Setting up SSE KMS for your S3 bucket - 7.3


If required by the security policy of your organization, you need to set up SSE KMS for the S3 bucket to be used.

Note: SSE KMS and bucket policy require EMR with KMS encryption. However, Kerberos is not mandatory for EMR in this example.

Before you begin

Prerequisite: you must have created the CMK key to be used. For detailed instructions about how to do this, see this tutorial from the AWS documentation.

About this task

This procedure explains only the SSE KMS-related operations for getting started with the security configuration for EMR. If you need complete information about all the available EMR security configurations provided by AWS, see Create a Security Configuration from the Amazon documentation.

Procedure

  1. Open your S3 service at https://s3.console.aws.amazon.com/.
  2. From the S3 bucket list, select the bucket to be used. Ensure that you have proper rights and permissions to access this bucket.
  3. Select the Properties tab and then Default encryption.
  4. Select AWS-KMS.
  5. Select the KMS CMK key to be used.
  6. Select the Permissions tab, then select Bucket Policy and enter your policy in the console.
    This article from AWS provides detailed explanations and a simple policy example: How to Prevent Uploads of Unencrypted Objects to Amazon S3.
  7. Click Save to save your policy.
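
The following is an added example, not taken from the Talend or AWS documentation: a Python sketch that generates one possible bucket policy for step 6 (deny any PutObject that does not request SSE-KMS) and checks locally which constructed sample requests its Deny statements would match. The bucket name example-bucket, the Sid values and the helper names are assumptions made for illustration.

```python
import json

SSE_KEY = "s3:x-amz-server-side-encryption"

def build_policy(bucket):
    """Deny every PutObject that does not request SSE-KMS."""
    def deny(sid, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": condition}
    return {"Version": "2012-10-17", "Statement": [
        deny("DenyWrongEncryptionHeader", {"StringNotEquals": {SSE_KEY: "aws:kms"}}),
        deny("DenyMissingEncryptionHeader", {"Null": {SSE_KEY: "true"}}),
    ]}

def matching_denies(policy, headers):
    """Local approximation (not an AWS API): Sids of the Deny statements
    that would match a PutObject carrying these request headers."""
    hits = []
    for stmt in policy["Statement"]:
        (op, pairs), = stmt["Condition"].items()
        (key, expected), = pairs.items()
        header = key.split(":", 1)[1]          # s3:x-amz-... -> x-amz-...
        present = header in headers
        if op == "Null":
            matched = (not present) == (expected == "true")
        elif op == "StringNotEquals":
            # Negated operators also match when the key is absent.
            matched = not present or headers[header] != expected
        else:
            raise ValueError(f"unsupported operator: {op}")
        if matched:
            hits.append(stmt["Sid"])
    return hits

if __name__ == "__main__":
    policy = build_policy("example-bucket")    # placeholder bucket name
    print(json.dumps(policy, indent=2))        # JSON to paste into the Bucket Policy editor
    # Constructed sample requests: SSE-KMS, SSE-S3, and no encryption header.
    for h in ({"x-amz-server-side-encryption": "aws:kms"},
              {"x-amz-server-side-encryption": "AES256"}, {}):
        print(h, "->", matching_denies(policy, h) or "not denied")
```

With a policy of this shape, uploads that omit the encryption header are rejected even though default encryption is enabled on the bucket, so every client writing to it must request SSE-KMS explicitly.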

Results

Now your bucket policy is set up. When you need to use this bucket with a Job, add the following parameter about AWS signature versions to the JVM argument list of this Job:
-Dcom.amazonaws.services.s3.enableV4
For further information about AWS Signature Versions, see Specifying the Signature Version in Request Authentication.