CT.EMR.PR.1 CT.EMR.PR.2 CT.EMR.PR.3 CT.EMR.PR.4

Amazon Elastic Map Reduce (Amazon EMR) controls

Topics

[CT.EMR.PR.1] Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3
[CT.EMR.PR.2] Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 with an AWS KMS key
[CT.EMR.PR.3] Require that an Amazon Elastic MapReduce (EMR) security configuration is configured with EBS volume local disk encryption using an AWS KMS key
[CT.EMR.PR.4] Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data in transit

[CT.EMR.PR.1] Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3

This control checks whether an Amazon EMR security configuration is configured to encrypt EMR File System (EMRFS) objects at rest in Amazon S3.

Control objective: Encrypt data at rest
Implementation: AWS CloudFormation guard rule
Control behavior: Proactive
Resource types: AWS::EMR::SecurityConfiguration
AWS CloudFormation guard rule: CT.EMR.PR.1 rule specification

Details and examples

For details about the PASS, FAIL, and SKIP behaviors associated with this control, see the: CT.EMR.PR.1 rule specification
For examples of PASS and FAIL CloudFormation Templates related to this control, see: CT.EMR.PR.1 example templates

Explanation

Amazon S3 encryption works with EMR File System (EMRFS) objects that are read from and written to Amazon S3. When you enable encryption at rest, you specify Amazon S3 server-side encryption (SSE) or client-side encryption (CSE) as the default encryption mode. Optionally, you can specify different encryption methods for individual buckets by using per bucket encryption overrides.

Remediation for rule failure

In the EncryptionConfiguration parameter, set the value of EnableAtRestEncryption to true, and provide an AtRestEncryptionConfiguration configuration.

The examples that follow show how to implement this remediation.

Amazon EMR security configuration - Example

An Amazon EMR security configuration configured to encrypt EMR File System (EMRFS) objects at rest in Amazon S3. The example is shown in JSON and in YAML.

JSON example



{
    "SecurityConfiguration": {
        "Type": "AWS::EMR::SecurityConfiguration",
        "Properties": {
            "SecurityConfiguration": {
                "EncryptionConfiguration": {
                    "EnableInTransitEncryption": false,
                    "EnableAtRestEncryption": true,
                    "AtRestEncryptionConfiguration": {
                        "S3EncryptionConfiguration": {
                            "EncryptionMode": "SSE-S3"
                        }
                    }
                }
            }
        }
    }
}

YAML example



SecurityConfiguration:
  Type: AWS::EMR::SecurityConfiguration
  Properties:
    SecurityConfiguration:
      EncryptionConfiguration:
        EnableInTransitEncryption: false
        EnableAtRestEncryption: true
        AtRestEncryptionConfiguration:
          S3EncryptionConfiguration:
            EncryptionMode: SSE-S3

CT.EMR.PR.1 rule specification



# ###################################
##       Rule Specification        ##
#####################################
# 
# Rule Identifier:
#   emr_sec_config_encryption_at_rest_s3_check
# 
# Description:
#   This control checks whether an Amazon EMR security configuration is configured to encrypt EMR File System (EMRFS) objects at rest in Amazon S3.
# 
# Reports on:
#   AWS::EMR::SecurityConfiguration
# 
# Evaluates:
#   AWS CloudFormation, AWS CloudFormation hook
# 
# Rule Parameters:
#   None
# 
# Scenarios:
#   Scenario: 1`
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document does not contain any EMR security configuration resources
#      Then: SKIP
#   Scenario: 2
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has not been provided
#      Then: FAIL
#   Scenario: 3
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has not been provided
#            or has been provided and set to a value other than bool(true)
#      Then: FAIL
#   Scenario: 4
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'AtRestEncryptionConfiguration' has not been provided
#      Then: FAIL
#   Scenario: 5
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'AtRestEncryptionConfiguration' has been provided as a struct
#       And: 'EncryptionMode' in 'AtRestEncryptionConfiguration.S3EncryptionConfiguration'
#            has not been provided or has been provided as an empty string
#      Then: FAIL
#   Scenario: 6
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'AtRestEncryptionConfiguration' has been provided as a struct
#       And: 'EncryptionMode' in 'AtRestEncryptionConfiguration.S3EncryptionConfiguration'
#            has been provided as a non-empty string
#      Then: PASS

