A collection of AWS security controls for Amazon EMR. Controls include EMR security settings and Config rules for monitoring the compliance status of EMR clusters. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

EMR
EMR Block Public Access (Account-Level)

Configure EMR Block Public Access at the AWS account level, for all EMR clusters in that region. This feature prevents a cluster from launching when any security group associated with the cluster has a rule that allows inbound traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 (public access) on a port, unless the port has been specified as an exception.

CloudFormation | AWS CLI
EMR Cluster Security Configuration

Create an EMR cluster security configuration to configure data encryption at rest and in transit, as well as Kerberos authentication.

CloudFormation | AWS CLI
Amazon EMR Cluster with Custom AMI

This template creates an EMR cluster using a custom Amazon Linux AMI for the EC2 instances in the cluster. It specifies the instance type, release label, subnet ID, termination protection, and other properties. The cluster includes a master instance group, a core instance group, and two task instance groups. It also creates the necessary IAM roles and instance profiles.

CloudFormation
EMR Cluster with Root Volume Size

This template creates an EMR cluster and allows you to specify the size of the EBS root volume for the cluster instances. It also specifies the instance type, release label, subnet ID, termination protection, and other properties. The cluster includes a master instance group, a core instance group, and two task instance groups. It also creates the necessary IAM roles and instance profiles.

CloudFormation
EMR Cluster with Kerberos Authentication

This template creates an EMR cluster and enables you to specify the Kerberos authentication configuration. It includes the instance type, release label, subnet ID, termination protection, and other properties. The cluster includes a master instance group, a core instance group, and two task instance groups. It also creates the necessary IAM roles and instance profiles. The Kerberos configuration includes the cross-realm trust principal password, KDC admin password, and realm.

CloudFormation
EMR Cluster with Managed Scaling Policy

This template creates an EMR cluster and allows you to specify the managed scaling policy. It includes the instance type, release label, subnet ID, and other properties. The cluster includes a master instance group, a core instance group, and two task instance groups. It also creates the necessary IAM roles and instance profiles. The managed scaling policy includes the minimum and maximum capacity units, maximum core capacity units, maximum on-demand capacity units, and unit type.

CloudFormation
EMR Cluster with Task Instance Groups

This CloudFormation template creates an EMR cluster with EC2 instances. It allows you to specify the instance type, release label, subnet ID, and termination protection. The template also creates IAM roles and instance profiles for the EMR cluster.

CloudFormation
EMR Cluster with Task Instance Fleet

This template creates an EMR cluster and includes a task instance fleet. It specifies the instance type, release label, subnet ID, termination protection, and other properties. The cluster includes a master instance fleet, a core instance fleet, and a task instance fleet. It also creates the necessary IAM roles and instance profiles.

CloudFormation
Amazon EMR Instance Group Config to Add a Task Instance Group

This template creates an EMR Instance Group Config with the properties to add a task instance group to a cluster. It specifies the instance count, instance type, instance role, market, name, and job flow ID.

CloudFormation
Amazon EMR Instance Group Config with an Automatic Scaling Policy

This template creates an EMR Instance Group Config with the properties to specify an automatic scaling policy. It defines an AutoScalingPolicy with constraints, rules, and triggers for scale-out and scale-in. The scaling policy is based on CloudWatch alarms for YARN memory available percentage.

CloudFormation