This rule detects termination of a EMR cluster. Impact The alert indicates the termination of an EMR cluster, potentially leading to abrupt cessation of data processing tasks, loss of computation progress, and disruption of ongoing operations. Mitigation Validate that the action was approved, investigate further if not. MITRE Tactic:TA0040 MITRE Technique:T1485

This alert indicates changes made to auto-scaling policies within an AWS EMR cluster. Impact Auto-scaling policy changes can impact cluster performance, resource allocation, cost management, and may affect the ability to handle varying workloads efficiently. Mitigation Validate that the action was approved, investigate further if not. MITRE Tactic: TA0005 MITRE Technique: T1098

This alert monitors the deletion of EMR security configurations. EMR security configurations are predefined settings that enhance the security of clusters. Impact This alert signifies a potential security or operational risk within Amazon EMR due to the deletion of a security configuration, which could result in unauthorized access or data breaches. Mitigation Monitor security configuration deletion and validate that the action was approved, investigate further if not. MITRE Tactic: TA0040 MITRE Technique: T1485

This alert monitors modifications made to instance groups within Amazon EMR. Instance groups in Amazon EMR are categorized sets of instances with specific roles within a cluster: master, core, and task instances. They optimize cluster management, storage, and computation for efficient data processing and analysis. Impact Changes to instance groups can affect cluster performance, resource allocation, and processing capabilities, potentially impacting data processing tasks. Mitigation Validate that the action was approved, investigate further if not. MITRE Tactic: TA0005 MITRE Technique: T1098

This alert monitors the creation of EMR security configurations. EMR security configurations in are predefined settings that enhance the security of clusters. Impact Creating security configurations can impact cluster security, access controls, and potentially introduce vulnerabilities if not properly configured. Mitigation Monitor security configuration creation and validate that the action was approved, investigate further if not. MITRE Tactic: TA0003 MITRE Technique: T1098

Detects when there are more than 10 failed access attempts by a single user within a 5-minute interval to list/describe cluster. Impact The alert indicates excessive denied access attempts to list or describe EMR clusters, potentially indicating unauthorized or abnormal activity that could strain resources and impact EMR operations. Mitigation Investigate the cause of the increased failed access attempts, ensure proper access controls are in place, and consider implementing strong authentication mechanisms such as IAM to prevent brute force or unauthorized access attempts. MITRE Tactic: TA0001 MITRE Technique: T1110

This alert triggers when a single user attempts more than 10 cluster creations within a 5-minute interval. Impact This alert indicates an excessive EMR cluster creation, potentially suggesting misconfigurations, operational issues, or security risks within the Amazon EMR environment. Mitigation Validate that the action was approved, investigate further if not. MITRE Tactic: TA0007 MITRE Technique: T1082

This alert triggers when a single user attempts more than 10 EMR Studio creations within a 5-minute interval. Impact This alert indicates an excessive EMR Studio creation, potentially suggesting misconfigurations, operational issues, or security risks within the Amazon EMR environment. Mitigation Validate that the action was approved, investigate further if not. MITRE Tactic: TA0007 MITRE Technique: T1082