Using Amazon EMR Block Public Access
Amazon EMR block public access prevents a cluster from launching when any security group associated with the cluster has a rule that allows inbound traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 (public access) on a port, unless the port has been specified as an exception. Port 22 is an exception by default. You can configure exceptions to allow public access on a port or range of ports.
Block public access is enabled for each AWS Region for your AWS account. In other words, each Region has block public access enabled for all clusters created by your account in that Region.
Block public access is evaluated only at cluster creation. It does not prevent IAM principals with the appropriate permissions from later changing security group rules to allow public access on a running cluster, so the security groups of running clusters need to be audited separately.
Amazon EMR block public access is available in the following Regions:
- US East (N. Virginia) — us-east-1
- US East (Ohio) — us-east-2
- Europe (Stockholm) — eu-north-1
- Asia Pacific (Mumbai) — ap-south-1
- Europe (Paris) — eu-west-3
- Europe (Ireland) — eu-west-1
- Europe (Frankfurt) — eu-central-1
- South America (São Paulo) — sa-east-1
- Asia Pacific (Seoul) — ap-northeast-2
- Europe (London) — eu-west-2
- Asia Pacific (Tokyo) — ap-northeast-1
- US West (Oregon) — us-west-2
- US West (N. California) — us-west-1
- Asia Pacific (Singapore) — ap-southeast-1
- Asia Pacific (Sydney) — ap-southeast-2
- Canada (Central) — ca-central-1
Configure Block Public Access
You can enable and disable block public access (BPA) settings using the AWS Management Console, the AWS CLI, and the Amazon EMR API. Settings apply across your account on a Region-by-Region basis. To maintain cluster security, it is recommended that you keep BPA enabled.
- Open the Amazon EMR console at https://console.aws.amazon.com/elasticmapreduce/.
- On the navigation bar, make sure that the Region you want to configure is selected.
- Choose Block public access.
- Under Block public access settings, complete the following steps.

| To... | Do this... |
|---|---|
| Turn block public access on or off | Choose Change, choose On or Off as appropriate, and then choose the check mark to confirm. |
| Edit ports in the list of exceptions | Under Exceptions, choose Edit. To add ports to the list of exceptions, choose Add a port range and enter a new port or port range; repeat for each port or port range to add. To remove a port or port range, choose the x next to the entry in the Port ranges list. Then choose Save Changes. |
- Use the aws emr put-block-public-access-configuration command to configure block public access as shown in the following examples.

| To... | Do this... |
|---|---|
| Turn block public access on | Set |
| Turn block public access off | Set |
| Turn block public access on and specify ports as exceptions | The following example turns on block public access, and specifies Port 22 and Ports 100-101 as exceptions. This allows clusters to be created if an associated security group has an inbound rule that allows public access on Port 22, Port 100, or Port 101. |
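The following is an added example, not code from the AWS documentation or the EMR service. It builds the configuration payload for the CLI command above and models, offline, the check BPA performs on a security group's inbound rules at cluster creation, so you can see which rules would block a launch before you try. The payload field names (BlockPublicSecurityGroupRules, PermittedPublicSecurityGroupRuleRanges, MinRange, MaxRange), the inline-JSON CLI shape, and the rule that a public inbound rule is permitted only if its entire port range is covered by exceptions are assumptions to verify against the EMR API reference; the security group rules are constructed sample data in the shape EC2 DescribeSecurityGroups returns.

```python
"""Offline model of Amazon EMR block public access (BPA).

Added example, not AWS code. Assumed: payload field names
(BlockPublicSecurityGroupRules, PermittedPublicSecurityGroupRuleRanges,
MinRange, MaxRange) and that a public rule is blocked unless its whole
port range lies inside the configured exceptions.
"""
import json
from typing import Dict, List, Tuple

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}   # "anywhere" for IPv4 and IPv6


def bpa_configuration(enabled: bool, exceptions: List[Tuple[int, int]]) -> Dict:
    """Build the block-public-access configuration payload.

    `exceptions` lists (min_port, max_port) pairs that public rules may use.
    Port 22 is the console default; when you set the configuration yourself
    it must be listed explicitly or SSH-from-anywhere rules are blocked too.
    """
    for lo, hi in exceptions:
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range {lo}-{hi}")
    return {
        "BlockPublicSecurityGroupRules": enabled,
        "PermittedPublicSecurityGroupRuleRanges": [
            {"MinRange": lo, "MaxRange": hi} for lo, hi in exceptions
        ],
    }


def cli_command(config: Dict) -> str:
    """Render the matching aws CLI call (assumed shape: inline JSON argument)."""
    return (
        "aws emr put-block-public-access-configuration "
        f"--block-public-access-configuration '{json.dumps(config)}'"
    )


def _fully_permitted(lo: int, hi: int, ranges: List[Dict]) -> bool:
    """True when every port in lo..hi falls inside some exception range.

    Assumption: BPA judges the whole rule, so a rule for ports 20-25 is
    blocked even though 22 alone is an exception.
    """
    need = lo
    for r in sorted(ranges, key=lambda r: r["MinRange"]):
        if r["MinRange"] > need:
            break                      # gap before the next exception
        if r["MaxRange"] >= need:
            need = r["MaxRange"] + 1
        if need > hi:
            return True
    return need > hi


def violations(config: Dict, ip_permissions: List[Dict]) -> List[Tuple[str, int, int, str]]:
    """Return (protocol, from_port, to_port, cidr) for each public inbound
    rule that would stop cluster creation under `config`.

    `ip_permissions` uses the IpPermissions shape of EC2 DescribeSecurityGroups.
    """
    if not config["BlockPublicSecurityGroupRules"]:
        return []
    ranges = config["PermittedPublicSecurityGroupRuleRanges"]
    found = []
    for perm in ip_permissions:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        proto = perm.get("IpProtocol", "-1")
        lo = perm.get("FromPort", 0)
        hi = perm.get("ToPort", 65535)
        if proto == "-1" or lo < 0:    # "all traffic" carries no ports: every port
            lo, hi = 0, 65535
        for cidr in cidrs:
            if cidr in PUBLIC_CIDRS and not _fully_permitted(lo, hi, ranges):
                found.append((proto, lo, hi, cidr))
    return found


# Constructed sample: four inbound rules on a cluster's security group.
SAMPLE_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                     # SSH, excepted
    {"IpProtocol": "tcp", "FromPort": 8088, "ToPort": 8088,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                     # web UI, public
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},                # not public
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # all ports, IPv6 public
]

DEFAULT_CONFIG = bpa_configuration(True, [(22, 22)])

if __name__ == "__main__":
    print(cli_command(DEFAULT_CONFIG))
    for v in violations(DEFAULT_CONFIG, SAMPLE_SG_RULES):
        print("blocked:", v)
```

Run it to see which of the sample rules would stop a launch: the open port 8088 rule and the all-traffic IPv6 rule, while SSH on 22 and the rule restricted to 203.0.113.0/24 pass. Because BPA is checked only at creation, the same evaluator is also a cheap way to re-check the security groups of running clusters after someone edits them; the account's current setting can be read back with aws emr get-block-public-access-configuration.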