Profile Applicability:         

  • Level 1         

Description:

Publicly accessible EMR clusters can expose data to unauthorized access, compromising the security and integrity of sensitive data. It is recommended to ensure that EMR Clusters are not publicly accessible unless absolutely required. By disabling public access, you ensure that the EMR cluster is only accessible from within your Virtual Private Cloud (VPC) or through secure channels.

Rationale:

Public access to your EMR clusters increases the surface area for potential attacks and unauthorized access. Disabling public access limits the exposure of your clusters and ensures that only authorized users within your VPC or other specified resources can access the clusters, thus improving security and protecting sensitive data.

Impact:   

  • Positive Impact: By disabling public access, you enhance the security posture of your EMR clusters by ensuring they are not directly accessible from the internet.

  • Negative Impact: In rare cases, disabling public access may limit the ability to troubleshoot or access EMR resources from external sources. This limitation should be carefully evaluated for specific use cases.

Default Value:  

  • Off by default.

Pre-Requisite:

  • AWS Account Access: Requires IAM permissions to manage EMR configurations.

  • EMR Cluster: Ensure there are running EMR clusters in your AWS account.

  • VPC: Ensure your EMR cluster is associated with a VPC that has appropriate security controls.

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EMR by visiting Amazon EMR Console.

  3. In the left navigation panel, choose Clusters, then select the EMR cluster you want to check.

  4. Under the Cluster Details, check the Publicly Accessible setting.

    • If the Publicly Accessible setting is enabled (set to "Yes"), disable it by changing the setting to "No".

  5. Click Save to apply changes.

  6. Change the AWS region from the navigation bar and repeat for other regions if applicable.

Using AWS CLI:

Run the following command to list the EMR clusters and check their public accessibility:

aws emr describe-cluster --cluster-id <cluster-id> --query 'Cluster.PubliclyAccessible'

 The expected output should show false to confirm the cluster is not publicly accessible:
 "false"

If the result is true, run the following command to modify the cluster and disable public access:

aws emr modify-cluster-attributes --cluster-id <cluster-id> --no-public-access

  1. Change the AWS region by updating the --region parameter value and repeat the steps for other regions.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EMR at Amazon EMR Console.

  3. In the left panel, choose Clusters, then select the EMR cluster you want to modify.

  4. Under Cluster Details, click on the Publicly Accessible setting and change it to No.

  5. Save Changes to apply the new setting.

Using AWS CLI:

Use the describe-cluster command to list the EMR cluster:

aws emr describe-cluster --cluster-id <cluster-id> --query 'Cluster.PubliclyAccessible'

Modify the cluster attributes to disable public access using:

aws emr modify-cluster-attributes --cluster-id <cluster-id> --no-public-access

  1. Run the describe-cluster command again to confirm that the cluster is no longer publicly accessible.

Backout Plan:

Using AWS Management Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EMR > Clusters.

  3. Select the cluster for which public access was disabled.

  4. Under Security Groups, update the configuration to re-enable public access by modifying the associated Security Group rules.

    • Add inbound rules to allow public traffic from specific IP ranges or 0.0.0.0/0 for complete public access.

  5. Save the changes to apply the updated settings.

Using AWS CLI:

Describe the EMR cluster to identify its security group settings:

aws emr describe-cluster --cluster-id <cluster-id>
Update the security group rules to allow public access by adding inbound rules:
aws ec2 authorize-security-group-ingress \
--group-id <security-group-id> \
--protocol tcp \
--port <port-number> \
--cidr 0.0.0.0/0
Verify the updated security group configuration:
aws ec2 describe-security-groups --group-ids <security-group-id>


  1. Confirm that the cluster is now publicly accessible.

References:

CIS Controls Mapping:

Control Version

Control ID

Control Description

v8

3.3

Configure data access control lists based on the need to know. Apply data access control lists to secure resources.

v7

9.4

Apply host-based firewalls or port filtering tools to secure systems.