turbot/aws_compliance

Query: emr_account_public_access_blocked

Usage

powerpipe query aws_compliance.query.emr_account_public_access_blocked

SQL

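-- Reports, per account and region, whether EMR block public access is turned
-- on and whether its exception list is limited to SSH (port 22).
--
-- Review notes on the logic:
--   * A region is 'ok' only when block public access is enabled AND no
--     permitted range other than exactly 22-22 exists. Checking only for the
--     presence of a 22-22 entry would also pass a configuration that permits
--     22-22 together with wider ranges (for example 0-65535).
--   * An enabled configuration with an empty exception list is treated as
--     'ok': it permits no public ports at all, so it is stricter than the
--     port-22-only case.
--   * Entries with a missing MinRange/MaxRange are counted as non-SSH
--     exceptions (fail closed) via "is distinct from".
--   * A NULL block_public_security_group_rules value is reported as disabled.
with emr_non_ssh_exception as (
  -- Regions whose exception list holds at least one range that is not 22-22.
  -- "select distinct" keeps the outer join at one row per account/region even
  -- when several such ranges are configured.
  select distinct
    c.region,
    c.account_id
  from
    aws_emr_block_public_access_configuration as c
    cross join lateral jsonb_array_elements(
      -- jsonb_array_elements rejects non-array input (such as a JSON null),
      -- so anything that is not an array is read as "no exceptions".
      case
        when jsonb_typeof(c.permitted_public_security_group_rule_ranges) = 'array'
          then c.permitted_public_security_group_rule_ranges
        else '[]'::jsonb
      end
    ) as r
  where
    c.block_public_security_group_rules
    and (
      (r ->> 'MinRange')::int is distinct from 22
      or (r ->> 'MaxRange')::int is distinct from 22
    )
)
select
  'arn:' || c.partition || '::' || c.region || ':' || c.account_id as resource,
  case
    when c.block_public_security_group_rules is not true then 'alarm'
    when x.region is null then 'ok'
    else 'alarm'
  end as status,
  case
    when c.block_public_security_group_rules is not true then c.region || ' EMR block public access disabled.'
    when x.region is null then c.region || ' EMR block public access enabled.'
    else c.region || ' EMR block public access enabled for ports other than 22.'
  end as reason,
  c.region,
  c.account_id
from
  aws_emr_block_public_access_configuration as c
  left join emr_non_ssh_exception as x
    on x.region = c.region
    and x.account_id = c.account_id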

Controls

The query is being used by the following controls: