EMR clusters should use in-transit encryption
- GG_ID: GG_IAC_0073
- Severity: HIGH
- Complexity: HIGH
- Categories: DATA, NETWORK, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
# Description
AWS Elastic MapReduce (EMR) is a managed cluster platform that assists running big data frameworks to process and analyze data.
Enabling in-transit encryption helps protect data when it is moving from one location to another.
# Impact
Not encrypting data in transit could lead to a data leak in case of an attack.
# Remediation guidelines
For AWS EMR version 4.8.0 or later, update the security configuration attached to the EMR cluster so that `EncryptionConfiguration.EnableInTransitEncryption` is set to `true`.
See this AWS documentation page for configuration examples.
For earlier versions, you will need to manually create a security configuration and then specify your S3 data encryption.
The steps are described in the following pages:
- https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-create-security-configuration.html
- https://aws.amazon.com/blogs/big-data/secure-amazon-emr-with-encryption/
Please note that you may encounter service disruption after you reconfigure your cluster as explained in this section.
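The following is an added example, not code from GitGuardian or AWS, showing the weak security configuration beside the corrected one and a small checker that flags the setting this rule targets, plus an audit over live clusters through the EMR API (`describe_cluster` and `describe_security_configuration`). The JSON follows the EMR security configuration format; the bucket name and cluster id are constructed placeholders.

```python
import json

# Constructed example of a weak EMR security configuration:
# at-rest encryption is on but in-transit encryption is disabled.
WEAK_SECURITY_CONFIGURATION = json.dumps({
    "EncryptionConfiguration": {
        "EnableInTransitEncryption": False,
        "EnableAtRestEncryption": True,
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"}
        },
    }
})

# Corrected configuration: EnableInTransitEncryption is true and a TLS
# certificate provider is supplied (EMR requires one when the flag is on).
# The S3 object path is a placeholder, not a real bucket.
FIXED_SECURITY_CONFIGURATION = json.dumps({
    "EncryptionConfiguration": {
        "EnableInTransitEncryption": True,
        "EnableAtRestEncryption": True,
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"}
        },
        "InTransitEncryptionConfiguration": {
            "TLSCertificateConfiguration": {
                "CertificateProviderType": "PEM",
                "S3Object": "s3://EXAMPLE-BUCKET/emr-tls-certs.zip",
            }
        },
    }
})


def in_transit_encryption_findings(security_configuration_json: str) -> list:
    """Return a list of findings for one security configuration document.

    An empty list means the configuration satisfies this rule.
    """
    try:
        doc = json.loads(security_configuration_json)
    except json.JSONDecodeError as exc:
        return [f"security configuration is not valid JSON: {exc}"]

    enc = doc.get("EncryptionConfiguration")
    if not isinstance(enc, dict):
        return ["EncryptionConfiguration block is missing"]

    findings = []
    enabled = enc.get("EnableInTransitEncryption")
    if enabled is not True:
        findings.append("EncryptionConfiguration.EnableInTransitEncryption is not true")
    else:
        tls = (enc.get("InTransitEncryptionConfiguration") or {}).get(
            "TLSCertificateConfiguration"
        )
        if not tls:
            findings.append(
                "InTransitEncryptionConfiguration.TLSCertificateConfiguration is missing"
            )
    return findings


def audit_cluster(emr_client, cluster_id: str) -> list:
    """Audit one running cluster using the EMR API.

    `emr_client` is a boto3 EMR client (or any object with the same
    describe_cluster / describe_security_configuration methods, which is
    what the test below injects so the example runs offline).
    """
    cluster = emr_client.describe_cluster(ClusterId=cluster_id)["Cluster"]
    name = cluster.get("SecurityConfiguration")
    if not name:
        # No security configuration at all means no in-transit encryption.
        return ["cluster has no security configuration attached"]
    sec = emr_client.describe_security_configuration(Name=name)
    return in_transit_encryption_findings(sec["SecurityConfiguration"])


if __name__ == "__main__":
    print("weak :", in_transit_encryption_findings(WEAK_SECURITY_CONFIGURATION))
    print("fixed:", in_transit_encryption_findings(FIXED_SECURITY_CONFIGURATION))
```

To run the audit against a real account, pass `boto3.client("emr")` as `emr_client`; the checker itself has no AWS dependency, so it can also be pointed at security configuration JSON stored in version control before it is applied.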