EMR cluster is not configured with SSE KMS for data at rest encryption (Amazon S3 with EMRFS)
Description
Enabling Amazon S3 server-side encryption with AWS Key Management Service (SSE-KMS) in your Amazon Elastic MapReduce (EMR) cluster's security configuration helps protect the data stored by your cluster.
SSE-KMS uses a customer master key (CMK) in AWS KMS to encrypt and decrypt data stored in Amazon S3.
Fix - Buildtime
Terraform
- Resource: aws_emr_security_configuration
- Argument: EnableAtRestEncryption
aws_emr_security_configuration.test.tf

```hcl
resource "aws_emr_security_configuration" "test" {
  …
  configuration = <<EOF
{
  "EncryptionConfiguration": {
    "EnableAtRestEncryption": true,
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
+       "EncryptionMode": "SSE-KMS",
+       "AwsKmsKey": "${module.encryption_module.kms_key_alias}"
      },
      "LocalDiskEncryptionConfiguration": {
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "${module.encryption_module.kms_key_alias}"
      }
    },
    "EnableInTransitEncryption": true
  }
}
EOF
}
```
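One way to check a rendered security configuration for the settings this policy requires, as an added example that is not part of the original page or of any scanner's own code. It assumes the input is the JSON string passed to `configuration` after Terraform interpolation; the function name and the sample key alias are hypothetical.

```python
import json

def check_emr_s3_sse_kms(configuration_json: str) -> list:
    """Return findings for an EMR security configuration (JSON string).
    An empty list means S3 (EMRFS) at-rest encryption uses SSE-KMS with a key."""
    try:
        doc = json.loads(configuration_json)
    except json.JSONDecodeError as exc:
        return [f"configuration is not valid JSON: {exc.msg}"]
    enc = doc.get("EncryptionConfiguration") if isinstance(doc, dict) else None
    if not isinstance(enc, dict):
        return ["EncryptionConfiguration block is missing"]
    findings = []
    # The S3 settings only take effect when at-rest encryption is switched on.
    if enc.get("EnableAtRestEncryption") is not True:
        findings.append("EnableAtRestEncryption is not true")
    at_rest = enc.get("AtRestEncryptionConfiguration")
    s3 = at_rest.get("S3EncryptionConfiguration") if isinstance(at_rest, dict) else None
    if not isinstance(s3, dict):
        findings.append("S3EncryptionConfiguration is missing")
        return findings
    mode = s3.get("EncryptionMode")
    if mode != "SSE-KMS":
        # Other modes (for example SSE-S3) do not satisfy this policy.
        findings.append(f"EncryptionMode is {mode!r}, expected 'SSE-KMS'")
    elif not s3.get("AwsKmsKey"):
        findings.append("SSE-KMS is set but AwsKmsKey is empty or missing")
    return findings

# Constructed sample inputs (the key alias is a placeholder, not a real key).
COMPLIANT = json.dumps({"EncryptionConfiguration": {
    "EnableAtRestEncryption": True,
    "AtRestEncryptionConfiguration": {"S3EncryptionConfiguration": {
        "EncryptionMode": "SSE-KMS", "AwsKmsKey": "alias/example-emr-key"}}}})
SSE_S3_ONLY = json.dumps({"EncryptionConfiguration": {
    "EnableAtRestEncryption": True,
    "AtRestEncryptionConfiguration": {"S3EncryptionConfiguration": {
        "EncryptionMode": "SSE-S3"}}}})

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("sse-s3", SSE_S3_ONLY)):
        print(name, check_emr_s3_sse_kms(cfg) or "PASS")
```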