turbot/aws_perimeter
GitHub
Loading controls...

Control: EMR cluster master nodes should not have a public IP address

Description

This control checks whether master nodes on Amazon EMR clusters have public IP addresses. This control only checks Amazon EMR clusters that are in RUNNING or WAITING state.

Usage

Run the control in your terminal:

steampipe check aws_perimeter.control.emr_cluster_master_nodes_no_public_ip

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share aws_perimeter.control.emr_cluster_master_nodes_no_public_ip

Plugins & Tables

SQL

select
c.cluster_arn as resource,
case
when c.status ->> 'State' not in ('RUNNING', 'WAITING') then 'skip'
when s.map_public_ip_on_launch then 'alarm'
else 'ok'
end as status,
case
when c.status ->> 'State' not in ('RUNNING', 'WAITING') then c.title || ' is in ' || (c.status ->> 'State') || ' state.'
when s.map_public_ip_on_launch then c.title || ' master nodes assigned with public IP.'
else c.title || ' master nodes not assigned with public IP.'
end as reason,
c.region,
c.account_id
from
aws_emr_cluster as c
left join aws_vpc_subnet as s on c.ec2_instance_attributes ->> 'Ec2SubnetId' = s.subnet_id;

Tags