Amazon EMR cluster's master node with public IP

Network misconfigurations

Amazon EMR cluster’s master node with public IP

Risk Level

Informational (4)

Platform(s)

Compliance Frameworks

AWS Foundational Security Best Practices Controls

Description

EMR, Elastic MapReduce, is a managed cluster platform that simplifies running big data frameworks. EMR cluster is a collection of Amazon Elastic Compute Cloud (Amazon EC2) instances. Each instance in the cluster is called a node. The master node manages the cluster and coordinates the distribution of data and tasks among other nodes for processing. Master node {AwsEmrInstance} has an associated public IP address. Although it allows to create a secure access using SSH tunnel, associating the master node with public IP address directly and not within a VPC or a private subnet that has IPv4 does not stand with security best practices.

Recommended Mitigation

It is recommended to create a new cluster in VPC private subnet. After launch, it is not possible to manually disassociate a public IPv4 address from that instance. For more information: https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-vpc-launching-job-flows.html

Amazon EMR cluster’s master node with public IP

Description

Need help?