You can use S3 Encryption as described in the EMR docs, "Amazon S3 Server-Side Encryption":

fs.s3.enableServerSideEncryption: When set to true, objects stored in Amazon S3 are encrypted using server-side encryption. If no key is specified, SSE-S3 is used.

fs.s3.serverSideEncryption.kms.keyId: Specifies an AWS KMS key ID or ARN. If a key is specified, SSE-KMS is used.

Create a cluster with SSE-S3 enabled:
    aws emr create-cluster --release-label emr-5.24.0 \
      --instance-count 3 --instance-type m5.xlarge --emrfs Encryption=ServerSide

Create a cluster with SSE-KMS enabled:
    aws emr create-cluster --release-label emr-5.24.0 --instance-count 3 \
      --instance-type m5.xlarge --use-default-roles \
      --emrfs Encryption=ServerSide,Args=[fs.s3.serverSideEncryption.kms.keyId=<keyId>]

Or by providing a cluster configuration JSON:
    [
      ...
      {
        "Classification": "emrfs-site",
        "Properties": {
          "fs.s3.enableServerSideEncryption": "true",
          "fs.s3.serverSideEncryption.kms.keyId": "<keyId>"
        }
      }
    ]
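
An added example, not part of the original answer or the EMR docs: a Python check that reads a configuration list in the JSON shape shown above and reports which mode the two emrfs-site properties select, flagging a leftover `<keyId>` placeholder or a key set without the enable flag. The function name, the NOT-ENABLED label, and the sample configuration and key value are constructed for illustration.

```python
import json

ENABLE = "fs.s3.enableServerSideEncryption"
KMS_KEY = "fs.s3.serverSideEncryption.kms.keyId"

# Constructed sample in the same shape as the configuration JSON above.
SAMPLE = json.loads("""
[
  {"Classification": "spark-defaults",
   "Properties": {"spark.executor.memory": "4g"}},
  {"Classification": "emrfs-site",
   "Properties": {"fs.s3.enableServerSideEncryption": "true",
                  "fs.s3.serverSideEncryption.kms.keyId": "EXAMPLE-KEY-ID"}}
]
""")


def emrfs_sse_mode(configurations):
    """Return (mode, findings) for a list of EMR configuration objects."""
    props = {}
    for cfg in configurations:
        if cfg.get("Classification") == "emrfs-site":
            props.update(cfg.get("Properties") or {})

    enabled = str(props.get(ENABLE, "")).strip().lower() == "true"
    key_id = str(props.get(KMS_KEY, "")).strip()
    findings = []

    if "<" in key_id or ">" in key_id:
        findings.append("kms.keyId still contains a template placeholder")
    if key_id and not enabled:
        # The page does not say what happens in this combination, so it is
        # reported for review rather than counted as encrypted.
        findings.append("kms.keyId is set but " + ENABLE + " is not true")

    if not enabled:
        return "NOT-ENABLED", findings
    # Per the property descriptions: key present -> SSE-KMS, otherwise SSE-S3.
    return ("SSE-KMS" if key_id else "SSE-S3"), findings


if __name__ == "__main__":
    print(emrfs_sse_mode(SAMPLE))
```
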