I want to create an EMR cluster with Amazon Elastic Block Store (Amazon EBS) encryption. Or, I want to use an AWS Key Management Service (AWS KMS) key to encrypt an EBS volume that's attached to my EMR cluster.
Short description
Amazon EBS encryption integrates with AWS KMS to provide the encryption keys that protect your data. With Amazon EMR version 5.24.0 and later, you can turn on Amazon EBS encryption. The Amazon EBS encryption option encrypts the Amazon EBS root device volume and attached storage volumes. For more information, see Local disk encryption.
To encrypt EBS volumes on your EMR cluster, turn on encryption by default for EBS volumes at the account level. Or, create a KMS key and Amazon EMR security configuration to encrypt EBS volumes for a specific EMR cluster.
Resolution
Turn on encryption by default for EBS volumes at the account level
For more information, see Enable Amazon EBS encryption by default.
Create an AWS KMS key and Amazon EMR security configuration to encrypt EBS volumes for a specific EMR cluster
Create a KMS key
To create a new KMS key, complete the following steps:
- Open the AWS KMS console.
- In the navigation pane, choose Customer managed keys.
- Choose Create key.
- For Key type, select Symmetric.
- For Key usage, select Encrypt and decrypt.
- Choose Next.
- For Alias, enter an alias for the key.
- Choose Next.
- For Key administrator, choose a key administrator.
- Choose Next.
- Select the Amazon EMR service role. The default role is EMR_DefaultRole.
- Select the Amazon Elastic Compute Cloud (Amazon EC2) instance profile role. The default role for the instance profile is EMR_EC2_DefaultRole.
- Choose Next.
- Choose Finish.
If you use a custom Amazon EMR service role, then add the following policy to the role before you provision the EMR cluster. Replace the placeholder Resource ARN with the ARN of the KMS key that you created.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:CreateGrant",
        "kms:ListGrants"
      ],
      "Resource": [
        "arn:aws:kms:region:account-id:key/########-####-####-####-############"
      ]
    }
  ]
}
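The following script is an added example, not part of the AWS article. It builds the policy shown above for a given key ARN and, more usefully when a cluster with a custom service role fails to launch, audits an existing role policy document to report which of the required KMS actions are missing for that key (wildcard grants such as kms:ReEncrypt* or kms:* are matched as IAM would match them). The role name, policy name and key ARN in main() are placeholders; the boto3 call only runs from main().

```python
"""Build and audit the KMS permissions an EMR service role needs for EBS encryption.

Added example, not from the AWS article. Role name, policy name and key ARN
are placeholders; the boto3 call runs only from main().
"""
import json
import re

# Actions the article's policy grants on the KMS key. Two of them are IAM
# wildcards, so the matcher below expands '*' the way IAM does.
REQUIRED_KMS_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:ListGrants",
]

# Full key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<uuid>
KEY_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$"
)


def build_kms_policy(key_arn):
    """Return the article's policy document scoped to exactly one key ARN."""
    if not KEY_ARN_RE.match(key_arn):
        raise ValueError("expected a full KMS key ARN, got %r" % key_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(REQUIRED_KMS_ACTIONS),
                "Resource": [key_arn],
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(granted, required):
    """True if a granted action pattern (may contain '*') covers `required`."""
    pattern = "^" + re.escape(granted).replace(r"\*", ".*") + "$"
    return re.match(pattern, required, re.IGNORECASE) is not None


def missing_kms_actions(policy_doc, key_arn):
    """Return the required actions that no Allow statement grants on key_arn.

    Only statements whose Resource names this key (or '*') count, so a policy
    that points at the wrong key shows up as 'everything missing'.
    """
    granted = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(r in ("*", key_arn) for r in resources):
            continue
        granted.update(_as_list(stmt.get("Action", [])))
    return [req for req in REQUIRED_KMS_ACTIONS
            if not any(_action_matches(g, req) for g in granted)]


if __name__ == "__main__":
    import boto3  # assumption: credentials and region come from the environment

    key_arn = ("arn:aws:kms:us-east-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")  # placeholder
    iam = boto3.client("iam")
    iam.put_role_policy(
        RoleName="MyCustomEmrServiceRole",  # placeholder
        PolicyName="EmrEbsKmsAccess",       # placeholder
        PolicyDocument=json.dumps(build_kms_policy(key_arn)),
    )
```

A required wildcard such as kms:ReEncrypt* is reported as missing unless the role holds an equally broad grant; a narrower kms:ReEncryptFrom alone does not satisfy it, which matches how EMR's CreateGrant and re-encrypt calls fail at launch time.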
Create and configure the Amazon EMR security configuration
Complete the following steps:
- Open the Amazon EMR console.
- In the navigation pane, under EMR on EC2, choose Security configurations.
- Choose Create.
- Enter your Security configuration name and select Choose custom settings.
- Under Encryption, choose Turn on at-rest encryption for local disk.
- For Encryption mode, choose AWS KMS.
- For Choose your AWS KMS key, choose the key ARN of your KMS key.
- Under EBS Volumes Encryption, select Encrypt EBS volumes with EBS encryption.
- Choose Next and then choose Create.
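The console steps above produce a security configuration document. The following script is an added example, not part of the AWS article: it builds the same document for use with the CreateSecurityConfiguration API (at-rest encryption on, AWS KMS as the local disk key provider, EBS volumes encrypted with EBS encryption) and includes a check that reads a security configuration back and reports anything that would leave EBS volumes without KMS-backed EBS encryption. The key ARN and configuration name are placeholders; the boto3 calls run only from main().

```python
"""Build and verify an EMR security configuration for KMS-backed EBS encryption.

Added example, not from the AWS article. Key ARN and configuration name are
placeholders; boto3 calls run only from main().
"""
import json

KMS_PROVIDER = "AwsKms"


def build_security_configuration(key_arn, in_transit=False):
    """Return the security configuration document as a dict.

    Mirrors the console steps: at-rest encryption for local disk turned on,
    AWS KMS as the key provider, and EBS volumes encrypted with EBS encryption.
    """
    return {
        "EncryptionConfiguration": {
            "EnableInTransitEncryption": in_transit,
            "EnableAtRestEncryption": True,
            "AtRestEncryptionConfiguration": {
                "LocalDiskEncryptionConfiguration": {
                    "EncryptionKeyProviderType": KMS_PROVIDER,
                    "AwsKmsKey": key_arn,
                    "EnableEbsEncryption": True,
                }
            },
        }
    }


def security_configuration_json(key_arn, in_transit=False):
    """The same document serialized, as the EMR API expects it."""
    return json.dumps(build_security_configuration(key_arn, in_transit))


def ebs_encryption_findings(config, expected_key_arn=None):
    """Return a list of problems; an empty list means EBS volumes get KMS encryption.

    `config` is either the dict above or the JSON string that
    DescribeSecurityConfiguration returns in its SecurityConfiguration field.
    """
    doc = json.loads(config) if isinstance(config, str) else config
    enc = doc.get("EncryptionConfiguration", {})
    findings = []
    if not enc.get("EnableAtRestEncryption"):
        findings.append("at-rest encryption is off")
        return findings
    local = enc.get("AtRestEncryptionConfiguration", {}).get(
        "LocalDiskEncryptionConfiguration", {})
    if not local:
        findings.append("no LocalDiskEncryptionConfiguration")
        return findings
    if not local.get("EnableEbsEncryption"):
        findings.append("EnableEbsEncryption is false: EBS root and storage "
                        "volumes are not encrypted with EBS encryption")
    provider = local.get("EncryptionKeyProviderType")
    if provider != KMS_PROVIDER:
        findings.append("key provider is %r, not %s" % (provider, KMS_PROVIDER))
    if expected_key_arn and local.get("AwsKmsKey") != expected_key_arn:
        findings.append("AwsKmsKey is %r, expected %r"
                        % (local.get("AwsKmsKey"), expected_key_arn))
    return findings


if __name__ == "__main__":
    import boto3  # assumption: credentials and region come from the environment

    name = "ebs-kms-encryption"  # placeholder
    key_arn = ("arn:aws:kms:us-east-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")  # placeholder
    emr = boto3.client("emr")
    emr.create_security_configuration(
        Name=name, SecurityConfiguration=security_configuration_json(key_arn))
    # Read it back and confirm it says what we meant before any cluster uses it.
    stored = emr.describe_security_configuration(Name=name)["SecurityConfiguration"]
    for finding in ebs_encryption_findings(stored, key_arn):
        print("finding:", finding)
```

The check is deliberately separate from the builder so it can also be run against security configurations that were created by hand in the console or by another team.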
Provision an EMR cluster with the security configuration
If you use the Amazon EMR console to create your EMR cluster, then for Security configuration, choose the security configuration that you created in the preceding section.
If you create the EMR cluster another way, such as with the AWS CLI or an SDK, then specify the name of the security configuration that you created when you create the cluster.
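Once the cluster is running, the thing worth confirming is the state of the volumes themselves rather than the configuration. The following script is an added example, not part of the AWS article: it lists the cluster's EC2 instances, fetches their attached EBS volumes, and reports any volume that is unencrypted or encrypted with a key other than the one you expect. The cluster ID and key ARN are placeholders, and the check is a plain function over DescribeVolumes records so it can run on constructed data; boto3 calls run only from main().

```python
"""Verify that every EBS volume on an EMR cluster is encrypted with the expected KMS key.

Added example, not from the AWS article. Cluster ID and key ARN are
placeholders; the check itself needs no AWS access.
"""


def volume_problems(volumes, expected_key_arn):
    """Return (volume_id, reason) pairs for volumes that fail the check.

    `volumes` has the shape of the "Volumes" list that EC2 DescribeVolumes
    returns: each item carries at least VolumeId, Encrypted and KmsKeyId.
    """
    problems = []
    for vol in volumes:
        vid = vol.get("VolumeId", "?")
        if not vol.get("Encrypted"):
            problems.append((vid, "not encrypted"))
        elif vol.get("KmsKeyId") != expected_key_arn:
            problems.append((vid, "encrypted with %s" % vol.get("KmsKeyId")))
    return problems


def cluster_volumes(emr, ec2, cluster_id, chunk=100):
    """Collect all EBS volumes attached to the cluster's EC2 instances.

    Instances that have not yet received an EC2 instance ID are skipped;
    instance IDs are sent in chunks to keep each DescribeVolumes call small.
    """
    instance_ids = []
    for page in emr.get_paginator("list_instances").paginate(ClusterId=cluster_id):
        instance_ids.extend(i["Ec2InstanceId"] for i in page["Instances"]
                            if i.get("Ec2InstanceId"))
    volumes = []
    describe = ec2.get_paginator("describe_volumes")
    for start in range(0, len(instance_ids), chunk):
        batch = instance_ids[start:start + chunk]
        for page in describe.paginate(
                Filters=[{"Name": "attachment.instance-id", "Values": batch}]):
            volumes.extend(page["Volumes"])
    return volumes


if __name__ == "__main__":
    import boto3  # assumption: credentials and region come from the environment

    cluster_id = "j-XXXXXXXXXXXXX"  # placeholder
    key_arn = ("arn:aws:kms:us-east-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")  # placeholder
    found = cluster_volumes(boto3.client("emr"), boto3.client("ec2"), cluster_id)
    issues = volume_problems(found, key_arn)
    print("%d volumes checked, %d problems" % (len(found), len(issues)))
    for vid, why in issues:
        print(vid, why)
```

An empty result from volume_problems is the evidence that the security configuration took effect; a volume reported as encrypted with a different key usually means account-level default encryption with the AWS managed key applied instead of the intended customer managed key.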