Overview

Configure EMR Block Public Access on the AWS account level, for all EMR clusters in that region. This feature prevents a cluster from launching when any security group associated with the cluster has a rule that allows inbound traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 (public access) on a port, unless the port has been specified as an exception.

Multiple port exceptions can be entered by using commans to separate them, and dashes can be used to indicate port ranges. For example: (443,1022-1024,1066)

CloudFormation template includes a custom resource using lambda to deploy the configuration.

Configuration Templates

Items
3
Size
1.5 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  EmrBlockPublicAccess:
    Type: 'Custom::EmrBlockPublicAccess'
    Properties:
      ServiceToken:
        'Fn::GetAtt':
          - EmrBlockPublicAccessLambda
          - Arn
  EmrBlockPublicAccessLambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: emrInline
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'elasticmapreduce:GetBlockPublicAccessConfiguration'
                  - 'elasticmapreduce:PutBlockPublicAccessConfiguration'
                Resource: '*'
  EmrBlockPublicAccessLambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        S3Bucket:
          'Fn::Sub':
            - 'asecure-cloud-cf-aux-${Region}'
            - Region:
                Ref: 'AWS::Region'
        S3Key: emr-block-public-access-lambda.zip
      Handler: index.handler
      MemorySize: 128
      Role:
        'Fn::GetAtt':
          - EmrBlockPublicAccessLambdaRole
          - Arn
      Runtime: nodejs10.x
      Timeout: 120
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

* Required field

Sources and Documentation

Configuration Source: AWS Documentation: Using EMR Block Public Access

Additional Documentation:

© 2020 asecurecloud Inc. All Rights Reserved.