Compliance · High severity

AWS Security Hub · EMR

EMR.1: An EMR primary node has a public IP

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EMR.1 check?

EMR.1 checks whether an EMR cluster's primary (master) node has a public IPv4 address on its network interface. It reads the `PublicIp` field, evaluates only clusters in `RUNNING` or `WAITING` state on a periodic schedule, and reports FAILED whenever a public address is present at evaluation time. It is backed by the `emr-master-no-public-ip` Config rule.
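To make the decision rule concrete, here is an added example (not Emnode's or AWS's code) that reproduces the EMR.1 evaluation in Python: a pure evaluator over constructed `describe-cluster`/`list-instances`-shaped data, plus a collector that runs the same logic against a live account. The collector assumes boto3 is installed and credentials are configured; the sample cluster IDs and addresses are made up.

```python
"""Local reproduction of the EMR.1 decision rule (added example, not AWS's implementation)."""
from typing import Iterable

# Only clusters in these states are evaluated; anything else is out of scope.
EVALUATED_STATES = {"RUNNING", "WAITING"}


def evaluate_cluster(cluster: dict, master_instances: Iterable[dict]) -> str:
    """Return PASSED / FAILED / NOT_APPLICABLE for one cluster.

    cluster:          a cluster summary or 'Cluster' object carrying Status.State
    master_instances: 'Instances' from list-instances --instance-group-types MASTER
    """
    state = cluster.get("Status", {}).get("State")
    if state not in EVALUATED_STATES:
        return "NOT_APPLICABLE"
    # A populated PublicIpAddress on any primary node makes the control plane routable.
    if any(inst.get("PublicIpAddress") for inst in master_instances):
        return "FAILED"
    return "PASSED"


def audit_account(region: str) -> dict:
    """Run the same rule over live data (assumes boto3 + credentials; not exercised offline)."""
    import boto3
    emr = boto3.client("emr", region_name=region)
    verdicts = {}
    for page in emr.get_paginator("list_clusters").paginate(ClusterStates=["RUNNING", "WAITING"]):
        for summary in page["Clusters"]:
            masters = emr.list_instances(ClusterId=summary["Id"],
                                         InstanceGroupTypes=["MASTER"])["Instances"]
            verdicts[summary["Id"]] = evaluate_cluster(summary, masters)
    return verdicts


# Constructed sample responses (hypothetical clusters) to exercise the evaluator offline.
SAMPLE = {
    "j-PUBLIC": ({"Status": {"State": "WAITING"}},
                 [{"Ec2InstanceId": "i-0aaa", "PrivateIpAddress": "10.0.1.10",
                   "PublicIpAddress": "203.0.113.7"}]),
    "j-PRIVATE": ({"Status": {"State": "RUNNING"}},
                  [{"Ec2InstanceId": "i-0bbb", "PrivateIpAddress": "10.0.2.10"}]),
    "j-DONE": ({"Status": {"State": "TERMINATED"}},
               [{"Ec2InstanceId": "i-0ccc", "PublicIpAddress": "203.0.113.8"}]),
}


def evaluate_sample() -> dict:
    """Verdict per sample cluster: only the running-with-public-IP one fails."""
    return {cid: evaluate_cluster(c, inst) for cid, (c, inst) in SAMPLE.items()}


if __name__ == "__main__":
    for cid, verdict in evaluate_sample().items():
        print(f"{cid}: {verdict}")
```

Note that the terminated cluster with a public address is reported NOT_APPLICABLE, matching the control's scope rather than the raw presence of the field.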

Why does EMR.1 matter?

A public IP turns the cluster's control plane into an internet-reachable target. The primary node exposes the YARN/Spark management UIs and SSH, and it typically holds broad IAM permissions over sensitive data in S3, HDFS, and Hive metastores. With a routable address, any misconfigured security group or inbound rule becomes direct exposure. The cruel part: you can't disassociate a public IP from a running primary node — the only fix is to relaunch.

How do I fix EMR.1?

  1. Relaunch the offending cluster into a private subnet.
  2. Fix the subnet's auto-assign-public-IP attribute that caused it.
  3. Turn on EMR block public access at the account level.
  4. Enforce private-by-default with a Config rule and launch templates.

Remediation script · bash

# Close the highest-impact public exposure first: databases.
# Finds every RDS instance flagged PubliclyAccessible and flips it to private.
set -euo pipefail

for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
# Replace 123456789012 with your own account ID.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.

Is EMR.1 a false positive?

There's no in-place remediation — teams expect to detach the IP from the running node, but EMR doesn't allow it, so the finding only clears by relaunching the cluster correctly.

Part of the learning path Trim your network spend