Amazon EMR

EMR Encryption At Rest Disabled

Risk Level: Medium

Description: 

This plugin guarantees that encryption at rest for local drives is enabled for EMR clusters.

PingSafe strongly recommends updating the security configuration associated with the EMR cluster to enable encryption at rest for local disks.

About the Service :

Amazon EMR (Amazon Elastic MapReduce) is a managed cluster platform that makes it easier to run big data frameworks on AWS, such as Apache Hadoop and Apache Spark, to process and analyse large amounts of data. You may process data for analytics and business intelligence tasks using these frameworks and related open-source projects. Amazon EMR also allows you to convert and transport massive volumes of data into and out of other AWS data storage and databases, such as Amazon S3 and Amazon DynamoDB.

Impact : 

When working with production data, encryption is strongly advised to safeguard the data from unwanted access and to meet your organization's compliance needs for data-at-rest and in-transit encryption.

Steps to reproduce :

  1. Log in to your AWS Management Console.
    https://console.aws.amazon.com/ 
  2. Navigate to the EMR Dashboard.
    https://console.aws.amazon.com/elasticmapreduce/ 
  3. In the left navigation panel, click on Clusters.
  4. Click on the cluster that you want to examine.
  5. In the Security and Access section, check the Security Configuration attribute. If there is no such attribute then EMR encryption at rest is disabled.
  6. Repeat the steps for other clusters as well.

Steps for remediation :

  1. Log in to your AWS Management Console.
    https://console.aws.amazon.com/ 
  2. Navigate to the EMR Dashboard.
    https://console.aws.amazon.com/elasticmapreduce/ 
  3. In the left navigation panel, click on Clusters.
  4. Click on the cluster that you want to examine.
  5. In the Security and Access section, check the Security Configuration attribute. If there is no such attribute then EMR encryption at rest is disabled.
  6. Click on the Security Configuration in the left navigation pane and then click on Create.
  7. In the Local Disk Encryption check the Enable at rest encryption for local disks and fill the required fields.
  8. Next, click on Create and head back to the clusters page and click on Clone for the cluster that you want to relaunch. In the cloning page within the security options click Authentication and Encryption and then select the name of the security configuration created earlier.
  9. Click Next and once this cluster is up terminate the old cluster by clicking on Terminate.
  10. Repeat the steps for other clusters as well.

References: