
Block or Unblock STS endpoint access

EMRFS has a security weakness that AWS itself documents: any user who can log in to an EMR cluster can call the AWS Security Token Service (STS) to assume an IAM role mapped for EMRFS and read whatever S3 data that role is allowed to read. To mitigate this, Privacera installs IPTables rules on the cluster nodes that block access to the STS endpoints for all users except application superusers such as hadoop, hive, presto, and yarn. Users outside that list cannot make AssumeRole requests to STS, so they cannot obtain role credentials for S3 by this route. Note that this control only filters network traffic to the STS endpoints; it does not change what the cluster's EC2 instance profile role is itself permitted to do.

Block or unblock STS endpoint access for specific users

To block or unblock STS access for certain users on the cluster, follow these steps:

  1. SSH into the instance where Privacera Manager is installed.
  2. Run the following command to edit the vars.emr.yml file:
    Bash
    cd ~/privacera/privacera-manager
    vi config/custom-vars/vars.emr.yml
    
  3. Modify the following properties:

    EMR_BLOCK_STS_ENDPOINTS
      Description: Enables or disables blocking of AWS STS endpoint access on the EMR cluster. When set to true, non-privileged users are blocked from making STS requests.
      Default value: true
      Possible values: true, false

    EMR_STS_STATE
      Description: Defines whether STS is blocked or unblocked for the cluster.
      - block: Blocks STS for all users except those in EMR_STS_USERS_LIST.
      - unblock: Unblocks STS for the users in EMR_STS_USERS_LIST.
      - unblock_all: Removes all STS restrictions, allowing every user to access STS.
      Default value: unblock
      Possible values: block, unblock, unblock_all

    EMR_STS_USERS_LIST
      Description: Comma-separated list of users exempted from STS blocking. When EMR_BLOCK_STS_ENDPOINTS is true, only the users in this list can reach STS; all other users are blocked.
      Default value: hive,presto,trino
      Possible values: comma-separated list of user names
  4. Once the properties are configured, apply them to the Privacera Manager platform instance by running:

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    

Block or Unblock STS for Users on Running EMR Clusters

The block_sts_endpoints.sh script controls access to the AWS Security Token Service (STS) endpoints from an EMR cluster node. It can block or unblock STS requests for specific users or for all users on the node. To block or unblock certain users (including the hadoop user) on a running EMR cluster, follow these steps:

  1. SSH into the EMR master and core nodes. IPTables rules are local to each node, so repeat the steps below on every node.
  2. Change to the directory that contains the script:
    Bash
    cd /opt/privacera/downloads/scripts
    
  3. Run the following commands based on your requirement:

    1. Unblock STS access for specific users:
      Bash
      sudo sh block_sts_endpoints.sh unblock <user>,hadoop,trino
      
      This command updates the IPTables rules to allow the listed users to access the STS endpoints. The argument is a comma-separated list of user names.
    2. Unblock STS access for all users:
      Bash
      sudo sh block_sts_endpoints.sh unblock_all
      
      This command removes all STS endpoint access restrictions, allowing unrestricted access.
    3. Block STS access for specific users (again a comma-separated list):
      Bash
      sudo sh block_sts_endpoints.sh block <user>
      
      This command adds IPTables rules to prevent the specified user from accessing STS endpoints.

Important

Run the script while logged in as the hadoop user, invoking it with sudo as shown above. Running block_sts_endpoints.sh directly as the root user may produce incorrect IPTables rules.
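The following is an added example, not Privacera's block_sts_endpoints.sh and not code from this page, showing the IPTables mechanism that the sections above rely on: a dedicated chain hung off OUTPUT that lets listed users through by socket owner (the iptables owner match) and rejects everyone else's HTTPS traffic to the STS endpoints, plus a small audit helper that lists which users the live rules exempt so they can be compared with EMR_STS_USERS_LIST. The endpoint list, the chain name STS_FILTER, and the choice of REJECT over DROP are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration (not Privacera's block_sts_endpoints.sh) of how per-user
# STS blocking with IPTables works and how to audit it on a node.
# Assumptions made for this example: the STS endpoint list below, the
# hypothetical chain name STS_FILTER, and REJECT rather than DROP.

STS_ENDPOINTS="sts.amazonaws.com sts.us-east-1.amazonaws.com"  # assumed region
CHAIN="STS_FILTER"                                              # hypothetical name

# Print one ACCEPT rule per user in a comma-separated list.
# $1 is "-A" (append) or "-I" (insert at the top of the chain), $2 the list.
# --uid-owner takes a user name or numeric uid and matches on the owner of the
# socket, so a user cannot evade it by forking or renaming a process.
_accept_rules() {
  pos=""
  [ "$1" = "-I" ] && pos=" 1"
  old_ifs=$IFS; IFS=,
  for u in $2; do
    [ -n "$u" ] && printf 'iptables %s %s%s -m owner --uid-owner %s -j ACCEPT\n' "$1" "$CHAIN" "$pos" "$u"
  done
  IFS=$old_ifs
}

# sts_rules STATE [USERS]
#   block        block STS for everyone except USERS (like EMR_STS_STATE=block)
#   unblock      additionally exempt USERS (like EMR_STS_STATE=unblock)
#   unblock_all  remove the filter entirely
# The iptables commands are printed rather than executed so they can be
# reviewed first; apply them with, e.g.:  sts_rules block hadoop,hive | sudo sh
sts_rules() {
  state=$1
  users=$2
  case "$state" in
    block)
      # The owner match only exists in the OUTPUT chain, which is why the filter
      # lives on every node rather than at a network boundary.
      printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$CHAIN" "$CHAIN"
      _accept_rules -A "$users"
      # Everyone else gets a TCP reset, which fails fast instead of hanging.
      printf 'iptables -A %s -p tcp -j REJECT --reject-with tcp-reset\n' "$CHAIN"
      # Send HTTPS traffic for each STS endpoint through the chain, inserted at
      # position 1 so an earlier blanket ACCEPT in OUTPUT cannot shadow it.
      # iptables resolves the host name once, at insert time, and adds one rule
      # per address: re-apply after endpoint IPs change, and list every endpoint
      # the nodes can reach (global, regional, and any STS VPC endpoint).
      for ep in $STS_ENDPOINTS; do
        printf 'iptables -I OUTPUT 1 -p tcp --dport 443 -d %s -j %s\n' "$ep" "$CHAIN"
      done
      ;;
    unblock)
      _accept_rules -I "$users"
      ;;
    unblock_all)
      for ep in $STS_ENDPOINTS; do
        printf 'iptables -D OUTPUT -p tcp --dport 443 -d %s -j %s\n' "$ep" "$CHAIN"
      done
      printf 'iptables -F %s\niptables -X %s\n' "$CHAIN" "$CHAIN"
      ;;
    *)
      echo "usage: sts_rules block|unblock|unblock_all [user,user,...]" >&2
      return 1
      ;;
  esac
}

# sts_exempt_users RULES
# Given the output of `iptables -S STS_FILTER` (as a string, or "-" to read
# stdin), print the users that are allowed through, comma-separated, so the
# live rules on a node can be compared against EMR_STS_USERS_LIST.
sts_exempt_users() {
  if [ "$1" = "-" ]; then cat; else printf '%s\n' "$1"; fi |
    awk '/--uid-owner/ && /-j ACCEPT/ {
           for (i = 1; i <= NF; i++)
             if ($i == "--uid-owner") list = list (list == "" ? "" : ",") $(i + 1)
         }
         END { print list }'
}

# On a node:  iptables -S STS_FILTER | sts_exempt_users -
```

After applying rules, a quick end-to-end check is to run `aws sts get-caller-identity` as a non-exempt user (for example `sudo -u <user> aws sts get-caller-identity`), which should fail with a connection error, and then as hadoop, which should succeed; the audit helper above only confirms which users the rules exempt, not that the endpoint list covers every STS address the nodes can reach.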
