EMR clusters should be encrypted at rest

• GG_ID: GG_IAC_0072
• Severity: HIGH
• Complexity: LOW
• Categories: DATA, PERMISSION
• Providers: AWS
• Potential data exposure: True
• Visible in logs: False
• User interaction required: False
• Privileges required: True

Description

AWS Elastic MapReduce (EMR) is a managed cluster platform that assists running big data frameworks to process and analyze data.

The cluster should always be encrypted at rest to protect the data if accesses are compromised.

Impact

Not encrypting storages at rest could lead to data leak in case of an attack.

Remediation guidelines

For AWS EMR version 4.8.0 or later, update the security configuration attached to the EMR cluster so that EncryptionConfiguration.EnableAtRestEncryption is set to true. See this AWS documentation page for configuration examples.

For earlier versions, you will need to manually create a security configuration and then specify your S3 data encryption. The steps are described in the following pages:

• https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-create-security-configuration.html
• https://aws.amazon.com/blogs/big-data/secure-amazon-emr-with-encryption/

Please note that you may encounter service disruption after you reconfigure your cluster as explained in this section

External documentation

• Encrypt data at rest and in transit