Amazon EMR Management Guide: Identity-Based Policy Examples

You can use conditions in your identity-based policy to control access to clusters and EMR notebooks based on tags. For more information about adding tags to clusters, see Tagging EMR clusters. For more information about using condition keys, see Condition Keys (p. 176).

The following examples demonstrate different scenarios and ways to use condition operators with Amazon EMR condition keys. These IAM policy statements are intended for demonstration purposes only and should not be used in production environments. There are multiple ways to combine policy statements to grant and deny permissions according to your requirements. For more information about planning and testing IAM policies, see the IAM User Guide.

Example Identity-Based Policy Statements for Clusters

The examples below demonstrate identity-based permissions policies that are used to control the actions that are allowed with EMR clusters.

Allow Actions Only on Clusters with Specific Tag Values

The examples below demonstrate a policy that allows a user to perform actions based on the cluster tag department with the value dev and also allows a user to tag clusters with that same tag. The final policy example demonstrates how to deny privileges to tag EMR clusters with anything but that same tag.

Important: Explicitly denying permission for tagging actions is an important consideration. This prevents users from granting permissions to themselves through cluster tags that you did not intend to grant. If the actions shown in the last example had not been denied, a user could add and remove tags of their choosing to any cluster, and circumvent the intention of the preceding policies.

In the following policy example, the StringEquals condition operator tries to match dev with the value for the tag department. If the tag department hasn't been added to the cluster, or doesn't contain the value dev, the policy doesn't apply, and the actions aren't allowed by this policy. If no other policy statements allow the actions, the user can only work with clusters that have this tag with this value.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt12345678901234",
          "Effect": "Allow",
          "Action": [
            "elasticmapreduce:DescribeCluster",
            "elasticmapreduce:ListSteps",
            "elasticmapreduce:TerminateJobFlows",
            "elasticmapreduce:SetTerminationProtection",
            "elasticmapreduce:ListInstances",
            "elasticmapreduce:ListInstanceGroups",
            "elasticmapreduce:ListBootstrapActions",
            "elasticmapreduce:DescribeStep"
          ],
          "Resource": [
            "*"
          ],
          "Condition": {
            "StringEquals": {
              "elasticmapreduce:ResourceTag/department": "dev"
            }
          }
        }
      ]
    }

You can also specify multiple tag values using a condition operator. For example, to allow all actions on clusters where the department tag contains the value dev or test, you could replace the condition block in the earlier example with the following.
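Added example (not from the Amazon EMR guide, and not the replacement condition block the sentence above refers to): a small Python model of how the tag-gated statement evaluates, with a check for the gap the Important note describes. It models only StringEquals on elasticmapreduce:ResourceTag keys and ignores Resource; ALLOW_TAGGING, DENY_TAGGING and the helper names are constructed for illustration, and DENY_TAGGING is a blanket deny, simpler than the guide's deny of tagging with anything but department=dev.

```python
import fnmatch

TAG_PREFIX = "elasticmapreduce:ResourceTag/"
TAGGING = ["elasticmapreduce:AddTags", "elasticmapreduce:RemoveTags"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_match(stmt, action):
    # IAM action names are case-insensitive and may use * wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt["Action"]))

def _condition_match(stmt, tags):
    # Models only StringEquals on ResourceTag keys; anything else is rejected
    # rather than guessed at. A missing tag never matches.
    cond = stmt.get("Condition", {})
    if set(cond) - {"StringEquals"}:
        raise ValueError("condition operator not modelled")
    for key, wanted in cond.get("StringEquals", {}).items():
        if not key.startswith(TAG_PREFIX):
            raise ValueError("condition key not modelled: " + key)
        if tags.get(key[len(TAG_PREFIX):]) not in _as_list(wanted):
            return False
    return True

def is_allowed(policy, action, tags):
    # Explicit Deny wins; with no matching Allow the request is denied.
    effects = {s["Effect"] for s in policy["Statement"]
               if _action_match(s, action) and _condition_match(s, tags)}
    return "Allow" in effects and "Deny" not in effects

def unguarded_tagging(policy):
    # Tagging actions permitted on a cluster with no tags at all: a user who
    # holds them can add department=dev to any cluster and pass the tag gate.
    return [a for a in TAGGING if is_allowed(policy, a, {})]

# The page's statement with a shortened action list, plus two constructed ones.
TAG_GATE = {"Sid": "Stmt12345678901234", "Effect": "Allow",
            "Action": ["elasticmapreduce:DescribeCluster",
                       "elasticmapreduce:TerminateJobFlows"],
            "Resource": ["*"],
            "Condition": {"StringEquals":
                          {"elasticmapreduce:ResourceTag/department": "dev"}}}
ALLOW_TAGGING = {"Effect": "Allow", "Action": TAGGING, "Resource": "*"}
DENY_TAGGING = {"Effect": "Deny", "Action": TAGGING, "Resource": "*"}

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}
```

Running unguarded_tagging over each identity's combined statements before attaching a tag-gated policy shows whether a tagging grant elsewhere undoes the gate.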