2
votes

When we try to launch AWS EMR in the Mumbai region, it gets terminated in 5-6 seconds with the following validation error.

"Terminated with errors The EC2 Security Groups [sg-XXXXXXXXXX] contain one or more ingress rules to ports other than [22] which allow public access."

These are default security groups created for AWS EMR in Mumbai region. How to overcome this?

3
The issue arose because of a new security feature of EMR clusters to prevent customers from mistakenly exposing them to the internet. This is solved by AWS - Kavya shree
@Kavyashree Can you please share how this issue was resolved by AWS? - Madhanlal

3 Answers

1
votes

I faced this issue and resolved it by doing the below.

Before creating your EMR cluster, go to your Security Groups (for ElasticMapReduce-master and ElasticMapReduce-slave) and delete all the inbound rules other than for SSH (port 22). This will resolve the issue.

0
votes

Make sure you're not blocking the ports you're using (from public nets). You can go to Amazon EMR, then Block public access, and add the ports you want to access from the public network in Exceptions (or just disable the option Block public access).

Final cluster's Block public access settings

0
votes

Read the message carefully: this occurs if your security group allows public access to a port or port range other than 22 (SSH), for example having an inbound rule that allows access from any IP with 0.0.0.0. This is a security risk and you should restrict access to known static IPs, such as "My IP" in the "Source" dropdown.

See this document for more information https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-policy-reference/configuration-policies/configuration-policies-build-phase/amazon-web-services-configuration-policies/policy_617b9138-584b-4e8e-ad15-7fbabafbed1a.html

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html?icmpid=docs_ec2_console#security-group-rules
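To find which inbound rules would trigger this validation error before launching a cluster, the following added example (not part of any answer above, and not AWS's own implementation) approximates the check offline. It assumes rules in the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`; the sample rules, the function names and the port 8443 exception are constructed for illustration.

```python
# Added example: offline approximation of the check behind the EMR error.
# Rule dicts follow the EC2 DescribeSecurityGroups "IpPermissions" shape.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def rule_sources(perm):
    """Yield every IPv4/IPv6 CIDR source attached to one permission entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]

def port_range(perm):
    """Return (low, high); IpProtocol "-1" means all traffic, all ports."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])

def public_violations(perms, allowed=((22, 22),)):
    """List rules open to the internet on ports outside the allowed ranges.

    `allowed` plays the role of the Block public access exceptions
    (assumption: a rule passes only if it fits entirely inside one range).
    """
    out = []
    for perm in perms:
        public = sorted(PUBLIC_CIDRS.intersection(rule_sources(perm)))
        if not public:
            continue  # restricted to specific CIDRs or to other security groups
        low, high = port_range(perm)
        if any(a <= low and high <= b for a, b in allowed):
            continue
        out.append((perm.get("IpProtocol"), low, high, public))
    return out

# Constructed sample rules, not taken from a real account.
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8088, "ToPort": 8088,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "UserIdGroupPairs": [{"GroupId": "sg-XXXXXXXXXX"}]},
]

if __name__ == "__main__":
    for proto, low, high, cidrs in public_violations(SAMPLE):
        print(f"public ingress: proto={proto} ports={low}-{high} from {cidrs}")
```

Each reported rule should either be narrowed to a known source CIDR or covered by an explicit exception; an all-traffic rule (`-1`) open to `::/0` is flagged even when port 22 is allowed.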