Control: EMR cluster master nodes should not have a public IP address
Description
This control checks whether master nodes on Amazon EMR clusters have public IP addresses. This control only checks Amazon EMR clusters that are in RUNNING or WAITING state.
Usage
Run the control in your terminal:
powerpipe control run aws_perimeter.control.emr_cluster_master_nodes_no_public_ip
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_perimeter.control.emr_cluster_master_nodes_no_public_ip --share
Steampipe Tables
aws_emr_cluster
aws_vpc_subnet
SQL
select
  c.cluster_arn as resource,
  case
    when c.status ->> 'State' not in ('RUNNING', 'WAITING') then 'skip'
    when s.map_public_ip_on_launch then 'alarm'
    else 'ok'
  end as status,
  case
    when c.status ->> 'State' not in ('RUNNING', 'WAITING') then c.title || ' is in ' || (c.status ->> 'State') || ' state.'
    when s.map_public_ip_on_launch then c.title || ' master nodes assigned with public IP.'
    else c.title || ' master nodes not assigned with public IP.'
  end as reason,
  c.region,
  c.account_id
from
  aws_emr_cluster as c
  left join aws_vpc_subnet as s on c.ec2_instance_attributes ->> 'Ec2SubnetId' = s.subnet_id;
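The query above decides by joining the cluster's Ec2SubnetId to the subnet's map_public_ip_on_launch flag, so it is the subnet's auto-assign setting, not the master instance itself, that is being evaluated, and a cluster whose subnet is absent from aws_vpc_subnet gets a NULL from the left join and falls through to 'ok'. The following is an added example, not part of the aws_perimeter mod or the Turbot hub page: it re-implements the skip/alarm/ok logic in plain Python over constructed rows (all ARNs, titles, subnet IDs and the account number are made up) so the decision, including that NULL edge case, can be traced offline.

```python
"""Plain-Python mirror of the emr_cluster_master_nodes_no_public_ip decision.

Added example, not the Powerpipe mod's code. All identifiers are constructed.
"""

from typing import Dict, List, Optional, Tuple

# Constructed stand-in for aws_emr_cluster, holding only the columns the
# control reads: status.State, title and ec2_instance_attributes.Ec2SubnetId.
CLUSTERS: List[Dict[str, str]] = [
    {"cluster_arn": "arn:aws:elasticmapreduce:us-east-1:111122223333:cluster/j-EXAMPLE1",
     "title": "etl-prod", "state": "RUNNING", "subnet_id": "subnet-0public0000000001"},
    {"cluster_arn": "arn:aws:elasticmapreduce:us-east-1:111122223333:cluster/j-EXAMPLE2",
     "title": "ml-batch", "state": "WAITING", "subnet_id": "subnet-0private000000001"},
    {"cluster_arn": "arn:aws:elasticmapreduce:us-east-1:111122223333:cluster/j-EXAMPLE3",
     "title": "old-job", "state": "TERMINATED", "subnet_id": "subnet-0public0000000001"},
    # Subnet missing from aws_vpc_subnet: the LEFT JOIN yields NULL for
    # map_public_ip_on_launch and the query's CASE falls through to 'ok'.
    {"cluster_arn": "arn:aws:elasticmapreduce:us-east-1:111122223333:cluster/j-EXAMPLE4",
     "title": "orphan", "state": "RUNNING", "subnet_id": "subnet-0missing000000001"},
]

# Constructed stand-in for aws_vpc_subnet: subnet_id -> map_public_ip_on_launch.
SUBNETS: Dict[str, bool] = {
    "subnet-0public0000000001": True,
    "subnet-0private000000001": False,
}

# The control only evaluates clusters in these states.
ACTIVE_STATES = ("RUNNING", "WAITING")


def evaluate(cluster: Dict[str, str], subnets: Dict[str, bool]) -> Tuple[str, str]:
    """Return (status, reason) exactly as the control's two CASE expressions do."""
    title, state = cluster["title"], cluster["state"]
    if state not in ACTIVE_STATES:
        return "skip", f"{title} is in {state} state."
    # dict.get returns None for an unknown subnet, mirroring the LEFT JOIN's NULL;
    # `if None:` is falsy just as `WHEN NULL` is, so the result becomes 'ok'.
    map_public: Optional[bool] = subnets.get(cluster["subnet_id"])
    if map_public:
        return "alarm", f"{title} master nodes assigned with public IP."
    return "ok", f"{title} master nodes not assigned with public IP."


def run_control(clusters: List[Dict[str, str]],
                subnets: Dict[str, bool]) -> List[Dict[str, str]]:
    """Produce one result row per cluster, shaped like the query's output."""
    rows = []
    for c in clusters:
        status, reason = evaluate(c, subnets)
        rows.append({"resource": c["cluster_arn"], "status": status, "reason": reason})
    return rows


def unresolved_subnets(clusters: List[Dict[str, str]],
                       subnets: Dict[str, bool]) -> List[str]:
    """Active clusters whose subnet the join could not resolve.

    The control reports these as 'ok' because of the NULL fall-through, so an
    operator should review them separately rather than trust the green result.
    """
    return [c["cluster_arn"] for c in clusters
            if c["state"] in ACTIVE_STATES and c["subnet_id"] not in subnets]


if __name__ == "__main__":
    for row in run_control(CLUSTERS, SUBNETS):
        print(f"{row['status']:5} {row['resource']}  {row['reason']}")
    print("unresolved subnets:", unresolved_subnets(CLUSTERS, SUBNETS))
```

Running the script lists one row per constructed cluster with the same status and reason strings the SQL emits, then prints the clusters whose subnet lookup failed; those are the ones the control silently marks 'ok'.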