Block Public Access to Amazon EMR Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Block Public Access security feature is enabled for your Amazon EMR clusters in order to prevent EMR cluster launch if any of the cluster's security groups have a rule that allows inbound traffic from all public IPv4/IPv6 addresses (i.e. 0.0.0.0/0 or ::/0). The feature can be enabled and configured for each individual region within your AWS account, meaning that each region has a Block Public Access configuration that applies to all EMR clusters created within that region.

This rule can help you work with the AWS Well-Architected Framework.

Security

When your Amazon EMR clusters are publicly accessible, any machine on the Internet can establish a connection to them, increasing the attack surface and the risk of malicious activity. The level of access to your EMR clusters depends on their use cases; however, for most use cases, the clusters should only be accessible from within your Virtual Private Cloud (VPC). With the Block Public Access feature, the Amazon EMR service can prevent a cluster from launching if any security group associated with it contains a rule that allows inbound (ingress) traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 on a port, unless the port is specified as an exception. For fine-grained access, you can configure exceptions to allow temporary public access on specific ports or port ranges (port 22 is an exception by default).

For AWS accounts that created EMR clusters in a region before November 25, 2019, Block Public Access is disabled by default in that region.


Audit

To determine if Block Public Access is enabled for your Amazon EMR clusters, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EMR console available at https://console.aws.amazon.com/emr/.

03 In the left navigation panel, under EMR on EC2, choose Block public access to view the public access configuration settings available for your EMR clusters.

04 In the Block public access settings section, check the Block public access setting status. If the setting status is set to Off, the Block Public Access feature is not enabled for the Amazon EMR clusters provisioned within the current AWS region.

05 Change the AWS region from the navigation bar and repeat the Audit process for other AWS cloud regions.

Using AWS CLI

01 Run get-block-public-access-configuration command (OSX/Linux/UNIX) to get the configuration status of the Amazon EMR Block Public Access feature set for the selected AWS region:

aws emr get-block-public-access-configuration \
	--region us-east-1 \
	--query 'BlockPublicAccessConfiguration.BlockPublicSecurityGroupRules'

02 The command output should return the requested feature status (true for enabled, false for disabled):

false

If the get-block-public-access-configuration command output returns false, as shown in the output example above, the Block Public Access feature is not enabled for the Amazon EMR clusters deployed in the selected AWS cloud region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the Audit process for other AWS cloud regions.
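The CLI audit above returns one boolean per region. The following added example (not code from the Conformity page or from AWS) shows how to evaluate the full configuration document returned by get-block-public-access-configuration without --query, across several regions at once: it flags regions where the feature is off, lists non-default exceptions for review, and warns when an exception spans every port, which makes the control meaningless. The JSON documents are constructed stand-ins for real CLI output, and the helper names are hypothetical.

```python
"""Evaluate Block Public Access status per region from CLI output.

Added example, not code from the Conformity page or from AWS. The JSON
documents below are constructed stand-ins for the output of
`aws emr get-block-public-access-configuration` (without --query, so the
full configuration is visible); the helper names are hypothetical.
"""
import json

DEFAULT_EXCEPTION = (22, 22)  # port 22 (SSH) is the exception EMR permits by default
ALL_PORTS = (0, 65535)


def _sample(enabled, ranges):
    """Build one constructed CLI document in the shape the API returns."""
    return json.dumps({
        "BlockPublicAccessConfiguration": {
            "BlockPublicSecurityGroupRules": enabled,
            "PermittedPublicSecurityGroupRuleRanges": [
                {"MinRange": lo, "MaxRange": hi} for lo, hi in ranges
            ],
        },
        "BlockPublicAccessConfigurationMetadata": {
            "CreationDateTime": 1700000000.0,
            "CreatedByArn": "arn:aws:iam::111111111111:user/placeholder",
        },
    })


# Constructed sample output, one document per region.
SAMPLE_OUTPUT = {
    "us-east-1": _sample(False, [(22, 22)]),                 # feature off
    "eu-west-1": _sample(True, [(22, 22), (8443, 8443)]),    # on, one extra exception
    "ap-southeast-2": _sample(True, [(0, 65535)]),           # on, but every port exempted
}


def audit_region(region, raw_json):
    """Turn one region's CLI output into a finding dict."""
    cfg = json.loads(raw_json)["BlockPublicAccessConfiguration"]
    enabled = bool(cfg.get("BlockPublicSecurityGroupRules", False))
    exceptions = [(r["MinRange"], r["MaxRange"])
                  for r in cfg.get("PermittedPublicSecurityGroupRuleRanges", [])]
    finding = {"region": region, "enabled": enabled, "exceptions": exceptions}
    if not enabled:
        # Same condition the Conformity rule checks: the feature is simply off.
        finding["status"] = "NON_COMPLIANT"
        finding["reason"] = "Block Public Access is off; clusters may launch with 0.0.0.0/0 or ::/0 ingress"
    elif any(lo <= ALL_PORTS[0] and hi >= ALL_PORTS[1] for lo, hi in exceptions):
        # Heuristic of this example: an exception spanning every port neutralises the control.
        finding["status"] = "WARN"
        finding["reason"] = "an exception covers all ports, so no public rule is ever blocked"
    else:
        finding["status"] = "COMPLIANT"
        # Every non-default exception is deliberate public exposure worth a review.
        finding["review"] = [r for r in exceptions if r != DEFAULT_EXCEPTION]
    return finding


def audit_all(outputs):
    """Map region name -> finding for a dict of region -> raw CLI JSON."""
    return {region: audit_region(region, raw) for region, raw in outputs.items()}


def regions_needing_action(outputs):
    """Regions whose status is anything other than COMPLIANT, sorted."""
    return sorted(r for r, f in audit_all(outputs).items() if f["status"] != "COMPLIANT")


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_OUTPUT).values():
        print(json.dumps(finding))
```

To run this against a real account, replace SAMPLE_OUTPUT with the stdout of the CLI command executed once per region (for example via subprocess); the evaluation logic does not change.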

Remediation / Resolution

To restrict access to your Amazon Elastic MapReduce (EMR) clusters by enabling the Block Public Access feature, perform the following operations:

If Amazon EMR Block Public Access is enabled, the security groups associated with EMR clusters cannot have rules that allow inbound traffic from 0.0.0.0/0 or ::/0 on a port (i.e., unrestricted access), unless the port is specified as an exception using "PermittedPublicSecurityGroupRuleRanges" within the "BlockPublicAccessConfiguration" object. By default, port 22 (SSH) is an exception; however, based on your application and compliance requirements, you may need to remove this exception and/or add more ports as exceptions. As an example, this conformity rule demonstrates how to enable the Block Public Access feature, remove the default exception (port 22 – SSH) and add a new exception for port 8443 (Apache Tomcat – HTTPS).

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EMR console available at https://console.aws.amazon.com/emr/.

03 In the left navigation panel, under EMR on EC2, choose Block public access to view the public access configuration settings available for your EMR clusters, in the current AWS region.

04 In the Block public access settings section, choose Edit and perform the following actions:

  1. Under Block public access, choose Turn on - recommended. This will enable the Block Public Access feature for the Amazon EMR clusters provisioned within the current AWS cloud region.
  2. (Optional) An EMR cluster can be configured to launch with security group rules that permit inbound traffic from all IP addresses on the ports configured as exceptions. By default, port 22 is included as an exception for SSH access. To add new ports to the list of exceptions, choose Add a port range under Port range exceptions, and enter a new port or port range. For example, type 8443 in the Port range exceptions box to allow access on port 8443 (Apache Tomcat HTTPS) to your EMR clusters. The port or port range defined as exception can be configured for public inbound access using the Amazon EMR cluster security groups.
  3. Choose Save to apply the configuration changes.

05 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run put-block-public-access-configuration command (OSX/Linux/UNIX) to enable the Block Public Access feature for the Amazon EMR clusters deployed in the specified AWS cloud region. After the feature is enabled, security groups associated with your clusters can't have rules that allow inbound traffic from 0.0.0.0/0 or ::/0 on a port, unless the port is specified as an exception using the "PermittedPublicSecurityGroupRuleRanges" parameter, as shown below. The list you supply replaces the stored exception list: if the default exception, i.e., port 22 (SSH), is not included in "PermittedPublicSecurityGroupRuleRanges", that exception is removed. As an example, the following command defines only port 8443 (Apache Tomcat HTTPS) as an exception (the command does not produce an output):

aws emr put-block-public-access-configuration \
	--region us-east-1 \
	--block-public-access-configuration '{ "BlockPublicSecurityGroupRules": true, "PermittedPublicSecurityGroupRuleRanges": [ { "MinRange": 8443, "MaxRange": 8443 } ] }'

02 Change the AWS cloud region by updating the --region command parameter value and repeat step no. 1 to perform the Remediation process for other AWS regions.
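The remediation command sets a region-wide policy that EMR applies at cluster launch time. The following added example (not code from the Conformity page or from AWS) builds the --block-public-access-configuration JSON from a list of exception port ranges, validates the ranges, and simulates the launch-time check against a constructed set of security group ingress rules in the IpPermissions shape returned by aws ec2 describe-security-groups. The simulation assumes, as an assumption of this example rather than documented EMR semantics, that a public ingress rule passes only when every port it opens lies inside a permitted exception range; the helper names are hypothetical.

```python
"""Build the put-block-public-access-configuration payload and simulate the launch check.

Added example, not code from the Conformity page or AWS. The security group
rules below are constructed, in the IpPermissions shape returned by
`aws ec2 describe-security-groups`. Assumption of this example: a public
ingress rule is accepted only when all of its ports fall inside a permitted
exception range.
"""
import json

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def build_config(exception_ranges, enabled=True):
    """Return the JSON string for --block-public-access-configuration.

    Passing only (8443, 8443) reproduces the page's command and drops the
    default port 22 exception, because the supplied list replaces the stored one.
    """
    ranges = []
    for lo, hi in exception_ranges:
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range {lo}-{hi}")
        ranges.append({"MinRange": lo, "MaxRange": hi})
    return json.dumps({"BlockPublicSecurityGroupRules": enabled,
                       "PermittedPublicSecurityGroupRuleRanges": ranges})


def cli_argv(region, config_json):
    """argv for the remediation command (hypothetical helper; not executed here)."""
    return ["aws", "emr", "put-block-public-access-configuration",
            "--region", region, "--block-public-access-configuration", config_json]


def _merge(ranges):
    """Merge overlapping or adjacent (lo, hi) ranges so coverage checks stay simple."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def _rule_ports(rule):
    # IpProtocol "-1" means all traffic, so every port is exposed.
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def violating_rules(config_json, sg_rules):
    """Ingress rules that would stop an EMR cluster launch under this configuration."""
    cfg = json.loads(config_json)
    if not cfg["BlockPublicSecurityGroupRules"]:
        return []  # feature off: nothing is blocked
    permitted = _merge((r["MinRange"], r["MaxRange"])
                       for r in cfg["PermittedPublicSecurityGroupRuleRanges"])
    bad = []
    for rule in sg_rules:
        cidrs = {p.get("CidrIp") for p in rule.get("IpRanges", [])}
        cidrs |= {p.get("CidrIpv6") for p in rule.get("Ipv6Ranges", [])}
        if not cidrs & PUBLIC_CIDRS:
            continue  # not open to the whole Internet, so out of scope for this control
        lo, hi = _rule_ports(rule)
        if not any(plo <= lo and hi <= phi for plo, phi in permitted):
            bad.append(rule)
    return bad


def launch_allowed(config_json, sg_rules):
    """True when no rule in sg_rules would block the launch."""
    return not violating_rules(config_json, sg_rules)


# Constructed ingress rules for a cluster security group.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

REMEDIATION_CONFIG = build_config([(8443, 8443)])  # the page's example: only 8443 permitted

if __name__ == "__main__":
    print(" ".join(cli_argv("us-east-1", REMEDIATION_CONFIG)))
    for rule in violating_rules(REMEDIATION_CONFIG, SAMPLE_RULES):
        print("would block launch:", rule)
```

With the page's configuration (only port 8443 permitted), the 8443 rule passes, the internal 10.0.0.0/16 rule is out of scope, and both the port 22 rule and the all-traffic ::/0 rule would stop the launch, which is the intended effect of dropping the default SSH exception. Because the check runs only at launch, run the same simulation against the security groups of clusters that are already running to find exposure the feature will not retroactively remove.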

Publication date Dec 4, 2024