Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Before you connect: Authorize inbound
traffic
Before you connect to an Amazon EMR cluster, you must authorize inbound SSH traffic (port
22) from trusted clients such as your computer's IP address. In order to do so, edit the
managed security group rules for the nodes to which you want to connect. For example,
the following instructions show you how to add an inbound rule for SSH access to the
default ElasticMapReduce-master security group.
For more information about using security groups with Amazon EMR, see Control network traffic with security groups.
- New console
-
To grant trusted sources SSH access to the primary security group
with the new console
To edit your security groups, you must have permission to manage
security groups for the VPC that the cluster is in. For more
information, see Changing Permissions for a user and the Example Policy that allows managing EC2 security groups in
the IAM User Guide.
-
Sign in to the Amazon Web Services Management Console, and open the Amazon EMR console at
https://console.amazonaws.cn/emr.
-
Under EMR on EC2 in the left navigation pane,
choose Clusters, and then choose the cluster
that you want to update. This opens up the cluster details page. The
Properties tab on this page will be
pre-selected.
-
Under Networking in the
Properties tab, select the arrow next to
EC2 security groups (firewall) to expand
this section. Under Primary node, select the
security group link. This opens the EC2 console.
-
Choose the Inbound rules tab and then choose
Edit inbound rules.
-
Check for an inbound rule that allows public access with the
following settings. If it exists, choose Delete
to remove it.
-
Type
SSH
-
Port
22
-
Source
Custom 0.0.0.0/0
Before December 2020, the ElasticMapReduce-master security
group had a pre-configured rule to allow inbound traffic on Port
22 from all sources. This rule was created to simplify initial
SSH connections to the primary node. We strongly recommend that
you remove this inbound rule and restrict traffic to trusted
sources.
-
Scroll to the bottom of the list of rules and choose Add
Rule.
-
For Type, select SSH.
This selection automatically enters TCP for
Protocol and 22 for
Port Range.
-
For source, select My IP to automatically add
your IP address as the source address. You can also add a range of
Custom trusted client IP addresses, or
create additional rules for other clients. Many network environments
dynamically allocate IP addresses, so you might need to update your
IP addresses for trusted clients in the future.
-
Choose Save.
-
Optionally return to Step 3, choose Core and task
nodes, and repeat Steps 4 - 8. This grants core and
task nodes SSH client access.
- Old console
-
To grant trusted sources SSH access to the primary security group with the console
To edit your security groups, you must have permission to manage security groups for the VPC that the cluster is in. For more information, see Changing Permissions for a user and the Example Policy that allows managing EC2 security groups in the IAM User Guide.
Sign in to the Amazon Web Services Management Console, and open the Amazon EMR console at https://console.amazonaws.cn/emr.
Choose Clusters. Choose the ID of the cluster you want to modify.
In the Network and security pane, expand the EC2 security groups (firewall) dropdown.
Under Primary node, choose your security group.
Choose Edit inbound rules.
Check for an inbound rule that allows public access with the following settings. If it exists, choose Delete to remove it.
-
Type
SSH
-
Port
22
-
Source
Custom 0.0.0.0/0
Before December 2020, there was a pre-configured rule to allow inbound traffic on Port 22 from all sources. This rule was created to simplify initial SSH connections to the primary node. We strongly recommend that you remove this inbound rule and restrict traffic to trusted sources.
Scroll to the bottom of the list of rules and choose Add Rule.
-
For Type, select SSH.
Selecting SSH automatically enters TCP for Protocol and 22 for Port Range.
-
For source, select My IP to automatically add your IP address as the source address. You can also add a range of Custom trusted client IP addresses, or create additional rules for other clients. Many network environments dynamically allocate IP addresses, so you might need to update your IP addresses for trusted clients in the future.
Choose Save.
Optionally, choose the other security group under Core and task nodes in the Network and security pane and repeat the steps above to allow SSH client access to core and task nodes.