Ensure that your AWS Elastic MapReduce (EMR) clusters are encrypted in order to meet security and compliance requirements. Data encryption helps prevent unauthorized users from reading sensitive data held on your EMR clusters and their associated data storage systems. This covers data saved to persistent media (data at rest: the cluster nodes' local disks and the EMRFS data in Amazon S3) and data that could be intercepted as it travels over the network between cluster nodes (data in transit).
This rule can help you with the following compliance standards:
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When working with production data, it is highly recommended to implement encryption in order to protect that data from unauthorized access and to fulfil your organization's compliance requirements for data-at-rest and data-in-transit encryption. A typical requirement is the protection of sensitive data that could identify a specific individual, such as Personally Identifiable Information (PII), which is common in the Financial Services, Healthcare and Telecommunications sectors.
Note: In-transit and at-rest encryption can be enabled only for clusters with Amazon EMR version 4.8.0 and above.
Audit
To determine the in-transit and at-rest encryption configuration of your AWS EMR clusters, perform the following:
Remediation / Resolution
To enable in-transit and at-rest encryption for your existing AWS EMR clusters, you must define an EMR security configuration and then re-create the clusters with that security configuration, because a security configuration can only be attached when a cluster is launched and cannot be changed on a running cluster. To relaunch the required EMR clusters, perform the following:
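As an added example (not Cloud Conformity's or AWS's own code), the following Python applies this rule's audit logic to the JSON that `aws emr describe-cluster` and `aws emr describe-security-configuration` return: a cluster passes only when its security configuration enables both in-transit and at-rest encryption, and clusters that have no security configuration or run a release below emr-4.8.0 are flagged separately. It also shows the hardened security configuration document you would save to a file and pass to `aws emr create-security-configuration` before relaunching the cluster with `aws emr create-cluster --security-configuration`. The cluster IDs, configuration names, S3 bucket and KMS key ARNs are constructed sample data; only the field names come from the EMR API.

```python
"""Audit helpers for the EMR encryption rule (added example; constructed sample data)."""
import json

MIN_RELEASE = (4, 8, 0)  # security configurations exist only from emr-4.8.0 onwards


def parse_release_label(label):
    """'emr-5.36.0' -> (5, 36, 0); None when the label does not parse."""
    if not label or not label.startswith("emr-"):
        return None
    try:
        return tuple(int(part) for part in label[len("emr-"):].split("."))
    except ValueError:
        return None


def evaluate_security_configuration(security_configuration_json):
    """Findings for one configuration.

    The argument is the "SecurityConfiguration" value returned by
    describe-security-configuration, which is the document as a JSON string.
    """
    enc = json.loads(security_configuration_json).get("EncryptionConfiguration", {})
    at_rest = enc.get("AtRestEncryptionConfiguration", {})
    findings = {
        "in_transit": bool(enc.get("EnableInTransitEncryption", False)),
        "at_rest": bool(enc.get("EnableAtRestEncryption", False)),
        # S3 (EMRFS) and local-disk encryption are the two at-rest components.
        "s3_mode": at_rest.get("S3EncryptionConfiguration", {}).get("EncryptionMode"),
        "local_disk_provider": at_rest.get("LocalDiskEncryptionConfiguration", {})
        .get("EncryptionKeyProviderType"),
    }
    findings["compliant"] = findings["in_transit"] and findings["at_rest"]
    return findings


def audit_cluster(cluster, security_configurations):
    """Classify the "Cluster" object from describe-cluster.

    security_configurations maps configuration name -> JSON string.
    Returns (status, detail).
    """
    release = parse_release_label(cluster.get("ReleaseLabel"))
    if release is None or release < MIN_RELEASE:
        return "UNSUPPORTED_RELEASE", cluster.get("ReleaseLabel")
    name = cluster.get("SecurityConfiguration")
    if not name:
        return "NO_SECURITY_CONFIGURATION", None
    findings = evaluate_security_configuration(security_configurations[name])
    return ("COMPLIANT" if findings["compliant"] else "NON_COMPLIANT"), findings


# Constructed weak configuration: at-rest enabled, in-transit disabled -> fails the rule.
WEAK_CONFIG = {"EncryptionConfiguration": {
    "EnableInTransitEncryption": False,
    "EnableAtRestEncryption": True,
    "AtRestEncryptionConfiguration": {
        "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"}}}}

# Constructed hardened configuration: write this to a file and pass it with
# `aws emr create-security-configuration --name encrypted-config --security-configuration file://...`
SAMPLE_KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE"  # sample ARN
HARDENED_CONFIG = {"EncryptionConfiguration": {
    "EnableInTransitEncryption": True,
    "EnableAtRestEncryption": True,
    "InTransitEncryptionConfiguration": {"TLSCertificateConfiguration": {
        "CertificateProviderType": "PEM",
        "S3Object": "s3://example-emr-certs/certs.zip"}},  # sample bucket
    "AtRestEncryptionConfiguration": {
        "S3EncryptionConfiguration": {"EncryptionMode": "SSE-KMS", "AwsKmsKey": SAMPLE_KMS_KEY},
        "LocalDiskEncryptionConfiguration": {
            "EncryptionKeyProviderType": "AwsKms", "AwsKmsKey": SAMPLE_KMS_KEY}}}}

# describe-security-configuration hands the document back as a JSON string.
SECURITY_CONFIGURATIONS = {
    "weak-config": json.dumps(WEAK_CONFIG),
    "encrypted-config": json.dumps(HARDENED_CONFIG),
}

# Constructed "Cluster" objects as describe-cluster would return them.
SAMPLE_CLUSTERS = [
    {"Id": "j-SAMPLE1", "ReleaseLabel": "emr-5.36.0", "SecurityConfiguration": "encrypted-config"},
    {"Id": "j-SAMPLE2", "ReleaseLabel": "emr-5.36.0", "SecurityConfiguration": "weak-config"},
    {"Id": "j-SAMPLE3", "ReleaseLabel": "emr-5.36.0"},  # launched without a security configuration
    {"Id": "j-SAMPLE4", "ReleaseLabel": "emr-4.7.2", "SecurityConfiguration": "encrypted-config"},
]


def run_sample_audit():
    """Return {cluster id: status} for the constructed sample clusters."""
    return {c["Id"]: audit_cluster(c, SECURITY_CONFIGURATIONS)[0] for c in SAMPLE_CLUSTERS}


if __name__ == "__main__":
    for cluster_id, status in run_sample_audit().items():
        print(cluster_id, status)
```

To run it against a real account, feed `audit_cluster` the output of `aws emr describe-cluster --cluster-id <id> --query Cluster` for each ID from `aws emr list-clusters --active`, and build the configuration map from `aws emr describe-security-configuration --name <name> --query SecurityConfiguration --output text`. Note that a configuration with in-transit encryption enabled must also reference a certificate provider, as the hardened sample does, or cluster creation fails.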
References
- AWS Documentation
- Encrypt Data in Transit and at Rest
- Use Security Configurations to Set Up Cluster Security
- Create a Security Configuration
- Providing Certificates for In-Transit Data Encryption with Amazon EMR Encryption
- Cloning a Cluster Using the Console
- Specify a Security Configuration for a Cluster
- AWS Command Line Interface (CLI) Documentation
- emr
- list-clusters
- describe-cluster
- create-security-configuration
- create-cluster
Rule: EMR In-Transit and At-Rest Encryption
Risk level: High