diff --git a/emr/README.md b/emr/README.md
index a8c6895..4ca7e4f 100644
--- a/emr/README.md
+++ b/emr/README.md
@@ -44,6 +44,56 @@ Passing a null or empty list to this field will ignore the ingress setting on th
 To use all census networks but exclude cloud networks, you may use the prefix list `onprem-networks.core`.
 ```
 
+# Security Group Ports: egress
+
+Egress is not restricted. Each security group allows allows all egress traffic.
+
+| Source | Port(s) | Protocol | Usage | Comments |
+|--------|---------|----------|-------|----------|
+| ALL | ALL | ALL | ALL ||
+
+# Security Group Ports: ingress
+
+## emr-master-node
+
+| Source | Port(s) | Protocol | Usage | Comments |
+|--------|---------|----------|-------|----------|
+| ingress\_prefix\_list\_names (all-census.core)<BR> ingress\_networks | 22 | TCP | SSH | |
+| ingress\_prefix\_list\_names (all-census.core)<BR> ingress\_networks | 80 | TCP | HTTP | |
+| ingress\_prefix\_list\_names (all-census.core)<BR> ingress\_networks | 443 | TCP | HTTPS | |
+| ingress\_prefix\_list\_names (all-census.core)<BR> ingress\_networks | 8088 | TCP | Resource Manager | |
+| ingress\_prefix\_list\_names (all-census.core)<BR> ingress\_networks | 9870 | TCP | HDFS Name Node | |
+| ingress\_prefix\_list\_names (all-census.core)<BR> ingress\_networks | 18080 | TCP | Spark History Server | |
+| emr-core-tasks-node, emr-studio, emr-service-access | ALL | ALL | ALL | |
+| self | ALL | ALL | ALL | |
+
+## emr-core-tasks-node
+
+| Source | Port(s) | Protocol | Usage | Comments |
+|--------|---------|----------|-------|----------|
+| ingress\_prefix\_list\_names (all-census.core)<BR> ingress\_networks | 9864 | TCP | HDFS Data Node | |
+| ingress\_prefix\_list\_names (all-census.core)<BR> ingress\_networks | 8042 | TCP | Node Manager | |
+| emr-master-node, emr-service-access | ALL | ALL | ALL | |
+| self | ALL | ALL | ALL | |
+
+## emr-service-access
+
+| Source | Port(s) | Protocol | Usage | Comments |
+|--------|---------|----------|-------|----------|
+| emr-master-node | 9443 | TCP | Master Node | |
+
+## emr-studio-engine
+
+| Source | Port(s) | Protocol | Usage | Comments |
+|--------|---------|----------|-------|----------|
+| emr-studio | 18888| TCP | EMR Studio | |
+
+## emr-studio-
+
+| Source | Port(s) | Protocol | Usage | Comments |
+|--------|---------|----------|-------|----------|
+| (none) | | | | |
+
 ## Requirements
 
 | Name | Version |
@@ -79,11 +129,11 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_description_prefix"></a> [description\_prefix](#input\_description\_prefix) | Security Group Description Prefix | `string` | `"Security Group"` | no |
-| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports). Use null to disable built-in settings | `list(string)` | `[]` | no |
-| <a name="input_ingress_prefix_list_names"></a> [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | <pre>[<br>  "all-networks.core"<br>]</pre> | no |
+| <a name="input_ingress_prefix_list_names"></a> [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | <pre>[<br/>  "all-networks.core"<br/>]</pre> | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Security Group Name Prefix | `string` | n/a | yes |
-| <a name="input_tags"></a> [tags](#input\_tags) | Tags | `map(any)` | <pre>{<br>  "CostAllocation": "csvd:infrastructure",<br>  "Environment": "infrastructure"<br>}</pre> | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags | `map(any)` | <pre>{<br/>  "CostAllocation": "csvd:infrastructure",<br/>  "Environment": "infrastructure"<br/>}</pre> | no |
 | <a name="input_use_vpc_cidr"></a> [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
 
diff --git a/emr/main.tf b/emr/main.tf
index 2e1ca8b..21b6c76 100644
--- a/emr/main.tf
+++ b/emr/main.tf
@@ -44,6 +44,56 @@
 * Passing a null or empty list to this field will ignore the ingress setting on these networks.
 * To use all census networks but exclude cloud networks, you may use the prefix list `onprem-networks.core`.
 * ```
+*
+* # Security Group Ports: egress
+* 
+* Egress is not restricted. Each security group allows allows all egress traffic.
+* 
+* | Source | Port(s) | Protocol | Usage | Comments |
+* |--------|---------|----------|-------|----------|
+* | ALL | ALL | ALL | ALL || 
+* 
+* # Security Group Ports: ingress
+* 
+* ## emr-master-node
+* 
+* | Source | Port(s) | Protocol | Usage | Comments |
+* |--------|---------|----------|-------|----------|
+* | ingress_prefix_list_names (all-census.core)<BR> ingress_networks | 22 | TCP | SSH | |
+* | ingress_prefix_list_names (all-census.core)<BR> ingress_networks | 80 | TCP | HTTP | |
+* | ingress_prefix_list_names (all-census.core)<BR> ingress_networks | 443 | TCP | HTTPS | |
+* | ingress_prefix_list_names (all-census.core)<BR> ingress_networks | 8088 | TCP | Resource Manager | |
+* | ingress_prefix_list_names (all-census.core)<BR> ingress_networks | 9870 | TCP | HDFS Name Node | |
+* | ingress_prefix_list_names (all-census.core)<BR> ingress_networks | 18080 | TCP | Spark History Server | |
+* | emr-core-tasks-node, emr-studio, emr-service-access | ALL | ALL | ALL | |
+* | self | ALL | ALL | ALL | |
+* 
+* ## emr-core-tasks-node
+* 
+* | Source | Port(s) | Protocol | Usage | Comments |
+* |--------|---------|----------|-------|----------|
+* | ingress_prefix_list_names (all-census.core)<BR> ingress_networks | 9864 | TCP | HDFS Data Node | |
+* | ingress_prefix_list_names (all-census.core)<BR> ingress_networks | 8042 | TCP | Node Manager | |
+* | emr-master-node, emr-service-access | ALL | ALL | ALL | |
+* | self | ALL | ALL | ALL | |
+* 
+* ## emr-service-access
+* 
+* | Source | Port(s) | Protocol | Usage | Comments |
+* |--------|---------|----------|-------|----------|
+* | emr-master-node | 9443 | TCP | Master Node | |
+* 
+* ## emr-studio-engine
+* 
+* | Source | Port(s) | Protocol | Usage | Comments |
+* |--------|---------|----------|-------|----------|
+* | emr-studio | 18888| TCP | EMR Studio | |
+* 
+* ## emr-studio-
+* 
+* | Source | Port(s) | Protocol | Usage | Comments |
+* |--------|---------|----------|-------|----------|
+* | (none) | | | | |
 */
 
 data "aws_vpc" "this_vpc" {