Powerpipe MCP Server →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
34Dashboards
1359Benchmarks
586Queries
4Variables
GitHub

Control: EMR account public access should be blocked

Description

Manage access to resources in the AWS Cloud by ensuring Amazon EMR clusters cannot be made public.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.emr_account_public_access_blocked

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.emr_account_public_access_blocked --share

SQL

This control uses a named query:

with emr_port_configuration as(
  select
    region,
    account_id
  from
    aws_emr_block_public_access_configuration,
    jsonb_array_elements(permitted_public_security_group_rule_ranges) as r
  where
    (r -> 'MaxRange') :: int = 22
    and (r -> 'MinRange') :: int = 22
    and block_public_security_group_rules
)
select
  'arn:' || c.partition || '::' || c.region || ':' || c.account_id as resource,
  case
    when not block_public_security_group_rules then 'alarm'
    when block_public_security_group_rules
    and p.region is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when not block_public_security_group_rules then c.region || ' EMR block public access disabled.'
    when block_public_security_group_rules
    and p.region is not null then c.region || ' EMR block public access enabled.'
    else c.region || ' EMR block public access enabled for ports other than 22.'
  end as reason,
  c.region,
  c.account_id
from
  aws_emr_block_public_access_configuration as c
  left join emr_port_configuration as p on p.region = c.region
  and p.account_id = c.account_id

Tags

acsc_essential_eight = true
category = Compliance
pci_dss_v40 = true
plugin = aws
service = AWS/EMR