EMR Without VPC
- Query id: bf89373a-be40-4c04-99f5-746742dfd7f3
- Query name: EMR Without VPC
- Platform: CloudFormation
- Severity: Low
- Category: Networking and Firewall
- CWE: Ongoing
- URL: Github
Description¶
Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
CustomAmiId:
Type: String
InstanceType:
Type: String
ReleaseLabel:
Type: String
SubnetId:
Type: String
TerminationProtected:
Type: String
Default: 'false'
ElasticMapReducePrincipal:
Type: String
Ec2Principal:
Type: String
Resources:
cluster:
Type: AWS::EMR::Cluster
Properties:
CustomAmiId: !Ref CustomAmiId
Instances:
MasterInstanceGroup:
InstanceCount: 1
InstanceType: !Ref InstanceType
Market: ON_DEMAND
Name: cfnMaster
CoreInstanceGroup:
InstanceCount: 1
InstanceType: !Ref InstanceType
Market: ON_DEMAND
Name: cfnCore
TerminationProtected: !Ref TerminationProtected
Name: CFNtest
JobFlowRole: !Ref emrEc2InstanceProfile
ServiceRole: !Ref emrRole
ReleaseLabel: !Ref ReleaseLabel
VisibleToAllUsers: true
Tags:
- Key: key1
Value: value1
emrRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: !Ref ElasticMapReducePrincipal
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole'
emrEc2Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: !Ref Ec2Principal
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
emrEc2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref emrEc2Role
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"CustomAmiId" : {
"Type" : "String"
},
"InstanceType" : {
"Type" : "String"
},
"ReleaseLabel" : {
"Type" : "String"
},
"SubnetId" : {
"Type" : "String"
},
"TerminationProtected" : {
"Type" : "String",
"Default" : "false"
},
"ElasticMapReducePrincipal" : {
"Type" : "String"
},
"Ec2Principal" : {
"Type" : "String"
}
},
"Resources": {
"cluster": {
"Type": "AWS::EMR::Cluster",
"Properties": {
"CustomAmiId" : {"Ref" : "CustomAmiId"},
"Instances": {
"MasterInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnMaster"
},
"CoreInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnCore"
},
"TerminationProtected" : {"Ref" : "TerminationProtected"}
},
"Name": "CFNtest",
"JobFlowRole" : {"Ref": "emrEc2InstanceProfile"},
"ServiceRole" : {"Ref": "emrRole"},
"ReleaseLabel" : {"Ref" : "ReleaseLabel"},
"VisibleToAllUsers" : true,
"Tags": [
{
"Key": "key1",
"Value": "value1"
}
]
}
},
"emrRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": {"Ref" : "ElasticMapReducePrincipal"}
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"]
}
},
"emrEc2Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": {"Ref" : "Ec2Principal"}
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"]
}
},
"emrEc2InstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "emrEc2Role"
} ]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
CustomAmiId:
Type: String
InstanceType:
Type: String
ReleaseLabel:
Type: String
SubnetId:
Type: String
TerminationProtected:
Type: String
Default: 'false'
ElasticMapReducePrincipal:
Type: String
Ec2Principal:
Type: String
Resources:
cluster:
Type: AWS::EMR::Cluster
Properties:
CustomAmiId: !Ref CustomAmiId
Instances:
MasterInstanceGroup:
InstanceCount: 1
InstanceType: !Ref InstanceType
Market: ON_DEMAND
Name: cfnMaster
CoreInstanceGroup:
InstanceCount: 1
InstanceType: !Ref InstanceType
Market: ON_DEMAND
Name: cfnCore
TerminationProtected: !Ref TerminationProtected
Ec2SubnetId: !Ref SubnetId
Name: CFNtest
JobFlowRole: !Ref emrEc2InstanceProfile
ServiceRole: !Ref emrRole
ReleaseLabel: !Ref ReleaseLabel
VisibleToAllUsers: true
Tags:
- Key: key1
Value: value1
emrRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: !Ref ElasticMapReducePrincipal
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole'
emrEc2Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: !Ref Ec2Principal
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
emrEc2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref emrEc2Role
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"CustomAmiId" : {
"Type" : "String"
},
"InstanceType" : {
"Type" : "String"
},
"ReleaseLabel" : {
"Type" : "String"
},
"SubnetId" : {
"Type" : "String"
},
"TerminationProtected" : {
"Type" : "String",
"Default" : "false"
},
"ElasticMapReducePrincipal" : {
"Type" : "String"
},
"Ec2Principal" : {
"Type" : "String"
}
},
"Resources": {
"cluster": {
"Type": "AWS::EMR::Cluster",
"Properties": {
"CustomAmiId" : {"Ref" : "CustomAmiId"},
"Instances": {
"MasterInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnMaster"
},
"CoreInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnCore"
},
"TerminationProtected" : {"Ref" : "TerminationProtected"},
"Ec2SubnetId" : {"Ref" : "SubnetId"}
},
"Name": "CFNtest",
"JobFlowRole" : {"Ref": "emrEc2InstanceProfile"},
"ServiceRole" : {"Ref": "emrRole"},
"ReleaseLabel" : {"Ref" : "ReleaseLabel"},
"VisibleToAllUsers" : true,
"Tags": [
{
"Key": "key1",
"Value": "value1"
}
]
}
},
"emrRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": {"Ref" : "ElasticMapReducePrincipal"}
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"]
}
},
"emrEc2Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": {"Ref" : "Ec2Principal"}
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"]
}
},
"emrEc2InstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "emrEc2Role"
} ]
}
}
}
}