Critical | EMR | Regional

EMR clusters should not be publicly accessible

NIST 800-53, PCI DSS v4.0.1, PCI DSS v1.4.4, ISO 27001, HIPAA

Description

This control checks whether your account is configured with Amazon EMR block public access. The control fails if the block public access setting is not enabled, or if any port other than port 22 is permitted as an exception. Amazon EMR block public access prevents a cluster from launching in a public subnet if the cluster's security configuration allows inbound traffic from public IP addresses on any port. When a user attempts to launch a cluster, Amazon EMR inspects the port rules in the cluster's security group and compares them with the account's inbound traffic rules. If the security group has an inbound rule that opens ports to public IP addresses (IPv4 0.0.0.0/0 or IPv6 ::/0) and those ports are not explicitly listed as exceptions for the account, Amazon EMR prevents the user from creating the cluster.

Remediation

To enable EMR block public access for your account, you need to configure the block public access settings.

Steps

  1. Navigate to the Amazon EMR console
  2. Go to 'Block public access' in the left navigation
  3. Click 'Edit' to modify the configuration
  4. Enable 'Block public access'
  5. Ensure no ports other than port 22 are permitted
  6. Save the configuration to apply block public access
  7. Verify that the setting is active
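The same check and remediation expressed in code, as an added example that is not part of this page or of any particular scanner. The pure function mirrors the control's pass/fail logic (blocking enabled, and port 22 as the only permitted public exception) against the dict shape that emr:GetBlockPublicAccessConfiguration returns; the two boto3 helpers, the sample configurations, and all function names are constructed for this example.

```python
# Added example (not from the page or any specific tool): evaluates an Amazon EMR
# block-public-access configuration with the same pass/fail logic this control
# describes, and optionally reads/writes the real account setting via boto3.
from typing import Any, Dict, List, Tuple

SSH_PORT = 22  # the only inbound port this control tolerates as a public exception


def evaluate_block_public_access(config: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Apply the control's logic to a BlockPublicAccessConfiguration dict.

    The dict has the shape returned by emr:GetBlockPublicAccessConfiguration:
      {"BlockPublicSecurityGroupRules": bool,
       "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": int, "MaxRange": int}, ...]}
    Returns (passes, findings); findings is empty when the control passes.
    """
    findings: List[str] = []
    if not config.get("BlockPublicSecurityGroupRules", False):
        findings.append("block public access is disabled (BlockPublicSecurityGroupRules=false)")
    for rng in config.get("PermittedPublicSecurityGroupRuleRanges", []):
        low = rng["MinRange"]
        high = rng.get("MaxRange", low)  # MaxRange is optional; a single port may omit it
        if low != SSH_PORT or high != SSH_PORT:
            findings.append(
                f"public inbound port range {low}-{high} is permitted; only port 22 is allowed"
            )
    return (not findings, findings)


def compliant_configuration() -> Dict[str, Any]:
    """The configuration the remediation steps produce: blocking on, port 22 only."""
    return {
        "BlockPublicSecurityGroupRules": True,
        "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": SSH_PORT, "MaxRange": SSH_PORT}],
    }


# Constructed sample configurations, one per failure mode the control describes.
SAMPLE_CONFIGS = {
    "compliant": compliant_configuration(),
    "blocking_disabled": {
        "BlockPublicSecurityGroupRules": False,
        "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 22}],
    },
    "extra_port_exception": {
        "BlockPublicSecurityGroupRules": True,
        "PermittedPublicSecurityGroupRuleRanges": [
            {"MinRange": 22, "MaxRange": 22},
            {"MinRange": 8443, "MaxRange": 8443},
        ],
    },
    "range_wider_than_ssh": {
        "BlockPublicSecurityGroupRules": True,
        "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 80}],
    },
}


def check_account(region_name: str) -> Tuple[bool, List[str]]:
    """Read the live setting for one region (EMR block public access is regional)."""
    import boto3  # imported here so the pure evaluation logic runs without the SDK

    emr = boto3.client("emr", region_name=region_name)
    resp = emr.get_block_public_access_configuration()
    return evaluate_block_public_access(resp["BlockPublicAccessConfiguration"])


def remediate_account(region_name: str) -> None:
    """Write the compliant configuration; equivalent to the console steps above."""
    import boto3

    emr = boto3.client("emr", region_name=region_name)
    emr.put_block_public_access_configuration(
        BlockPublicAccessConfiguration=compliant_configuration()
    )


if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        passes, findings = evaluate_block_public_access(cfg)
        print(f"{name}: {'PASS' if passes else 'FAIL'} {findings}")
```

Run `check_account("us-east-1")` (or any region) with credentials that allow `elasticmapreduce:GetBlockPublicAccessConfiguration` to audit a real account; `remediate_account` needs the matching `Put` permission and overwrites the whole exception list, so review any existing exceptions before calling it. Because the setting is per region, loop over every region you use.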

Compliance

NIST 800-53, PCI DSS v4.0.1, PCI DSS v1.4.4, ISO 27001, HIPAA