#
# Constants
#
let EMR_SECURITY_CONFIGURATION_TYPE = "AWS::EMR::SecurityConfiguration"
let INPUT_DOCUMENT = this

#
# Assignments
#
let emr_security_configurations = Resources.*[ Type == %EMR_SECURITY_CONFIGURATION_TYPE ]

#
# Primary Rules
#
rule emr_sec_config_encryption_at_rest_s3_check when is_cfn_template(%INPUT_DOCUMENT)
                                                     %emr_security_configurations not empty {
    check(%emr_security_configurations.Properties)
        <<
        [CT.EMR.PR.1]: Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3
        [FIX]: In the 'EncryptionConfiguration' parameter, set the value of 'EnableAtRestEncryption' to true, and provide an 'AtRestEncryptionConfiguration' configuration.
        >>
}

rule emr_sec_config_encryption_at_rest_s3_check when is_cfn_hook(%INPUT_DOCUMENT, %EMR_SECURITY_CONFIGURATION_TYPE) {
    check(%INPUT_DOCUMENT.%EMR_SECURITY_CONFIGURATION_TYPE.resourceProperties)
        <<
        [CT.EMR.PR.1]: Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3
        [FIX]: In the 'EncryptionConfiguration' parameter, set the value of 'EnableAtRestEncryption' to true, and provide an 'AtRestEncryptionConfiguration' configuration.
        >>
}

#
# Parameterized Rules
#
rule check(emr_security_configuration) {
    %emr_security_configuration {
        SecurityConfiguration exists
        SecurityConfiguration is_struct

        SecurityConfiguration {
            # Scenario 2
            EncryptionConfiguration exists
            EncryptionConfiguration is_struct

            EncryptionConfiguration {
                # Scenario 3
                EnableAtRestEncryption exists
                EnableAtRestEncryption == true

                # Scenario 4
                AtRestEncryptionConfiguration exists
                AtRestEncryptionConfiguration is_struct

                # Scenarios 5 and 6
                AtRestEncryptionConfiguration {
                    S3EncryptionConfiguration exists
                    S3EncryptionConfiguration is_struct

                    S3EncryptionConfiguration {
                        EncryptionMode exists
                        check_is_string_and_not_empty(EncryptionMode)
                    }
                }
            }
        }
    }
}

#
# Utility Rules
#
rule is_cfn_template(doc) {
    %doc {
        AWSTemplateFormatVersion exists  or
        Resources exists
    }
}

rule is_cfn_hook(doc, RESOURCE_TYPE) {
    %doc.%RESOURCE_TYPE.resourceProperties exists
}

rule check_is_string_and_not_empty(value) {
    %value {
        this is_string
        this != /\A\s*\z/
    }
}

CT.EMR.PR.1 example templates

You can view examples of the PASS and FAIL test artifacts for the AWS Control Tower proactive controls.

PASS Example - Use this template to verify a compliant resource creation.



Resources:
  SecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: false
          EnableAtRestEncryption: true
          AtRestEncryptionConfiguration:
            S3EncryptionConfiguration:
              EncryptionMode: SSE-S3

FAIL Example - Use this template to verify that the control prevents non-compliant resource creation.



Resources:
  SecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableAtRestEncryption: false
          EnableInTransitEncryption: false

[CT.EMR.PR.2] Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 with an AWS KMS key

This control checks whether an Amazon EMR security configuration is configured to encrypt EMR File System (EMRFS) objects at rest in Amazon S3 with an AWS KMS key.

Control objective: Encrypt data at rest
Implementation: AWS CloudFormation guard rule
Control behavior: Proactive
Resource types: AWS::EMR::SecurityConfiguration
AWS CloudFormation guard rule: CT.EMR.PR.2 rule specification

Details and examples

For details about the PASS, FAIL, and SKIP behaviors associated with this control, see the: CT.EMR.PR.2 rule specification
For examples of PASS and FAIL CloudFormation Templates related to this control, see: CT.EMR.PR.2 example templates

Explanation

Amazon S3 encryption works with EMR File System (EMRFS) objects that are read from and written to Amazon S3. When you enable encyption at rest, you specify Amazon S3 server-side encryption (SSE) or client-side encryption (CSE) as the default encryption mode. Optionally, you can specify different encryption methods for individual buckets using per bucket encryption overrides.

