The aws:emr/blockPublicAccessConfiguration:BlockPublicAccessConfiguration resource, part of the Pulumi AWS provider, controls region-level security restrictions that prevent EMR clusters from launching with security groups permitting public access on unspecified ports. This guide focuses on three capabilities: enforcing AWS default security posture, permitting specific port ranges, and disabling restrictions for development.
This is a region-level configuration that affects all EMR cluster launches in the configured region. The examples are intentionally small. Each represents a different security posture for your EMR environment.
Enforce AWS default security posture with SSH access
Most organizations start with AWS’s default EMR security posture, which blocks public access on all ports except SSH.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.emr.BlockPublicAccessConfiguration("example", {
blockPublicSecurityGroupRules: true,
permittedPublicSecurityGroupRuleRanges: [{
minRange: 22,
maxRange: 22,
}],
});
import pulumi
import pulumi_aws as aws
example = aws.emr.BlockPublicAccessConfiguration("example",
block_public_security_group_rules=True,
permitted_public_security_group_rule_ranges=[{
"min_range": 22,
"max_range": 22,
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/emr"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := emr.NewBlockPublicAccessConfiguration(ctx, "example", &emr.BlockPublicAccessConfigurationArgs{
BlockPublicSecurityGroupRules: pulumi.Bool(true),
PermittedPublicSecurityGroupRuleRanges: emr.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArray{
&emr.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs{
MinRange: pulumi.Int(22),
MaxRange: pulumi.Int(22),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Emr.BlockPublicAccessConfiguration("example", new()
{
BlockPublicSecurityGroupRules = true,
PermittedPublicSecurityGroupRuleRanges = new[]
{
new Aws.Emr.Inputs.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs
{
MinRange = 22,
MaxRange = 22,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.emr.BlockPublicAccessConfiguration;
import com.pulumi.aws.emr.BlockPublicAccessConfigurationArgs;
import com.pulumi.aws.emr.inputs.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new BlockPublicAccessConfiguration("example", BlockPublicAccessConfigurationArgs.builder()
.blockPublicSecurityGroupRules(true)
.permittedPublicSecurityGroupRuleRanges(BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs.builder()
.minRange(22)
.maxRange(22)
.build())
.build());
}
}
resources:
example:
type: aws:emr:BlockPublicAccessConfiguration
properties:
blockPublicSecurityGroupRules: true
permittedPublicSecurityGroupRuleRanges:
- minRange: 22
maxRange: 22
When blockPublicSecurityGroupRules is true, EMR prevents cluster launches if their security groups allow public access on ports outside the permitted ranges. The permittedPublicSecurityGroupRuleRanges array defines exceptions; here, port 22 (SSH) is allowed. The minRange and maxRange properties define inclusive port boundaries. If you destroy this resource, the configuration resets to this default.
