Description:

Amazon EMR (previously called Amazon Elastic MapReduce) is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data.


Rationale:

Block public access in Amazon EMR protects clusters from unintentional network exposure. When it is ON, Amazon EMR refuses to launch a cluster if any security group associated with the cluster has an inbound rule that allows traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 on a port that is not listed as an exception. Exceptions for a single port or a range of ports can be configured in the block public access settings before clusters are launched; port 22 is the default exception. Keep the exception list as small as possible, because every excepted port is one on which public inbound rules are still permitted.


Impact:

Block public access is an account-level setting, applied per Region, that lets you centrally manage public network access to Amazon EMR clusters. It is enforced at cluster launch: a launch fails if a security group attached to the cluster has a public inbound rule on a non-excepted port, so users must fix the security group (or request an exception) before the cluster can start. Clusters that are already running are not affected; their security group rules must be reviewed separately.


Default Value:

By default, block public access is ON, with port 22 as the only exception.


Pre-requisites:

Sign in as an administrator or as an IAM user with the required permissions (elasticmapreduce:GetBlockPublicAccessConfiguration to check the setting, elasticmapreduce:PutBlockPublicAccessConfiguration to change it).


Remediation:


Test Plan:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon EMR console at https://console.aws.amazon.com/elasticmapreduce. Make sure that the Region you want to check is selected; the setting is per Region, so repeat the check in every Region where EMR clusters may be launched.

  3. In the left menu, select Block public access.

  4. Check whether Block public access is ON or OFF, and review the list of exceptions: any port or port range listed there is still open to public inbound rules.

  5. If Block public access is OFF, or the exceptions are broader than your policy allows, follow the implementation steps to correct it.


Using AWS CLI:

  aws emr get-block-public-access-configuration --region <region>

The setting is returned under BlockPublicAccessConfiguration (alongside BlockPublicAccessConfigurationMetadata, which records who last changed it and when). Block public access is OFF, and the Region is non-compliant, if the output shows "BlockPublicSecurityGroupRules": false, for example:

{
  "BlockPublicAccessConfiguration": {
    "BlockPublicSecurityGroupRules": false,
    "PermittedPublicSecurityGroupRuleRanges": [
      {
        "MinRange": 0,
        "MaxRange": 22
      }
      ...
    ]
  },
  ...
}

Review PermittedPublicSecurityGroupRuleRanges even when BlockPublicSecurityGroupRules is true: each entry is a port range on which inbound rules from 0.0.0.0/0 or ::/0 remain permitted. A range such as MinRange 0 to MaxRange 22, as above, permits public access on every port from 0 through 22, not only SSH.


Implementation Steps:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon EMR console at https://console.aws.amazon.com/elasticmapreduce. Make sure that the Region you want to configure is selected.

  3. In the left menu, select Block public access.

  4. Under Block public access settings, click Change, set the option to On, and confirm by clicking the check mark.

  5. Review the exceptions list and remove any port or port range that your policy does not require.

    Port 22 is an exception by default.

Using AWS CLI:

  aws emr put-block-public-access-configuration --region <region> \
    --block-public-access-configuration BlockPublicSecurityGroupRules=true,PermittedPublicSecurityGroupRuleRanges=[{MinRange=22,MaxRange=22}]

This turns block public access ON and keeps only port 22 (the default exception) open to public inbound rules. Specify each exception as its own single-port range: a range such as MinRange=0,MaxRange=22 would permit public inbound rules on all ports 0 through 22, not only SSH. The put command replaces the whole configuration, so list every exception you intend to keep, and re-run get-block-public-access-configuration afterwards to confirm the result.
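The test plan and the implementation steps above can be combined into one script that checks a Region and, on request, applies the remediation. The following is an added example written for this page; it is not AWS tooling and not part of the original text. It drives the same two AWS CLI commands used above (get-block-public-access-configuration and put-block-public-access-configuration) through subprocess, evaluates the JSON they return, and treats any exception port outside ALLOWED_EXCEPTION_PORTS as a finding. The approved-port policy (only port 22) and the script name emr_bpa_audit.py are assumptions for the example; the sample response is constructed to mirror the non-compliant output shown above.

```python
"""Audit and optionally remediate Amazon EMR block public access (BPA) in one Region.

Added example for this page; not AWS's own tooling. It wraps the two AWS CLI
commands the page uses (get-/put-block-public-access-configuration) and
evaluates the JSON they return. Which exception ports are acceptable
(ALLOWED_EXCEPTION_PORTS) is a policy assumption; AWS itself only defaults to 22.
"""
import json
import subprocess
import sys

# Assumption: SSH (22) is the only acceptable public exception. Adjust per policy.
ALLOWED_EXCEPTION_PORTS = frozenset({22})

# Constructed sample mirroring the non-compliant output on the page (not real account data).
SAMPLE_NONCOMPLIANT = {
    "BlockPublicAccessConfiguration": {
        "BlockPublicSecurityGroupRules": False,
        "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 0, "MaxRange": 22}],
    },
    "BlockPublicAccessConfigurationMetadata": {},
}


def evaluate_bpa(response, allowed_ports=ALLOWED_EXCEPTION_PORTS):
    """Return findings (empty list == compliant) for a get-block-public-access-configuration response."""
    findings = []
    # The API nests the setting under BlockPublicAccessConfiguration; also accept a flat dict.
    cfg = response.get("BlockPublicAccessConfiguration", response)
    if not cfg.get("BlockPublicSecurityGroupRules", False):
        findings.append("BlockPublicSecurityGroupRules is false: block public access is OFF")
    # Every permitted range is a hole in BPA: rules from 0.0.0.0/0 or ::/0 are allowed there.
    for rng in cfg.get("PermittedPublicSecurityGroupRuleRanges", []):
        lo, hi = int(rng["MinRange"]), int(rng["MaxRange"])
        extra = sorted(set(range(lo, hi + 1)) - set(allowed_ports))
        if extra:
            findings.append(
                f"exception {lo}-{hi} permits public inbound on {len(extra)} "
                f"non-approved port(s), e.g. {extra[:5]}"
            )
    return findings


def build_put_value(allowed_ports=ALLOWED_EXCEPTION_PORTS):
    """Shorthand for --block-public-access-configuration: BPA on, one single-port range per approved port."""
    ranges = ",".join(f"{{MinRange={p},MaxRange={p}}}" for p in sorted(allowed_ports))
    return f"BlockPublicSecurityGroupRules=true,PermittedPublicSecurityGroupRuleRanges=[{ranges}]"


def get_bpa(region):
    """Run `aws emr get-block-public-access-configuration` and parse its JSON output."""
    cmd = ["aws", "emr", "get-block-public-access-configuration",
           "--region", region, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def put_bpa(region, allowed_ports=ALLOWED_EXCEPTION_PORTS):
    """Run `aws emr put-block-public-access-configuration`; this replaces the whole configuration."""
    cmd = ["aws", "emr", "put-block-public-access-configuration", "--region", region,
           "--block-public-access-configuration", build_put_value(allowed_ports)]
    subprocess.run(cmd, check=True)


def main(argv):
    # Usage (assumed file name): python emr_bpa_audit.py <region> [--remediate] [--sample]
    region = argv[1] if len(argv) > 1 and not argv[1].startswith("--") else "us-east-1"
    response = SAMPLE_NONCOMPLIANT if "--sample" in argv else get_bpa(region)
    findings = evaluate_bpa(response)
    if not findings:
        print(f"{region}: compliant")
        return 0
    for finding in findings:
        print(f"{region}: FINDING: {finding}")
    if "--remediate" in argv and "--sample" not in argv:
        put_bpa(region)
        print(f"{region}: applied {build_put_value()}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with --sample to see both findings (BPA off, and the 0-22 range exposing 22 ports beyond SSH) without touching an account; with a Region and --remediate it applies the same put command shown above, so it needs the Put permission listed in the pre-requisites. Because put replaces the whole configuration, add every approved port to ALLOWED_EXCEPTION_PORTS before remediating, or the script will drop exceptions that other teams rely on.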



Backout Plan:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon EMR console at https://console.aws.amazon.com/elasticmapreduce. Make sure that the Region you want to configure is selected.

  3. In the left menu, select Block public access.

  4. Under Block public access settings, click Change, set the option to Off, and confirm by clicking the check mark. Clusters launched after this change will no longer be checked for public inbound security group rules, so record the reason for the backout and the Region affected.


Notes:

This feature is available in the US East (N. Virginia and Ohio), US West (N. California and Oregon), Canada (Central), EU (Frankfurt, Ireland, London, Paris and Stockholm), Asia Pacific (Mumbai, Seoul, Singapore, Sydney and Tokyo), and South America (São Paulo) Regions. Because the setting is per Region, check and enable it in every Region listed above in which clusters may be launched.


References:

Using Amazon EMR block public access - Amazon EMR
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html

AWS CLI Command Reference - emr
https://docs.aws.amazon.com/cli/latest/reference/emr/index.html#cli-aws-emr