Remediation for rule failure

In the EncryptionConfiguration parameter, set EnableAtRestEncryption to true, and provide an AtRestEncryptionConfiguration configuration, with EncryptionMode set to SSE-KMS or CSE-KMS.

The examples that follow show how to implement this remediation.

Amazon EMR security configuration - Example

An Amazon EMR security configuration configured to encrypt EMR File System (EMRFS) objects at rest in Amazon S3 with AWS KMS. The example is shown in JSON and in YAML.

JSON example



{
    "SecurityConfiguration": {
        "Type": "AWS::EMR::SecurityConfiguration",
        "Properties": {
            "SecurityConfiguration": {
                "EncryptionConfiguration": {
                    "EnableInTransitEncryption": false,
                    "EnableAtRestEncryption": true,
                    "AtRestEncryptionConfiguration": {
                        "S3EncryptionConfiguration": {
                            "EncryptionMode": "SSE-KMS",
                            "AwsKmsKey": {
                                "Fn::GetAtt": [
                                    "KmsKey",
                                    "Arn"
                                ]
                            }
                        }
                    }
                }
            }
        }
    }
}

YAML example



SecurityConfiguration:
  Type: AWS::EMR::SecurityConfiguration
  Properties:
    SecurityConfiguration:
      EncryptionConfiguration:
        EnableInTransitEncryption: false
        EnableAtRestEncryption: true
        AtRestEncryptionConfiguration:
          S3EncryptionConfiguration:
            EncryptionMode: SSE-KMS
            AwsKmsKey: !GetAtt 'KmsKey.Arn'

CT.EMR.PR.2 rule specification



# ###################################
##       Rule Specification        ##
#####################################
# 
# Rule Identifier:
#   emr_sec_config_encryption_at_rest_s3_kms_check
# 
# Description:
#   This control checks whether an Amazon EMR security configuration is configured to encrypt EMR File System (EMRFS) objects at rest in Amazon S3 with an AWS KMS key.
# 
# Reports on:
#   AWS::EMR::SecurityConfiguration
# 
# Evaluates:
#   AWS CloudFormation, AWS CloudFormation hook
# 
# Rule Parameters:
#   None
# 
# Scenarios:
#   Scenario: 1
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document does not contain any EMR security configuration resources
#      Then: SKIP
#   Scenario: 2
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' has not been provided
#      Then: FAIL
#   Scenario: 3
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has not been provided
#            or has been provided and set to a value other than bool(true)
#      Then: FAIL
#   Scenario: 4
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'AtRestEncryptionConfiguration' has not been provided
#      Then: FAIL
#   Scenario: 5
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'AtRestEncryptionConfiguration' has been provided as a struct
#       And: 'EncryptionMode' in 'AtRestEncryptionConfiguration.S3EncryptionConfiguration'
#            has not been provided or has been provided and set to a value other than
#            a KMS-based encryption mode ('SSE-KMS', 'CSE-KMS')
#      Then: FAIL
#   Scenario: 6
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'AtRestEncryptionConfiguration' has been provided as a struct
#       And: 'EncryptionMode' in 'AtRestEncryptionConfiguration.S3EncryptionConfiguration'
#            has been provided and set to a KMS-based encryption mode ('SSE-KMS', 'CSE-KMS')
#       And: 'Overrides' in 'AtRestEncryptionConfiguration.S3EncryptionConfiguration' has been
#            provided as a non-empty list where one or more entries does not contain 'EncryptionMode',
#            or contains 'EncryptionMode' set to a value other than a KMS-based encryption mode
#            ('SSE-KMS', 'CSE-KMS')
#      Then: FAIL
#   Scenario: 7
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'AtRestEncryptionConfiguration' has been provided as a struct
#       And: 'EncryptionMode' in 'AtRestEncryptionConfiguration.S3EncryptionConfiguration'
#            has been provided and set to a KMS-based encryption mode ('SSE-KMS', 'CSE-KMS')
#       And: 'Overrides' in 'AtRestEncryptionConfiguration.S3EncryptionConfiguration' has not
#            been provided, or has been provided as an empty list, or list where every entry
#            contains 'EncryptionMode' set to a KMS-based encryption mode ('SSE-KMS', 'CSE-KMS')
#      Then: PASS

