:CreatePersistentAppUI",
        "elasticmapreduce:CreateSecurityConfiguration",
        "elasticmapreduce:DeleteEditor",
        "elasticmapreduce:DeleteSecurityConfiguration",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:DescribeJobFlows",
        "elasticmapreduce:DescribePersistentAppUI",
        "elasticmapreduce:DescribeSecurityConfiguration",
        "elasticmapreduce:DescribeStep",
        "elasticmapreduce:DescribeReleaseLabel",
        "elasticmapreduce:GetBlockPublicAccessConfiguration",
        "elasticmapreduce:GetManagedScalingPolicy",
        "elasticmapreduce:GetPersistentAppUIPresignedURL",
        "elasticmapreduce:GetAutoTerminationPolicy",
        "elasticmapreduce:ListBootstrapActions",
        "elasticmapreduce:ListClusters",
        "elasticmapreduce:ListEditors",
        "elasticmapreduce:ListInstanceFleets",
        "elasticmapreduce:ListInstanceGroups",
        "elasticmapreduce:ListInstances",
        "elasticmapreduce:ListSecurityConfigurations",
        "elasticmapreduce:ListSteps",
        "elasticmapreduce:ListSupportedInstanceTypes",
        "elasticmapreduce:ModifyCluster",
        "elasticmapreduce:ModifyInstanceFleet",
        "elasticmapreduce:ModifyInstanceGroups",
        "elasticmapreduce:OpenEditorInConsole",
        "elasticmapreduce:PutAutoScalingPolicy",
        "elasticmapreduce:PutBlockPublicAccessConfiguration",
        "elasticmapreduce:PutManagedScalingPolicy",
        "elasticmapreduce:RemoveAutoScalingPolicy",
        "elasticmapreduce:RemoveManagedScalingPolicy",
        "elasticmapreduce:RemoveTags",
        "elasticmapreduce:SetTerminationProtection",
        "elasticmapreduce:StartEditor",
        "elasticmapreduce:StopEditor",
        "elasticmapreduce:TerminateJobFlows",
        "elasticmapreduce:ViewEventsFromAllClustersInConsole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ViewMetricsInEMRConsole",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "PassRoleForElasticMapReduce",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/EMR_DefaultRole",
        "arn:aws:iam::*:role/EMR_DefaultRole_V2"
      ],
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "elasticmapreduce.amazonaws.com*"
        }
      }
    },
    {
      "Sid": "PassRoleForEC2",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/EMR_EC2_DefaultRole"
      ],
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "ec2.amazonaws.com*"
        }
      }
    },
    {
      "Sid": "PassRoleForAutoScaling",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/EMR_AutoScaling_DefaultRole"
      ],
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "application-autoscaling.amazonaws.com*"
        }
      }
    },
    {
      "Sid": "ElasticMapReduceServiceLinkedRole",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com*/AWSServiceRoleForEMRCleanup*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "elasticmapreduce.amazonaws.com",
            "elasticmapreduce.amazonaws.com.cn"
          ]
        }
      }
    },
    {
      "Sid": "ConsoleUIActions",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNatGateways",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcEndpoints",
        "s3:ListAllMyBuckets",
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
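To make the tag and `iam:PassRole` conditions in this policy concrete, here is a small simulator of how IAM evaluates those statements against a request. It is an added example, not AWS code or the IAM evaluation engine: it models only `Allow` statements with `StringEquals` and `StringLike` conditions and returns an implicit deny when nothing matches, which is enough to show why an untagged `RunJobFlow` call, a wrong-case tag value, a non-default role, or an unexpected service principal is refused. The policy excerpt is copied from the policy document above; the requests and the account ID are constructed.

```python
"""Simulate IAM's evaluation of the tag and PassRole conditions in
AmazonEMRFullAccessPolicy_v2.  Added example, not AWS code: a simplified model
(Allow statements only, implicit deny otherwise) run over constructed requests."""
import fnmatch
import json

# Statements copied from the policy above, trimmed to the ones that carry conditions.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RunJobFlowExplicitlyWithEMRManagedTag", "Effect": "Allow",
     "Action": ["elasticmapreduce:RunJobFlow"], "Resource": ["*"],
     "Condition": {"StringEquals":
       {"aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"}}},
    {"Sid": "PassRoleForElasticMapReduce", "Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/EMR_DefaultRole",
                  "arn:aws:iam::*:role/EMR_DefaultRole_V2"],
     "Condition": {"StringLike":
       {"iam:PassedToService": "elasticmapreduce.amazonaws.com*"}}},
    {"Sid": "PassRoleForEC2", "Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/EMR_EC2_DefaultRole"],
     "Condition": {"StringLike": {"iam:PassedToService": "ec2.amazonaws.com*"}}}
  ]
}
""")


def _match(pattern, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(condition, context):
    """All operator/key pairs must hold; a key missing from the request context fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":      # exact, case-sensitive
                ok = actual in wanted
            elif operator == "StringLike":      # case-sensitive, with wildcards
                ok = any(_match(p, actual) for p in wanted)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return ('allow', sid) for the first matching Allow, else ('implicit deny', None)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_match(a, action) for a in stmt["Action"]):
            continue
        if not any(_match(r, resource) for r in stmt["Resource"]):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        return ("allow", stmt["Sid"])
    return ("implicit deny", None)


REQUEST_TAG_KEY = "aws:RequestTag/for-use-with-amazon-emr-managed-policies"
# Constructed requests; 123456789012 is a placeholder account ID.
REQUESTS = {
    "RunJobFlow with tag": ("elasticmapreduce:RunJobFlow", "*", {REQUEST_TAG_KEY: "true"}),
    "RunJobFlow without tag": ("elasticmapreduce:RunJobFlow", "*", {}),
    "RunJobFlow wrong-case tag": ("elasticmapreduce:RunJobFlow", "*", {REQUEST_TAG_KEY: "True"}),
    "PassRole EMR_DefaultRole to EMR": (
        "iam:PassRole", "arn:aws:iam::123456789012:role/EMR_DefaultRole",
        {"iam:PassedToService": "elasticmapreduce.amazonaws.com"}),
    "PassRole EMR_DefaultRole to another service": (
        "iam:PassRole", "arn:aws:iam::123456789012:role/EMR_DefaultRole",
        {"iam:PassedToService": "lambda.amazonaws.com"}),
    "PassRole non-default role to EMR": (
        "iam:PassRole", "arn:aws:iam::123456789012:role/MyOwnRole",
        {"iam:PassedToService": "elasticmapreduce.amazonaws.com"}),
    "PassRole EMR_EC2_DefaultRole to EC2 (cn)": (
        "iam:PassRole", "arn:aws:iam::123456789012:role/EMR_EC2_DefaultRole",
        {"iam:PassedToService": "ec2.amazonaws.com.cn"}),
}


def run_demo():
    """Evaluate every constructed request; returns {label: decision}."""
    return {label: evaluate(POLICY, *req)[0] for label, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(f"{label:45} -> {decision}")
```

Two details worth noting: `StringEquals` is case-sensitive, so a tag value of `True` leaves the `RunJobFlow` request without any matching statement, and the trailing `*` in the `StringLike` patterns is what lets the `PassRole` statements also match partition-specific service principals such as `ec2.amazonaws.com.cn`.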


# IAM managed policy for full access (on path to deprecation)

The `AmazonElasticMapReduceFullAccess` and `AmazonEMRFullAccessPolicy_v2` AWS Identity and Access Management (IAM) managed policies grant all the required actions for Amazon EMR and other services.

**Important**  
The `AmazonElasticMapReduceFullAccess` managed policy is on the path to deprecation, and no longer recommended for use with Amazon EMR. Instead, use [`AmazonEMRFullAccessPolicy_v2`](emr-managed-policy-fullaccess-v2.md). When the IAM service eventually deprecates the v1 policy, you won't be able to attach it to a role. However, you can attach an existing role to a cluster even if that role uses the deprecated policy.

The Amazon EMR full-permissions default managed policies incorporate `iam:PassRole` security configurations, including the following:
+ `iam:PassRole` permissions only for specific default Amazon EMR roles.
+ `iam:PassedToService` conditions that allow you to use the policy with only specified AWS services, such as `elasticmapreduce.amazonaws.com` and `ec2.amazonaws.com`.

You can view the JSON version of the [AmazonEMRFullAccessPolicy_v2](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonEMRFullAccessPolicy_v2) and [AmazonEMRServicePolicy_v2](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2) policies in the IAM console. We recommend that you create new clusters with the v2 managed policies.

You can view the contents of the deprecated v1 policy in the AWS Management Console at [https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess). The `ec2:TerminateInstances` action in the policy grants a user or role permission to terminate any of the Amazon EC2 instances associated with the account. This includes instances that are not part of an EMR cluster.

# IAM managed policy for read-only access (v2 managed default policy) for Amazon EMR

To grant read-only privileges to Amazon EMR, attach the **AmazonEMRReadOnlyAccessPolicy_v2** managed policy. This default managed policy replaces the [`AmazonElasticMapReduceReadOnlyAccess`](emr-managed-policy-readonly.md) managed policy. The content of this policy statement is shown in the following snippet. Compared with the `AmazonElasticMapReduceReadOnlyAccess` policy, the `AmazonEMRReadOnlyAccessPolicy_v2` policy does not use wildcard characters for the `elasticmapreduce` element. Instead, the default v2 policy scopes the allowable `elasticmapreduce` actions.

**Note**  
You can also use the AWS Management Console link [https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEMRReadOnlyAccessPolicy_v2](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEMRReadOnlyAccessPolicy_v2) to view the policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticMapReduceActions",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:DescribeJobFlows",
        "elasticmapreduce:DescribeSecurityConfiguration",
        "elasticmapreduce:DescribeStep",
        "elasticmapreduce:DescribeReleaseLabel",
        "elasticmapreduce:GetBlockPublicAccessConfiguration",
        "elasticmapreduce:GetManagedScalingPolicy",
        "elasticmapreduce:GetAutoTerminationPolicy",
        "elasticmapreduce:ListBootstrapActions",
        "elasticmapreduce:ListClusters",
        "elasticmapreduce:ListEditors",
        "elasticmapreduce:ListInstanceFleets",
        "elasticmapreduce:ListInstanceGroups",
        "elasticmapreduce:ListInstances",
        "elasticmapreduce:ListSecurityConfigurations",
        "elasticmapreduce:ListSteps",
        "elasticmapreduce:ListSupportedInstanceTypes",
        "elasticmapreduce:ViewEventsFromAllClustersInConsole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ViewMetricsInEMRConsole",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```


# IAM managed policy for read-only access (on path to deprecation)

The `AmazonElasticMapReduceReadOnlyAccess` managed policy is on the path to deprecation. You cannot attach this policy when launching new clusters. `AmazonElasticMapReduceReadOnlyAccess` has been replaced with [`AmazonEMRReadOnlyAccessPolicy_v2`](emr-managed-policy-readonly-v2.md) as the Amazon EMR default managed policy. The content of this policy statement is shown in the following snippet. Wildcard characters for the `elasticmapreduce` element specify that only actions that begin with the specified strings are allowed. Keep in mind that because this policy does not explicitly deny actions, a different policy statement may still be used to grant access to specified actions.

**Note**  
You can also use the AWS Management Console to view the policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "elasticmapreduce:ViewEventsFromAllClustersInConsole",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sdb:Select",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": [
        "*"
      ],
      "Sid": "AllowELASTICMAPREDUCEDescribe"
    }
  ]
}
```


# AWS managed policy: EMRDescribeClusterPolicyForEMRWAL

You can't attach `EMRDescribeClusterPolicyForEMRWAL` to your IAM entities. This policy is attached to a service-linked role that allows Amazon EMR to perform actions on your behalf. For more information on this service-linked role, see [Using service-linked roles with Amazon EMR for write-ahead logging](using-service-linked-roles-wal.md). 

This policy grants read-only permissions that allow the WAL service for Amazon EMR to find and return the status of a cluster. For more information about Amazon EMR WAL, see [Write-ahead logs (WAL) for Amazon EMR](https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-hbase-wal.html).

**Permissions details**

This policy includes the following permissions:
+ `emr` – Allows principals to describe cluster status from Amazon EMR. This is required so that Amazon EMR can confirm when a cluster has terminated and then, after thirty days, clean up any WAL logs left behind by the cluster.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:DescribeCluster"
      ],
      "Resource": [
        "*"
      ],
      "Sid": "AllowELASTICMAPREDUCEDescribecluster"
    }
  ]
}
```


## AWS managed policies for Amazon EMR

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

# Amazon EMR updates to AWS managed policies

View details about updates to AWS managed policies for Amazon EMR since this service began tracking these changes. 

| Change | Description | Date | 
| --- | --- | --- | 
| [`AmazonEMRServicePolicy_v2`](emr-iam-role.md) – Update to an existing policy | Added ec2:CreateVpcEndpoint, ec2:ModifyVpcEndpoint, and ec2:CreateTags required for optimal experience, starting with Amazon EMR release 7.5.0. | March 4, 2025 | 
| [`AmazonEMRServicePolicy_v2`](emr-iam-role.md) – Update to an existing policy | Added elasticmapreduce:CreatePersistentAppUI, elasticmapreduce:DescribePersistentAppUI, and elasticmapreduce:GetPersistentAppUIPresignedURL. | February 28, 2025 | 
| [`EMRDescribeClusterPolicyForEMRWAL`](EMRDescribeClusterPolicyForEMRWAL.md) – New policy | Added a new policy so that Amazon EMR can determine cluster status for WAL cleanup thirty days after cluster termination. | August 10, 2023 | 
| [`AmazonEMRFullAccessPolicy_v2`](emr-managed-policy-fullaccess-v2.md) and [`AmazonEMRReadOnlyAccessPolicy_v2`](emr-managed-policy-readonly-v2.md) – Update to an existing policy | Added elasticmapreduce:DescribeReleaseLabel and elasticmapreduce:GetAutoTerminationPolicy. | April 21, 2022 | 
| [`AmazonEMRFullAccessPolicy_v2`](emr-managed-policy-fullaccess-v2.md) – Update to an existing policy | Added ec2:DescribeImages for [Using a custom AMI to provide more flexibility for Amazon EMR cluster configuration](emr-custom-ami.md). | February 15, 2022 | 
|  [**Amazon EMR managed policies**](emr-managed-iam-policies.md)  |  Updated to clarify use of predefined user tags. Added section on using the AWS console to launch clusters with v2 managed policies.  | September 29, 2021 | 
|  [`AmazonEMRFullAccessPolicy_v2`](emr-managed-policy-fullaccess-v2.md) – Update to an existing policy  | Changed the PassRoleForAutoScaling and PassRoleForEC2 actions to use the StringLike condition operator to match `"iam:PassedToService":"application-autoscaling.amazonaws.com*"` and `"iam:PassedToService":"ec2.amazonaws.com*"`, respectively. | May 20, 2021 | 
|  [`AmazonEMRFullAccessPolicy_v2`](emr-managed-policy-fullaccess-v2.md) – Update to an existing policy  |  Removed invalid action `s3:ListBuckets` and replaced with `s3:ListAllMyBuckets` action. Updated service-linked role (SLR) creation to be explicitly scoped-down to the only SLR that Amazon EMR has with explicit Service Principles. The SLRs that can be created are exactly the same as before this change.  | March 23, 2021 | 
|  [`AmazonEMRFullAccessPolicy_v2`](emr-managed-policy-fullaccess-v2.md) – New policy  |  Amazon EMR added new permissions to scope access to resources and to add a prerequisite that users must add predefined user tag to resources before they can use Amazon EMR managed policies. `iam:PassRole` action requires `iam:PassedToService` condition set to specified service. Access to Amazon EC2, Amazon S3, and other services is not allowed by default.   | March 11, 2021 | 
| [`AmazonEMRServicePolicy_v2`](emr-iam-role.md) – New policy |  Adds a prerequisite that users must add user tags to resources before they can use this policy.  | March 11, 2021 | 
| [`AmazonEMRReadOnlyAccessPolicy_v2`](emr-managed-policy-readonly-v2.md) – New policy |  Permissions allow only specified `elasticmapreduce` read-only actions. Access to Amazon S3 is not allowed by default.  | March 11, 2021 | 
|  Amazon EMR started tracking changes  |  Amazon EMR started tracking changes for its AWS managed policies.  | March 11, 2021 | 