Skip to content

Enable local-disk encryption for EMR clusters.

Default Severity: high

Explanation

Data stored within an EMR instances should be encrypted to ensure sensitive data is kept private.

Possible Impact

Local-disk data in the EMR cluster could be compromised if accessed.

Suggested Resolution

Enable local-disk encryption for EMR cluster

Insecure Example

The following example will fail the aws-emr-enable-local-disk-encryption check.

  resource "aws_emr_security_configuration" "bad_example" {
    name = "emrsc_other"

    configuration = <<EOF
  {
    "EncryptionConfiguration": {
      "AtRestEncryptionConfiguration": {
        "S3EncryptionConfiguration": {
          "EncryptionMode": "SSE-S3"
        },
        "LocalDiskEncryptionConfiguration": {
          "EncryptionKeyProviderType": "",
          "AwsKmsKey": ""
        }
      },
      "EnableInTransitEncryption": false,
      "EnableAtRestEncryption": false
    }
  }
  EOF
  }

Secure Example

The following example will pass the aws-emr-enable-local-disk-encryption check.

  resource "aws_emr_security_configuration" "good_example" {
    name = "emrsc_other"

    configuration = <<EOF
  {
    "EncryptionConfiguration": {
      "AtRestEncryptionConfiguration": {
        "S3EncryptionConfiguration": {
          "EncryptionMode": "SSE-S3"
        },
        "LocalDiskEncryptionConfiguration": {
          "EncryptionKeyProviderType": "AwsKms",
          "AwsKmsKey": "arn:aws:kms:us-west-2:187416307283:alias/tf_emr_test_key"
        }
      },
      "EnableInTransitEncryption": true,
      "EnableAtRestEncryption": true
    }
  }
  EOF
  }