Before you connect: Authorize inbound traffic - Amazon EMR

Before you connect: Authorize inbound traffic

Before you connect to an Amazon EMR cluster, you must authorize inbound SSH traffic (port 22) from trusted clients such as your computer's IP address. In order to do so, edit the managed security group rules for the nodes to which you want to connect. For example, the following instructions show you how to add an inbound rule for SSH access to the default ElasticMapReduce-master security group.

For more information about using security groups with Amazon EMR, see Control network traffic with security groups.

To allow SSH access for trusted sources for the ElasticMapReduce-master security group

You must first be logged in to AWS as a root user or as an IAM principal that is allowed to manage security groups for the VPC that the cluster is in. For more information, see Changing Permissions for an IAM User and the Example Policy that allows managing EC2 security groups in the IAM User Guide.

  1. Open the Amazon EMR console at

  2. Choose Clusters.

  3. Choose the Name of the cluster.

  4. Under Security and access choose the Security groups for Master link.

  5. Choose ElasticMapReduce-master from the list.

  6. Choose Inbound, Edit.

  7. Check for an inbound rule that allows public access with the following settings. If it exists, choose Delete to remove it.

    • Type


    • Port


    • Source



    Before December 2020, the default EMR-managed security group for the master instance in public subnets was created with a pre-configured rule to allow inbound traffic on Port 22 from all sources. This rule was created to simplify initial SSH connections to the master node. We strongly recommend that you remove this inbound rule and restrict traffic only from trusted sources.

  8. Scroll to the bottom of the list of rules and choose Add Rule.

  9. For Type, select SSH.

    This automatically enters TCP for Protocol and 22 for Port Range.

  10. For source, select My IP.

    This automatically adds the IP address of your client computer as the source address. Alternatively, you can add a range of Custom trusted client IP addresses and choose Add rule to create additional rules for other clients. Many network environments dynamically allocate IP addresses, so you might need to periodically edit security group rules to update IP addresses for trusted clients.

  11. Choose Save.

  12. Optionally, choose ElasticMapReduce-slave from the list and repeat the steps above to allow SSH client access to core and task nodes from trusted clients.