🛡️ AWS EMR Cluster Logging is disabled🟢⚪
- Contextual name: 🛡️ EMR Cluster logging disabled🟢⚪
- ID: /ce/ca/aws/emr/cluster-logging
- Tags:
  - ⚪ Impossible policy
  - 🟢 Policy with categories
  - 🟢 Policy with type
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: RELIABILITY
Similar Policies
- Cloud Conformity: EMR Cluster Logging
Description
This policy identifies Amazon EMR clusters that do not have logging enabled. Ensure that all Amazon EMR cluster logs are archived and uploaded to Amazon S3 to support long-term retention, historical analysis, and operational troubleshooting.
Rationale
Amazon EMR clusters are often ephemeral, created to perform specific workloads and terminated after completion. If logging is not enabled, all detailed records of cluster activity are lost upon termination. Logs are critical for diagnosing failures in Hadoop jobs, Spark applications, and cluster bootstrap or configuration processes. Centralizing EMR logs in Amazon S3 enables long-term retention, supports forensic analysis, and improves visibility into operational and security-related events across EMR workloads.
Audit
This policy flags an AWS EMR Cluster as `INCOMPLIANT` if the `Log Url` field is empty, indicating that cluster logging is not configured.
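The audit rule above, as an added example (not Cloudaware's own code): a Python check over responses shaped like `aws emr describe-cluster` output, assuming the policy's `Log Url` field corresponds to the API's `LogUri`. The cluster IDs, names and bucket are constructed sample data, and the `REVIEW` status for a non-S3 value goes beyond the policy, which only flags an empty field.

```python
import json
from urllib.parse import urlparse

# Constructed sample data shaped like `aws emr describe-cluster` responses.
SAMPLE_CLUSTERS = json.loads("""
[
  {"Cluster": {"Id": "j-EXAMPLE00001", "Name": "nightly-etl",
               "Status": {"State": "WAITING"},
               "LogUri": "s3n://example-emr-logs/nightly-etl/"}},
  {"Cluster": {"Id": "j-EXAMPLE00002", "Name": "adhoc-spark",
               "Status": {"State": "RUNNING"}}},
  {"Cluster": {"Id": "j-EXAMPLE00003", "Name": "legacy-batch",
               "Status": {"State": "TERMINATED"}, "LogUri": "  "}}
]
""")

# describe-cluster commonly reports the log location with the s3n:// scheme.
S3_SCHEMES = {"s3", "s3n"}


def evaluate(cluster):
    """Return (status, detail) for one describe-cluster 'Cluster' object."""
    # A missing key, null, empty string and whitespace all count as empty.
    log_uri = (cluster.get("LogUri") or "").strip()
    if not log_uri:
        return "INCOMPLIANT", "LogUri is empty: logs are lost at termination"
    parsed = urlparse(log_uri)
    if parsed.scheme not in S3_SCHEMES or not parsed.netloc:
        # Added status (assumption): a value is set but is not an S3 location.
        return "REVIEW", f"LogUri is not an S3 location: {log_uri}"
    prefix = parsed.path.lstrip("/")
    return "COMPLIANT", f"bucket={parsed.netloc} prefix={prefix}"


def audit(responses):
    """Evaluate every response and keep the cluster state for triage."""
    findings = []
    for resp in responses:
        c = resp["Cluster"]
        status, detail = evaluate(c)
        state = c.get("Status", {}).get("State", "UNKNOWN")
        findings.append({"id": c["Id"], "name": c.get("Name", ""),
                         "state": state, "status": status, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CLUSTERS):
        print(f"{f['status']:<12}{f['id']} {f['name']} [{f['state']}] {f['detail']}")
```

The cluster state is kept in each finding because logging cannot be changed after launch: a running `INCOMPLIANT` cluster has to be replaced by one created with a log URI.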
Remediation
Enable Amazon EMR Cluster Logging
Amazon EMR does not support enabling or modifying logging configuration after a cluster has been launched. Ensure that all new EMR clusters are created with logging explicitly enabled.
Cluster logs must be delivered to Amazon S3 to support troubleshooting, operational analysis, and long-term retention.
From Command Line
When creating a new EMR cluster, include the `--log-uri` parameter to specify the Amazon S3 location where logs will be stored:

```bash
aws emr create-cluster \
  --name {{cluster-name}} \
  --log-uri s3://{{bucket-name}}/{{prefix}} \
  # ... other properties
```

Replace the placeholders with values appropriate for your environment.
Using AWS CloudFormation
When provisioning EMR clusters using AWS CloudFormation, configure the `LogUri` property in the `AWS::EMR::Cluster` resource definition:

```yaml
Resources:
  MyEmrCluster:
    Type: AWS::EMR::Cluster
    Properties:
      LogUri: s3://{{bucket-name}}/{{prefix}}
      # ... other properties
```
... [see more](remediation.md)
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 AWS Well-Architected → 💼 SEC04-BP02 Capture logs, findings, and metrics in standardized locations | 3 | no data | | | |
| 💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration | 71 | no data | | | |