Exam AWS Certified Data Analytics - Specialty topic 1 question 34 discussion

C?? https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html

https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html

--- workflow --- data with PII -> s3 analyst 1 -> EMR 1 analyst 2 -> EMR 2 ... analyst n -> EMR n (In fact, what company allows its analysts to create an individual EMR for each person?! o.O) --- objective --- ensure the EMR is not accessible by public internet --- way to make this with the least effort and least cost --- block all account emr public access --- have another way to make this? --- yes, if a data analyst specialist designs a AMI for all EMR clusters and schedules a daily job to create an EMR for all analysts... buuuuuuuuuut, have a lot of effort rsrsrs

https://aws.amazon.com/about-aws/whats-new/2019/08/amazon-emr-introduces-block-public-access-configuration-to-secure-emr-clusters-from-unintentional-network-exposure/

C: I passed the test

Answer is C

Correct answer is C as the EMR clusters can be configured with a block public access setting which is applied to all regions within an account. Amazon EMR block public access prevents a cluster in a public subnet from launching when any security group associated with the cluster has a rule that allows inbound traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 (public access) on a port, unless the port has been specified as an exception. Port 22 is an exception by default. You can configure exceptions to allow public access on a port or range of ports. Block public access does not take effect in private subnets. A is wrong as security configurations can be used to configure data encryption, Kerberos authentication, and Amazon S3 authorization for EMRFS. B is wrong Although this approach is possible, it entails a management overhead of regularly updating the security groups of the EMR cluster. Option D is wrong as WAF does not work with EMR clusters.

the company must ensure the data is not publicly accessible throughout this process. How to ensure SG not be modified during the whole process if you choose C?

B ---- as Block public access does not block IAM principals with appropriate permissions from updating security group configurations to allow public access on running clusters.... https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html I would suggest customer to use config to trigger auto mitigation if any port is opened to public access.

"with LEAST amount of effort" - this is the key statement here.

Selected Answer: C

B is obviously wrong. AWS Exams would never allow a compliance solution to manually check if the settings are correct every now and then. C is better

My Answer is C

Option C does not make sense since this is already enabled by default. Option B is better. I think the best solution is to use a custom config rule with SSM remediation https://asecure.cloud/a/cfgrule_c_emr_security_groups_restricted/

Ans C This is a textbook question. https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html

Ans C https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-block-public-access.html

I think C is Default. The question is what we need to do to ensure that, and we have to make sure the ports are not open as public.. Do you think the correct answer is B?