#
# Constants
#
let EMR_SECURITY_CONFIGURATION_TYPE = "AWS::EMR::SecurityConfiguration"
let S3_KMS_ENCRYPTION_MODES = [ "SSE-KMS", "CSE-KMS" ]
let INPUT_DOCUMENT = this

#
# Assignments
#
let emr_security_configurations = Resources.*[ Type == %EMR_SECURITY_CONFIGURATION_TYPE ]

#
# Primary Rules
#
rule emr_sec_config_encryption_at_rest_s3_kms_check when is_cfn_template(%INPUT_DOCUMENT)
                                                         %emr_security_configurations not empty {
    check(%emr_security_configurations.Properties)
        <<
        [CT.EMR.PR.2]: Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 with an AWS KMS key
        [FIX]: In the 'EncryptionConfiguration' parameter, set 'EnableAtRestEncryption' to true, and provide an 'AtRestEncryptionConfiguration' configuration, with 'EncryptionMode' set to 'SSE-KMS' or 'CSE-KMS'.
        >>
}

rule emr_sec_config_encryption_at_rest_s3_kms_check when is_cfn_hook(%INPUT_DOCUMENT, %EMR_SECURITY_CONFIGURATION_TYPE) {
    check(%INPUT_DOCUMENT.%EMR_SECURITY_CONFIGURATION_TYPE.resourceProperties)
        <<
        [CT.EMR.PR.2]: Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 with an AWS KMS key
        [FIX]: In the 'EncryptionConfiguration' parameter, set 'EnableAtRestEncryption' to true, and provide an 'AtRestEncryptionConfiguration' configuration, with 'EncryptionMode' set to 'SSE-KMS' or 'CSE-KMS'.
        >>
}

#
# Parameterized Rules
#
rule check(emr_security_configuration) {
    %emr_security_configuration {
        SecurityConfiguration exists
        SecurityConfiguration is_struct

        SecurityConfiguration {
            # Scenario 2
            EncryptionConfiguration exists
            EncryptionConfiguration is_struct

            EncryptionConfiguration {
                # Scenario 3
                EnableAtRestEncryption exists
                EnableAtRestEncryption == true

                # Scenario 4
                AtRestEncryptionConfiguration exists
                AtRestEncryptionConfiguration is_struct

                # Scenarios 5, 6 and 7
                AtRestEncryptionConfiguration {
                    S3EncryptionConfiguration exists
                    S3EncryptionConfiguration is_struct

                    let s3_encryption_configuration = S3EncryptionConfiguration

                    %s3_encryption_configuration {
                        check_kms_key_configuration(this)
                    }

                    %s3_encryption_configuration [
                        Overrides exists
                        Overrides is_list
                        Overrides not empty
                    ] {
                        Overrides[*] {
                            check_kms_key_configuration(this)
                        }
                    }
                }
            }
        }
    }
}

rule check_kms_key_configuration(s3_encryption_config) {
    %s3_encryption_config {
        EncryptionMode exists
        EncryptionMode in %S3_KMS_ENCRYPTION_MODES
    }
}

#
# Utility Rules
#
rule is_cfn_template(doc) {
    %doc {
        AWSTemplateFormatVersion exists  or
        Resources exists
    }
}

rule is_cfn_hook(doc, RESOURCE_TYPE) {
    %doc.%RESOURCE_TYPE.resourceProperties exists
}

CT.EMR.PR.2 example templates

You can view examples of the PASS and FAIL test artifacts for the AWS Control Tower proactive controls.

PASS Example - Use this template to verify a compliant resource creation.



