EMR Account Block Public Access Enabled

Overview

This check verifies that Amazon EMR's account-level Block Public Access (BPA) setting is enabled in your AWS region. When enabled, BPA prevents EMR clusters from launching with security groups that allow inbound traffic from public IP addresses (0.0.0.0/0 or ::/0) on non-excepted ports.

BPA is enabled by default on new AWS accounts. AWS strongly recommends keeping it enabled.

Risk

If Block Public Access is disabled, EMR clusters can be created with security groups that expose them to the entire internet. This could allow attackers to:

  • Access cluster nodes and management interfaces (Spark UI, YARN, Ganglia, etc.)
  • Exfiltrate sensitive data processed by your jobs
  • Tamper with data processing operations
  • Use compromised clusters as a pivot point to attack other resources in your VPC

Severity: High

Remediation Steps

Prerequisites

  • AWS account access with permissions to modify EMR settings
  • Access to the AWS Console or AWS CLI configured with appropriate credentials

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to Amazon EMR
  3. In the left navigation, under EMR on EC2, click Block public access
  4. Review the current setting. If it shows "Off", click Edit
  5. Select Turn on
  6. (Optional) Review port range exceptions - Port 22 (SSH) is allowed by default
  7. Click Save

Repeat these steps for each AWS region where you use EMR.

AWS CLI (optional)

Enable Block Public Access:

    aws emr put-block-public-access-configuration \
        --region us-east-1 \
        --block-public-access-configuration BlockPublicSecurityGroupRules=true

Enable with specific port exceptions (e.g., SSH on port 22):

    aws emr put-block-public-access-configuration \
        --region us-east-1 \
        --block-public-access-configuration '{
            "BlockPublicSecurityGroupRules": true,
            "PermittedPublicSecurityGroupRuleRanges": [
                {"MinRange": 22, "MaxRange": 22}
            ]
        }'

Check the current configuration:

    aws emr get-block-public-access-configuration --region us-east-1

Enable across all regions (script):

    for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
        echo "Enabling BPA in $region..."
        aws emr put-block-public-access-configuration \
            --region "$region" \
            --block-public-access-configuration BlockPublicSecurityGroupRules=true
    done

CloudFormation (optional)

There is no native CloudFormation resource for EMR Block Public Access configuration. Use a CloudFormation Custom Resource with a Lambda function to manage this setting.

Template:

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Enable EMR Block Public Access via Custom Resource

    Resources:
      EMRBPALambdaRole:
        Type: AWS::IAM::Role
        Properties:
          RoleName: EMRBlockPublicAccessLambdaRole
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Service: lambda.amazonaws.com
                Action: sts:AssumeRole
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
          Policies:
            - PolicyName: EMRBlockPublicAccessPolicy
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Action:
                      - elasticmapreduce:PutBlockPublicAccessConfiguration
                      - elasticmapreduce:GetBlockPublicAccessConfiguration
                    Resource: '*'

      EMRBPALambda:
        Type: AWS::Lambda::Function
        Properties:
          FunctionName: EnableEMRBlockPublicAccess
          Runtime: python3.12
          Handler: index.handler
          Role: !GetAtt EMRBPALambdaRole.Arn
          Timeout: 60
          Code:
            ZipFile: |
              import boto3
              import cfnresponse

              def handler(event, context):
                  try:
                      # Only Create and Update change the setting. Delete leaves BPA
                      # enabled but must still signal CloudFormation; otherwise stack
                      # deletion hangs until the custom resource times out.
                      if event['RequestType'] in ['Create', 'Update']:
                          emr = boto3.client('emr')
                          emr.put_block_public_access_configuration(
                              BlockPublicAccessConfiguration={
                                  'BlockPublicSecurityGroupRules': True,
                                  'PermittedPublicSecurityGroupRuleRanges': [
                                      {'MinRange': 22, 'MaxRange': 22}
                                  ]
                              }
                          )
                      cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
                  except Exception as e:
                      print(f"Error: {e}")
                      cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)})

      EnableEMRBPA:
        Type: Custom::EMRBlockPublicAccess
        Properties:
          ServiceToken: !GetAtt EMRBPALambda.Arn

    Outputs:
      Status:
        Description: EMR Block Public Access configuration status
        Value: Enabled

Deploy the stack:

    aws cloudformation deploy \
        --template-file emr-bpa.yaml \
        --stack-name emr-block-public-access \
        --capabilities CAPABILITY_NAMED_IAM \
        --region us-east-1

Terraform (optional)

Older versions of the Terraform AWS provider have no native resource for EMR Block Public Access. Use the provider's aws_emr_block_public_access_configuration resource if your provider version supports it; otherwise, use a null_resource with a local-exec provisioner that calls the CLI.

Using local-exec provisioner:

    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = ">= 4.0"
        }
      }
    }

    provider "aws" {
      region = "us-east-1"
    }

    resource "null_resource" "emr_block_public_access" {
      provisioner "local-exec" {
        command = <<-EOT
          aws emr put-block-public-access-configuration \
            --region us-east-1 \
            --block-public-access-configuration '{
              "BlockPublicSecurityGroupRules": true,
              "PermittedPublicSecurityGroupRuleRanges": [
                {"MinRange": 22, "MaxRange": 22}
              ]
            }'
        EOT
      }

      # Re-run on every apply so the setting is re-asserted if someone turned it off.
      triggers = {
        always_run = timestamp()
      }
    }

Using native Terraform resource (if available):

    resource "aws_emr_block_public_access_configuration" "this" {
      block_public_security_group_rules = true

      permitted_public_security_group_rule_range {
        min_range = 22
        max_range = 22
      }
    }

Apply the configuration:

    terraform init
    terraform plan
    terraform apply

Verification

After enabling Block Public Access, verify the setting is active:

  1. In the AWS Console, navigate to Amazon EMR > Block public access
  2. Confirm the status shows On
  3. Review the permitted port exceptions to ensure only necessary ports are listed

CLI verification

    aws emr get-block-public-access-configuration --region us-east-1

Expected output when properly configured:

    {
        "BlockPublicAccessConfiguration": {
            "BlockPublicSecurityGroupRules": true,
            "PermittedPublicSecurityGroupRuleRanges": [
                {
                    "MinRange": 22,
                    "MaxRange": 22
                }
            ]
        },
        "BlockPublicAccessConfigurationMetadata": {
            "CreationDateTime": "2024-01-15T10:30:00.000Z",
            "CreatedByArn": "arn:aws:iam::123456789012:user/admin"
        }
    }

Confirm that BlockPublicSecurityGroupRules is true and that PermittedPublicSecurityGroupRuleRanges lists only the ports you intend to expose.
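The following is an added example, not the check's own code: it turns the verification above into an audit that evaluates the get-block-public-access-configuration response (enabled, and every permitted public port range inside an allow-list), and wraps that in a per-region loop with boto3, since BPA is configured per region. The allow-list default of port 22 and the sample response are taken from this page; boto3 is only needed for the live audit.

```python
# Added example (not the check's own code): audit EMR Block Public Access.
# evaluate_bpa() is a pure function over the get-block-public-access-configuration
# response shown above, so it runs offline; audit_all_regions() is the live wrapper.

# Constructed sample: the expected-output JSON from the Verification section, as a dict.
SAMPLE_RESPONSE = {
    "BlockPublicAccessConfiguration": {
        "BlockPublicSecurityGroupRules": True,
        "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 22}],
    }
}


def evaluate_bpa(response, allowed_ports=frozenset({22})):
    """Return (compliant, findings) for one region.

    Compliant means BlockPublicSecurityGroupRules is true and every permitted
    public port range lies inside allowed_ports (default: SSH only, as on this page).
    """
    cfg = response.get("BlockPublicAccessConfiguration", {})
    findings = []
    if not cfg.get("BlockPublicSecurityGroupRules", False):
        findings.append("BlockPublicSecurityGroupRules is false: BPA is off")
    for rng in cfg.get("PermittedPublicSecurityGroupRuleRanges", []):
        lo, hi = int(rng["MinRange"]), int(rng["MaxRange"])
        extra = sorted(p for p in range(lo, hi + 1) if p not in allowed_ports)
        if extra:
            findings.append(f"exception {lo}-{hi} permits non-allow-listed ports {extra[:5]}")
    return (not findings, findings)


def audit_all_regions(allowed_ports=frozenset({22})):
    """Live audit of every enabled region (needs credentials; BPA is per region)."""
    import boto3  # imported here so evaluate_bpa() stays usable offline
    ec2 = boto3.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    results = {}
    for region in regions:
        emr = boto3.client("emr", region_name=region)
        results[region] = evaluate_bpa(emr.get_block_public_access_configuration(), allowed_ports)
    return results


if __name__ == "__main__":
    ok, issues = evaluate_bpa(SAMPLE_RESPONSE)
    print("compliant" if ok else "\n".join(issues))
```

A region with BPA off, or with a wide exception such as 20-25, produces one finding per problem, so the result can be fed straight into a ticket or alert.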

Additional Resources

Notes

  • Region-specific: Block Public Access is configured per region. You must enable it in each region where you run EMR clusters.

  • Default port exception: Port 22 (SSH) is permitted by default to allow administrative access. Consider whether this exception is needed for your use case.

  • Running clusters: If security group rules are modified on a running cluster to violate BPA, EMR will attempt to revoke the rule automatically (if the service role has ec2:RevokeSecurityGroupIngress permission). If EMR cannot revoke the rule, it creates an AWS Health dashboard event.

  • Private subnets: BPA does not apply to clusters in private subnets since they are not directly exposed to the internet.

  • Port exceptions: Keep the list of permitted ports as small as possible. Each exception creates potential exposure. Remove exceptions when no longer needed.

  • Service role permissions: For automatic rule revocation to work, attach the AmazonEMRServicePolicy_v2 managed policy to your EMR service role, or ensure it has the ec2:RevokeSecurityGroupIngress permission.