Ensure EMR Cluster security configuration encryption uses SSE-KMS

Error: EMR cluster is not configured with SSE KMS for data at rest encryption (Amazon S3 with EMRFS)

Bridgecrew Policy ID: BC_AWS_GENERAL_94
Checkov Check ID: CKV_AWS_171
Severity: MEDIUM


Description

Enabling Amazon S3 server-side encryption with AWS Key Management Service keys (SSE-KMS) in your Amazon EMR cluster's security configuration protects the data that EMRFS reads from and writes to Amazon S3.
With SSE-KMS, objects are encrypted under a KMS key (formerly called a customer master key, CMK) that you control: the key policy decides which principals can decrypt, every use of the key is recorded in AWS CloudTrail, and the key can be rotated or disabled independently of the bucket. With the alternative SSE-S3 mode the keys are managed entirely by Amazon S3, so none of that control or audit trail is available.
The KMS key must be in the same Region as the cluster and the S3 buckets, and the cluster's EC2 instance profile role must be allowed to use it (kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey); otherwise EMRFS reads and writes fail once SSE-KMS is enabled.

Fix - Buildtime

Terraform

  • Resource: aws_emr_security_configuration
  • Argument: configuration (set EncryptionMode to SSE-KMS under AtRestEncryptionConfiguration.S3EncryptionConfiguration and supply the key in AwsKmsKey)
resource "aws_emr_security_configuration" "test" {
  ...
  configuration = <<EOF
{
  "EncryptionConfiguration": {
    "EnableAtRestEncryption": true,
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
+       "EncryptionMode": "SSE-KMS",
+       "AwsKmsKey": "${module.encryption_module.kms_key_alias}"
      },
      "LocalDiskEncryptionConfiguration": {
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "${module.encryption_module.kms_key_alias}"
      }
    },
    "EnableInTransitEncryption": true
  }
}
EOF
}
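The snippet above elides the rest of the resource and points at a key module that is not shown. The following is an added, complete Terraform example (not code from the Bridgecrew or Checkov projects) that puts the pieces together: a KMS key whose policy grants the EMR EC2 instance role the permissions SSE-KMS needs, a security configuration that fails CKV_AWS_171 (SSE-S3) next to one that passes (SSE-KMS), and a cluster that actually attaches the compliant configuration, since an unattached security configuration protects nothing. The resource names, the alias name, the `subnet_id` variable, the EMR release label and the reliance on a pre-existing `EMR_DefaultRole` service role are all assumptions for illustration.

```hcl
data "aws_caller_identity" "current" {}

# Assumption: the subnet for the cluster is supplied by the caller.
variable "subnet_id" { type = string }

# Role that EMR cluster nodes run under; it must be allowed to use the key.
resource "aws_iam_role" "emr_ec2" {
  name = "emr-ec2-instance-role" # assumed name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "emr_ec2" {
  role       = aws_iam_role.emr_ec2.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
}

resource "aws_iam_instance_profile" "emr_ec2" {
  name = "emr-ec2-instance-profile" # assumed name
  role = aws_iam_role.emr_ec2.name
}

# Customer-controlled KMS key for EMRFS (S3) and local-disk encryption.
# The key policy is the access-control boundary: only the account root and the
# EMR instance role can use it, and every use is logged by CloudTrail.
resource "aws_kms_key" "emr" {
  description             = "EMRFS SSE-KMS key"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowEmrInstanceRole"
        Effect    = "Allow"
        Principal = { AWS = aws_iam_role.emr_ec2.arn }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
        Resource  = "*"
      }
    ]
  })
}

resource "aws_kms_alias" "emr" {
  name          = "alias/emrfs" # assumed alias
  target_key_id = aws_kms_key.emr.key_id
}

# Fails CKV_AWS_171: S3 objects are encrypted, but under keys Amazon S3 manages,
# so there is no customer key policy to scope decryption and no per-key audit.
resource "aws_emr_security_configuration" "noncompliant" {
  name = "emr-sse-s3"
  configuration = jsonencode({
    EncryptionConfiguration = {
      EnableAtRestEncryption        = true
      AtRestEncryptionConfiguration = { S3EncryptionConfiguration = { EncryptionMode = "SSE-S3" } }
      EnableInTransitEncryption     = false
    }
  })
}

# Passes CKV_AWS_171: EMRFS writes use SSE-KMS with the key above.
# In-transit encryption is left off here only because enabling it also requires
# an InTransitEncryptionConfiguration with a TLS certificate provider.
resource "aws_emr_security_configuration" "compliant" {
  name = "emr-sse-kms"
  configuration = jsonencode({
    EncryptionConfiguration = {
      EnableAtRestEncryption = true
      AtRestEncryptionConfiguration = {
        S3EncryptionConfiguration        = { EncryptionMode = "SSE-KMS", AwsKmsKey = aws_kms_key.emr.arn }
        LocalDiskEncryptionConfiguration = { EncryptionKeyProviderType = "AwsKms", AwsKmsKey = aws_kms_key.emr.arn }
      }
      EnableInTransitEncryption = false
    }
  })
}

# The configuration only takes effect when a cluster references it by name.
resource "aws_emr_cluster" "analytics" {
  name                   = "analytics"     # assumed
  release_label          = "emr-6.15.0"    # assumed
  applications           = ["Spark"]
  service_role           = "EMR_DefaultRole" # assumption: default service role already exists
  security_configuration = aws_emr_security_configuration.compliant.name
  ec2_attributes {
    instance_profile = aws_iam_instance_profile.emr_ec2.arn
    subnet_id        = var.subnet_id
  }
  master_instance_group { instance_type = "m5.xlarge" }
  core_instance_group {
    instance_type  = "m5.xlarge"
    instance_count = 2
  }
}
```

Running `checkov -d . --check CKV_AWS_171` against this directory reports the `noncompliant` resource as failed and the `compliant` one as passed, which makes a useful regression fixture in CI. If the key policy is tightened further, keep the `AllowEmrInstanceRole` statement intact: removing `kms:GenerateDataKey*` or `kms:Decrypt` from it does not show up as a Checkov finding but breaks every EMRFS write or read at runtime.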