🛡️ AWS EMR Cluster encryption is disabled🟢⚪

Contextual name: 🛡️ Cluster encryption is disabled🟢⚪
ID: /ce/ca/aws/emr/cluster-encryption
Tags:
- ⚪ Impossible policy
- 🟢 Policy with categories
- 🟢 Policy with type
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Similar Policies

AWS Security Hub: [EMR.3] Amazon EMR security configurations should be encrypted at rest
AWS Security Hub: [EMR.4] Amazon EMR security configurations should be encrypted in transit
Cloud Conformity: EMR In-Transit and At-Rest Encryption

Description

Description

This policy identifies Amazon EMR clusters that are not associated with an EMR security configuration. Security configurations enable encryption and other protective controls to safeguard sensitive data processed and stored by EMR clusters.

Data encryption helps prevent unauthorized access to sensitive information within EMR clusters and their associated storage systems. This includes data stored on persistent media (data at rest) and data transmitted across the network (data in transit).

Rationale

Protecting data throughout its lifecycle is a fundamental security requirement for distributed data processing environments such as Amazon EMR.

Encryption at Rest

Prevents unauthorized access to data stored on local disks or attached Amazon EBS volumes in the event of underlying infrastructure compromise.

Encryption in Transit

Protects data exchanged between EMR nodes (for example, primary and core nodes in the Hadoop ecosystem), reducing the risk of man-in-the-middle attacks within the VPC.

... see more

Remediation

Open File

Remediation

Associate an EMR Cluster with a Security Configuration

Amazon EMR security configurations define encryption settings for data at rest and data in transit, as well as other security controls such as Kerberos authentication. Ensure that all new clusters are launched with a security configuration applied.

Note: Security configurations cannot be applied to an existing cluster after it is launched. This remediation applies only to new clusters.

From Command Line
Create or identify an existing security configuration:
aws emr list-security-configurations
aws emr create-security-configuration --name "{{security-config}}" --security-configuration '{
    "EncryptionConfiguration": {
        "EnableInTransitEncryption": true,
        "EnableAtRestEncryption": true,
        "InTransitEncryptionConfiguration": {
            "TLSCertificateConfiguration": {
                "CertificateProviderType": "PEM",
                "S3Object": "arn:aws:s3:::{{MyConfigStore}}/{{artifacts}}/{{MyCerts}}.zip"
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EMR.3] Amazon EMR security configurations should be encrypted at rest			1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EMR.4] Amazon EMR security configurations should be encrypted in transit			1	no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			19	no data
💼 AWS Well-Architected → 💼 SEC09-BP02 Enforce encryption in transit			1	no data
💼 Cloudaware Framework → 💼 Data Encryption			66	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	95	no data
💼 FedRAMP High Security Controls → 💼 CP-9(8) Cryptographic Protection (M)(H)			2	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			41	no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	23	no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	22	no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	40	no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	19	no data
💼 FedRAMP High Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			6	no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		23	no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			22	no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			40	no data
💼 FedRAMP Low Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			6	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		79	no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9(8) Cryptographic Protection (M)(H)			2	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			41	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		23	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			22	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			40	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SI-12 Information Management and Retention (L)(M)(H)			6	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			162	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			81	no data
💼 NIST CSF v2.0 → 💼 ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained			6	no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles			26	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			173	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			149	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			169	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			112	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	110	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			39	no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-9(8) System Backup _ Cryptographic Protection			2	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			41	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8 Transmission Confidentiality and Integrity	5	8	23	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling			14	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		29	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23 Session Authenticity	5		13	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers			12	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention	3		6	no data

Similar Policies​

Description​

Description​

Rationale​

Remediation​

Remediation​

Associate an EMR Cluster with a Security Configuration​

From Command Line​

policy.yaml​

Linked Framework Sections​

Similar Policies

Description

Description

Rationale

Remediation

Remediation

Associate an EMR Cluster with a Security Configuration

From Command Line

policy.yaml

Linked Framework Sections