If required by the security policy of your organization, you need to set up SSE KMS, the server-side encryption service of Amazon, for the EMR cluster to be used, before creating this cluster.
About this task
This procedure explains only the
SSE KMS related operations for getting started with the security configuration for EMR.
If you need the complete information about all the available EMR security configurations
provided by AWS, see Create a Security Configuration from the
Amazon documentation.
When adding roles, among other roles to be added depending on your
security policy, you must add the EMR_EC2_DefaultRole role.
The EMR_EC2_DefaultRole role allows your
Jobs for Apache Spark to read or write files encrypted with SSE-KMS on
S3.
This role is a default AWS role that is
automatically created along with the creation of your first EMR
cluster. If this role and its associated policies do not exist in
your account, see Use Default IAM Roles and
Managed Policies from the AWS documentation
On the Amazon EMR page of
AWS, select the Security configurations
tab and click Create to open the
Create security configuration
view.
Select the At-rest encryption check box
to enable SSE KMS.
Under S3 data encryption, select
SSE-KMS for Encryption mode
and select the CMK key mentioned at the beginning of this procedure for
AWS KMS Key.
Under Local disk encryption, select AWS
KMS for Key provider type and select the
CMK key mentioned at the beginning of this procedure for AWS KMS
Key.
Click Create to validate your security configuration.
In the real-world practice, you can also configure the other security options such as Kerberos and IAM roles for EMRFS before clicking this Create button.
Click Clusters and once the Create Cluster page is open, click Go to advanced options to start creating the EMR cluster step by step.
At the last step called Security, in the Authentication and
encryption section, select the Security Configuration created in the previous steps.
Did this page help you?
If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!