If required by the security policy of your organization, you need to set up SSE KMS for the S3 bucket to be used.
Note: SSE KMS and bucket policy require EMR with KMS encryption. However, Kerberos is not mandatory
for EMR in this example.
Before you begin
Prerequisite: you must have created the CMK key to be used. For detailed
instructions about how to do this, see
this tutorial from the AWS
documentation.
About this task
This procedure explains only the
SSE KMS related operations for getting started with the security configuration for EMR.
If you need the complete information about all the available EMR security configurations
provided by AWS, see
Create a Security Configuration from the
Amazon documentation.
Procedure
-
Open your S3 service at https://s3.console.aws.amazon.com/.
-
From the S3 bucket list, select the bucket to be used. Ensure
that you have proper rights and permissions to access this bucket.
-
Select the Properties tab
and then Default encryption.
-
Select AWS-KMS.
-
Select the KMS CMK key to be used.
-
Select the Permissions tab, then select
Bucket Policy and enter your policy in the
console.
-
Click Save to save your policy.
Results
Now your bucket policy is set up. When you need to use this bucket with a Job, enter
the following parameter about AWS signature versions to the JVM argument list of this Job:
-Dcom.amazonaws.services.s3.enableV4
For further information about AWS Signature Versions, see
Specifying the Signature Version in Request
Authentication.