Resources:
  KmsKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: example-key-policy
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS:
              Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: "*"
  SecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: false
          EnableAtRestEncryption: true
          AtRestEncryptionConfiguration:
            S3EncryptionConfiguration:
              EncryptionMode: SSE-KMS
              AwsKmsKey:
                Fn::GetAtt:
                - KmsKey
                - Arn

FAIL Example - Use this template to verify that the control prevents non-compliant resource creation.



Resources:
  SecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: false
          EnableAtRestEncryption: false

[CT.EMR.PR.3] Require that an Amazon Elastic MapReduce (EMR) security configuration is configured with EBS volume local disk encryption using an AWS KMS key

This control checks whether Amazon EMR security configurations are configured with local disk encryption enabled, using EBS volume encryption and AWS KMS.

Control objective: Encrypt data at rest
Implementation: AWS CloudFormation guard rule
Control behavior: Proactive
Resource types: AWS::EMR::SecurityConfiguration
AWS CloudFormation guard rule: CT.EMR.PR.3 rule specification

Details and examples

For details about the PASS, FAIL, and SKIP behaviors associated with this control, see the: CT.EMR.PR.3 rule specification
For examples of PASS and FAIL CloudFormation Templates related to this control, see: CT.EMR.PR.3 example templates

Explanation

For data at rest, EMR provides the option to encrypt local disk storage. The local storage consists of EC2 instance store volumes and the attached Amazon Elastic Block Store (EBS) storage, which are provisioned with your cluster. The EBS encryption option encrypts the EBS root device volume and its attached storage volumes. The EBS encryption option is available only when you specify AWS Key Management Service as your key provider. AWS Control Tower recommends using EBS encryption.

Usage considerations

If you create a cluster in a Region where Amazon EC2 encryption of EBS volumes is enabled by default for your account, an EBS volume is encrypted even when local disk encryption is not enabled.
With local disk encryption enabled in a security configuration, the Amazon EMR settings take precedence over the Amazon EC2 encryption-by-default settings for cluster EC2 instances.

Remediation for rule failure

In the EncryptionConfiguration parameter, set the value of EnableAtRestEncryption to true, and provide an AtRestEncryptionConfiguration configuration, containing an LocalDiskEncryptionConfiguration configuration that sets EnableEbsEncryption to true.

The examples that follow show how to implement this remediation.

Amazon EMR security configuration - Example

An Amazon EMR security configuration configured with EBS encryption using AWS KMS. The example is shown in JSON and in YAML.

JSON example



{
    "SecurityConfiguration": {
        "Type": "AWS::EMR::SecurityConfiguration",
        "Properties": {
            "SecurityConfiguration": {
                "EncryptionConfiguration": {
                    "EnableInTransitEncryption": false,
                    "EnableAtRestEncryption": true,
                    "AtRestEncryptionConfiguration": {
                        "LocalDiskEncryptionConfiguration": {
                            "EnableEbsEncryption": true,
                            "EncryptionKeyProviderType": "AwsKms",
                            "AwsKmsKey": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
                        }
                    }
                }
            }
        }
    }
}

YAML example



SecurityConfiguration:
  Type: AWS::EMR::SecurityConfiguration
  Properties:
    SecurityConfiguration:
      EncryptionConfiguration:
        EnableInTransitEncryption: false
        EnableAtRestEncryption: true
        AtRestEncryptionConfiguration:
          LocalDiskEncryptionConfiguration:
            EnableEbsEncryption: true
            EncryptionKeyProviderType: AwsKms
            AwsKmsKey: arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab

CT.EMR.PR.3 rule specification



# ###################################
##       Rule Specification        ##
#####################################
# 
# Rule Identifier:
#   emr_sec_config_ebs_encryption_check
# 
# Description:
#   This control checks whether Amazon EMR security configurations are configured with local disk encryption enabled, using EBS volume encryption and AWS KMS.
# 
# Reports on:
#   AWS::EMR::SecurityConfiguration
# 
# Evaluates:
#   AWS CloudFormation, AWS CloudFormation hook
# 
# Rule Parameters:
#   None
# 
# Scenarios:
#   Scenario: 1
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document does not contain any EMR security configuration resources
#      Then: SKIP
#   Scenario: 2
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has not been provided
#      Then: FAIL
#   Scenario: 3
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has not been provided
#            or has been provided and set to a value other than bool(true)
#      Then: FAIL
#   Scenario: 4
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'AtRestEncryptionConfiguration' has not been provided
#      Then: FAIL
#   Scenario: 5
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'AtRestEncryptionConfiguration' has been provided as a struct
#       And: 'EnableEbsEncryption' in 'AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration'
#            has not been provided or has been provided and set to a value other than bool(true)
#      Then: FAIL
#   Scenario: 6
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableAtRestEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'AtRestEncryptionConfiguration' has been provided as a struct
#       And: 'EnableEbsEncryption' in 'AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration'
#            has been provided and set to bool(true)
#      Then: PASS

