turbot/steampipe-mod-aws-compliance

Control: 2 Amazon EMR block public access setting should be enabled

Description

This control checks whether your account is configured with Amazon EMR block public access. The control fails if the block public access setting isn't enabled or if any port other than port 22 is allowed.

Amazon EMR block public access prevents you from launching a cluster in a public subnet if the cluster has a security configuration that allows inbound traffic from public IP addresses on a port. When a user from your AWS account launches a cluster, Amazon EMR checks the port rules in the security group for the cluster and compares them with your inbound traffic rules. If the security group has an inbound rule that opens ports to the public IP addresses IPv4 0.0.0.0/0 or IPv6 ::/0, and those ports aren't specified as exceptions for your account, Amazon EMR doesn't let the user create the cluster.

Remediation

To configure block public access for Amazon EMR, see Using Amazon EMR block public access in the Amazon EMR Management Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_emr_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_emr_2 --share

SQL

This control uses a named query:

with emr_port_configuration as (
  -- regions where blocking is on and the exception list holds an entry for exactly port 22
  select
    region,
    account_id
  from
    aws_emr_block_public_access_configuration,
    jsonb_array_elements(permitted_public_security_group_rule_ranges) as r
  where
    (r -> 'MaxRange')::int = 22
    and (r -> 'MinRange')::int = 22
    and block_public_security_group_rules
)
select
  'arn:' || c.partition || '::' || c.region || ':' || c.account_id as resource,
  case
    when not block_public_security_group_rules then 'alarm'
    when block_public_security_group_rules and p.region is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when not block_public_security_group_rules then c.region || ' EMR block public access disabled.'
    when block_public_security_group_rules and p.region is not null then c.region || ' EMR block public access enabled.'
    else c.region || ' EMR block public access enabled for ports other than 22.'
  end as reason,
  c.region,
  c.account_id
from
  aws_emr_block_public_access_configuration as c
  -- a region with no matching port-22 exception row gets p.region = null
  left join emr_port_configuration as p on p.region = c.region and p.account_id = c.account_id;
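The same check applied offline to a block-public-access configuration in the shape returned by emr:GetBlockPublicAccessConfiguration (the same fields the aws_emr_block_public_access_configuration table exposes). This is an added example, not the mod's own code; the sample configurations are constructed, and it follows the description literally, so a region whose exception list contains port 22 alongside another port, or a range such as 20-25 that merely includes 22, is reported as an alarm.

```python
"""Evaluate EMR block public access settings against the rule in
foundational_security_emr_2: blocking enabled, and port 22 the only
permitted public exception."""

# Constructed sample data, one configuration per region.
SAMPLE_CONFIGS = {
    "us-east-1": {"BlockPublicSecurityGroupRules": True,
                  "PermittedPublicSecurityGroupRuleRanges": [
                      {"MinRange": 22, "MaxRange": 22}]},
    "us-west-2": {"BlockPublicSecurityGroupRules": False,
                  "PermittedPublicSecurityGroupRuleRanges": [
                      {"MinRange": 22, "MaxRange": 22}]},
    "eu-west-1": {"BlockPublicSecurityGroupRules": True,
                  "PermittedPublicSecurityGroupRuleRanges": [
                      {"MinRange": 22, "MaxRange": 22},
                      {"MinRange": 8443, "MaxRange": 8443}]},
    "ap-south-1": {"BlockPublicSecurityGroupRules": True,
                   "PermittedPublicSecurityGroupRuleRanges": [
                       {"MinRange": 20, "MaxRange": 25}]},
}


def evaluate(config):
    """Return (status, reason) for one region's configuration."""
    if not config.get("BlockPublicSecurityGroupRules", False):
        return "alarm", "EMR block public access disabled."
    ranges = config.get("PermittedPublicSecurityGroupRuleRanges") or []
    # Every exception must be exactly 22-22; a wider range that contains
    # 22 still exposes the other ports in it, so it counts as extra.
    extra = [(r["MinRange"], r["MaxRange"]) for r in ranges
             if (r["MinRange"], r["MaxRange"]) != (22, 22)]
    if extra:
        ports = ", ".join(str(lo) if lo == hi else f"{lo}-{hi}"
                          for lo, hi in extra)
        return "alarm", ("EMR block public access enabled for ports "
                         f"other than 22: {ports}.")
    # Enabled with no exceptions at all is also compliant.
    return "ok", "EMR block public access enabled."


def evaluate_all(configs):
    """Map region -> (status, reason) for a dict of configurations."""
    return {region: evaluate(cfg) for region, cfg in configs.items()}


if __name__ == "__main__":
    for region, (status, reason) in evaluate_all(SAMPLE_CONFIGS).items():
        print(f"{status:5} {region} {reason}")
```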

Tags