AWS EMR cluster is not enabled with local disk encryption
Description
This policy verifies whether the EMR (Elastic MapReduce) cluster security configuration in AWS (Amazon Web Services) is set up to encrypt local disks. Without appropriate encryption of local disks, the data stored on them is exposed to potential attacks, breaches, or unauthorized disclosure. This encryption is critical to protect sensitive data and maintain the confidentiality and integrity of the information.
Code Example

```hcl
resource "aws_emr_security_configuration" "pass" {
  name          = "emrsc_other"
  configuration = <<EOF
{
  "EncryptionConfiguration": {
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
        "EncryptionMode": "SSE-S3"
      },
      "LocalDiskEncryptionConfiguration": {
        "EnableEbsEncryption": true,
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "arn:aws:kms:eu-west-2:680235478471:key/27b6fd31-ca6d-4c71-8dca-06ebd0f94174"
      }
    },
    "EnableInTransitEncryption": false,
    "EnableAtRestEncryption": true
  }
}
EOF
}
```

Remediation
Terraform
- Resource: aws_emr_security_configuration
- Arguments: configuration.EncryptionConfiguration.EnableAtRestEncryption
To fix the issue, enable local disk encryption in the security configuration used by your EMR cluster. You will need to specify the "SecurityConfiguration" property in your AWS EMR Cluster resource, and that property should reference a Security Configuration resource in which "LocalDiskEncryptionConfiguration" is enabled.
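The remediation above as an added worked example (this is not code from the page or from the Checkov project): a security configuration that this rule would flag placed beside the corrected one, and an `aws_emr_cluster` that actually applies the corrected configuration through Terraform's `security_configuration` argument (the Terraform name for the "SecurityConfiguration" property). The resource names, the KMS key resource, the release label, instance types and the IAM role names are assumptions; replace them with your own values.

```hcl
# Added example, not from the page or the Checkov project. Resource names,
# IAM role names, release label and instance types are assumptions.

# Customer-managed KMS key for the EBS volumes attached to the EMR nodes,
# referenced below instead of hard-coding a key ARN.
resource "aws_kms_key" "emr_local_disk" {
  description         = "EMR local disk (EBS) encryption"
  enable_key_rotation = true
}

# FAILING form: at-rest encryption is switched on for S3 only. With no
# LocalDiskEncryptionConfiguration block, the EBS volumes on the cluster
# nodes stay unencrypted, which is exactly what this rule reports.
resource "aws_emr_security_configuration" "fail" {
  name = "emrsc-local-disk-unencrypted"
  configuration = jsonencode({
    EncryptionConfiguration = {
      EnableAtRestEncryption    = true
      EnableInTransitEncryption = false
      AtRestEncryptionConfiguration = {
        S3EncryptionConfiguration = { EncryptionMode = "SSE-S3" }
      }
    }
  })
}

# PASSING form: LocalDiskEncryptionConfiguration is present, EBS encryption
# is enabled and the key comes from the KMS resource above. In-transit
# encryption is a separate control and is left as the page shows it.
resource "aws_emr_security_configuration" "pass" {
  name = "emrsc-local-disk-encrypted"
  configuration = jsonencode({
    EncryptionConfiguration = {
      EnableAtRestEncryption    = true
      EnableInTransitEncryption = false
      AtRestEncryptionConfiguration = {
        S3EncryptionConfiguration = { EncryptionMode = "SSE-S3" }
        LocalDiskEncryptionConfiguration = {
          EnableEbsEncryption       = true
          EncryptionKeyProviderType = "AwsKms"
          AwsKmsKey                 = aws_kms_key.emr_local_disk.arn
        }
      }
    }
  })
}

# The cluster only benefits from the setting when it references the passing
# security configuration by name via security_configuration.
resource "aws_emr_cluster" "analytics" {
  name          = "analytics"
  release_label = "emr-6.10.0"
  applications  = ["Spark"]

  service_role           = "EMR_DefaultRole" # assumed existing IAM role
  security_configuration = aws_emr_security_configuration.pass.name

  ec2_attributes {
    instance_profile = "EMR_EC2_DefaultRole" # assumed existing instance profile
  }

  master_instance_group {
    instance_type = "m5.xlarge"
  }

  core_instance_group {
    instance_type  = "m5.xlarge"
    instance_count = 2
  }
}
```

Using `jsonencode` rather than a heredoc lets Terraform validate the structure and lets the KMS key ARN be an expression instead of a literal. Running the scanner against this file should report the `fail` resource and accept the `pass` resource; the cluster itself is only as protected as the security configuration it names, so the reference in `security_configuration` is the part to check in review.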
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0396 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_349 |