The aws:emr/blockPublicAccessConfiguration:BlockPublicAccessConfiguration resource, part of the Pulumi AWS provider, controls region-level security rules that restrict EMR cluster launches based on security group configurations. This guide focuses on three capabilities: managing the AWS default SSH-only configuration, permitting public access on custom port ranges, and disabling restrictions entirely.
This is a region-level singleton resource. Each AWS region has exactly one block public access configuration. Destroying the resource resets it to AWS defaults (SSH-only access). The examples are intentionally small. Combine them with your organization’s security policies and monitoring.
Maintain AWS default configuration with SSH access
Each AWS region starts with a configuration that blocks EMR clusters from launching if their security groups allow public access on any port except SSH (port 22).
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.emr.BlockPublicAccessConfiguration("example", {
    blockPublicSecurityGroupRules: true,
    permittedPublicSecurityGroupRuleRanges: [{
        minRange: 22,
        maxRange: 22,
    }],
});
```

```python
import pulumi
import pulumi_aws as aws

example = aws.emr.BlockPublicAccessConfiguration("example",
    block_public_security_group_rules=True,
    permitted_public_security_group_rule_ranges=[{
        "min_range": 22,
        "max_range": 22,
    }])
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/emr"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := emr.NewBlockPublicAccessConfiguration(ctx, "example", &emr.BlockPublicAccessConfigurationArgs{
			BlockPublicSecurityGroupRules: pulumi.Bool(true),
			PermittedPublicSecurityGroupRuleRanges: emr.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArray{
				&emr.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs{
					MinRange: pulumi.Int(22),
					MaxRange: pulumi.Int(22),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var example = new Aws.Emr.BlockPublicAccessConfiguration("example", new()
    {
        BlockPublicSecurityGroupRules = true,
        PermittedPublicSecurityGroupRuleRanges = new[]
        {
            new Aws.Emr.Inputs.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs
            {
                MinRange = 22,
                MaxRange = 22,
            },
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.emr.BlockPublicAccessConfiguration;
import com.pulumi.aws.emr.BlockPublicAccessConfigurationArgs;
import com.pulumi.aws.emr.inputs.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new BlockPublicAccessConfiguration("example", BlockPublicAccessConfigurationArgs.builder()
            .blockPublicSecurityGroupRules(true)
            .permittedPublicSecurityGroupRuleRanges(BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs.builder()
                .minRange(22)
                .maxRange(22)
                .build())
            .build());
    }
}
```

```yaml
resources:
  example:
    type: aws:emr:BlockPublicAccessConfiguration
    properties:
      blockPublicSecurityGroupRules: true
      permittedPublicSecurityGroupRuleRanges:
        - minRange: 22
          maxRange: 22
```
When blockPublicSecurityGroupRules is true, EMR validates security groups at cluster launch time. The permittedPublicSecurityGroupRuleRanges array defines which ports are exempt from blocking. Here, minRange and maxRange are both set to 22, which permits SSH while blocking all other public access.
Allow public access on multiple port ranges
Some workloads require public access on additional ports beyond SSH, such as custom application endpoints or monitoring interfaces.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.emr.BlockPublicAccessConfiguration("example", {
    blockPublicSecurityGroupRules: true,
    permittedPublicSecurityGroupRuleRanges: [
        {
            minRange: 22,
            maxRange: 22,
        },
        {
            minRange: 100,
            maxRange: 101,
        },
    ],
});
```

```python
import pulumi
import pulumi_aws as aws

example = aws.emr.BlockPublicAccessConfiguration("example",
    block_public_security_group_rules=True,
    permitted_public_security_group_rule_ranges=[
        {
            "min_range": 22,
            "max_range": 22,
        },
        {
            "min_range": 100,
            "max_range": 101,
        },
    ])
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/emr"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := emr.NewBlockPublicAccessConfiguration(ctx, "example", &emr.BlockPublicAccessConfigurationArgs{
			BlockPublicSecurityGroupRules: pulumi.Bool(true),
			PermittedPublicSecurityGroupRuleRanges: emr.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArray{
				&emr.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs{
					MinRange: pulumi.Int(22),
					MaxRange: pulumi.Int(22),
				},
				&emr.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs{
					MinRange: pulumi.Int(100),
					MaxRange: pulumi.Int(101),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var example = new Aws.Emr.BlockPublicAccessConfiguration("example", new()
    {
        BlockPublicSecurityGroupRules = true,
        PermittedPublicSecurityGroupRuleRanges = new[]
        {
            new Aws.Emr.Inputs.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs
            {
                MinRange = 22,
                MaxRange = 22,
            },
            new Aws.Emr.Inputs.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs
            {
                MinRange = 100,
                MaxRange = 101,
            },
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.emr.BlockPublicAccessConfiguration;
import com.pulumi.aws.emr.BlockPublicAccessConfigurationArgs;
import com.pulumi.aws.emr.inputs.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new BlockPublicAccessConfiguration("example", BlockPublicAccessConfigurationArgs.builder()
            .blockPublicSecurityGroupRules(true)
            .permittedPublicSecurityGroupRuleRanges(
                BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs.builder()
                    .minRange(22)
                    .maxRange(22)
                    .build(),
                BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs.builder()
                    .minRange(100)
                    .maxRange(101)
                    .build())
            .build());
    }
}
```

```yaml
resources:
  example:
    type: aws:emr:BlockPublicAccessConfiguration
    properties:
      blockPublicSecurityGroupRules: true
      permittedPublicSecurityGroupRuleRanges:
        - minRange: 22
          maxRange: 22
        - minRange: 100
          maxRange: 101
```
You can define multiple permittedPublicSecurityGroupRuleRanges blocks to exempt additional port ranges. This configuration permits SSH (port 22) and a custom range (ports 100-101). Each range requires both minRange and maxRange, even for single-port exemptions.
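A local model of the launch check described above, added here as an example (it is not code from this page, Pulumi or AWS). It assumes a public rule is one whose source is 0.0.0.0/0 or ::/0 and that such a rule passes only when its whole port range falls inside the permitted ranges; the rule dictionaries and their field names are constructed for illustration.

```python
from ipaddress import ip_network

PUBLIC = {ip_network("0.0.0.0/0"), ip_network("::/0")}

def merge_ranges(ranges):
    """Merge overlapping or adjacent (minRange, maxRange) pairs."""
    merged = []
    for lo, hi in sorted(ranges):
        if lo > hi:
            raise ValueError(f"minRange {lo} exceeds maxRange {hi}")
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def blocked_rules(block_enabled, permitted, ingress_rules):
    """Return the ingress rules that would stop a cluster launch."""
    if not block_enabled:
        return []  # blockPublicSecurityGroupRules: false, nothing is checked
    allowed = merge_ranges(permitted)
    blocked = []
    for rule in ingress_rules:
        if ip_network(rule["cidr"]) not in PUBLIC:
            continue  # only rules open to every address count as public
        lo, hi = rule["from_port"], rule["to_port"]
        # Assumption: the whole port range must sit inside a permitted range.
        if not any(a_lo <= lo and hi <= a_hi for a_lo, a_hi in allowed):
            blocked.append(rule)
    return blocked

# Constructed sample rules (hypothetical field names, not from the page).
SAMPLE_RULES = [
    {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
    {"cidr": "::/0", "from_port": 100, "to_port": 101},
    {"cidr": "0.0.0.0/0", "from_port": 8088, "to_port": 8088},
    {"cidr": "0.0.0.0/0", "from_port": 20, "to_port": 25},
    {"cidr": "10.0.0.0/8", "from_port": 0, "to_port": 65535},
]

def blocked_ports(block_enabled, permitted):
    """Port ranges of the sample rules that the given configuration rejects."""
    return [(r["from_port"], r["to_port"])
            for r in blocked_rules(block_enabled, permitted, SAMPLE_RULES)]

if __name__ == "__main__":
    print("SSH only:       ", blocked_ports(True, [(22, 22)]))
    print("SSH + 100-101:  ", blocked_ports(True, [(22, 22), (100, 101)]))
    print("blocking off:   ", blocked_ports(False, []))
```

Running the same security group rules against a proposed configuration before `pulumi up` shows which existing clusters' groups would start failing at launch, and which public rules a new exemption would let through.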
Disable block public access entirely
Development or testing environments sometimes need to launch EMR clusters without port restrictions, accepting the security trade-off for operational flexibility.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.emr.BlockPublicAccessConfiguration("example", {blockPublicSecurityGroupRules: false});
```

```python
import pulumi
import pulumi_aws as aws

example = aws.emr.BlockPublicAccessConfiguration("example", block_public_security_group_rules=False)
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/emr"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := emr.NewBlockPublicAccessConfiguration(ctx, "example", &emr.BlockPublicAccessConfigurationArgs{
			BlockPublicSecurityGroupRules: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var example = new Aws.Emr.BlockPublicAccessConfiguration("example", new()
    {
        BlockPublicSecurityGroupRules = false,
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.emr.BlockPublicAccessConfiguration;
import com.pulumi.aws.emr.BlockPublicAccessConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new BlockPublicAccessConfiguration("example", BlockPublicAccessConfigurationArgs.builder()
            .blockPublicSecurityGroupRules(false)
            .build());
    }
}
```

```yaml
resources:
  example:
    type: aws:emr:BlockPublicAccessConfiguration
    properties:
      blockPublicSecurityGroupRules: false
```
Setting blockPublicSecurityGroupRules to false removes all port-based launch restrictions. EMR clusters can launch with any security group configuration, regardless of public access rules. This configuration is appropriate only when you accept the security implications.
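Because this setting applies to a whole region, a change to it is worth alerting on. The following is an added detection example, not code from this page or from Pulumi: it scans CloudTrail-style records for the EMR `PutBlockPublicAccessConfiguration` call and flags a disabled block or any exemption beyond SSH. The sample records are constructed, and the lower-camel-case key names under `requestParameters` are an assumption to verify against your own trail.

```python
import json

BASELINE = [(22, 22)]  # SSH-only default described on this page

def review_event(event):
    """Return findings for one CloudTrail record; an empty list means no alert."""
    if (event.get("eventSource") != "elasticmapreduce.amazonaws.com"
            or event.get("eventName") != "PutBlockPublicAccessConfiguration"):
        return []
    # Assumed request shape: lower-camel-case keys under requestParameters.
    params = event.get("requestParameters") or {}
    cfg = params.get("blockPublicAccessConfiguration") or {}
    if not cfg.get("blockPublicSecurityGroupRules", False):
        return ["block public access disabled"]
    findings = []
    for r in cfg.get("permittedPublicSecurityGroupRuleRanges") or []:
        lo, hi = r["minRange"], r["maxRange"]
        if not any(b_lo <= lo and hi <= b_hi for b_lo, b_hi in BASELINE):
            findings.append(f"public exemption for ports {lo}-{hi}")
    return findings

def scan(json_lines):
    """Return (region, caller ARN, finding) for every alert in the log."""
    alerts = []
    for line in json_lines:
        event = json.loads(line)
        caller = (event.get("userIdentity") or {}).get("arn")
        for finding in review_event(event):
            alerts.append((event.get("awsRegion"), caller, finding))
    return alerts

def _sample(region, user, cfg, name="PutBlockPublicAccessConfiguration"):
    # Constructed CloudTrail-style record; account ID and users are placeholders.
    return json.dumps({
        "eventSource": "elasticmapreduce.amazonaws.com", "eventName": name,
        "awsRegion": region,
        "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
        "requestParameters": {"blockPublicAccessConfiguration": cfg},
    })

SSH = {"minRange": 22, "maxRange": 22}
SAMPLE_LOG = [
    _sample("us-east-1", "ci-deploy", {"blockPublicSecurityGroupRules": True,
            "permittedPublicSecurityGroupRuleRanges": [SSH]}),
    _sample("us-east-1", "dev-a", {"blockPublicSecurityGroupRules": True,
            "permittedPublicSecurityGroupRuleRanges": [SSH, {"minRange": 100, "maxRange": 101}]}),
    _sample("eu-west-1", "dev-b", {"blockPublicSecurityGroupRules": False}),
    _sample("eu-west-1", "dev-b", {}, name="GetBlockPublicAccessConfiguration"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```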
Beyond these examples
These snippets focus on specific configuration features: region-level security controls and port range exemptions. They’re intentionally minimal rather than complete security policies.
The examples don’t reference pre-existing infrastructure; this is a region-level singleton that controls EMR launch behavior. They focus on configuring the block public access rules rather than the security groups themselves.
To keep things focused, common patterns are omitted, including:
- Security group rule validation and testing
- Integration with organizational security policies
- Monitoring and alerting on configuration changes
- Multi-region configuration management
These omissions are intentional: the goal is to illustrate how the block public access configuration is wired, not to provide drop-in security modules. See the EMR BlockPublicAccessConfiguration resource reference for all available configuration options.
Frequently Asked Questions
Configuration & Defaults
Port Range Management
Set blockPublicSecurityGroupRules to true and define permittedPublicSecurityGroupRuleRanges with minRange and maxRange for each allowed port range. You can specify multiple port ranges.
Set blockPublicSecurityGroupRules to false to permit EMR clusters to launch regardless of their security group rules.
Immutability & Updates
blockPublicSecurityGroupRules and permittedPublicSecurityGroupRuleRanges are immutable. Changing these properties forces resource replacement.