Profile Applicability

  • Level 1

Description:

Amazon EMR (Elastic MapReduce) is a cloud-native big data platform that provides managed Hadoop and Spark clusters. Public Access Block is a feature in AWS designed to prevent accidental exposure of data stored in Amazon S3 and other AWS services. The EMR Account Public Access Block setting ensures that EMR clusters and their associated resources cannot be accessed from public internet sources, helping maintain privacy and security.

Rationale:

Enabling the EMR Account Public Access Block prevents unauthorized users from gaining access to your EMR clusters and the data processed within them. Without this block, sensitive data could be exposed to the public internet due to misconfigurations or incorrect access controls, potentially resulting in data breaches, financial loss, or legal violations.

Impact:

If the EMR Account Public Access Block is not enabled:

  • Data Exposure: Sensitive data could be accessed by unauthorized parties via the public internet.

  • Security Vulnerabilities: The risk of data breaches or unauthorized changes to the cluster increases.

  • Non-compliance: This could lead to violations of compliance standards, such as GDPR, HIPAA, or SOC 2, especially if sensitive data is exposed.

Default Value:

The default setting for EMR account public access is not enabled. It is essential to enable this block manually to ensure your EMR resources are secure.

Pre-requisites:

  • Access to the AWS Management Console or AWS CLI with sufficient IAM permissions to modify EMR settings.

  • Familiarity with EMR account configurations.

  • Understanding of security practices related to data exposure and public access.

Remediation

Test Plan:

Using AWS Console:

  1. Open the AWS Management Console and navigate to EMR.

  2. Select the Account Settings section.

  3. Under the Public Access Block section, check whether the Public Access Block configuration is enabled for the EMR account.

  4. Ensure that the following settings are enabled:

    • Block all public access to Amazon S3 buckets used by EMR.

    • Block public access to any EMR clusters by default.

  5. If any setting is disabled, enable the Public Access Block options to prevent public access to EMR resources.

Using AWS CLI:

List the EMR public access block settings using the following command:

aws emr describe-security-configurations --cluster-id <cluster-id>

  1. Check the configuration for the Public Access Block settings.

If the block is not enabled, run the following command to enable public access block:

aws emr put-account-public-access-block --block-public-acls true --ignore-public-acls true --block-public-policy true --restrict-public-buckets true

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to the EMR section.

  2. Click on Account Settings under the EMR Cluster settings.

  3. Locate the Public Access Block section and ensure that all relevant settings are enabled to block public access:

    • Block public ACLs.

    • Ignore public ACLs.

    • Block public policies.

    • Restrict public buckets.

  4. If any settings are disabled, click on Edit, enable the relevant settings, and save the changes.

  5. Document the changes made to maintain an audit trail for security reviews.

Using AWS CLI:

Run the following command to enable public access block settings:

aws emr put-account-public-access-block --block-public-acls true --ignore-public-acls true --block-public-policy true --restrict-public-buckets true

Verify that the settings are applied correctly using:

aws emr describe-security-configurations --cluster-id <cluster-id>

  1. Document the applied settings and confirm that no EMR cluster or S3 buckets have unintended public access.

Backout Plan

Using AWS Management Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EMR > Block Public Access.

  3. If you previously enabled the Public Access Block and need to revert, click Edit under the Block Public Access Settings.

  4. Disable the Block Public Access option by unchecking the box.

  5. Save the changes to apply the updated configuration.

Using AWS CLI:

Retrieve the current Block Public Access configuration:

aws emr describe-security-configurations --cluster-id <cluster-id>

Update the configuration to disable the Block Public Access setting:

aws emr set-block-public-access-configuration \
--block-public-access-configuration "BlockPublicSecurityGroupRules=false"

  1. Verify the updated configuration:

    aws emr get-block-public-access-configuration

Note (Optional):

The Public Access Block should be a part of your standard EMR security configuration to prevent accidental data exposure. Regularly audit this setting and any other security controls associated with your EMR resources.

Reference:

CIS Controls :

           

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.