Posted On: Jul 7, 2020

Amazon EMR now supports encrypting log files using Customer-managed Customer master keys (CMKs) stored in AWS Key Management Service (KMS). Amazon EMR automatically upload log files to Amazon S3 when logging and debugging is enabled With this new feature, you can associate Customer managed CMKs in AWS KMS when launching a cluster. Amazon EMR will automatically encrypt logs using the Customer managed CMKs in AWS KMS. Previously you could only encrypt log files written to S3 using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3). Click here to learn more about encrypting log files please see the documentation.

Log encryption using customer managed CMKs is available in EMR version 5.30, in all regions where EMR is available - see Region table. For KMS pricing see KMS Pricing Page. To learn more about data protection in Amazon EMR, see our Security Documentation.