AWS Security ChangesHomeSearch

AWS emr documentation change

Service: emr · 2026-06-04 · Documentation low

File: emr/latest/ManagementGuide/emr-man-sec-groups.md

Summary

Updated security group rules for EMR releases: Added version-specific requirements (7.x vs 8.0.0+), changed S3 access from HTTP/HTTPS to HTTPS-only, and added new VPC endpoint communication rules for EMR 8.0.0+.

Security assessment

Changes clarify security group configurations for different EMR versions but don't reference any vulnerability fix. The HTTPS enforcement improves security posture by removing HTTP access. New VPC endpoint rules (port 443) enhance security but aren't response to a specific incident.

Diff

diff --git a/emr/latest/ManagementGuide/emr-man-sec-groups.md b/emr/latest/ManagementGuide/emr-man-sec-groups.md
index 835829fee..0db06cccf 100644
--- a//emr/latest/ManagementGuide/emr-man-sec-groups.md
+++ b//emr/latest/ManagementGuide/emr-man-sec-groups.md
@@ -139 +139 @@ All UDP | UDP | All
-HTTPS (8443) | TCP | 8443 | The Group ID of the managed security group for service access in a private subnet. | This rule allows the cluster manager to communicate with the primary node.  
+HTTPS (8443) | TCP | 8443 | The Group ID of the managed security group for service access in a private subnet. | This rule allows the cluster manager to communicate with the primary node. Required for Amazon EMR releases 7.x and earlier.  
@@ -142 +142 @@ All traffic | All | All | 0.0.0.0/0 | Provides outbound access to the internet.
-Custom TCP | TCP | 9443 | The Group ID of the managed security group for service access in a private subnet. | If the above "All traffic" default outbound rule is removed, this rule is a minimum requirement for Amazon EMR 5.30.0 and later.
+Custom TCP | TCP | 9443 | The Group ID of the managed security group for service access in a private subnet. | If the above "All traffic" default outbound rule is removed, this rule is a minimum requirement for Amazon EMR releases 5.30.0 to 7.x.
@@ -147 +147 @@ Amazon EMR does not add this rule when you use a custom managed security group.
-Custom TCP | TCP | 80 (http) or 443 (https) | The Group ID of the managed security group for service access in a private subnet. | If the above "All traffic" default outbound rule is removed, this rule is a minimum requirement for Amazon EMR 5.30.0 and later to connect to Amazon S3 over https.
+Custom TCP | TCP | 443 (https) | The Group ID of the managed security group for service access in a private subnet. | If the above "All traffic" default outbound rule is removed, this rule is a minimum requirement for Amazon EMR 5.30.0 and later to connect to Amazon S3 over https. For Amazon EMR 8.0.0 and later and Amazon EMR Spark 8.0.0 and later, this rule is also required for the primary instance to communicate with the cluster manager through the VPC endpoint.
@@ -166 +166 @@ All UDP | UDP | All
-HTTPS (8443) | TCP | 8443 | The Group ID of the managed security group for service access in a private subnet. | This rule allows the cluster manager to communicate with core and task nodes.  
+HTTPS (8443) | TCP | 8443 | The Group ID of the managed security group for service access in a private subnet. | This rule allows the cluster manager to communicate with core and task nodes. Required for Amazon EMR releases 7.x and earlier.  
@@ -169 +169 @@ All traffic | All | All | 0.0.0.0/0 | See Editing outbound rules below.
-Custom TCP | TCP | 80 (http) or 443 (https) | The Group ID of the managed security group for service access in a private subnet. | If the above "All traffic" default outbound rule is removed, this rule is a minimum requirement for Amazon EMR 5.30.0 and later to connect to Amazon S3 over https.
+Custom TCP | TCP | 443 (https) | The Group ID of the managed security group for service access in a private subnet. | If the above "All traffic" default outbound rule is removed, this rule is a minimum requirement for Amazon EMR 5.30.0 and later to connect to Amazon S3 over https.
@@ -184 +184 @@ All Traffic | All | All | sg-`xxxxxxxxxxxxxxxxx` | The ID of the `ElasticMapRedu
-Custom TCP | TCP | 9443 | sg-`xxxxxxxxxxxxxxxxx` | The ID of the `ElasticMapReduce-ServiceAccess` security group.  
+Custom TCP | TCP | 9443 | sg-`xxxxxxxxxxxxxxxxx` | The ID of the `ElasticMapReduce-ServiceAccess` security group. Required for Amazon EMR releases 7.x and earlier.  
@@ -188 +188,10 @@ Custom TCP | TCP | 9443 | sg-`xxxxxxxxxxxxxxxxx` | The ID of the `ElasticMapRedu
-The default managed security group for service access in private subnets has the **Group Name** of **ElasticMapReduce-ServiceAccess**. It has inbound rules, and outbound rules that allow traffic over HTTPS (port 8443, port 9443) to the other managed security groups in private subnets. These rules allow the cluster manager to communicate with the primary node and with core and task nodes. The same rules are needed if you are using custom security groups.
+The default managed security group for service access in private subnets has the **Group Name** of **ElasticMapReduce-ServiceAccess**.
+
+For Amazon EMR 8.0.0 and later and Amazon EMR Spark 8.0.0 and later, this security group is attached to the Amazon EMR service VPC endpoint and must allow inbound traffic over HTTPS (port 443) from cluster instances. The same rule is needed if you are using custom security groups.
+
+Type | Protocol | Port range | Source | Details  
+---|---|---|---|---  
+_Inbound rules_  
+HTTPS | TCP | 443 | The CIDR block(s) of the cluster's VPC. |  This rule allows communication between EMR cluster instances and the cluster manager.  
+  
+For Amazon EMR releases 7.x and earlier, this security group is attached to an ENI in your subnet. It has inbound rules, and outbound rules that allow traffic over HTTPS (port 8443, port 9443) to the other managed security groups in private subnets. These rules allow the cluster manager to communicate with the primary node and with core and task nodes. The same rules are needed if you are using custom security groups.
@@ -192 +201 @@ Type | Protocol | Port range | Source | Details
-_Inbound rules_ Required for Amazon EMR clusters with Amazon EMR release 5.30.0 and later.  
+_Inbound rules_ Required for Amazon EMR clusters with Amazon EMR release 5.30.0 to 7.x.  
@@ -194 +203 @@ Custom TCP | TCP | 9443 | The Group ID of the managed security group for primary
-_Outbound rules_ Required for all Amazon EMR clusters  
+_Outbound rules_ Required for Amazon EMR clusters with releases 7.x or earlier.  
@@ -196 +205 @@ Custom TCP | TCP | 8443 | The Group ID of the managed security group for primary
-Custom TCP | TCP | 8443 | The Group ID of the managed security group for core and task instances.  |  These rules allow the cluster manager to communicate with the primary node and with core and task nodes.   
+Custom TCP | TCP | 8443 | The Group ID of the managed security group for core and task instances.