EMR cluster is not configured with SSE KMS for data at rest encryption (Amazon S3 with EMRFS)

Description

Enabling Amazon S3 Server-Side Encryption with AWS Key Management Service (SSE-KMS) in your Amazon Elastic MapReduce (EMR) cluster's security configuration helps protect the data the cluster reads from and writes to Amazon S3 through EMRFS.
SSE-KMS uses a customer master key (CMK) in AWS KMS to encrypt and decrypt the objects stored in Amazon S3, so access to the data is governed by the key policy in addition to the S3 bucket policy.

Fix - Buildtime

Terraform

  • Resource: aws_emr_security_configuration
  • Argument: EnableAtRestEncryption

aws_emr_security_configuration.test.tf

```go
resource "aws_emr_security_configuration" "test" {
  ...
  configuration = <<EOF
{
  "EncryptionConfiguration": {
    "EnableAtRestEncryption": true,
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
+       "EncryptionMode": "SSE-KMS",
+       "AwsKmsKey": "${module.encryption_module.kms_key_alias}"
      },
      "LocalDiskEncryptionConfiguration": {
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "${module.encryption_module.kms_key_alias}"
      }
    },
    "EnableInTransitEncryption": true
  }
}
EOF
}
```
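The fix above shows what the security configuration should contain; the check below verifies that a configuration document actually satisfies it. It is an added example written for this page, not Checkov's or Prisma Cloud's own implementation of the policy. It assumes the JSON document shape shown in the Terraform snippet (`EncryptionConfiguration` > `EnableAtRestEncryption` > `AtRestEncryptionConfiguration` > `S3EncryptionConfiguration`) and, for the second helper, the `Name` and `SecurityConfiguration` fields returned by the EMR `DescribeSecurityConfiguration` API (where the configuration arrives as a JSON string). The key alias, configuration name and timestamp are constructed sample values.

```python
"""Check an EMR security configuration for SSE-KMS on S3 (EMRFS) at-rest data.

Added example for this page; not part of Checkov or Prisma Cloud.
"""
import json
from typing import Any, Dict, Tuple, Union

# The page's policy requires exactly this S3 encryption mode.
EXPECTED_MODE = "SSE-KMS"


def s3_at_rest_uses_sse_kms(
    security_configuration: Union[str, Dict[str, Any]]
) -> Tuple[bool, str]:
    """Evaluate one EMR security configuration document.

    Accepts the configuration either as the raw JSON string placed in the
    Terraform `configuration` argument (or the API's SecurityConfiguration
    field) or as an already-parsed dict. Returns (compliant, reason).
    """
    if isinstance(security_configuration, str):
        try:
            cfg = json.loads(security_configuration)
        except json.JSONDecodeError as exc:
            return False, f"configuration is not valid JSON: {exc}"
    else:
        cfg = security_configuration

    enc = cfg.get("EncryptionConfiguration") or {}
    # At-rest encryption must be switched on before the S3 settings matter.
    if enc.get("EnableAtRestEncryption") is not True:
        return False, "EnableAtRestEncryption is not true"

    at_rest = enc.get("AtRestEncryptionConfiguration") or {}
    s3 = at_rest.get("S3EncryptionConfiguration") or {}
    mode = s3.get("EncryptionMode")
    if mode != EXPECTED_MODE:
        return False, f"S3 EncryptionMode is {mode!r}, expected {EXPECTED_MODE!r}"
    # SSE-KMS without an explicit key would not bind the data to a CMK.
    if not s3.get("AwsKmsKey"):
        return False, "EncryptionMode is SSE-KMS but AwsKmsKey is missing"
    return True, "S3 (EMRFS) at-rest encryption uses SSE-KMS with an explicit KMS key"


def evaluate_describe_output(describe_output: Dict[str, Any]) -> Tuple[str, bool, str]:
    """Evaluate the response of `aws emr describe-security-configuration`.

    Assumed response shape: the configuration is a JSON *string* in the
    "SecurityConfiguration" field, so it is unwrapped before checking.
    """
    name = describe_output.get("Name", "<unnamed>")
    compliant, reason = s3_at_rest_uses_sse_kms(
        describe_output.get("SecurityConfiguration", "")
    )
    return name, compliant, reason


# Constructed sample configurations (the key alias is a placeholder).
SAMPLE_KEY = "alias/emr-example-key"

COMPLIANT = {
    "EncryptionConfiguration": {
        "EnableAtRestEncryption": True,
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {
                "EncryptionMode": "SSE-KMS",
                "AwsKmsKey": SAMPLE_KEY,
            },
            "LocalDiskEncryptionConfiguration": {
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": SAMPLE_KEY,
            },
        },
        "EnableInTransitEncryption": True,
    }
}

# Same document but S3 uses SSE-S3 (S3-managed keys): fails the policy.
SSE_S3 = json.loads(json.dumps(COMPLIANT))
SSE_S3["EncryptionConfiguration"]["AtRestEncryptionConfiguration"][
    "S3EncryptionConfiguration"] = {"EncryptionMode": "SSE-S3"}

# At-rest encryption disabled entirely.
AT_REST_DISABLED = {"EncryptionConfiguration": {"EnableAtRestEncryption": False}}

# SSE-KMS selected but no key named.
MISSING_KEY = json.loads(json.dumps(COMPLIANT))
MISSING_KEY["EncryptionConfiguration"]["AtRestEncryptionConfiguration"][
    "S3EncryptionConfiguration"] = {"EncryptionMode": "SSE-KMS"}

# Constructed DescribeSecurityConfiguration-style response.
DESCRIBE_OUTPUT = {
    "Name": "example-sec-config",
    "SecurityConfiguration": json.dumps(COMPLIANT),
    "CreationDateTime": "2024-01-01T00:00:00Z",
}

if __name__ == "__main__":
    for label, doc in [("compliant", COMPLIANT), ("sse-s3", SSE_S3),
                       ("disabled", AT_REST_DISABLED), ("no-key", MISSING_KEY)]:
        ok, why = s3_at_rest_uses_sse_kms(doc)
        print(f"{label:>10}: {'PASS' if ok else 'FAIL'} - {why}")
    print(evaluate_describe_output(DESCRIBE_OUTPUT))
```

The check is deliberately strict: a configuration that enables at-rest encryption but leaves S3 on SSE-S3, or that selects SSE-KMS without naming a key, is reported as failing with the reason, which is what you want when feeding results into a CI gate alongside the Terraform scan.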