EMR Security

EMR Cluster Security Configuration

Create an EMR cluster security configuration to configure data encryption at rest and in transit, as well as Kerberos authentication. A security configuration is specified when creating a new cluster and can be reused for any number of clusters.

The following security settings can be configured:

  • S3 Encryption: Determine how Amazon EMR encrypts Amazon S3 data with EMRFS.
  • Local Disk Encryption: Specify how data on EMR clusters is encrypted.
  • In-Transit Encryption: Enable the open-source TLS encryption features for in-transit data.
  • Kerberos Authentication: Amazon EMR can utilize Kerberos for the applications, components, and subsystems that it installs on the cluster so that they are authenticated with each other.
AWS Documentation: Use EMR Security Configurations to Set Up Cluster Security
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  EmrSecurityConfiguration:
    Type: "AWS::EMR::SecurityConfiguration"
    Properties:
      Name: "EMR Security Configuration"
      SecurityConfiguration:
        EncryptionConfiguration:
          AtRestEncryptionConfiguration:
            S3EncryptionConfiguration:
              EncryptionMode: "SSE-KMS"
              AwsKmsKey:
                Ref: "S3KmsCmkEmrSecurityConfiguration"
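          EnableAtRestEncryption: true
          # In-transit encryption is left off in this template; turning it on also
          # requires an InTransitEncryptionConfiguration with TLS certificate settings.
          EnableInTransitEncryption: false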
  S3KmsCmkEmrSecurityConfiguration:
    Type: "AWS::KMS::Key"
    Properties:
      EnableKeyRotation: true
      Description: "KMS Key for S3 encryption"
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  -
                    - "arn:aws:iam::"
                    - Ref: "AWS::AccountId"
                    - ":root"
            Action: "kms:*"
            Resource: "*"
Parameters: {}
Metadata: {}
Conditions: {}
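
The template above turns on only one of the four settings listed earlier (S3 encryption). The following check is an added example, not part of the original template: it reads a security configuration document and reports which of the four settings are actually in effect. The function names, the sample document and the placeholder key ARN are constructed for illustration.

```python
import json

# Constructed sample: the SecurityConfiguration body from the template above,
# with the KMS key reference replaced by a placeholder ARN.
TEMPLATE_CONFIG = json.loads("""
{
  "EncryptionConfiguration": {
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
        "EncryptionMode": "SSE-KMS",
        "AwsKmsKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-PLACEHOLDER"
      }
    },
    "EnableAtRestEncryption": true,
    "EnableInTransitEncryption": false
  }
}
""")


def audit_security_configuration(config):
    """Return {setting name: enabled?} for the four settings listed on this page."""
    enc = config.get("EncryptionConfiguration", {})
    # Sub-blocks under AtRestEncryptionConfiguration only count when the flag is on.
    at_rest_on = enc.get("EnableAtRestEncryption") is True
    at_rest = enc.get("AtRestEncryptionConfiguration", {}) if at_rest_on else {}
    in_transit_on = enc.get("EnableInTransitEncryption") is True
    tls = enc.get("InTransitEncryptionConfiguration", {}).get("TLSCertificateConfiguration")
    kerberos = config.get("AuthenticationConfiguration", {}).get("KerberosConfiguration")
    s3 = at_rest.get("S3EncryptionConfiguration", {})
    disk = at_rest.get("LocalDiskEncryptionConfiguration", {})
    return {
        "S3 Encryption": bool(s3.get("EncryptionMode")),
        "Local Disk Encryption": bool(disk.get("EncryptionKeyProviderType")),
        # The enable flag alone is not enough: a TLS certificate provider is needed too.
        "In-Transit Encryption": in_transit_on and bool(tls),
        "Kerberos Authentication": bool(kerberos),
    }


def missing_settings(config):
    """Names of the listed settings that the configuration leaves off."""
    return [name for name, ok in audit_security_configuration(config).items() if not ok]


if __name__ == "__main__":
    for name, ok in audit_security_configuration(TEMPLATE_CONFIG).items():
        print(f"{'ON ' if ok else 'OFF'} {name}")
```

For a deployed configuration, the EMR DescribeSecurityConfiguration API returns the same document as a JSON string, which can be passed through `json.loads` and into `audit_security_configuration`.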
