Specifying Amazon EMR-managed and additional security groups - Amazon EMR

Specifying Amazon EMR-managed and additional security groups

You can specify security groups using the Amazon Web Services Management Console, the Amazon CLI, or the Amazon EMR API. If you don't specify security groups, Amazon EMR creates default security groups. Specifying additional security groups is optional. You can assign additional security groups for primary instances, core and task instances, and service access (private subnets only).

New console
Note

We’ve redesigned the Amazon EMR console to make it easier to use. See Amazon EMR console to learn about the differences between the old and new console experiences.

To specify security groups with the new console
  1. Sign in to the Amazon Web Services Management Console, and open the Amazon EMR console at https://console.amazonaws.cn/emr.

  2. Under EMR on EC2 in the left navigation pane, choose Clusters, and then choose Create cluster.

  3. Under Networking, select the arrow next to EC2 security groups (firewall) to expand this section. Under Primary node and Core and task nodes, the default Amazon EMR managed security groups are selected by default. If you use a private subnet, you also have the option to select a security group for Service access.

  4. To change your Amazon EMR managed security group, use the Choose security groups dropdown menu to select a different option from the Amazon EMR-managed security group list of options. You have one Amazon EMR managed security group for both Primary node and Core and task nodes.

  5. To add custom security groups, use the same Choose security groups dropdown menu to select up to four custom security groups from the Custom security group list of options. You can have up to four custom security groups for both Primary node and Core and task nodes.

  6. Choose any other options that apply to your cluster.

  7. To launch your cluster, choose Create cluster.

Old console
To specify security groups with the old console
  1. Navigate to the new Amazon EMR console and select Switch to the old console from the side navigation. For more information on what to expect when you switch to the old console, see Using the old console.

  2. Choose Create cluster, Go to advanced options.

  3. Choose options for your cluster until you reach Step 4: Security.

  4. Choose EC2 Security Groups to expand the section.

    Under EMR managed security groups, the default managed security groups are selected by default. If a default doesn't exist in the VPC for Master, Core & Task, or Service Access (private subnet only), Create appears before the associated security group name.

  5. If you use custom managed security groups, select them from the EMR managed security groups lists.

    If you select a custom managed security group, a message notifies you to select a custom security group for other instances. You can use only custom or only default managed security groups for a cluster.

  6. Optionally, under Additional security groups, choose the pencil icon, select up to four security groups from the list, and then choose Assign security groups. Repeat for each of Master, Core & Task, and Service Access as desired.

  7. Choose Create Cluster.

Specifying security groups with the Amazon CLI

To specify security groups using the Amazon CLI, use the create-cluster command with the following parameters of the --ec2-attributes option:

| Parameter | Description |
| --- | --- |
| EmrManagedPrimarySecurityGroup | Use this parameter to specify a custom managed security group for the primary instance. If this parameter is specified, EmrManagedCoreSecurityGroup must also be specified. For clusters in private subnets, ServiceAccessSecurityGroup must also be specified. |
| EmrManagedCoreSecurityGroup | Use this parameter to specify a custom managed security group for core and task instances. If this parameter is specified, EmrManagedPrimarySecurityGroup must also be specified. For clusters in private subnets, ServiceAccessSecurityGroup must also be specified. |
| ServiceAccessSecurityGroup | Use this parameter to specify a custom managed security group for service access, which applies only to clusters in private subnets. The security group you specify as ServiceAccessSecurityGroup should not be used for any other purpose and should also be reserved for Amazon EMR. If this parameter is specified, EmrManagedPrimarySecurityGroup must also be specified. |
| AdditionalPrimarySecurityGroups | Use this parameter to specify up to four additional security groups for the primary instance. |
| AdditionalCoreSecurityGroups | Use this parameter to specify up to four additional security groups for core and task instances. |

Example — specify custom Amazon EMR-managed security groups and additional security groups

The following example specifies custom Amazon EMR managed security groups for a cluster in a private subnet, multiple additional security groups for the primary instance, and a single additional security group for core and task instances.

Note

Linux line continuation characters (\) are included for readability. They can be removed or used in Linux commands. For Windows, remove them or replace with a caret (^).

```
aws emr create-cluster --name "ClusterCustomManagedAndAdditionalSGs" \
--release-label emr-7.1.0 --applications Name=Hue Name=Hive \
Name=Pig --use-default-roles --ec2-attributes \
SubnetIds=subnet-xxxxxxxxxxxx,KeyName=myKey,\
ServiceAccessSecurityGroup=sg-xxxxxxxxxxxx,\
EmrManagedPrimarySecurityGroup=sg-xxxxxxxxxxxx,\
EmrManagedCoreSecurityGroup=sg-xxxxxxxxxxx,\
AdditionalPrimarySecurityGroups=['sg-xxxxxxxxxxx',\
'sg-xxxxxxxxxxx','sg-xxxxxxxxxx'],\
AdditionalCoreSecurityGroups=sg-xxxxxxxxxxx \
--instance-type m5.xlarge
```

For more information, see create-cluster in the Amazon CLI Command Reference.
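The dependency rules stated for the --ec2-attributes parameters can be checked before create-cluster is run, for example in a deployment pipeline. The following is an added example, not part of the Amazon EMR documentation or tooling: the function name, the rule labels, the private_subnet flag, and the security group IDs are assumptions made for illustration, and treating a ServiceAccessSecurityGroup on a non-private subnet as a finding is this example's reading of "applies only to clusters in private subnets".

```python
MAX_ADDITIONAL = 4  # the page allows up to four additional groups per role

def as_list(value):
    """The CLI accepts one ID or a list of IDs; normalise to a list."""
    if not value:
        return []
    return [value] if isinstance(value, str) else list(value)

def check_ec2_attributes(attrs, private_subnet):
    """Return rule violations for a dict keyed by the page's parameter names.

    An empty list means the combination is consistent with the stated rules.
    """
    primary = attrs.get("EmrManagedPrimarySecurityGroup")
    core = attrs.get("EmrManagedCoreSecurityGroup")
    service = attrs.get("ServiceAccessSecurityGroup")
    additional = {key: as_list(attrs.get(key)) for key in
                  ("AdditionalPrimarySecurityGroups", "AdditionalCoreSecurityGroups")}
    problems = []
    # Custom managed groups for primary and core must be given together.
    if bool(primary) != bool(core):
        problems.append("managed-pair: primary and core managed groups must both be set")
    if (primary or core) and private_subnet and not service:
        problems.append("service-access-missing: private subnet needs ServiceAccessSecurityGroup")
    if service and not private_subnet:
        problems.append("service-access-public: applies only to private subnets")
    if service and not primary:
        problems.append("service-access-orphan: requires EmrManagedPrimarySecurityGroup")
    for key, groups in additional.items():
        if len(groups) > MAX_ADDITIONAL:
            problems.append(f"too-many: {key} has {len(groups)}, limit {MAX_ADDITIONAL}")
    # The service access group is reserved for EMR and must not be reused.
    others = [primary, core] + [g for groups in additional.values() for g in groups]
    if service and service in others:
        problems.append("service-access-shared: ServiceAccessSecurityGroup reused in another role")
    return problems

# Constructed sample with the same shape as the CLI example (IDs are made up).
SAMPLE = {
    "ServiceAccessSecurityGroup": "sg-0000000000000001",
    "EmrManagedPrimarySecurityGroup": "sg-0000000000000002",
    "EmrManagedCoreSecurityGroup": "sg-0000000000000003",
    "AdditionalPrimarySecurityGroups": ["sg-0000000000000004", "sg-0000000000000005"],
    "AdditionalCoreSecurityGroups": "sg-0000000000000006",
}

if __name__ == "__main__":
    for problem in check_ec2_attributes(SAMPLE, private_subnet=True) or ["no violations"]:
        print(problem)
```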