Disk Encryption
EMR
To encrypt the local disks of EMR workloads, perform the following actions:
[1] Create a new KMS customer managed key (CMK) to be used for encryption, with the key policy below (substitute <account-id> with your AWS account id). The policy grants key use to EMR_EC2_DefaultRole, the EC2 instance profile role that EMR cluster instances run under; if your clusters use a different instance profile role, name that role instead, otherwise the nodes cannot decrypt their disks:
{
  "Id": "encryption-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-id>:role/EMR_EC2_DefaultRole"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-id>:role/EMR_EC2_DefaultRole"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
[2] Create a new EMR security configuration with the configuration below (substitute <kms-arn> with the ARN of the KMS key created in the previous step):
{
  "EncryptionConfiguration": {
    "EnableInTransitEncryption": false,
    "EnableAtRestEncryption": true,
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
        "EncryptionMode": "SSE-S3"
      },
      "LocalDiskEncryptionConfiguration": {
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "<kms-arn>"
      }
    }
  },
  "InstanceMetadataServiceConfiguration": {
    "MinimumInstanceMetadataServiceVersion": 2,
    "HttpPutResponseHopLimit": 1
  }
}
[3] Configure your EMR workloads to use the security configuration created in the previous step.
For example, if you use Step Functions to trigger your EMR jobs, add the SecurityConfiguration parameter to the state that creates the cluster:
{
  "States": {
    "SPIN_UP_THE_CLUSTER": {
      "Parameters": {
        "ReleaseLabel": "emr-5.32.0",
        "SecurityConfiguration": "<security-configuration-name>",
        ...
      }
    }
  }
}
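The three steps above hinge on two placeholder substitutions (<account-id> in the key policy, <kms-arn> in the security configuration) that are easy to forget or get wrong, and a forgotten substitution only shows up when cluster nodes fail to decrypt their disks. The following Python script, added here as an example and not part of the original page, renders both documents from the page's templates and lints them before they are submitted: the key policy must grant kms:* only to the account root and must keep the kms:GrantIsForAWSResource condition on the grant actions, and the security configuration must use AwsKms local-disk encryption with a real key ARN and require IMDSv2. The account id, region and key id are constructed sample values; EMR_EC2_DefaultRole is the role from the page.

```python
import json
import re

# Constructed sample inputs for this example (placeholders, not real identifiers).
ACCOUNT_ID = "123456789012"
EMR_ROLE = "EMR_EC2_DefaultRole"  # EC2 instance profile role used on the page
KMS_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"

# Actions the page grants to the cluster role: data-key use, and grants for AWS-managed resources.
KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def build_key_policy(account_id, role_name):
    """Render the page's CMK key policy with the account id and instance profile role substituted."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    return {
        "Id": "encryption-policy",
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": [role_arn]},
             "Action": list(KEY_USE_ACTIONS), "Resource": "*"},
            {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
             "Principal": {"AWS": [role_arn]},
             "Action": list(GRANT_ACTIONS), "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def build_security_configuration(kms_key_arn):
    """Render the page's EMR security configuration with the key ARN substituted."""
    return {
        "EncryptionConfiguration": {
            "EnableInTransitEncryption": False,
            "EnableAtRestEncryption": True,
            "AtRestEncryptionConfiguration": {
                "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"},
                "LocalDiskEncryptionConfiguration": {
                    "EncryptionKeyProviderType": "AwsKms",
                    "AwsKmsKey": kms_key_arn,
                },
            },
        },
        "InstanceMetadataServiceConfiguration": {
            "MinimumInstanceMetadataServiceVersion": 2,
            "HttpPutResponseHopLimit": 1,
        },
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_key_policy(policy, account_id):
    """Return findings for Allow statements that widen the page's key policy; empty list means clean."""
    findings = []
    root_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = _as_list(stmt.get("Action", []))
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in principals:  # anyone on AWS could use the key
            findings.append(f"{sid}: principal is '*'")
        if "kms:*" in actions and principals != [root_arn]:  # key administration belongs to root only
            findings.append(f"{sid}: kms:* granted to non-root principal")
        if any(a in GRANT_ACTIONS for a in actions):  # grants only for AWS services acting on the caller's behalf
            cond = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if str(cond).lower() != "true":
                findings.append(f"{sid}: grant actions lack kms:GrantIsForAWSResource condition")
    return findings


def lint_security_configuration(cfg):
    """Return findings where the configuration does not enforce KMS local-disk encryption and IMDSv2."""
    findings = []
    enc = cfg.get("EncryptionConfiguration", {})
    if enc.get("EnableAtRestEncryption") is not True:
        findings.append("EnableAtRestEncryption is not true")
    local = enc.get("AtRestEncryptionConfiguration", {}).get("LocalDiskEncryptionConfiguration", {})
    if local.get("EncryptionKeyProviderType") != "AwsKms":
        findings.append("local disk encryption does not use AwsKms")
    # Assumes a key ARN (not an alias ARN), the form the page uses; catches an unsubstituted <kms-arn>.
    if not re.fullmatch(r"arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}", str(local.get("AwsKmsKey", ""))):
        findings.append("AwsKmsKey is not a KMS key ARN (placeholder not substituted?)")
    if cfg.get("InstanceMetadataServiceConfiguration", {}).get("MinimumInstanceMetadataServiceVersion") != 2:
        findings.append("IMDSv2 is not required")
    return findings


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, EMR_ROLE)
    config = build_security_configuration(KMS_KEY_ARN)
    print("key policy findings:", lint_key_policy(policy, ACCOUNT_ID))
    print("security configuration findings:", lint_security_configuration(config))
    with open("key-policy.json", "w") as f:
        json.dump(policy, f, indent=2)
    with open("security-configuration.json", "w") as f:
        json.dump(config, f, indent=2)
```

Run it with your own account id and key ARN, then submit the written files with `aws kms create-key --policy file://key-policy.json` for step [1] and `aws emr create-security-configuration --name <security-configuration-name> --security-configuration file://security-configuration.json` for step [2]; the lint functions can also be pointed at an existing policy or configuration exported from the account to confirm it still matches the page's intent.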