Amazon EMR Management Guide

Rules in Amazon EMR–Managed Security Groups

The tables in this section list the inbound and outbound access rules added to the Amazon EMR–managed security groups. IP address ranges and rules are automatically updated for Amazon EMR–managed security groups.

Warning

We do not recommend creating an inbound rule for any protocol or port that allows inbound traffic from all IP addresses (0.0.0.0/0). This opens access to everyone and creates a security vulnerability.

The following rules are added to Amazon EMR–managed master security groups:

Inbound rules

  Type      Protocol  Port Range  Source
  All ICMP  ICMP      All         The default ElasticMapReduce-master security group ID or the master security group ID that you specify; for example, sg-88XXXXed
  All TCP   TCP       All         (same source as the ICMP rule above)
  All UDP   UDP       All         (same source as the ICMP rule above)

  Details: Allows inbound traffic from any instance in the ElasticMapReduce-master security group. By default, the master nodes in all Amazon EMR clusters in a single VPC can communicate with each other over any TCP, UDP, or ICMP port.

  If you choose your own master security group, only master instances in the group can communicate with each other over any TCP, UDP, or ICMP port.

  Type      Protocol  Port Range  Source
  All ICMP  ICMP      All         The default ElasticMapReduce-slave security group ID or the core/task security group ID that you specify; for example, sg-8bXXXXee
  All TCP   TCP       All         (same source as the ICMP rule above)
  All UDP   UDP       All         (same source as the ICMP rule above)

  Details: Allows inbound traffic from any instance in the ElasticMapReduce-slave security group. By default, the master node accepts inbound communication from any core/task node in any Amazon EMR cluster in a single VPC over any TCP, UDP, or ICMP port.

  If you choose your own core/task security group, only core/task instances in this group can communicate with the master node over any TCP, UDP, or ICMP port.

  Type      Protocol  Port Range  Source
  HTTPS     TCP       8443        Various Amazon IP address ranges

  Details: Allows the cluster manager to communicate with the master nodes in each Amazon EMR cluster in a single VPC.

Outbound rules

  Type         Protocol  Port Range  Destination
  All traffic  All       All         0.0.0.0/0

  Details: Provides outbound access to the Internet from any instance in the ElasticMapReduce-master security group or the group that you specify.

The following rules are added to Amazon EMR–managed core/task security groups:

Inbound rules

  Type      Protocol  Port Range  Source
  All ICMP  ICMP      All         The default ElasticMapReduce-master security group ID or the master security group ID that you specify; for example, sg-88XXXXed
  All TCP   TCP       All         (same source as the ICMP rule above)
  All UDP   UDP       All         (same source as the ICMP rule above)

  Details: Allows inbound traffic from any instance in the ElasticMapReduce-master security group or the group that you specify. By default, the core/task nodes in all Amazon EMR clusters in a single VPC accept inbound communication from master nodes over any TCP, UDP, or ICMP port.

  If you choose your own master security group, only master instances in this group can communicate with the core/task nodes over any TCP, UDP, or ICMP port.

  Type      Protocol  Port Range  Source
  All ICMP  ICMP      All         The default ElasticMapReduce-slave security group ID or the core/task security group ID that you specify; for example, sg-8bXXXXee
  All TCP   TCP       All         (same source as the ICMP rule above)
  All UDP   UDP       All         (same source as the ICMP rule above)

  Details: Allows inbound traffic from any instance in the ElasticMapReduce-slave security group. By default, the core/task nodes accept inbound communication from any other core/task node in any Amazon EMR cluster in a single VPC over any TCP, UDP, or ICMP port.

  If you choose your own core/task security group, only core/task instances in this group can communicate with each other over any TCP, UDP, or ICMP port.

  Type        Protocol  Port Range  Source
  Custom TCP  TCP       8443

Outbound rules

  Type         Protocol  Port Range  Destination
  All traffic  All       All         0.0.0.0/0

  Details: Provides outbound access to the Internet from all instances in the ElasticMapReduce-slave security group or the group that you specify.
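As an added example (not code from the Amazon EMR documentation), the following Python audits security groups given in the shape of an EC2 DescribeSecurityGroups response and reports any inbound rule open to all IP addresses, the configuration the warning in this section advises against. The response is constructed: the group IDs are the placeholders used in the tables above, 203.0.113.0/24 stands in for an Amazon IP address range, and the SSH-from-anywhere rule on the slave group is a deliberate bad rule so the audit has something to catch.

```python
"""Flag inbound rules on Amazon EMR-managed security groups that admit traffic from anywhere."""
from ipaddress import ip_network

def perm(proto, cidrs=(), groups=(), from_port=None, to_port=None):
    """Build one entry in the shape of an EC2 IpPermissions element."""
    p = {"IpProtocol": proto,
         "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
         "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c],
         "UserIdGroupPairs": [{"GroupId": g} for g in groups]}
    if from_port is not None:
        p["FromPort"], p["ToPort"] = from_port, to_port
    return p

# Constructed sample in the shape of a DescribeSecurityGroups response. Group IDs are the
# page's placeholders; 203.0.113.0/24 stands in for an Amazon range; the slave group
# carries a deliberately bad SSH-from-anywhere rule to show what the audit catches.
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-88XXXXed", "GroupName": "ElasticMapReduce-master", "IpPermissions": [
        perm("-1", groups=["sg-88XXXXed", "sg-8bXXXXee"]),
        perm("tcp", cidrs=["203.0.113.0/24"], from_port=8443, to_port=8443)]},
    {"GroupId": "sg-8bXXXXee", "GroupName": "ElasticMapReduce-slave", "IpPermissions": [
        perm("-1", groups=["sg-88XXXXed", "sg-8bXXXXee"]),
        perm("tcp", cidrs=["0.0.0.0/0", "::/0"], from_port=22, to_port=22)]},
]}

def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other prefix of length zero."""
    return ip_network(cidr, strict=False).prefixlen == 0

def open_inbound_rules(group: dict) -> list:
    """Return (protocol, from_port, to_port, cidr) for every inbound rule open to everyone."""
    findings = []
    for p in group.get("IpPermissions", []):
        proto = "all" if p["IpProtocol"] == "-1" else p["IpProtocol"]
        ports = (p.get("FromPort", "all"), p.get("ToPort", "all"))
        cidrs = [r["CidrIp"] for r in p.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
        findings += [(proto, *ports, c) for c in cidrs if is_world_open(c)]
    return findings

def audit(response: dict) -> dict:
    """Map each group ID to its world-open inbound rules; an empty list means the group is clean."""
    return {g["GroupId"]: open_inbound_rules(g) for g in response["SecurityGroups"]}

if __name__ == "__main__":
    for gid, bad in audit(SAMPLE_RESPONSE).items():
        print(gid, "clean" if not bad else bad)
```

Rules whose source is a security group ID (the UserIdGroupPairs entries) are never flagged, which matches the peer-group rules in the tables above; only CIDR sources with a zero-length prefix are reported.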