PlatformResourcesSign inSign Up

Ensure Amazon EMR clusters' security groups are not open to the world

Error: Amazon EMR clusters' security groups are open to the world

Bridgecrew Policy ID: BC_AWS_NETWORKING_40
Checkov Check ID: CKV2_AWS_7
Severity: LOW

Suggest Edits

Amazon EMR clusters' security groups are open to the world

Description

Least privilege, it's is best practice to limit any database access only to those groups or instances that require it.

Fix - Buildtime

Terraform

  • Resource: aws_emr_cluster and aws_security_group
  • Argument: ingress of aws_security_group
resource "aws_emr_cluster" "cluster_ok" {
  name          = "emr-test-arn"
  release_label = "emr-4.6.0"
  applications  = ["Spark"]

  ec2_attributes {
    emr_managed_master_security_group = aws_security_group.block_access_ok.id
    emr_managed_slave_security_group  = aws_security_group.block_access_ok.id
    instance_profile                  = "connected_to_aws_iam_instance_profile"
  }
}

resource "aws_security_group" "block_access_ok" {
  name        = "block_access"
  description = "Block all traffic"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["10.0.0.0/16"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["10.0.0.0/16"]
  }
}

Updated over 1 year ago