EMR cluster local storage should be encrypted to prevent sensitive data leaks
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | LOW | AWS | DATA |
Description
Sensitive data can be stored on the local persistent drives of cluster instances. This data should be encrypted to prevent an attacker with access to the drive from leaking it. Keep in mind that local storage also holds other kinds of sensitive material, such as caches, buffers, scratch data and temporary files.
The local NVMe drives of NVMe-based instance types are encrypted by default, using a hardware module to manage the encryption keys. Only some HDD-backed instance types are encrypted by default (H1, D3, and D3en instances).
Local storage encryption is an important part of at-rest encryption; it is complementary to the encryption of data on the HDFS or EMRFS volumes.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | True | False | False |
An attacker with low-level access to the drive can dump the disk and exploit its contents later.
Remediation guidelines
Add a LocalDiskEncryptionConfiguration to your AWS EMR security configuration, like so:
```json
{
  "EncryptionConfiguration": {
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
        "EncryptionMode": "SSE-S3"
      },
      "LocalDiskEncryptionConfiguration": {
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "<your_kms_key_reference>"
      }
    },
    "EnableInTransitEncryption": true,
    "EnableAtRestEncryption": true
  }
}
```
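To verify the remediation, a posture check can evaluate the security configuration document itself. The following is an added example, not code from the original page or from AWS: it parses the JSON string that the EMR API returns in the `SecurityConfiguration` field (for example via `aws emr describe-security-configuration --name NAME --query SecurityConfiguration --output text`) and reports why the rule fails. It assumes the document has the shape of the snippet above; the sample configurations, the KMS key ARN and the account id in them are constructed placeholders.

```python
"""Audit an EMR security configuration for local-disk encryption.

Added example, not part of the original page. Evaluates the JSON document
stored in the `SecurityConfiguration` field of an EMR security
configuration and lists the reasons the rule fails.
"""
import json

# Constructed samples (not from a real account; the ARN and account id are
# placeholders). COMPLIANT is the remediated configuration from the page.
COMPLIANT = json.dumps({
    "EncryptionConfiguration": {
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"},
            "LocalDiskEncryptionConfiguration": {
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            },
        },
        "EnableInTransitEncryption": True,
        "EnableAtRestEncryption": True,
    }
})

# Constructed: at-rest encryption on, but no local disk block at all.
NONCOMPLIANT_MISSING = json.dumps({
    "EncryptionConfiguration": {
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"},
        },
        "EnableInTransitEncryption": True,
        "EnableAtRestEncryption": True,
    }
})

# Constructed: local disk block present, but the master switch is off,
# so the whole AtRestEncryptionConfiguration block is inert.
NONCOMPLIANT_DISABLED = json.dumps({
    "EncryptionConfiguration": {
        "AtRestEncryptionConfiguration": {
            "LocalDiskEncryptionConfiguration": {
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            },
        },
        "EnableAtRestEncryption": False,
    }
})

# Constructed: KMS provider selected but no key referenced.
NONCOMPLIANT_NO_KEY = json.dumps({
    "EncryptionConfiguration": {
        "AtRestEncryptionConfiguration": {
            "LocalDiskEncryptionConfiguration": {"EncryptionKeyProviderType": "AwsKms"},
        },
        "EnableAtRestEncryption": True,
    }
})


def local_disk_encryption_findings(security_configuration: str) -> list[str]:
    """Return the list of findings for the rule; an empty list means it passes."""
    try:
        doc = json.loads(security_configuration)
    except json.JSONDecodeError as exc:
        return [f"security configuration is not valid JSON: {exc}"]

    findings: list[str] = []
    encryption = doc.get("EncryptionConfiguration") or {}

    # EnableAtRestEncryption is the master switch: without it, nothing under
    # AtRestEncryptionConfiguration takes effect, local disks included.
    if encryption.get("EnableAtRestEncryption") is not True:
        findings.append("EnableAtRestEncryption is not true: at-rest encryption "
                        "(local disks included) is disabled")

    at_rest = encryption.get("AtRestEncryptionConfiguration") or {}
    local_disk = at_rest.get("LocalDiskEncryptionConfiguration")
    if not local_disk:
        findings.append("LocalDiskEncryptionConfiguration is missing: instance "
                        "local storage is not encrypted by EMR")
        return findings

    provider = local_disk.get("EncryptionKeyProviderType")
    if provider == "AwsKms":
        if not local_disk.get("AwsKmsKey"):
            findings.append("EncryptionKeyProviderType is AwsKms but AwsKmsKey is empty")
    elif provider is None:
        findings.append("LocalDiskEncryptionConfiguration has no EncryptionKeyProviderType")
    else:
        # Any provider other than the KMS one shown on the page is surfaced for
        # manual review rather than silently accepted or rejected.
        findings.append(f"EncryptionKeyProviderType {provider!r} is not AwsKms; "
                        "verify the key provider manually")
    return findings


def is_compliant(security_configuration: str) -> bool:
    """True when the configuration satisfies the local-disk encryption rule."""
    return not local_disk_encryption_findings(security_configuration)


if __name__ == "__main__":
    samples = [("compliant", COMPLIANT), ("missing", NONCOMPLIANT_MISSING),
               ("disabled", NONCOMPLIANT_DISABLED), ("no key", NONCOMPLIANT_NO_KEY)]
    for name, cfg in samples:
        print(f"{name}: {local_disk_encryption_findings(cfg) or ['OK']}")
```

Run the check against every security configuration in the account, and also against the `Cluster.SecurityConfiguration` name returned by `aws emr describe-cluster` for running clusters, since a compliant configuration that no cluster references does not protect anything.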