AWS-EMR-security-configuration-unset-or-data-encryption-unset

Severity: High

Description: This control ensures that data in transit within an EMR cluster is always encrypted. In an AWS EMR cluster, data is exchanged between the different applications running in the cluster; if that traffic is not encrypted, it is exposed to interception. Data in transit should be encrypted.

For safety reasons, certificates from other providers cannot be used for encryption.

Remediation Steps:

Perform the following to configure in-transit data encryption:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com

  2. Navigate to the EMR service.

  3. In the navigation pane, choose Security configurations.

  4. Click the Create button.

  5. Check the Data in transit encryption checkbox and select the Custom option in the Certificate provider type dropdown.

  6. In the Custom key provider location text box, provide the location of the JAR file of the custom certificate provider.

  7. Enter the Certificate provider class name in the given field.

  8. Click the Create button.

Important:

An existing EMR cluster cannot be modified; a new EMR cluster must be created with the required security configuration.
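The following is an added example (not part of this control's original text or of any AWS tooling) showing how a defender can evaluate this control offline: it builds the security-configuration JSON that the steps above produce (EMR's documented EncryptionConfiguration format, here with a placeholder S3 JAR path and provider class) and checks constructed cluster descriptions for a missing security configuration or unset in-transit encryption.

```python
import json

# Constructed sample: the security configuration the steps above create
# (Custom certificate provider; S3 path and class name are placeholders).
REMEDIATED_CONFIG = {
    "EncryptionConfiguration": {
        "EnableInTransitEncryption": True,
        "EnableAtRestEncryption": False,
        "InTransitEncryptionConfiguration": {
            "TLSCertificateConfiguration": {
                "CertificateProviderType": "Custom",
                "S3Object": "s3://example-bucket/tls-provider.jar",  # placeholder
                "CertificateProviderClass": "com.example.TlsProvider",  # placeholder
            }
        },
    }
}

# Constructed sample: name -> configuration, mirroring DescribeSecurityConfiguration,
# whose SecurityConfiguration field is a JSON string rather than a parsed object.
SECURITY_CONFIGS = {
    "encrypt-transit": json.dumps(REMEDIATED_CONFIG),
    "at-rest-only": json.dumps({"EncryptionConfiguration": {
        "EnableInTransitEncryption": False, "EnableAtRestEncryption": True}}),
}

def evaluate_cluster(cluster: dict, security_configs: dict) -> tuple:
    """Return (status, reason) for one DescribeCluster 'Cluster' dict."""
    name = cluster.get("SecurityConfiguration")
    if not name:
        return "FAIL", "no security configuration attached"
    raw = security_configs.get(name)
    if raw is None:
        return "FAIL", f"security configuration {name!r} not found"
    enc = json.loads(raw).get("EncryptionConfiguration", {})
    if not enc.get("EnableInTransitEncryption"):
        return "FAIL", f"{name!r} does not enable in-transit encryption"
    return "PASS", f"{name!r} enables in-transit encryption"

# Constructed sample clusters in the shape of DescribeCluster output.
CLUSTERS = [
    {"Id": "j-CONSTRUCTED1", "SecurityConfiguration": "encrypt-transit"},
    {"Id": "j-CONSTRUCTED2", "SecurityConfiguration": "at-rest-only"},
    {"Id": "j-CONSTRUCTED3"},  # security configuration unset entirely
]

def failing_clusters(clusters=CLUSTERS, configs=SECURITY_CONFIGS) -> list:
    """Ids of clusters that violate this control and need to be recreated."""
    return [c["Id"] for c in clusters if evaluate_cluster(c, configs)[0] == "FAIL"]
```

Because the configuration is immutable per cluster, every Id returned by failing_clusters must be replaced by a new cluster launched with a compliant security configuration.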

Reference:

Blue Hexagon Proprietary