Posted On: Nov 21, 2017

You can now enable authentication with Kerberos and fine-grained EMRFS authorization for Amazon S3 access on your Amazon EMR clusters. You can use Kerberos to authenticate requests between services running on your cluster, user actions on your cluster, and external client requests from remote services. Amazon EMR will create an MIT KDC on the master node of your cluster, and utilize the open-source Kerberos authentication settings for certain application components on your cluster. Additionally, you can easily enable a cross-realm trust with a Microsoft Active Directory to seamlessly allow users in the directory to authenticate using Kerberos to access and run workloads on a cluster.

Additionally, you can now use EMRFS authorization to specify the AWS Identity and Access Management (IAM) role to use when certain users access Amazon S3. Applications like Apache Spark and Apache Hive use EMRFS, Amazon EMR’s connector for Amazon S3, for data access. By default, the policy attached to the EC2 role (instance profile) on your cluster determines the data that can be accessed in Amazon S3. With EMRFS authorization, you can now specify the IAM role to assume when a user or group uses EMRFS to access Amazon S3. Choosing the IAM role for each user or group enables fine-grained access control for Amazon S3 on multi-user Amazon EMR clusters. Furthermore, you can specify the IAM role to use for different Amazon S3 buckets, which makes it easier to enable cross-account Amazon S3 access.

To enable authentication with Kerberos and EMRFS authorization on your Amazon EMR cluster, specify these options in your security configuration and corresponding cluster configuration. You can create a security configuration on the security configuration page in the Amazon EMR console, with the AWS Command Line Interface (CLI), or with the AWS SDK using the Amazon EMR API. If you are creating a cross-realm domain join with a Microsoft Active Directory, please follow these additional steps. Authentication with Kerberos and EMRFS authorization is available on Amazon EMR release 5.10.0 and later. Please visit the Amazon EMR documentation for more information about authentication with Kerberos, EMRFS authorization, and security configurations.
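As an added illustration (not part of the original announcement or AWS's own sample), the Python below builds a security configuration body that combines a cluster-dedicated KDC with a cross-realm trust and EMRFS role mappings per user, group and S3 prefix, then lints the mappings before the JSON is submitted. The key names follow the Amazon EMR security configuration JSON format; the account ID, role names, user and group names, bucket and AD realm are constructed placeholders, and the lint rules are this example's own checks.

```python
import json
import re

# Constructed sample values: account ID, role names, identifiers, bucket and realm.
SECURITY_CONFIGURATION = {
    "AuthenticationConfiguration": {"KerberosConfiguration": {
        "Provider": "ClusterDedicatedKdc",
        "ClusterDedicatedKdcConfiguration": {
            "TicketLifetimeInHours": 24,
            "CrossRealmTrustConfiguration": {
                "Realm": "AD.EXAMPLE.COM", "Domain": "ad.example.com",
                "AdminServer": "ad.example.com", "KdcServer": "ad.example.com",
            },
        },
    }},
    "AuthorizationConfiguration": {"EmrFsConfiguration": {"RoleMappings": [
        {"Role": "arn:aws:iam::111122223333:role/emrfs-analyst",
         "IdentifierType": "User", "Identifiers": ["analyst1"]},
        {"Role": "arn:aws:iam::111122223333:role/emrfs-data-eng",
         "IdentifierType": "Group", "Identifiers": ["data-eng"]},
        {"Role": "arn:aws:iam::111122223333:role/emrfs-partner-bucket",
         "IdentifierType": "Prefix", "Identifiers": ["s3://example-partner-bucket/"]},
    ]}},
}

ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

def lint_role_mappings(config):
    """Return a list of problems in the EMRFS role mappings (empty list if none)."""
    mappings = (config.get("AuthorizationConfiguration", {})
                .get("EmrFsConfiguration", {}).get("RoleMappings", []))
    problems = []
    if not mappings:
        problems.append("no RoleMappings: S3 access is governed by the EC2 instance profile only")
    for i, m in enumerate(mappings):
        kind, ids = m.get("IdentifierType"), m.get("Identifiers") or []
        if not ROLE_ARN.match(m.get("Role", "")):
            problems.append(f"mapping {i}: Role is not an IAM role ARN")
        if kind not in ("User", "Group", "Prefix"):
            problems.append(f"mapping {i}: unknown IdentifierType {kind!r}")
        if not ids:
            problems.append(f"mapping {i}: empty Identifiers")
        if kind == "Prefix" and any(not p.startswith("s3://") for p in ids):
            problems.append(f"mapping {i}: Prefix identifiers should be s3:// URIs")
    return problems

if __name__ == "__main__":
    print(json.dumps(SECURITY_CONFIGURATION, indent=2))  # JSON body to submit
    print(lint_role_mappings(SECURITY_CONFIGURATION) or "role mappings OK")
```

The printed JSON is the document you would pass when creating the security configuration through the console, CLI or SDK.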

Authentication with Kerberos and EMRFS authorization is available in US East (N. Virginia), EU (Ireland), and South America (São Paulo). These features will be available in all supported regions for Amazon EMR soon.