
AWS EMR cluster is not configured with SSE KMS for data at rest encryption (Amazon S3 with EMRFS)

Description

Enabling Amazon S3 server-side encryption with AWS Key Management Service (SSE-KMS) in your Amazon EMR (Elastic MapReduce) cluster's security configuration protects the data the cluster stores in Amazon S3 through EMRFS. SSE-KMS uses a customer master key (CMK) in AWS KMS to encrypt and decrypt the data stored in Amazon S3. This check flags an EMR security configuration whose S3 encryption mode is not SSE-KMS.

Code Example

```hcl
resource "aws_emr_security_configuration" "test" {
  # ... other arguments omitted
  # The S3EncryptionConfiguration block is what this check inspects:
  # EncryptionMode must be "SSE-KMS" and AwsKmsKey must name the KMS key.
  configuration = <<EOF
{
  "EncryptionConfiguration": {
    "EnableAtRestEncryption": true,
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
        "EncryptionMode": "SSE-KMS",
        "AwsKmsKey": "${module.encryption_module.kms_key_alias}"
      },
      "LocalDiskEncryptionConfiguration": {
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "${module.encryption_module.kms_key_alias}"
      }
    },
    "EnableInTransitEncryption": true
  }
}
EOF
}
```

Remediation

Terraform

  • Resource: aws_emr_security_configuration
  • Arguments: EnableAtRestEncryption
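The following is an added example, not Checkov's own implementation of CKV_AWS_171: it evaluates the JSON string passed as the `configuration` argument the way this check does, failing when at-rest encryption is disabled, when the S3EncryptionConfiguration block is missing, or when its EncryptionMode is anything other than SSE-KMS. The sample configurations and the key alias `alias/example-emr-key` are constructed for the example.

```python
import json
from typing import Tuple


def s3_at_rest_uses_sse_kms(configuration: str) -> Tuple[bool, str]:
    """Return (passed, reason) for an aws_emr_security_configuration's
    `configuration` JSON. Passes only when EMRFS (S3) at-rest encryption
    is enabled and uses SSE-KMS with a KMS key supplied."""
    try:
        cfg = json.loads(configuration)
    except json.JSONDecodeError as exc:
        return False, f"configuration is not valid JSON: {exc}"
    enc = cfg.get("EncryptionConfiguration") if isinstance(cfg, dict) else None
    if not isinstance(enc, dict):
        return False, "EncryptionConfiguration block missing"
    if enc.get("EnableAtRestEncryption") is not True:
        return False, "EnableAtRestEncryption is not true"
    at_rest = enc.get("AtRestEncryptionConfiguration")
    if not isinstance(at_rest, dict):
        return False, "AtRestEncryptionConfiguration block missing"
    s3 = at_rest.get("S3EncryptionConfiguration")
    if not isinstance(s3, dict):
        return False, "S3EncryptionConfiguration block missing"
    mode = s3.get("EncryptionMode")
    if mode != "SSE-KMS":
        return False, f"S3 EncryptionMode is {mode!r}, expected 'SSE-KMS'"
    if not s3.get("AwsKmsKey"):
        return False, "SSE-KMS selected but AwsKmsKey is empty"
    return True, "S3 at-rest encryption uses SSE-KMS"


def _config(mode: str, at_rest: bool = True, key: str = "alias/example-emr-key") -> str:
    """Build a constructed security-configuration JSON for testing."""
    s3 = {"EncryptionMode": mode}
    if mode == "SSE-KMS":
        s3["AwsKmsKey"] = key  # constructed placeholder alias
    return json.dumps({"EncryptionConfiguration": {
        "EnableAtRestEncryption": at_rest,
        "AtRestEncryptionConfiguration": {"S3EncryptionConfiguration": s3},
        "EnableInTransitEncryption": True}})


# Constructed inputs: one compliant, one using SSE-S3, one with at-rest off
PASSING = _config("SSE-KMS")
FAILING_SSE_S3 = _config("SSE-S3")
FAILING_DISABLED = _config("SSE-KMS", at_rest=False)

if __name__ == "__main__":
    for name, cfg in [("passing", PASSING), ("sse-s3", FAILING_SSE_S3),
                      ("at-rest-off", FAILING_DISABLED)]:
        print(name, s3_at_rest_uses_sse_kms(cfg))
```

Running the module prints one (passed, reason) pair per sample, so the same function can be pointed at the rendered `configuration` value from a Terraform plan.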

Rule Details

  • ID: IAC-0220
  • Severity: LOW
  • IaC Type: Terraform
  • Frameworks: Terraform, TerraformPlan
  • Checkov ID: CKV_AWS_171

References