You can specify security groups using the AWS Management Console, the AWS CLI, or the Amazon EMR API. If you don't specify security groups, Amazon EMR creates default security groups. Specifying additional security groups is optional. You can assign additional security groups for primary instances, core and task instances, and service access (private subnets only).
To specify security groups with the console
- Sign in to the AWS Management Console, and open the Amazon EMR console at https://console.aws.amazon.com/emr.
- Under EMR on EC2 in the left navigation pane, choose Clusters, and then choose Create cluster.
- Under Networking, select the arrow next to EC2 security groups (firewall) to expand this section. Under Primary node and Core and task nodes, the default Amazon EMR managed security groups are selected by default. If you use a private subnet, you also have the option to select a security group for Service access.
- To change your Amazon EMR managed security group, use the Choose security groups dropdown menu to select a different option from the Amazon EMR-managed security group list of options. You have one Amazon EMR managed security group for both Primary node and Core and task nodes.
- To add custom security groups, use the same Choose security groups dropdown menu to select up to four custom security groups from the Custom security group list of options. You can have up to four custom security groups for both Primary node and Core and task nodes.
- Choose any other options that apply to your cluster.
- To launch your cluster, choose Create cluster.
Specifying security groups with the AWS CLI
To specify security groups using the AWS CLI, use the create-cluster command with the following parameters of the --ec2-attributes option:
Parameter | Description |
---|---|
EmrManagedPrimarySecurityGroup | Use this parameter to specify a custom managed security group for the primary instance. If this parameter is specified, |
EmrManagedCoreSecurityGroup | Use this parameter to specify a custom managed security group for core and task instances. If this parameter is specified, |
ServiceAccessSecurityGroup | Use this parameter to specify a custom managed security group for service access, which applies only to clusters in private subnets. The security group you specify as |
AdditionalPrimarySecurityGroups | Use this parameter to specify up to four additional security groups for the primary instance. |
AdditionalCoreSecurityGroups | Use this parameter to specify up to four additional security groups for core and task instances. |
Example — specify custom Amazon EMR-managed security groups and additional security groups
The following example specifies custom Amazon EMR managed security groups for a cluster in a private subnet, multiple additional security groups for the primary instance, and a single additional security group for core and task instances.
Note
Linux line continuation characters (\) are included for readability. They can be removed or used in Linux commands. For Windows, remove them or replace with a caret (^).
```
aws emr create-cluster --name "ClusterCustomManagedAndAdditionalSGs" \
--release-label emr-7.8.0 --applications Name=Hue Name=Hive \
Name=Pig --use-default-roles --ec2-attributes \
SubnetIds=subnet-xxxxxxxxxxxx,KeyName=myKey,\
ServiceAccessSecurityGroup=sg-xxxxxxxxxxxx,\
EmrManagedPrimarySecurityGroup=sg-xxxxxxxxxxxx,\
EmrManagedCoreSecurityGroup=sg-xxxxxxxxxxx,\
AdditionalPrimarySecurityGroups=['sg-xxxxxxxxxxx',\
'sg-xxxxxxxxxxx','sg-xxxxxxxxxx'],\
AdditionalCoreSecurityGroups=sg-xxxxxxxxxxx \
--instance-type m5.xlarge
```
For more information, see create-cluster in the AWS CLI Command Reference.
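The following pre-flight check is an added example, not part of the AWS documentation: it enforces the limit of four additional security groups per node type before the lists are placed in the --ec2-attributes value. The function names are hypothetical, the IDs are constructed, and the ID format (sg- followed by 8 or 17 lowercase hex digits) is an assumption.

```shell
#!/bin/sh
# Added example: validate additional security group lists, then build the
# --ec2-attributes value. Function names are hypothetical; IDs are constructed.

# valid_sg_id ID: true if ID is "sg-" plus 8 or 17 lowercase hex digits
# (assumed format for security group IDs).
valid_sg_id() {
  case $1 in sg-*) ;; *) return 1 ;; esac
  hex=${1#sg-}
  case $hex in ''|*[!0-9a-f]*) return 1 ;; esac
  [ "${#hex}" -eq 8 ] || [ "${#hex}" -eq 17 ]
}

# check_additional_sgs "sg-a,sg-b,...": accept zero to four well-formed,
# distinct IDs. The body is a subshell, so IFS and set -f stay local to it.
check_additional_sgs() (
  IFS=,; set -f            # split on commas only, no filename expansion
  count=0; seen=,
  for id in $1; do
    valid_sg_id "$id" || { echo "malformed ID: '$id'" >&2; exit 1; }
    case $seen in *",$id,"*) echo "duplicate ID: $id" >&2; exit 1 ;; esac
    seen="$seen$id,"
    count=$((count + 1))
  done
  [ "$count" -le 4 ] || { echo "more than four groups ($count)" >&2; exit 1; }
)

# ec2_attributes SUBNET PRIMARY_EXTRA CORE_EXTRA: print the attribute string,
# or fail without printing anything if either list is rejected.
ec2_attributes() {
  check_additional_sgs "$2" && check_additional_sgs "$3" || return 1
  attrs="SubnetIds=$1"
  [ -z "$2" ] || attrs="$attrs,AdditionalPrimarySecurityGroups=[$2]"
  [ -z "$3" ] || attrs="$attrs,AdditionalCoreSecurityGroups=[$3]"
  printf '%s\n' "$attrs"
}

# Demo with constructed IDs: two extra groups for primary, one for core/task.
ec2_attributes subnet-0abc1234 "sg-11111111,sg-22222222" "sg-33333333"
```

Pass the printed string, together with any managed security group parameters from the table above, as the value of --ec2-attributes.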