AWS EMR cluster is not enabled with data encryption in transit
Description
This policy is checking for whether the security configuration of an Elastic Map Reduce (EMR) Cluster in AWS is set up to encrypt data 'InTransit'.
InTransit encryption is important for data security, especially when data is moving between nodes or between a node and the client. If this feature is not enabled, it leaves potential vulnerabilities for cyber attackers to intercept sensitive information during the transmission process. Hence, having data unencrypted 'InTransit' is considered a bad or risky practice that could potentially lead to data breaches or unauthorized data access. This policy helps ensure the security and privacy of the transmitted data.
Code Example
resource "aws_emr_security_configuration" "tf_emr_security_config" {
name = "emr_security_config"
configuration = <<EOH
{
"EncryptionConfiguration": {
"AtRestEncryptionConfiguration": {
"S3EncryptionConfiguration": {
"EncryptionMode": "SSE-S3"
},
"LocalDiskEncryptionConfiguration": {
"EncryptionKeyProviderType": "AwsKms",
"AwsKmsKey": "${aws_kms_key.tf_emr.key_id}"
}
},
"EnableInTransitEncryption": true,
"InTransitEncryptionConfiguration": {
"TLSCertificateConfiguration": {
"CertificateProviderType": "PEM",
"AwsKmsKey": "${aws_kms_key.tf_emr.key_id}"
}
}
}
}
EOH
}Remediation
Terraform
- Resource: aws_emr_security_configuration
- Arguments: configuration.EncryptionConfiguration.EnableInTransitEncryption
To fix the issue, you need to provide the security configuration details with encryption settings. In the security configuration, include the `"EnableInTransitEncryption": true` setting under `aws_emr_security_configuration` resource. Here is what that might look like:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0398 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_351 |