#
# Constants
#
let EMR_SECURITY_CONFIGURATION_TYPE = "AWS::EMR::SecurityConfiguration"
let INPUT_DOCUMENT = this

#
# Assignments
#
let emr_security_configurations = Resources.*[ Type == %EMR_SECURITY_CONFIGURATION_TYPE ]

#
# Primary Rules
#
rule emr_sec_config_ebs_encryption_check when is_cfn_template(%INPUT_DOCUMENT)
                                              %emr_security_configurations not empty {
    check(%emr_security_configurations.Properties)
        <<
        [CT.EMR.PR.3]: Require that an Amazon Elastic MapReduce (EMR) security configuration is configured with EBS volume local disk encryption using an AWS KMS key
        [FIX]: In the 'EncryptionConfiguration' parameter, set the value of 'EnableAtRestEncryption' to true, and provide an 'AtRestEncryptionConfiguration' configuration, containing an 'LocalDiskEncryptionConfiguration' configuration that sets 'EnableEbsEncryption' to true.
        >>
}

rule emr_sec_config_ebs_encryption_check when is_cfn_hook(%INPUT_DOCUMENT, %EMR_SECURITY_CONFIGURATION_TYPE) {
    check(%INPUT_DOCUMENT.%EMR_SECURITY_CONFIGURATION_TYPE.resourceProperties)
        <<
        [CT.EMR.PR.3]: Require that an Amazon Elastic MapReduce (EMR) security configuration is configured with EBS volume local disk encryption using an AWS KMS key
        [FIX]: In the 'EncryptionConfiguration' parameter, set the value of 'EnableAtRestEncryption' to true, and provide an 'AtRestEncryptionConfiguration' configuration, containing an 'LocalDiskEncryptionConfiguration' configuration that sets 'EnableEbsEncryption' to true.
        >>
}

#
# Parameterized Rules
#
rule check(emr_security_configuration) {
    %emr_security_configuration {
        SecurityConfiguration exists
        SecurityConfiguration is_struct

        SecurityConfiguration {
            # Scenario 2
            EncryptionConfiguration exists
            EncryptionConfiguration is_struct

            EncryptionConfiguration {
                # Scenario 3
                EnableAtRestEncryption exists
                EnableAtRestEncryption == true

                # Scenario 4
                AtRestEncryptionConfiguration exists
                AtRestEncryptionConfiguration is_struct

                # Scenarios 5 and 6
                AtRestEncryptionConfiguration {
                    LocalDiskEncryptionConfiguration exists
                    LocalDiskEncryptionConfiguration is_struct

                    LocalDiskEncryptionConfiguration {
                        EnableEbsEncryption exists
                        EnableEbsEncryption == true
                    }
                }
            }
        }
    }
}

#
# Utility Rules
#
rule is_cfn_template(doc) {
    %doc {
        AWSTemplateFormatVersion exists  or
        Resources exists
    }
}

rule is_cfn_hook(doc, RESOURCE_TYPE) {
    %doc.%RESOURCE_TYPE.resourceProperties exists
}

CT.EMR.PR.3 example templates

You can view examples of the PASS and FAIL test artifacts for the AWS Control Tower proactive controls.

PASS Example - Use this template to verify a compliant resource creation.



Resources:
  KmsKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: example-key-policy
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS:
              Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: "*"
  SecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: false
          EnableAtRestEncryption: true
          AtRestEncryptionConfiguration:
            LocalDiskEncryptionConfiguration:
              EnableEbsEncryption: true
              EncryptionKeyProviderType: AwsKms
              AwsKmsKey:
                Fn::GetAtt:
                - KmsKey
                - Arn

FAIL Example - Use this template to verify that the control prevents non-compliant resource creation.



