How do I create an EMR cluster with EBS volume encryption?

Last updated: 2023-01-09

I want to turn on Amazon Elastic Block Store (Amazon EBS) encryption in Amazon EMR. Or, I want to use an AWS Key Management Service (AWS KMS) key to encrypt an EBS volume that's attached to my EMR cluster.

Short description

Amazon EBS encryption integrates with AWS KMS to provide the encryption keys that protect your data. Beginning with Amazon EMR version 5.24.0, you can choose to turn on EBS encryption. The EBS encryption option encrypts the EBS root device volume and attached storage volumes. For considerations and limitations, see Local disk encryption.

There are two options to encrypt EBS volumes on your EMR cluster:

  • Turn on encryption by default for EBS volumes at the account level.
  • Create a KMS key and Amazon EMR security configuration to encrypt EBS volumes for a specific EMR cluster.

Resolution

Turn on encryption by default for EBS volumes at the account level

For more information, see Encryption by default. Note that this setting is per Region and applies to every new EBS volume created in that Region, not only to EMR clusters. Unless you change the default key, volumes are encrypted with the AWS managed key for EBS (aws/ebs). Volumes that already exist are not re-encrypted, and a cluster launched in a Region where the setting is off gets unencrypted volumes.

Create a KMS key and Amazon EMR security configuration to encrypt EBS volumes for a specific EMR cluster

To use this option, do the following:

  1. Create a KMS key.
  2. Create and configure the Amazon EMR security configuration.
  3. Provision an EMR cluster with the security configuration.

Step 1: Create a KMS key

If you don’t have a KMS key ready for this purpose, then do the following to create the key:

  1. Open the AWS KMS console.
  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
  3. In the navigation pane, choose Customer managed keys.
  4. Choose Create key.
  5. To create a symmetric encryption KMS key, for Key type choose Symmetric.
  6. In Key usage, the Encrypt and decrypt option is selected for you.
  7. Choose Next.
  8. Enter an alias for the key.
  9. Choose Next.
  10. Choose the Key administrator.
  11. Choose Next.
  12. Select the Amazon EMR service role. The default role is EMR_DefaultRole.
  13. Select the Amazon Elastic Compute Cloud (Amazon EC2) instance profile role. The default role for the instance profile is EMR_EC2_DefaultRole.
  14. Choose Next.
  15. Choose Finish.

Selecting the two roles in the Key users step adds them to the key policy as key users. If you use a custom Amazon EMR service role or a custom instance profile role instead, then attach the following IAM policy to that role before provisioning the EMR cluster, and make sure the key policy also allows the role to use the key (the default key policy delegates this to IAM; a restricted key policy must name the role).

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey",
            "kms:CreateGrant",
            "kms:ListGrants"
        ],
        "Resource": [
            "arn:aws:kms:region:account-id:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        ]
    }]
}

Step 2: Create and configure the Amazon EMR security configuration

  1. Open the Amazon EMR console.
  2. Choose Security configurations.
  3. Choose Create.
  4. Under Local disk encryption, choose Enable at-rest encryption for local disks.
  5. For Key provider type, choose AWS KMS.
  6. For AWS KMS customer master key, choose the key ARN of your KMS key.
  7. Select Encrypt EBS volumes with EBS encryption. Without this option, local disk encryption uses LUKS on the instance's storage volumes and the EBS root device volume stays unencrypted.
  8. Choose Create.

Step 3: Provision an EMR cluster with the security configuration

If you create your EMR cluster using the EMR console, then in Step 4: Security, choose the security configuration that you just created.

When you create the cluster through other methods (the AWS CLI, an SDK, or AWS CloudFormation), pass the name of the security configuration you just created, for example with the --security-configuration option of aws emr create-cluster. A security configuration is only applied at cluster creation; you can't attach it to a running cluster.
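The same three steps as an AWS CLI script, followed by a check that the article's console flow doesn't include: confirming that every EBS volume attached to the cluster's instances is actually encrypted with the chosen key. This is an added example, not code from the AWS article. The key alias, security configuration name, key pair, subnet, log bucket and release label are placeholders you must replace; the role names are the article's defaults. AWS calls run only when the script is invoked with --apply, so the JSON builders and the volume check can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: CLI version of Steps 1-3 plus a post-launch check.
# Not from the AWS article. Placeholders below (alias, configuration name,
# subnet, key pair, log bucket, release label) are assumptions to replace.
set -eu

REGION="${AWS_REGION:-us-east-1}"
KEY_ALIAS="alias/emr-ebs-encryption"          # hypothetical alias
SEC_CONFIG_NAME="emr-ebs-kms"                 # hypothetical configuration name
SERVICE_ROLE="EMR_DefaultRole"                # article's default service role
INSTANCE_PROFILE_ROLE="EMR_EC2_DefaultRole"   # article's default instance profile role

# IAM policy from the article, parameterised with the key ARN ($1).
kms_policy_json() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["kms:Encrypt",
"kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey*","kms:DescribeKey",
"kms:CreateGrant","kms:ListGrants"],"Resource":["$1"]}]}
EOF
}

# Security configuration JSON equivalent to the console choices in Step 2:
# at-rest local disk encryption, AWS KMS as provider, EBS encryption enabled.
security_config_json() {
  cat <<EOF
{"EncryptionConfiguration":{"EnableInTransitEncryption":false,
"EnableAtRestEncryption":true,"AtRestEncryptionConfiguration":{
"LocalDiskEncryptionConfiguration":{"EncryptionKeyProviderType":"AwsKms",
"AwsKmsKey":"$1","EnableEbsEncryption":true}}}}
EOF
}

# Reads lines "<VolumeId> <Encrypted> <KmsKeyId>" (the shape of the
# `aws ec2 describe-volumes --output text` query used in main) and fails if
# any volume is unencrypted or encrypted with a key other than the expected one.
check_volumes() {
  local expected="$1" bad=0 vol enc kms
  while read -r vol enc kms; do
    [ -z "$vol" ] && continue
    if [ "$enc" != "True" ] || [ "$kms" != "$expected" ]; then
      echo "UNEXPECTED: $vol Encrypted=$enc KmsKeyId=$kms" >&2
      bad=1
    fi
  done
  return $bad
}

main() {
  # Step 1: symmetric KMS key (the CLI default), alias, and the article's
  # policy on both roles. The default key policy delegates to IAM.
  key_id=$(aws kms create-key --region "$REGION" --description "EMR EBS encryption" \
             --query KeyMetadata.KeyId --output text)
  aws kms create-alias --region "$REGION" --alias-name "$KEY_ALIAS" --target-key-id "$key_id"
  key_arn=$(aws kms describe-key --region "$REGION" --key-id "$key_id" \
              --query KeyMetadata.Arn --output text)
  for role in "$SERVICE_ROLE" "$INSTANCE_PROFILE_ROLE"; do
    aws iam put-role-policy --role-name "$role" --policy-name emr-ebs-kms \
      --policy-document "$(kms_policy_json "$key_arn")"
  done

  # Step 2: security configuration referencing the key by ARN.
  aws emr create-security-configuration --region "$REGION" --name "$SEC_CONFIG_NAME" \
    --security-configuration "$(security_config_json "$key_arn")"

  # Step 3: cluster that references the security configuration by name.
  # Release label must be 5.24.0 or later for the EBS encryption option.
  cluster_id=$(aws emr create-cluster --region "$REGION" --name "ebs-encrypted" \
    --release-label emr-6.9.0 --applications Name=Spark \
    --instance-type m5.xlarge --instance-count 3 --use-default-roles \
    --ec2-attributes KeyName=my-keypair,SubnetId=subnet-0123456789abcdef0 \
    --log-uri s3://my-emr-logs/ --security-configuration "$SEC_CONFIG_NAME" \
    --query ClusterId --output text)

  # Check: every EBS volume on the cluster's instances, root volume included,
  # must report Encrypted=True with our key. API success alone doesn't show this.
  aws emr wait cluster-running --region "$REGION" --cluster-id "$cluster_id"
  ids=$(aws emr list-instances --region "$REGION" --cluster-id "$cluster_id" \
          --query 'Instances[].Ec2InstanceId' --output text | tr '\t' ',')
  aws ec2 describe-volumes --region "$REGION" \
    --filters "Name=attachment.instance-id,Values=$ids" \
    --query 'Volumes[].[VolumeId,Encrypted,KmsKeyId]' --output text \
    | check_volumes "$key_arn" && echo "All volumes on $cluster_id use $key_arn"
}

# Only touch AWS when invoked as: ./emr-ebs-kms.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

The final describe-volumes query is worth keeping as a standalone audit even if you built the cluster in the console: KmsKeyId on a volume is the key ARN, so comparing it against the ARN in the security configuration catches the case where the cluster silently fell back to the account default (aws/ebs) key or where an instance group was launched with a different configuration.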
