Ensure EMR Cluster Primary Nodes Do Not Have Public IP Addresses
Checks if primary nodes in Amazon EMR clusters are assigned public IP addresses, which could expose them to potential external threats.
| Rule | Amazon EMR cluster primary nodes should not have public IP addresses |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ High |
Rule Description
Amazon EMR cluster primary nodes should not have public IP addresses to adhere to AWS Foundational Security Best Practices. Public IP addresses can expose the primary nodes to external threats and unauthorized access.
Troubleshooting
If the primary nodes of your EMR cluster have public IP addresses, you need to disable them to enhance security.
Remediation Steps
- 1.
Identify the EMR Cluster:
- Log in to the AWS Management Console.
- Navigate to the Amazon EMR service.
- Select the specific cluster that needs to be updated.
- 2.
Update the Cluster Configuration:
- Click on the "Hardware" tab.
- Find the primary nodes section.
- Modify the network configuration to remove the public IP addresses.
- 3.
Update Security Group:
- Adjust the security group settings to restrict access to the cluster from authorized IP addresses only.
- 4.
Verify Changes:
- Validate that the primary nodes no longer have public IP addresses assigned.
Example CLI Command
To update the EMR cluster configuration using the AWS Command Line Interface (CLI), you can use the following command:
aws emr modify-cluster --cluster-id your-cluster-id --ec2-attributes AdditionalMasterSecurityGroups=your-security-group-id,AdditionalSlaveSecurityGroups=your-security-group-id
Ensure you replace
your-cluster-idyour-security-group-idBy following these steps, you can ensure that the primary nodes of your Amazon EMR cluster do not have public IP addresses, aligning with AWS Foundational Security Best Practices.