EMR clusters should be encrypted at rest
- GG_ID: GG_IAC_0072
- Severity: HIGH
- Complexity: LOW
- Categories: DATA, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
# Description
AWS Elastic MapReduce (EMR) is a managed cluster platform that runs big data frameworks to process and analyze data.
The cluster should always be encrypted at rest so that the data stays protected if access to the underlying storage is compromised.
# Impact
Not encrypting storage at rest could lead to a data leak in the event of an attack.
# Remediation guidelines
For AWS EMR version 4.8.0 or later, update the security configuration attached to the EMR cluster so that EncryptionConfiguration.EnableAtRestEncryption is set to true.
See this AWS documentation page for configuration examples.
For earlier versions, you will need to manually create a security configuration and then specify your S3 data encryption. The steps are described in the following pages:
- https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-create-security-configuration.html
- https://aws.amazon.com/blogs/big-data/secure-amazon-emr-with-encryption/
Please note that you may encounter service disruption after you reconfigure your cluster as explained in this section.
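The following is an added example, not part of the original rule page or of any AWS tooling: a small check that parses the JSON form of an EMR security configuration (the document passed to aws_emr_security_configuration or to the CLI when creating one) and reports whether EncryptionConfiguration.EnableAtRestEncryption is true. Both sample configurations are constructed, the KMS key ARN is a placeholder, and the checks on the AtRestEncryptionConfiguration sub-blocks go slightly beyond the rule's boolean test.

```python
import json

# Constructed sample: the weak setting this rule flags (at-rest encryption disabled).
WEAK_CONFIG = json.dumps({
    "EncryptionConfiguration": {
        "EnableInTransitEncryption": False,
        "EnableAtRestEncryption": False,
    }
})

# Constructed sample: the remediated form, enabling at-rest encryption for
# EMRFS data in S3 (SSE-S3) and for local disks (KMS-managed key).
FIXED_CONFIG = json.dumps({
    "EncryptionConfiguration": {
        "EnableInTransitEncryption": False,
        "EnableAtRestEncryption": True,
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"},
            "LocalDiskEncryptionConfiguration": {
                "EncryptionKeyProviderType": "AwsKms",
                # Placeholder ARN; substitute the key used by your account.
                "AwsKmsKey": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
            },
        },
    }
})


def at_rest_encryption_findings(security_configuration_json: str) -> list[str]:
    """Return a list of findings for an EMR security configuration document.

    An empty list means at-rest encryption is enabled and both storage
    layers (S3/EMRFS and local disk) have an encryption setting.
    """
    findings: list[str] = []
    try:
        cfg = json.loads(security_configuration_json)
    except json.JSONDecodeError as exc:
        return [f"security configuration is not valid JSON: {exc}"]
    enc = cfg.get("EncryptionConfiguration") or {}
    # The rule's core test: the flag must be the JSON boolean true, not a string.
    if enc.get("EnableAtRestEncryption") is not True:
        findings.append("EncryptionConfiguration.EnableAtRestEncryption is not true")
        return findings
    at_rest = enc.get("AtRestEncryptionConfiguration") or {}
    if "S3EncryptionConfiguration" not in at_rest:
        findings.append("at-rest encryption enabled but no S3EncryptionConfiguration set")
    if "LocalDiskEncryptionConfiguration" not in at_rest:
        findings.append("at-rest encryption enabled but no LocalDiskEncryptionConfiguration set")
    return findings
```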