Resources:
  SecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: false
          EnableAtRestEncryption: false

[CT.EMR.PR.4] Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data in transit

This control checks whether an Amazon EMR security configuration is configured to require encryption in transit.

Control objective: Encrypt data in transit
Implementation: AWS CloudFormation guard rule
Control behavior: Proactive
Resource types: AWS::EMR::SecurityConfiguration
AWS CloudFormation guard rule: CT.EMR.PR.4 rule specification

Details and examples

For details about the PASS, FAIL, and SKIP behaviors associated with this control, see the: CT.EMR.PR.4 rule specification
For examples of PASS and FAIL CloudFormation Templates related to this control, see: CT.EMR.PR.4 example templates

Explanation

For data in transit, EMR security configurations provide you two options. You can create PEM certificates, zip them in a file, and reference them from Amazon S3, or you can implement a certificate custom provider in Java and specify the S3 path to the JAR. In either case, EMR downloads artifacts to each node in the cluster automatically, and later uses them to implement open-source, in-transit encryption features. For more information on how these certificates are used with different big data technologies, see Amazon EMR documentation.

Usage considerations

Several encryption mechanisms are associated with in-transit encryption. These mechanisms are open-source features, they are application-specific, and they may vary by Amazon EMR release. For more information, see Encryption in transit in the Amazon EMR Management Guide.

Remediation for rule failure

In the EncryptionConfiguration parameter, set the EnableInTransitEncryption parameter to true, and provide an InTransitEncryptionConfiguration configuration.

The examples that follow show how to implement this remediation.

Amazon EMR security configuration - Example

An Amazon EMR security configuration configured to require encryption of data in transit. The example is shown in JSON and in YAML.

JSON example



{
    "SecurityConfiguration": {
        "Type": "AWS::EMR::SecurityConfiguration",
        "Properties": {
            "SecurityConfiguration": {
                "EncryptionConfiguration": {
                    "EnableAtRestEncryption": false,
                    "EnableInTransitEncryption": true,
                    "InTransitEncryptionConfiguration": {
                        "TLSCertificateConfiguration": {
                            "CertificateProviderType": "PEM",
                            "S3Object": "s3://MyConfigStore/artifacts/MyCerts.zip"
                        }
                    }
                }
            }
        }
    }
}

YAML example



SecurityConfiguration:
  Type: AWS::EMR::SecurityConfiguration
  Properties:
    SecurityConfiguration:
      EncryptionConfiguration:
        EnableAtRestEncryption: false
        EnableInTransitEncryption: true
        InTransitEncryptionConfiguration:
          TLSCertificateConfiguration:
            CertificateProviderType: PEM
            S3Object: s3://MyConfigStore/artifacts/MyCerts.zip

CT.EMR.PR.4 rule specification



# ###################################
##       Rule Specification        ##
#####################################
# 
# Rule Identifier:
#   emr_sec_config_encryption_in_transit_check
# 
# Description:
#   This control checks whether an Amazon EMR security configuration is configured to require encryption in transit.
# 
# Reports on:
#   AWS::EMR::SecurityConfiguration
# 
# Evaluates:
#   AWS CloudFormation, AWS CloudFormation hook
# 
# Rule Parameters:
#   None
# 
# Scenarios:
#   Scenario: 1
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document does not contain any EMR security configuration resources
#      Then: SKIP
#   Scenario: 2
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has not been provided
#      Then: FAIL
#   Scenario: 3
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableInTransitEncryption' in 'EncryptionConfiguration' has not been provided
#            or has been provided and set to a value other than bool(true)
#      Then: FAIL
#   Scenario: 4
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableInTransitEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'InTransitEncryptionConfiguration' has not been provided
#      Then: FAIL
#   Scenario: 5
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableInTransitEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'InTransitEncryptionConfiguration' has been provided as a struct
#       And: 'CertificateProviderType' in 'InTransitEncryptionConfiguration.TLSCertificateConfiguration'
#            has not been provided or has been provided and set to an empty string
#      Then: FAIL
#   Scenario: 6
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an EMR security configuration resource
#       And: 'EncryptionConfiguration' in 'SecurityConfiguration' has been provided as a struct
#       And: 'EnableInTransitEncryption' in 'EncryptionConfiguration' has been provided and
#            set to bool(true)
#       And: 'InTransitEncryptionConfiguration' has been provided as a struct
#       And: 'CertificateProviderType' in 'InTransitEncryptionConfiguration.TLSCertificateConfiguration'
#            has been provided and set to a non-empty string
#      Then: PASS

