EMR clusters should use in-transit encryption
- GG_ID: GG_IAC_0073
- Severity: HIGH
- Complexity: HIGH
- Categories: DATA, NETWORK, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
AWS Elastic MapReduce (EMR) is a managed cluster platform that assists running big data frameworks to process and analyze data.
Enabling in-transit encryption helps protect data when it is moving from one location to another.
Not encrypting data in-transit could lead to data leak in case of an attack.
For AWS EMR version 4.8.0 or later, update the security configuration attached to the
EMR cluster so that
EncryptionConfiguration.EnableInTransitEncryption is set to
See this AWS documentation page for configuration examples.
For earlier versions, you will need to manually create a security configuration and then specify your S3 data encryption.
The steps are described in the following pages:
Please note that you may encounter service disruption after you reconfigure your cluster as explained in this section