Ensure EMR Cluster security configuration encryption uses SSE-KMS

Error: EMR cluster is not configured with SSE KMS for data at rest encryption (Amazon S3 with EMRFS)

Bridgecrew Policy ID: BC_AWS_GENERAL_94
Checkov Check ID: CKV_AWS_171
Severity: MEDIUM

Description

TBD

Fix - Buildtime

Terraform

  • Resource: aws_emr_security_configuration
  • Argument: EnableAtRestEncryption
resource "aws_emr_security_configuration" "test" {
  ...
  configuration = <<EOF
{
  "EncryptionConfiguration": {
    "EnableAtRestEncryption": true,
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
+       "EncryptionMode": "SSE-KMS",
+       "AwsKmsKey": "${module.encryption_module.kms_key_alias}"
      },
      "LocalDiskEncryptionConfiguration": {
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "${module.encryption_module.kms_key_alias}"
      }
    },
    "EnableInTransitEncryption": true
  }
}
EOF
}
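
The condition this fix satisfies can also be checked against a rendered security configuration before it is applied. The following is an added example, not Checkov's or Bridgecrew's own implementation of CKV_AWS_171. It assumes the `configuration` heredoc has already been rendered to a plain JSON string, and it treats a missing `AwsKmsKey` as a failure, which is an assumption of this example. The function name and the sample key alias are hypothetical.

```python
import json

def check_emr_s3_sse_kms(configuration_json):
    """Return (passed, reason) for one EMR security configuration JSON string."""
    try:
        doc = json.loads(configuration_json)
    except (TypeError, json.JSONDecodeError):
        return False, "configuration is not valid JSON"
    # Fail closed at every level: a missing block means no SSE-KMS for EMRFS.
    enc = doc.get("EncryptionConfiguration") if isinstance(doc, dict) else None
    if not isinstance(enc, dict):
        return False, "EncryptionConfiguration missing"
    if enc.get("EnableAtRestEncryption") is not True:
        return False, "EnableAtRestEncryption is not true"
    at_rest = enc.get("AtRestEncryptionConfiguration")
    s3 = at_rest.get("S3EncryptionConfiguration") if isinstance(at_rest, dict) else None
    if not isinstance(s3, dict):
        return False, "S3EncryptionConfiguration missing"
    mode = s3.get("EncryptionMode")
    if mode != "SSE-KMS":
        return False, f"EncryptionMode is {mode!r}, expected 'SSE-KMS'"
    if not s3.get("AwsKmsKey"):  # assumption of this example: key must be named
        return False, "AwsKmsKey missing for SSE-KMS"
    return True, "S3 at-rest encryption uses SSE-KMS"

def _sample(s3_block, at_rest_enabled=True):
    """Build a constructed configuration document around one S3 block."""
    return json.dumps({"EncryptionConfiguration": {
        "EnableAtRestEncryption": at_rest_enabled,
        "AtRestEncryptionConfiguration": {"S3EncryptionConfiguration": s3_block},
        "EnableInTransitEncryption": True,
    }})

# Constructed sample inputs; "alias/example-emr-key" is a placeholder alias.
SAMPLES = {
    "sse-kms": _sample({"EncryptionMode": "SSE-KMS",
                        "AwsKmsKey": "alias/example-emr-key"}),
    "sse-s3": _sample({"EncryptionMode": "SSE-S3"}),
    "kms-no-key": _sample({"EncryptionMode": "SSE-KMS"}),
    "at-rest-off": _sample({"EncryptionMode": "SSE-KMS",
                            "AwsKmsKey": "alias/example-emr-key"}, False),
    "empty": "{}",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        passed, reason = check_emr_s3_sse_kms(cfg)
        print(f"{name:12} {'PASS' if passed else 'FAIL'}  {reason}")
```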