If the security policy of your organization requires it, you need to set up SSE-KMS, Amazon's server-side encryption with keys managed by AWS KMS, for the EMR cluster before you create that cluster.
This procedure covers only the SSE-KMS related operations needed to get started with an EMR security configuration. For complete information about all the EMR security configuration options provided by AWS, see Create a Security Configuration in the Amazon documentation.
About this task
If not yet done, go to https://console.aws.amazon.com/kms to create a customer managed CMK to be used by the SSE-KMS service. For detailed instructions about how to do this, see this tutorial from the AWS
When adding roles to this key, alongside any other roles your security policy requires, you must add the EMR_EC2_DefaultRole role.
The EMR_EC2_DefaultRole role allows your Jobs for Apache Spark to read and write files encrypted with SSE-KMS on S3.
This role is a default AWS role that is created automatically when your first EMR cluster is created. If this role and its associated policies do not exist in your account, see Use Default IAM Roles and Managed Policies in the AWS documentation.
- On the Amazon EMR page of AWS, select the Security configurations tab and click Create to open the Create security configuration view.
- Select the At-rest encryption check box to enable SSE-KMS.
- Under S3 data encryption, select SSE-KMS for Encryption mode and select the CMK mentioned at the beginning of this procedure for AWS KMS Key.
- Under Local disk encryption, select AWS KMS for Key provider type and select the same CMK for AWS KMS Key.
Click Create to save your security configuration.
In real-world practice, you can also configure the other security options, such as Kerberos and IAM roles for EMRFS, before clicking Create.
- Click Clusters and once the Create Cluster page is open, click Go to advanced options to start creating the EMR cluster step by step.
- At the last step, called Security, in the Authentication and encryption section, select the security configuration created in the previous steps.
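The console steps above produce two artifacts by hand: a KMS key policy that lists EMR_EC2_DefaultRole as a key user, and an EMR security configuration with SSE-KMS for S3 data and AWS KMS for local disks. The following added example (not code from the Talend or AWS documentation) builds both as JSON, checks them for the mismatches that otherwise surface later as access-denied errors from the Spark job, and prints the AWS CLI calls that replace the last console clicks. The account id, region and key id are constructed placeholders; the JSON key names are those of the EMR security configuration format.

```python
"""Build and check the KMS key-user statement and the EMR security
configuration that the SSE-KMS procedure creates in the console."""
import json
import re

# Constructed placeholders: replace with your account, region and CMK id.
ACCOUNT_ID = "123456789012"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"
EMR_EC2_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/EMR_EC2_DefaultRole"

# KMS permissions the console grants to a key's "Key users".
KMS_KEY_USER_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]

# Customer managed key ARN: region, 12-digit account id, UUID key id.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def key_user_statement(role_arns):
    """Key policy statement that lets the given IAM roles use the CMK."""
    return {
        "Sid": "AllowEmrKeyUsers",
        "Effect": "Allow",
        "Principal": {"AWS": list(role_arns)},
        "Action": list(KMS_KEY_USER_ACTIONS),
        "Resource": "*",
    }


def emr_security_configuration(kms_key_arn):
    """Same choices as the console: at-rest encryption on, S3 mode SSE-KMS,
    local disks through AWS KMS, one CMK for both."""
    return {
        "EncryptionConfiguration": {
            "EnableInTransitEncryption": False,
            "EnableAtRestEncryption": True,
            "AtRestEncryptionConfiguration": {
                "S3EncryptionConfiguration": {
                    "EncryptionMode": "SSE-KMS",
                    "AwsKmsKey": kms_key_arn,
                },
                "LocalDiskEncryptionConfiguration": {
                    "EncryptionKeyProviderType": "AwsKms",
                    "AwsKmsKey": kms_key_arn,
                },
            },
        }
    }


def check_security_configuration(config, key_user_arns):
    """Return a list of problems; empty means the configuration matches the
    procedure and the EMR EC2 role is allowed to use the key."""
    problems = []
    enc = config.get("EncryptionConfiguration", {})
    if not enc.get("EnableAtRestEncryption"):
        problems.append("at-rest encryption is not enabled")
    at_rest = enc.get("AtRestEncryptionConfiguration", {})
    s3 = at_rest.get("S3EncryptionConfiguration", {})
    disk = at_rest.get("LocalDiskEncryptionConfiguration", {})
    if s3.get("EncryptionMode") != "SSE-KMS":
        problems.append("S3 encryption mode is not SSE-KMS")
    if disk.get("EncryptionKeyProviderType") != "AwsKms":
        problems.append("local disk key provider is not AwsKms")
    for label, section in (("S3", s3), ("local disk", disk)):
        if not KEY_ARN_RE.match(section.get("AwsKmsKey", "")):
            problems.append(f"{label} AwsKmsKey is not a KMS key ARN")
    if EMR_EC2_ROLE_ARN not in key_user_arns:
        problems.append("EMR_EC2_DefaultRole is not a key user of the CMK")
    return problems


def cli_commands(config_name, config_path):
    """AWS CLI equivalents of the last console steps (other create-cluster
    options, such as instance types, are left to the caller)."""
    return [
        f"aws emr create-security-configuration --name {config_name} "
        f"--security-configuration file://{config_path}",
        f"aws emr create-cluster --security-configuration {config_name}",
    ]


if __name__ == "__main__":
    config = emr_security_configuration(KEY_ARN)
    with open("emr-sse-kms.json", "w") as fh:
        json.dump(config, fh, indent=2)
    print(json.dumps(key_user_statement([EMR_EC2_ROLE_ARN]), indent=2))
    print("problems:", check_security_configuration(config, [EMR_EC2_ROLE_ARN]))
    print("\n".join(cli_commands("sse-kms-config", "emr-sse-kms.json")))
```

Running the script writes emr-sse-kms.json, which can be passed to `aws emr create-security-configuration`, and prints the policy statement to add to the CMK's key policy. The check deliberately fails when the two AwsKmsKey values are not key ARNs or when EMR_EC2_DefaultRole is missing from the key users, since those are the two omissions that leave the cluster unable to decrypt its own data.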