Area | User-defined roles | Default roles |
|---|---|---|
Creation of master and worker roles | You have greater visibility of the master and worker roles and the policies that are attached to each role. | Roles are created automatically and it is more difficult to monitor the policies that are attached to each role. |
Ability to edit policies | You can restrict some resources in the policies. | You cannot edit the policies. |
Number of IAM permissions that the cluster operator role requires | Fewer IAM permissions are required. | More IAM permissions are required. |
Credential-based security for direct access to Amazon data sources | No impact on master and worker roles. | No impact on master and worker roles. |
Role-based security for direct access to Amazon data sources | You must manually verify that the worker role and the Secure Agent role can both access the data sources that you use in an advanced job. You can also configure cross-account access to S3 buckets in multiple Amazon accounts. | You must only verify that the Secure Agent role can access the data sources that you use in an advanced job. The worker role can always access the same data sources as the Secure Agent role because the policies that are attached to the Secure Agent role are automatically attached to the worker role. You cannot configure cross-account access to S3 buckets in multiple Amazon accounts. |
Role-sharing | You can use the same master and worker roles across multiple advanced configurations. | Separate master and worker roles are created for each advanced configuration. You cannot reuse roles. |
Modifying staging and log locations | You must manually update the staging and log locations in the policies. | Policies are automatically updated. |
Product upgrades | A product upgrade might change the policies that the master and worker roles require. If the policies change, you must regenerate the policy content and restrict access to resources again. | Policies are automatically updated. |