turbot/aws_compliance

Control: 2 Amazon EMR block public access setting should be enabled

Description

This control checks whether your account is configured with Amazon EMR block public access. The control fails if the block public access setting isn't enabled or if any port other than port 22 is allowed.

Amazon EMR block public access prevents you from launching a cluster in a public subnet if the cluster has a security configuration that allows inbound traffic from public IP addresses on a port. When a user from your AWS account launches a cluster, Amazon EMR checks the port rules in the security group for the cluster and compares them with your inbound traffic rules. If the security group has an inbound rule that opens ports to the public IP addresses IPv4 0.0.0.0/0 or IPv6 ::/0, and those ports aren't specified as exceptions for your account, Amazon EMR doesn't let the user create the cluster.
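To make the pass/fail rule concrete, the following Python applies the logic described above (block public access must be enabled, and port 22 is the only tolerated exception) to the response shape returned by boto3's emr.get_block_public_access_configuration(). This is an added example, not the aws_compliance mod's own query; the sample configurations are constructed, and the fetch_configuration helper is an assumption about how you would pull a live configuration for one region.

```python
"""Local evaluation of the 'EMR block public access' control.

Added example (not the aws_compliance mod's query). The input dict has
the shape of boto3's GetBlockPublicAccessConfiguration response
(BlockPublicAccessConfiguration key); sample inputs are constructed.
"""
from typing import Any, Dict, List

# Port 22 (SSH) is the only exception the control tolerates.
ALLOWED_EXCEPTION_PORTS = {22}


def offending_ranges(ranges: List[Dict[str, int]]) -> List[str]:
    """Return 'lo-hi' strings for permitted ranges that include any port
    outside ALLOWED_EXCEPTION_PORTS. MaxRange is optional in the API; a
    missing MaxRange means a single port."""
    bad = []
    for r in ranges:
        lo = int(r["MinRange"])
        hi = int(r.get("MaxRange", lo))
        # A range is acceptable only if every port in it is an allowed exception;
        # with {22} that means exactly 22-22. Checking the bounds avoids expanding
        # something like 0-65535 into a 65k-element set.
        if lo != hi or lo not in ALLOWED_EXCEPTION_PORTS:
            bad.append(f"{lo}-{hi}")
    return bad


def evaluate_block_public_access(config: Dict[str, Any]) -> Dict[str, str]:
    """Evaluate one account/region. Returns {'status': 'ok'|'alarm', 'reason': ...},
    mirroring the status/reason pair a Powerpipe control reports."""
    bpa = config.get("BlockPublicAccessConfiguration", config)
    if not bpa.get("BlockPublicSecurityGroupRules", False):
        return {"status": "alarm", "reason": "EMR block public access is disabled"}
    bad = offending_ranges(bpa.get("PermittedPublicSecurityGroupRuleRanges", []))
    if bad:
        return {"status": "alarm",
                "reason": "Ports other than 22 are permitted from 0.0.0.0/0 or ::/0: "
                          + ", ".join(bad)}
    return {"status": "ok",
            "reason": "EMR block public access is enabled; only port 22 is permitted"}


def fetch_configuration(region_name: str) -> Dict[str, Any]:
    """Assumed helper: read the live setting for one region with boto3.
    Imported lazily so the rest of the file runs offline."""
    import boto3  # requires AWS credentials; not used by the samples below
    client = boto3.client("emr", region_name=region_name)
    return client.get_block_public_access_configuration()


# Constructed sample responses (not from any real account).
SAMPLE_DISABLED = {"BlockPublicAccessConfiguration": {
    "BlockPublicSecurityGroupRules": False,
    "PermittedPublicSecurityGroupRuleRanges": []}}

SAMPLE_DEFAULT = {"BlockPublicAccessConfiguration": {
    "BlockPublicSecurityGroupRules": True,
    "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 22}]}}

SAMPLE_EXTRA_PORTS = {"BlockPublicAccessConfiguration": {
    "BlockPublicSecurityGroupRules": True,
    "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 22},
                                               {"MinRange": 8088, "MaxRange": 8090}]}}

if __name__ == "__main__":
    for name, sample in [("disabled", SAMPLE_DISABLED),
                         ("default", SAMPLE_DEFAULT),
                         ("extra_ports", SAMPLE_EXTRA_PORTS)]:
        result = evaluate_block_public_access(sample)
        print(f"{name:12s} {result['status']:5s} {result['reason']}")
```

The check is deliberately strict about ranges: a permitted range of 20-25 contains port 22 but also ports the control does not tolerate, so it is reported as a failure rather than passed because 22 appears inside it.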

Remediation

To configure block public access for Amazon EMR, see Using Amazon EMR block public access in the Amazon EMR Management Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_emr_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_emr_2 --share

SQL

This control uses a named query:

emr_account_public_access_blocked

Tags