Control: EMR cluster master nodes should not have a public IP address

Description

This control checks whether master nodes on Amazon EMR clusters have public IP addresses. This control only checks Amazon EMR clusters that are in RUNNING or WAITING state.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.emr_cluster_master_nodes_no_public_ip

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.emr_cluster_master_nodes_no_public_ip --share

Steampipe Tables

aws_emr_cluster

aws_vpc_subnet

SQL

select
  c.cluster_arn as resource,
  case
    when c.status ->> 'State' not in ('RUNNING', 'WAITING') then 'skip'
    when s.map_public_ip_on_launch then 'alarm'
    else 'ok'
  end as status,
  case
    when c.status ->> 'State' not in ('RUNNING', 'WAITING') then c.title || ' is in ' || (c.status ->> 'State') || ' state.'
    when s.map_public_ip_on_launch then c.title || ' master nodes assigned with public IP.'
    else c.title || ' master nodes not assigned with public IP.'
  end as reason,
  c.region,
  c.account_id
from
  aws_emr_cluster as c
  left join aws_vpc_subnet as s on c.ec2_instance_attributes ->> 'Ec2SubnetId' = s.subnet_id;

Control: EMR cluster master nodes should not have a public IP address

Description

Usage

Steampipe Tables

SQL

Tags