About this task
If not yet done, go to https://console.aws.amazon.com/kms to create a customer managed CMK to be used by the SSE-KMS service. For detailed instructions about how to do this, see this tutorial from the AWS
When adding roles, you must add the EMR_EC2_DefaultRole role, alongside whichever other roles your security policy requires.
The EMR_EC2_DefaultRole role is what allows your Jobs for Apache Spark to read or write files encrypted with SSE-KMS on S3.
This role is a default AWS role that is created automatically together with your first EMR cluster. If this role and its associated policies do not exist in your account, see Use Default IAM Roles and Managed Policies in the AWS documentation.
- On the Amazon EMR page of AWS, select the Security configurations tab and click Create to open the Create security configuration view.
- Select the At-rest encryption check box to enable SSE-KMS.
- Under S3 data encryption, select SSE-KMS for Encryption mode and select the CMK key mentioned at the beginning of this procedure for AWS KMS Key.
- Under Local disk encryption, select AWS KMS for Key provider type and select the CMK key mentioned at the beginning of this procedure for AWS KMS Key.
Click Create to validate your security configuration.
In real-world practice, you can also configure other security options, such as Kerberos and IAM roles for EMRFS, before clicking this Create button.
- Click Clusters and, once the Create Cluster page opens, click Go to advanced options to create the EMR cluster step by step.
- At the last step, Security, in the Authentication and encryption section, select the security configuration created in the previous steps.
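The console steps above have an AWS CLI equivalent, which is easier to review and to keep under version control. The following script is an added example, not part of this documentation or of the Talend product: it builds the JSON document that `aws emr create-security-configuration` accepts, with SSE-KMS for S3 data and AWS KMS for local disks, both pointing at the same CMK. The KMS key ARN, the configuration name, the `APPLY` switch and the helper function names are assumptions chosen for this example; replace the placeholder ARN with the ARN of the CMK created at the beginning of this procedure.

```shell
#!/bin/sh
# Added example (not from the original documentation): produces the security
# configuration JSON matching the console choices above and, only on request,
# submits it with the AWS CLI.

# Placeholder ARN (constructed); replace with the CMK created for this procedure.
KMS_KEY_ARN="${KMS_KEY_ARN:-arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000}"
# Name under which the security configuration is stored in EMR (assumed).
SEC_CONFIG_NAME="${SEC_CONFIG_NAME:-sse-kms-at-rest}"

# Accept only a KMS key ARN; aliases or bare key IDs are refused so that a
# mistyped value never reaches the API call.
is_kms_key_arn() {
  case "$1" in
    arn:aws:kms:*:*:key/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the EncryptionConfiguration document on stdout.
# S3EncryptionConfiguration  -> "S3 data encryption: SSE-KMS" in the console.
# LocalDiskEncryptionConfiguration -> "Local disk encryption: AWS KMS" in the console.
emr_security_config_json() {
  key="$1"
  is_kms_key_arn "$key" || return 1
  cat <<EOF
{
  "EncryptionConfiguration": {
    "EnableInTransitEncryption": false,
    "EnableAtRestEncryption": true,
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
        "EncryptionMode": "SSE-KMS",
        "AwsKmsKey": "$key"
      },
      "LocalDiskEncryptionConfiguration": {
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "$key"
      }
    }
  }
}
EOF
}

# Without APPLY=1 the script only prints the document, so it can be reviewed
# offline; with APPLY=1 it creates the security configuration in the account
# the CLI is currently authenticated against.
if [ "${APPLY:-0}" = "1" ]; then
  emr_security_config_json "$KMS_KEY_ARN" > /tmp/emr-sec-config.json
  aws emr create-security-configuration \
    --name "$SEC_CONFIG_NAME" \
    --security-configuration file:///tmp/emr-sec-config.json
else
  emr_security_config_json "$KMS_KEY_ARN"
fi
```

When the cluster is created from the CLI rather than from the console, the last step of the procedure corresponds to passing `--security-configuration "$SEC_CONFIG_NAME"` to `aws emr create-cluster`. Whichever path is used, the EMR_EC2_DefaultRole role (the EC2 instance profile of the cluster nodes) must also be allowed to use the CMK in the key's policy, otherwise the cluster starts but the Spark jobs fail on the first encrypted read or write.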