#
# Constants
#
let EMR_SECURITY_CONFIGURATION_TYPE = "AWS::EMR::SecurityConfiguration"
let INPUT_DOCUMENT = this

#
# Assignments
#
let emr_security_configurations = Resources.*[ Type == %EMR_SECURITY_CONFIGURATION_TYPE ]

#
# Primary Rules
#
rule emr_sec_config_encryption_in_transit_check when is_cfn_template(%INPUT_DOCUMENT)
                                                     %emr_security_configurations not empty {
    check(%emr_security_configurations.Properties)
        <<
        [CT.EMR.PR.4]: Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data in transit
        [FIX]: In the 'EncryptionConfiguration' parameter, set the 'EnableInTransitEncryption' parameter to true, and provide an 'InTransitEncryptionConfiguration' configuration.
        >>
}

rule emr_sec_config_encryption_in_transit_check when is_cfn_hook(%INPUT_DOCUMENT, %EMR_SECURITY_CONFIGURATION_TYPE) {
    check(%INPUT_DOCUMENT.%EMR_SECURITY_CONFIGURATION_TYPE.resourceProperties)
        <<
        [CT.EMR.PR.4]: Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data in transit
        [FIX]: In the 'EncryptionConfiguration' parameter, set the 'EnableInTransitEncryption' parameter to true, and provide an 'InTransitEncryptionConfiguration' configuration.
        >>
}

#
# Parameterized Rules
#
rule check(emr_security_configuration) {
    %emr_security_configuration {
        SecurityConfiguration exists
        SecurityConfiguration is_struct

        SecurityConfiguration {
            # Scenario 2
            EncryptionConfiguration exists
            EncryptionConfiguration is_struct

            EncryptionConfiguration {
                # Scenario 3
                EnableInTransitEncryption exists
                EnableInTransitEncryption == true

                # Scenario 4
                InTransitEncryptionConfiguration exists
                InTransitEncryptionConfiguration is_struct

                # Scenarios 5 and 6
                InTransitEncryptionConfiguration {
                    TLSCertificateConfiguration exists
                    TLSCertificateConfiguration is_struct

                    TLSCertificateConfiguration {
                        CertificateProviderType exists
                        check_is_string_and_not_empty(CertificateProviderType)
                    }
                }
            }
        }
    }
}

#
# Utility Rules
#
rule is_cfn_template(doc) {
    %doc {
        AWSTemplateFormatVersion exists  or
        Resources exists
    }
}

rule is_cfn_hook(doc, RESOURCE_TYPE) {
    %doc.%RESOURCE_TYPE.resourceProperties exists
}

rule check_is_string_and_not_empty(value) {
    %value {
        this is_string
        this != /\A\s*\z/
    }
}

CT.EMR.PR.4 example templates

You can view examples of the PASS and FAIL test artifacts for the AWS Control Tower proactive controls.

PASS Example - Use this template to verify a compliant resource creation.



Resources:
  SecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableAtRestEncryption: false
          EnableInTransitEncryption: true
          InTransitEncryptionConfiguration:
            TLSCertificateConfiguration:
              CertificateProviderType: PEM
              S3Object: s3://MyConfigStore/artifacts/MyCerts.zip

FAIL Example - Use this template to verify that the control prevents non-compliant resource creation.



Resources:
  SecurityConfiguration:
    Type: AWS::EMR::SecurityConfiguration
    Properties:
      SecurityConfiguration:
        EncryptionConfiguration:
          EnableInTransitEncryption: false
          EnableAtRestEncryption: false

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Elastic Load Balancing controls

AWS Glue controls