Allow public access on multiple port ranges
Some workloads require public access to custom services beyond SSH, such as web UIs or monitoring endpoints.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.emr.BlockPublicAccessConfiguration("example", {
blockPublicSecurityGroupRules: true,
permittedPublicSecurityGroupRuleRanges: [
{
minRange: 22,
maxRange: 22,
},
{
minRange: 100,
maxRange: 101,
},
],
});
import pulumi
import pulumi_aws as aws
example = aws.emr.BlockPublicAccessConfiguration("example",
block_public_security_group_rules=True,
permitted_public_security_group_rule_ranges=[
{
"min_range": 22,
"max_range": 22,
},
{
"min_range": 100,
"max_range": 101,
},
])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/emr"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := emr.NewBlockPublicAccessConfiguration(ctx, "example", &emr.BlockPublicAccessConfigurationArgs{
BlockPublicSecurityGroupRules: pulumi.Bool(true),
PermittedPublicSecurityGroupRuleRanges: emr.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArray{
&emr.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs{
MinRange: pulumi.Int(22),
MaxRange: pulumi.Int(22),
},
&emr.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs{
MinRange: pulumi.Int(100),
MaxRange: pulumi.Int(101),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Emr.BlockPublicAccessConfiguration("example", new()
{
BlockPublicSecurityGroupRules = true,
PermittedPublicSecurityGroupRuleRanges = new[]
{
new Aws.Emr.Inputs.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs
{
MinRange = 22,
MaxRange = 22,
},
new Aws.Emr.Inputs.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs
{
MinRange = 100,
MaxRange = 101,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.emr.BlockPublicAccessConfiguration;
import com.pulumi.aws.emr.BlockPublicAccessConfigurationArgs;
import com.pulumi.aws.emr.inputs.BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new BlockPublicAccessConfiguration("example", BlockPublicAccessConfigurationArgs.builder()
.blockPublicSecurityGroupRules(true)
.permittedPublicSecurityGroupRuleRanges(
BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs.builder()
.minRange(22)
.maxRange(22)
.build(),
BlockPublicAccessConfigurationPermittedPublicSecurityGroupRuleRangeArgs.builder()
.minRange(100)
.maxRange(101)
.build())
.build());
}
}
resources:
example:
type: aws:emr:BlockPublicAccessConfiguration
properties:
blockPublicSecurityGroupRules: true
permittedPublicSecurityGroupRuleRanges:
- minRange: 22
maxRange: 22
- minRange: 100
maxRange: 101
Multiple permittedPublicSecurityGroupRuleRanges blocks permit different port ranges. This configuration allows SSH (port 22) and custom application ports (100-101) while blocking all other public access. Each range is evaluated independently; EMR permits clusters if their security groups only expose ports within these ranges.
Disable block public access entirely
Development or testing environments sometimes need unrestricted cluster launch capabilities.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.emr.BlockPublicAccessConfiguration("example", {blockPublicSecurityGroupRules: false});
import pulumi
import pulumi_aws as aws
example = aws.emr.BlockPublicAccessConfiguration("example", block_public_security_group_rules=False)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/emr"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := emr.NewBlockPublicAccessConfiguration(ctx, "example", &emr.BlockPublicAccessConfigurationArgs{
BlockPublicSecurityGroupRules: pulumi.Bool(false),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Emr.BlockPublicAccessConfiguration("example", new()
{
BlockPublicSecurityGroupRules = false,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.emr.BlockPublicAccessConfiguration;
import com.pulumi.aws.emr.BlockPublicAccessConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new BlockPublicAccessConfiguration("example", BlockPublicAccessConfigurationArgs.builder()
.blockPublicSecurityGroupRules(false)
.build());
}
}
resources:
example:
type: aws:emr:BlockPublicAccessConfiguration
properties:
blockPublicSecurityGroupRules: false
Setting blockPublicSecurityGroupRules to false removes all port restrictions. EMR clusters can launch regardless of their security group rules. This configuration is useful for development environments but should be avoided in production.
Beyond these examples
These snippets focus on specific block public access features: port range restrictions, SSH access preservation, and complete access control disabling. They’re intentionally minimal rather than full EMR security configurations.
The examples don’t require pre-existing infrastructure; they configure region-level EMR behavior directly. They focus on access control policy rather than cluster provisioning.
To keep things focused, configuration aspects are omitted, including:
- Region-specific configuration (region property)
- Import of existing configurations
- Interaction with EMR cluster security groups
- Behavior when resource is destroyed (resets to default)
These omissions are intentional: the goal is to illustrate how block public access is configured, not provide drop-in EMR security modules. See the EMR BlockPublicAccessConfiguration resource reference for all available configuration options.
Let's configure AWS EMR Block Public Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Defaults
permittedPublicSecurityGroupRuleRanges blocks with minRange and maxRange to define allowed port ranges. You can specify multiple ranges by adding multiple blocks.blockPublicSecurityGroupRules to false to permit EMR clusters to launch regardless of security group rules.Lifecycle & Immutability
blockPublicSecurityGroupRules and permittedPublicSecurityGroupRuleRanges are immutable. Changing these properties requires replacing the resource.