EMR Cluster Master Node Should Not Have Public IP
More Info:
Ensure that EMR Cluster Master nodes don’t have public IpsRisk Level
HighAddresses
SecurityCompliance Standards
SOC2,ISO27001,HITRUST,NISTCSF,PCIDSS,SEBI,RBI_MD_ITF,RBI_UCBTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of EMR Cluster Master Node having a public IP in AWS, you can follow these steps using the AWS Management Console:
- Access the AWS Management Console: Go to the AWS Management Console (https://aws.amazon.com/console/).
- Navigate to EMR Service: Click on the “Services” dropdown in the top left corner, search for “EMR” (Elastic MapReduce), and click on it to open the EMR dashboard.
- Select the EMR Cluster: From the list of EMR clusters, select the cluster where the Master Node has a public IP address that needs to be remediated.
-
Update Security Configuration:
- Click on the “Security and access” tab in the cluster details.
- Under the “Security groups” section, click on the security group associated with the Master Node.
-
Edit Security Group Rules:
- In the security group settings, locate the inbound rule that allows inbound traffic to the Master Node from the internet (0.0.0.0/0).
- Edit the inbound rule to restrict access to the Master Node by changing the source IP range to a specific IP or CIDR block that needs access.
-
Remove Public IP:
- In the EMR Cluster settings, find the Master Node configuration.
- Update the network settings to remove the public IP assignment for the Master Node.
- Save Changes: Once you have made the necessary changes to the security group rules and network settings, save the configuration changes.
-
Verify Configuration:
- After saving the changes, verify that the Master Node no longer has a public IP address assigned to it.
- Test the connectivity to ensure that the necessary access is still available without exposing the Master Node to the public internet.
Using CLI
Using CLI
To remediate the misconfiguration of having a public IP assigned to the EMR Cluster Master Node in AWS, you can follow these steps using the AWS CLI:
-
Identify the EMR Cluster Master Node:
Run the following AWS CLI command to describe the cluster and identify the Master Node’s public IP address:
-
Modify the Security Group associated with the EMR Cluster:
Run the following AWS CLI command to identify the security group attached to the EMR Cluster:
-
Update the Security Group to remove the inbound rule allowing SSH (port 22) access from 0.0.0.0/0:
Run the following AWS CLI command to revoke the ingress rule for port 22:
-
Verify the Public IP has been removed:
Run the following AWS CLI command to describe the cluster and confirm that the Master Node no longer has a public IP address:
Using Python
Using Python
To remediate the misconfiguration of the EMR Cluster Master Node having a public IP in AWS, you can follow these steps using Python and Boto3:
- Import the necessary libraries:
- Initialize the AWS client for EMR:
- Identify the EMR Cluster ID for the cluster with the Master Node having a public IP:
- Describe the cluster to get the current configuration:
- Check if the Master Public DNS Name is present in the response:
- Run the Python script to remediate the misconfiguration and remove the public IP from the Master Node of the EMR Cluster.