Enable local-disk encryption for EMR clusters.
Default Severity: high
Explanation
Data stored within an EMR instances should be encrypted to ensure sensitive data is kept private.
Possible Impact
Local-disk data in the EMR cluster could be compromised if accessed.
Suggested Resolution
Enable local-disk encryption for EMR cluster
Insecure Example
The following example will fail the aws-emr-enable-local-disk-encryption check.
resource "aws_emr_security_configuration" "bad_example" {
name = "emrsc_other"
configuration = <<EOF
{
"EncryptionConfiguration": {
"AtRestEncryptionConfiguration": {
"S3EncryptionConfiguration": {
"EncryptionMode": "SSE-S3"
},
"LocalDiskEncryptionConfiguration": {
"EncryptionKeyProviderType": "",
"AwsKmsKey": ""
}
},
"EnableInTransitEncryption": false,
"EnableAtRestEncryption": false
}
}
EOF
}
Secure Example
The following example will pass the aws-emr-enable-local-disk-encryption check.
resource "aws_emr_security_configuration" "good_example" {
name = "emrsc_other"
configuration = <<EOF
{
"EncryptionConfiguration": {
"AtRestEncryptionConfiguration": {
"S3EncryptionConfiguration": {
"EncryptionMode": "SSE-S3"
},
"LocalDiskEncryptionConfiguration": {
"EncryptionKeyProviderType": "AwsKms",
"AwsKmsKey": "arn:aws:kms:us-west-2:187416307283:alias/tf_emr_test_key"
}
},
"EnableInTransitEncryption": true,
"EnableAtRestEncryption": true
}
}
EOF
}