Description:
The Amazon EMR Account Public Access Block (PAB) prevents unauthorized access to EMR clusters from the internet. Enabling the PAB helps protect your data and applications from unauthorized access.

Rationale:
Following this policy helps protect your data and applications from unauthorized access. Enabling the PAB helps prevent attackers from gaining access to your cluster and your data.

Impact:
Following this policy can have a number of positive impacts, including:

  • Increased security: Enabling the PAB helps prevent attackers from gaining access to your cluster and your data.
  • Reduced risk of unauthorized access: Enabling the PAB reduces the risk of unauthorized access to your cluster and your data.
  • Improved compliance: Following this policy helps ensure that your EMR clusters comply with security best practices.

Default Value:
AWS EMR does not enable the PAB by default. However, it is recommended that you enable the PAB for all EMR clusters.

Pre-requisites:

  • You must have an AWS account and be signed in to the AWS Management Console.
  • You must have the AWS EMR permissions to create and manage EMR clusters.

Remediation Steps:
To remediate an EMR cluster that does not have the PAB enabled, you can follow these steps:

  1. Go to the AWS EMR console.
  2. Click on the "Clusters" tab.
  3. Select the EMR cluster that you want to remediate.
  4. Click on the "Edit" button.
  5. In the "Network" section, expand the "Account Public Access Block" section.
  6. Check the "Enable Account Public Access Block" checkbox.
  7. Click on the "Save" button.

Test Plan:
To test whether an EMR cluster has the PAB enabled, you can follow these steps:

  1. Go to the AWS EMR console.
  2. Click on the "Clusters" tab.
  3. Select the EMR cluster that you want to test.
  4. Click on the "Details" tab.
  5. In the "Network" section, expand the "Account Public Access Block" section.
  6. Verify that the "Enable Account Public Access Block" checkbox is checked.
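
A scripted form of this check, as an added example that is not part of the original policy text: it evaluates responses shaped like the output of `aws emr get-block-public-access-configuration`, one per Region, and reports Regions where the block is off or where ports other than an allow-list are exempted. The Region names, the sample responses, and the ALLOWED_PORTS policy (SSH only) are assumptions made for the illustration.

```python
"""Audit EMR block-public-access responses (added example; sample data is constructed)."""
import json

# Constructed samples shaped like `aws emr get-block-public-access-configuration` output.
SAMPLE_RESPONSES = {
    "us-east-1": '{"BlockPublicAccessConfiguration": {"BlockPublicSecurityGroupRules": true,'
                 ' "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 22}]}}',
    "eu-west-1": '{"BlockPublicAccessConfiguration": {"BlockPublicSecurityGroupRules": false,'
                 ' "PermittedPublicSecurityGroupRuleRanges": []}}',
    "ap-southeast-2": '{"BlockPublicAccessConfiguration": {"BlockPublicSecurityGroupRules": true,'
                      ' "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 22},'
                      ' {"MinRange": 8080, "MaxRange": 8090}]}}',
}
ALLOWED_PORTS = {22}  # assumption: only SSH may be exempted; adjust to your own policy


def audit_pab(response, allowed_ports=ALLOWED_PORTS):
    """Return findings for one Region's response; an empty list means compliant."""
    cfg = response.get("BlockPublicAccessConfiguration") or {}
    findings = []
    if cfg.get("BlockPublicSecurityGroupRules") is not True:
        findings.append("block public access is disabled")
    for rng in cfg.get("PermittedPublicSecurityGroupRuleRanges", []):
        lo = rng["MinRange"]
        hi = rng.get("MaxRange", lo)  # MaxRange is optional in the API
        if any(port not in allowed_ports for port in range(lo, hi + 1)):
            findings.append(f"ports {lo}-{hi} exempted from the block")
    return findings


def audit_regions(responses_by_region):
    """Map each non-compliant Region to its findings."""
    report = {}
    for region, raw in responses_by_region.items():
        findings = audit_pab(json.loads(raw))
        if findings:
            report[region] = findings
    return report


def fetch_live(region):
    """Live lookup via boto3 (needs credentials and network); not used by the offline demo."""
    import boto3
    return boto3.client("emr", region_name=region).get_block_public_access_configuration()


if __name__ == "__main__":
    for region, findings in audit_regions(SAMPLE_RESPONSES).items():
        print(f"{region}: {'; '.join(findings)}")
```

The dictionary returned by fetch_live can be passed straight to audit_pab when running against a real account.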

Implementation Plan:
To implement this policy, you can follow these steps:

  1. Create a new EMR cluster.
  2. In the "Network" section, expand the "Account Public Access Block" section.
  3. Check the "Enable Account Public Access Block" checkbox.
  4. Save the EMR cluster.

AWS CLI Process:
To use the AWS CLI to implement this policy, you can use the following command:

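# Account-level setting; applies to the Region the CLI is configured for
aws emr put-block-public-access-configuration --block-public-access-configuration BlockPublicSecurityGroupRules=true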

Using AWS GUI:
To use the AWS Management Console to implement this policy, you can follow these steps:

  1. Go to the AWS EMR console.
  2. Click on the "Clusters" tab.
  3. Click on the "Create cluster" button.
  4. In the "Network" section, expand the "Account Public Access Block" section.
  5. Check the "Enable Account Public Access Block" checkbox.
  6. Click on the "Create" button.

Backout Plan:
To back out of this policy, you can follow these steps:

  1. Go to the AWS EMR console.
  2. Click on the "Clusters" tab.
  3. Select the EMR cluster that you want to back out.
  4. Click on the "Edit" button.
  5. In the "Network" section, expand the "Account Public Access Block" section.
  6. Uncheck the "Enable Account Public Access Block" checkbox.
  7. Click on the "Save" button.


Note:

  • This policy does not apply to EMR clusters that are created using the AWS EMR API.


Reference:

https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-vpc-subnet.html

https://docs.aws.amazon.com/cli/latest/reference/emr/

https://docs.aws.amazon.com/emr/latest/APIReference/