EMR Security

EMR Block Public Access (Account-Level)

Configure EMR Block Public Access at the AWS account level, for all EMR clusters in that region. This feature prevents a cluster from launching when any security group associated with the cluster has a rule that allows inbound traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 (public access) on a port, unless that port has been specified as an exception.

Multiple port exceptions can be entered by separating them with commas, and dashes can be used to indicate port ranges. For example: 443,1022-1024,1066

The CloudFormation template includes a custom resource backed by a Lambda function that applies the configuration.

AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  EmrBlockPublicAccess:
    Type: "Custom::EmrBlockPublicAccess"
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - "EmrBlockPublicAccessLambda"
          - "Arn"
  EmrBlockPublicAccessLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: "emrInline"
          PolicyDocument:
            Statement:
              - Effect: "Allow"
                Action:
                  - "elasticmapreduce:GetBlockPublicAccessConfiguration"
                  - "elasticmapreduce:PutBlockPublicAccessConfiguration"
                Resource: "*"
  EmrBlockPublicAccessLambda:
    Type: "AWS::Lambda::Function"
    Properties:
      Code:
        S3Bucket:
          Fn::Sub:
            - "asecure-cloud-cf-aux-${Region}"
            - Region:
                Ref: "AWS::Region"
        S3Key: "emr-block-public-access-lambda.zip"
      Handler: "index.handler"
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - "EmrBlockPublicAccessLambdaRole"
          - "Arn"
      Runtime: "nodejs10.x"
      Timeout: 120
Parameters: {}
Metadata: {}
Conditions: {}
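The template's Lambda package (a Node.js zip) is not shown on the page, so the following is an added illustration rather than the template's own code: it turns the comma-and-dash exception string described above into the PermittedPublicSecurityGroupRuleRanges shape the EMR API expects, builds the put_block_public_access_configuration payload, and models the launch-time check. The rule_would_block_launch containment logic is an assumption about EMR's behaviour, not something the page states.

```python
from typing import Dict, List

PortRange = Dict[str, int]  # {"MinRange": n, "MaxRange": m}, the EMR API shape


def parse_port_exceptions(spec: str) -> List[PortRange]:
    """Parse "443,1022-1024,1066" into PermittedPublicSecurityGroupRuleRanges.

    A bare port becomes a one-port range; "a-b" becomes MinRange=a, MaxRange=b.
    Malformed or out-of-range entries raise instead of silently widening the list.
    """
    ranges: List[PortRange] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_port = int(lo)
        hi_port = int(hi) if hi else lo_port
        if not 1 <= lo_port <= hi_port <= 65535:
            raise ValueError(f"invalid port exception: {item!r}")
        ranges.append({"MinRange": lo_port, "MaxRange": hi_port})
    return ranges


def build_config(exceptions: str = "") -> dict:
    """Payload for emr.put_block_public_access_configuration()."""
    return {
        "BlockPublicSecurityGroupRules": True,
        "PermittedPublicSecurityGroupRuleRanges": parse_port_exceptions(exceptions),
    }


def rule_would_block_launch(config: dict, from_port: int, to_port: int) -> bool:
    """Simplified model (an assumption, not taken from the page) of the launch-time
    check: an inbound rule from 0.0.0.0/0 or ::/0 is tolerated only if its whole
    port span lies inside one permitted range; otherwise the launch is blocked."""
    if not config["BlockPublicSecurityGroupRules"]:
        return False
    return not any(r["MinRange"] <= from_port and to_port <= r["MaxRange"]
                   for r in config["PermittedPublicSecurityGroupRuleRanges"])


def apply_config(config: dict) -> None:
    """Apply to the current account/region; needs boto3 and IAM rights for
    elasticmapreduce:PutBlockPublicAccessConfiguration, as in the template's role."""
    import boto3  # imported lazily so the helpers above run offline
    boto3.client("emr").put_block_public_access_configuration(
        BlockPublicAccessConfiguration=config)
```

Running build_config("443,1022-1024,1066") yields the exact structure the Lambda must hand to EMR; with that configuration a wide-open SSH rule (22 from 0.0.0.0/0) still blocks the launch, while 443 and 1022-1024 are tolerated.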
