Amazon Elastic MapReduce
Amazon EMR Release Guide

Create a Cluster With Amazon S3 Server-Side Encryption Enabled

Amazon S3 server-side encryption (SSE) is supported with Amazon EMR. To launch a cluster with server-side encryption, you can use the AWS Management Console, the AWS CLI, or the emrfs-site configuration classification to set fs.s3.enableServerSideEncryption to true.

To configure server-side encryption using the console

  1. Choose Create Cluster.

  2. Navigate to the File System Configuration section.

  3. To use Server-side encryption, choose Enabled.

  4. Choose Create cluster.

To launch a cluster with Amazon S3 server-side encryption enabled using AWS CLI

Type the following command to launch an Amazon EMR cluster with Amazon S3 server-side encryption enabled.

aws emr create-cluster --release-label emr-4.6.0 \
--instance-count 3 --instance-type m1.large --emrfs Encryption=ServerSide

Using AWS KMS-managed keys with SSE

You can use AWS KMS-managed keys with server-side encryption. You enable this feature when you create your cluster with server-side encryption enabled and provide a KMS key ID or KMS key ARN (Amazon Resource Name) with the fs.s3.serverSideEncryption.kms.keyId setting in the emrfs-site configuration classification. For more information, see Protecting Data Using Server-Side Encryption with AWS KMS–Managed Keys (SSE-KMS).

Note

The KMS key ID and the bucket where you access Amazon S3 objects must reside in the same region.

You will likely need to add your instance profile or EC2 role to the list of key users for the desired KMS key. You can do this in one of two ways: using the AWS Management Console or by applying a key policy with CLI or SDK. An example key policy is provided below:

{
  "Sid": "Allow use of your key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::acct:role/ec2-role-name"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringLike": {
      "kms:EncryptionContext:aws:s3:arn": [
        "arn:aws:s3:::bucket1/*",
        "arn:aws:s3:::bucket2/*"
      ]
    }
  }
}

You can define a policy with conditions like the one above to restrict use of the key to certain objects. In this case, the policy allows the EC2 role to perform the listed KMS actions only for objects in bucket1 and bucket2. To make the policy less restrictive, remove the "Condition" key and its value from this policy.

Note

By default, Amazon EMR does not pass any encryption context, but Amazon S3 adds encryption context to requests for KMS-encrypted objects or objects that are going to be encrypted using a KMS key. For more information, see Encryption Context in the AWS Key Management Service Developer Guide and API Support for AWS Key Management Service in Amazon S3 in the Amazon Simple Storage Service Developer Guide.
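The effect of the condition in the key policy above, and of the note that S3 rather than EMR supplies the encryption context, is easiest to see by evaluating the statement against concrete requests. The following Python is an added example, not code from the AWS documentation or from Amazon EMR. It models only the ForAnyValue:StringLike operator the statement uses, and the account ID, role name and object keys in it are constructed placeholders.

```python
import re
from typing import Any, Dict, List, Mapping

# Constructed statement modelled on the key policy shown above. The account id
# and role name are placeholders, not identifiers from the page or a real account.
KEY_POLICY_STATEMENT: Dict[str, Any] = {
    "Sid": "Allow use of your key",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/EMR_EC2_DefaultRole"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringLike": {
            "kms:EncryptionContext:aws:s3:arn": [
                "arn:aws:s3:::bucket1/*",
                "arn:aws:s3:::bucket2/*",
            ]
        }
    },
}


def _as_list(value: Any) -> List[Any]:
    """Policy JSON accepts a single string wherever a list is allowed."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def iam_wildcard_match(pattern: str, value: str) -> bool:
    """StringLike matching: '*' is any run of characters, '?' exactly one;
    every other character is literal. StringLike is case-sensitive."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def statement_allows(statement: Dict[str, Any], principal_arn: str, action: str,
                     encryption_context: Mapping[str, str]) -> bool:
    """True when this Allow statement grants `action` to `principal_arn` for a
    request carrying `encryption_context` (the key/value pairs KMS sees).
    Only the ForAnyValue:StringLike operator used above is implemented."""
    if statement.get("Effect") != "Allow":
        return False
    if principal_arn not in _as_list(statement["Principal"]["AWS"]):
        return False
    # IAM compares action names case-insensitively.
    if not any(iam_wildcard_match(p.lower(), action.lower())
               for p in _as_list(statement["Action"])):
        return False
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "ForAnyValue:StringLike":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for ctx_key, patterns in keys.items():
            # "kms:EncryptionContext:aws:s3:arn" names the context pair "aws:s3:arn"
            name = ctx_key.split(":", 2)[2]
            if name not in encryption_context:
                # A set operator whose context key is absent evaluates to false,
                # so a request that carries no encryption context is denied.
                return False
            if not any(iam_wildcard_match(p, encryption_context[name])
                       for p in _as_list(patterns)):
                return False
    return True


if __name__ == "__main__":
    role = KEY_POLICY_STATEMENT["Principal"]["AWS"]
    # S3 adds the object ARN as encryption context on SSE-KMS requests.
    for obj in ("arn:aws:s3:::bucket1/logs/part-00000.gz", "arn:aws:s3:::bucket3/x"):
        print(obj, statement_allows(KEY_POLICY_STATEMENT, role, "kms:Decrypt",
                                    {"aws:s3:arn": obj}))
    print("no context:", statement_allows(KEY_POLICY_STATEMENT, role, "kms:Decrypt", {}))
```

Dropping the "Condition" key, as the text describes, makes the same role's request succeed with no encryption context at all; with the condition in place, only calls that arrive through S3 for objects under bucket1 or bucket2 are granted.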

Adding Your EC2 Role to the List of Key Users

The following procedure describes how to add a key user with the AWS Management Console.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Encryption Keys.

  3. Click the desired Key Alias.

  4. In the key details page under Key Users, choose Add, which opens an Attach dialog.

  5. Scroll down to choose the appropriate role. The default name for the role is EMR_EC2_DefaultRole.

  6. Choose Attach.

Type the following AWS CLI command to launch a cluster with SSE using a KMS key:

aws emr create-cluster --release-label emr-4.5.0 --instance-count 3 \
--instance-type m1.xlarge --use-default-roles \
--emrfs Encryption=ServerSide,Args=[fs.s3.serverSideEncryption.kms.keyId=keyId]

The following command uses the configuration API to configure server-side encryption:

aws emr create-cluster --release-label emr-4.5.0 --instance-count 3 \
--instance-type m1.xlarge --applications Name=Hadoop \
--configurations file://./myConfig.json --use-default-roles

myConfig.json

[
  {
    "Classification":"emrfs-site",
    "Properties": {
       "fs.s3.enableServerSideEncryption": "true",
       "fs.s3.serverSideEncryption.kms.keyId":"a4567b8-9900-12ab-1234-123a45678901"
    }
  }
]

Note

For Windows, replace the above Linux line continuation character (\) with the caret (^).

emrfs-site.xml properties for server-side encryption

Property                              Default value  Description
fs.s3.enableServerSideEncryption      false          When set to true, objects stored in Amazon S3 are encrypted using server-side encryption.
fs.s3.serverSideEncryption.kms.keyId  n/a            Specifies an AWS KMS key ID or ARN.
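Because both properties arrive as strings inside a configurations document, it is worth having a small check that a cluster definition actually turns SSE on, names a KMS key, and keeps that key in the bucket's region as the note above requires. The following Python is an added example, not code from the AWS documentation or from Amazon EMR; the key ARN and account ID in it are constructed placeholders, and the severity labels are the example's own.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed placeholder, not a key from the page or any real account.
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"

# A key ARN carries its region; a bare key ID (the form used in myConfig.json above) does not.
_KMS_ARN = re.compile(r"^arn:aws[\w-]*:kms:(?P<region>[a-z0-9-]+):\d{12}:(key|alias)/[^/]+$")


def build_emrfs_sse_config(kms_key_id: Optional[str] = None) -> List[dict]:
    """Return a configurations list in the myConfig.json shape that enables SSE
    and, when a key is given, selects that AWS KMS key."""
    props = {"fs.s3.enableServerSideEncryption": "true"}
    if kms_key_id:
        props["fs.s3.serverSideEncryption.kms.keyId"] = kms_key_id
    return [{"Classification": "emrfs-site", "Properties": props}]


def emrfs_properties(configurations: List[dict]) -> Dict[str, str]:
    """Collect the Properties of every emrfs-site classification; later entries win."""
    merged: Dict[str, str] = {}
    for classification in configurations:
        if classification.get("Classification") == "emrfs-site":
            merged.update(classification.get("Properties", {}))
    return merged


def audit_emrfs_sse(configurations: List[dict], bucket_region: str) -> List[str]:
    """Check a configurations document against the two emrfs-site properties and
    the same-region requirement. Returns findings; an empty list means clean."""
    props = emrfs_properties(configurations)
    findings: List[str] = []
    # Hadoop-style boolean: anything other than "true" (any case) leaves SSE off.
    enabled = props.get("fs.s3.enableServerSideEncryption", "false").strip().lower() == "true"
    if not enabled:
        findings.append("HIGH: fs.s3.enableServerSideEncryption is not true; "
                        "EMRFS does not request server-side encryption")
    key = props.get("fs.s3.serverSideEncryption.kms.keyId")
    if key is None:
        findings.append("MEDIUM: fs.s3.serverSideEncryption.kms.keyId not set; "
                        "no AWS KMS-managed key is used")
    else:
        match = _KMS_ARN.match(key.strip())
        if match is None:
            findings.append("INFO: keyId is a bare key ID; its region cannot be "
                            "verified from the configuration alone")
        elif match.group("region") != bucket_region:
            findings.append(f"HIGH: KMS key region {match.group('region')} differs "
                            f"from bucket region {bucket_region}")
    return findings


if __name__ == "__main__":
    config = build_emrfs_sse_config(EXAMPLE_KEY_ARN)
    print(json.dumps(config, indent=2))          # save as myConfig.json for --configurations
    print(audit_emrfs_sse(config, "us-east-1"))  # clean
    print(audit_emrfs_sse(config, "us-west-2"))  # region mismatch finding
```

Passing a key ARN rather than a bare key ID costs nothing and lets the region check run; with a bare ID the audit can only report that the region is unverified.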